CN104125199A - Attribute-based anonymous authentication method and system thereof - Google Patents

Publication number
CN104125199A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201310148635.1A
Other languages
Chinese (zh)
Other versions
CN104125199B (en)
Inventor
高志刚
司晓琳
李强
张严
冯登国
张立武
刘世超
金波
邹翔
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Institute of Software of CAS
Third Research Institute of the Ministry of Public Security
Original Assignee
Institute of Software of CAS
Third Research Institute of the Ministry of Public Security
Application filed by Institute of Software of CAS, Third Research Institute of the Ministry of Public Security filed Critical Institute of Software of CAS
Priority to CN201310148635.1A priority Critical patent/CN104125199B/en
Publication of CN104125199A publication Critical patent/CN104125199A/en
Application granted granted Critical
Publication of CN104125199B publication Critical patent/CN104125199B/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Landscapes

  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses an attribute-based anonymous authentication method comprising the following steps: 1) a trusted party TP generates a master key x and system public parameters according to set security parameters; 2) a user U registers with the TP, submits attributes and initiates an attribute certificate issuing request; 3) the TP verifies the attributes of the user U and issues an attribute certificate for the user U according to the attributes of U, the master key x and the system public parameters; 4) the user U initiates an access request to a service provider SP; 5) the SP looks up the access policy corresponding to the access request and returns it to the user U; 6) the user U selects the attributes to be used according to the access policy, calculates an anonymous certificate from the attribute certificate and a private key r, and sends it to the SP; and 7) the SP verifies the anonymous certificate, and accepts the access request and provides the corresponding service to the user if verification passes and the access policy is satisfied. The invention protects the privacy of the user and supports a more flexible threshold scheme for selectively showing attributes.

Description

Anonymous authentication method and system based on attributes
Technical Field
The invention belongs to the field of computer technology and information security, relates to a method for protecting privacy of user access service behaviors and preventing privacy leakage in a cloud computing environment, and particularly relates to an anonymous authentication method and system based on attributes.
Background
With the development of the Internet and the mobile Internet, people's daily lives depend more and more on network services, which now touch every aspect of everyday life. In particular, the cloud computing concept proposed in recent years has concentrated network services on the Internet: e-government, e-commerce, e-medicine and various enterprise-level application management systems are widely used, and personal activities such as web browsing, shopping, social networking and gaming are increasingly common. Many activities in real life do not require proof of identity, whereas identity management systems in web applications require users to authenticate, and strictly restrict and monitor user access to the system or application. As a result, private information such as a user's behavior and preferences in network activity may be revealed during identity authentication, and tracked or even analyzed through the service provider's auditing function, damaging the user's interests.
An important technology of identity authentication at present is a digital certificate system based on an X.509 system, but the X.509 public key certificate system and a network identity authentication technology have many risks in privacy protection: firstly, a user is required to submit identity information in the stage of registering RA; secondly, the public key certificate can be obtained in a public mode, and the public key certificate contains user information; thirdly, the public key directory and the revocation list can reveal some privacy information of the user; fourth, the identity is fully public at the time of authentication. The traditional authentication process is actually the combination of identity identification and authentication, so that excessive user information is provided for a service provider, the privacy of a user is leaked, and the security threat is brought to the user. In practical scenarios, the service provider needs to know whether the user qualifies to access the service, rather than the user specific identity information.
Therefore, to protect user privacy, anonymous credentials and the associated authentication techniques have become a research hotspot. The core idea of anonymous authentication is to separate a user's qualification from the user's identity during authentication, that is, to verify only that the user is a member of a certain set without revealing the user's specific identity. In traditional anonymous authentication schemes such as ring signatures and group signatures, a user can prove to a service provider that the identity credential the user holds belongs to a specific user set (the set qualified to access a service) according to the requirements of a specific scenario, but the service provider cannot identify which user in that set it is; the technique protects personal privacy by hiding the user's identity. The appearance and development of privacy-preserving signature techniques such as attribute-based signatures offers a new approach to designing anonymous authentication schemes. In an Attribute-Based Signature (ABS), a user's key contains some attribute information, and the user can use this private key to sign a message. As with ring signatures, a signature generated by an ABS scheme can be verified as having been generated by a user who satisfies a combination of related attributes, but the particular signer cannot be determined.
The ABS scheme is an anonymous certificate and authentication system architecture taking attributes as centers, user roles, relationships, personal information and the like are abstracted into attributes, and a server can make a resource access control strategy according to the user attributes; and the user side can establish own security policy and set whether to allow attribute extraction, so that the attribute-based user anonymous access is realized in the manner. The ABS signature scheme realizes the anonymity of the user and the proof of the attribute, so the ABS signature scheme can be easily converted into an anonymous authentication scheme. Compared with the traditional anonymous authentication scheme, the ABS scheme has higher efficiency (the threshold ABS scheme can realize the signature length and the verification process with constant complexity under certain conditions, and the calculation cost and the message length of the threshold ABS scheme are far smaller than those of the similar anonymous authentication scheme), and more complex security policies (such as threshold and the like) can be proved. In conclusion, the research on the anonymous credential scheme based on the new signature scheme such as ABS is also a feasible research direction of the anonymous credential system.
At present, some research projects take anonymous-authentication-related technologies as an important research topic, including the Shibboleth project of the OASIS organization and the Liberty project of the Liberty Alliance. However, the core technique of these projects is the use of pseudonyms in the communication process, so that a third party cannot acquire the user's personal information, while the service provider can still obtain the user's real identity and can correlate user behaviors, which destroys the user's personal privacy. In the invention, the service provider can obtain only the attributes required by the service and no other attributes, so it cannot link activities and therefore cannot obtain the user's real identity.
Disclosure of Invention
An object of the present invention is to overcome the problems in the prior art and to provide an anonymous authentication method and system based on attributes. In particular, the invention comprises the following two important aspects: firstly, an anonymous authentication algorithm based on signature of attributes is designed; second, an anonymous authentication system based on attributes is devised.
Anonymous authentication method based on attributes
The invention aims to provide an attribute-based anonymous authentication system that strengthens the protection of user privacy: a trusted party authenticates the user and issues an attribute credential for the user, the user shows attributes to a service party, and the service party verifies the attribute credential to complete the authentication process. The attribute-based anonymous authentication method mainly consists of an attribute-based signature scheme. The anonymous credential presentation and verification system provides presentation and verification of anonymous credentials to a system running an anonymous authentication protocol, provides an implementation of the anonymous credential presentation and verification algorithms, and supports threshold assertions over user attributes.
The attribute-based credential scheme has the following basic properties:
● anonymity
● unlinkability
● selective attribute disclosure: the application cannot obtain attribute information unrelated to the policy
The signature scheme comprises the following main algorithms (the function of each algorithm is described briefly here; the parameters and calculation process are given in the detailed description):
System Setup algorithm: a probabilistic polynomial-time algorithm run by the attribute authority (i.e. the trusted party). It takes as input security parameters defined by the trusted party (the trusted party chooses them, for example according to the time; different security parameters in different runs yield a different master key and different public parameters) and outputs the master key and the system public parameters. The master key is stored by the trusted party, while the system public parameters are published (for example on an official website) so that other parties can easily obtain them;
User Grant algorithm: as shown in FIG. 2, a probabilistic polynomial-time algorithm run by the attribute authority (i.e. the trusted party). It takes as input the user's attribute set (registered with the trusted party and verified by the trusted party offline), the master key and the system public parameters, outputs the private key corresponding to the attributes, forms the attribute credential, and transmits it securely to the user over a secret channel between the trusted party and the user (e.g. offline, handover in person, etc.). At the same time, the trusted party generates a public/private key pair for the user and sends it to the user through a secure channel.
User Prove algorithm: as shown in FIG. 3, a probabilistic polynomial-time algorithm run by the user. The user first obtains the public parameters issued by the trusted party. The algorithm takes as input the system public parameters (published by the trusted party), a message (related to the service to be accessed), the user's attribute credential, a secret random number r (the private key for generating the anonymous credential), and the attribute condition that the target service requires of its users (for example, the user must hold k of the n listed attributes; this information is obtained from the service provider). It outputs the anonymous credential, which is then sent to the service provider;
User Verify algorithm: as shown in FIG. 4, a deterministic polynomial-time algorithm run by the verifier, i.e. the service provider. The service provider first obtains the public parameters published by the trusted party and calls the algorithm when it needs to verify a user's qualification for access. The algorithm takes as input the public parameters, the message (related to the service the user wants to access), the attribute condition (for example, the user must hold k of the n listed attributes) and the anonymous credential, performs the verification (described in detail in the specific embodiment), and outputs the decision "accept" or "reject".
Anonymous authentication system based on attribute
The main participants of the system comprise a Trusted Party (TP), a User Agent (UA) (users interact with the trusted party and a Service Provider through the User Agent), and a Service Provider (SP), wherein the trusted party TP verifies the User attribute and is responsible for issuing an attribute certificate for the User; the user agent UA performs corresponding calculations on behalf of the user, including mapping of user attributes, attribute credential calculations, credential attestation calculations, and the like. The service provider SP defines the attributes required by the service user to access the service, acquires the attribute certificate of the user, verifies the certificate of the user and the like.
The architecture is shown in fig. 1, in which there are one TP, one user U (user communicates with TP or SP through UA), one service provider SP, and in the application process, there are necessarily multiple users U, multiple service providers SP, and of course, there may be multiple trusted parties TP. The system mainly comprises three parts, namely certificate issuing service, user agent plug-in and application service. The main components of each part are as follows:
A. credential issuance service
● user authentication
● certificate issuing
B. User agent plug-in
● voucher request
● credential management
● voucher presentation
C. Application service
● policy management
● credential validation
The certificate signing and issuing service runs at a TP end of a trusted party, wherein the user identity authentication function confirms that a user has a legal public and private key pair (the public and private key pair is generated for the user by a trusted authority such as a public security bureau according to the identity of the user) by using a public key encryption technology, and the legality of the user is authenticated; the certificate issuing function is that a user submits an attribute to a trusted party and provides an attribute certificate request, the trusted party performs administrative verification and verification on the attribute applied by the user, and after the verification is passed, a corresponding attribute certificate is issued for the user, and the attribute certificate is used for processing the authenticated attribute of the user and can be used for encryption operation.
The user agent plug-in runs at the user end and carries out the complex operations and matching on behalf of the user. It first assigns an attribute identifier to each attribute for which the user requests a credential (the assignment method is specified by the TP and is easy for other parties to obtain; its purpose is to convert the attribute into an integer on which cryptographic operations can be performed, such as mapping 'age = 1' to '1'), and then, in place of the user, sends the values corresponding to the requested attributes to the TP as the attribute credential request. The credential management function maintains a list of all attribute credentials the user has obtained and performs operations such as searching, adding, deleting and replacing attribute credentials. The credential presentation function, once the attributes required by the service provider SP are known, selects the corresponding attribute credential, performs the selective attribute-hiding calculation on the credential content according to the SP's requirement, and presents the result to the service provider as an anonymous credential. After a challenge (random number challenge) issued to the service provider, a response value is calculated according to the challenge value, proving to the SP that the user holds the hidden attributes.
The application service is mainly an SP end, and the policy management function is mainly an attribute policy required by maintenance access service; the certificate verification is to verify the attribute certificate sent by the user side according to the access policy (different services, different access policies, both stored in the SP end) of the corresponding service and the TP public parameter pair (the specific verification algorithm is explained in detail in the implementation scheme), and to determine whether the requirement of the access policy is satisfied. If the verification is passed, the user passes the authentication of the service.
Compared with the prior art, the invention has the advantages that:
1) compared with the existing general anonymous voucher system, the anonymous voucher algorithm based on attribute signature is adopted, so that the user can selectively hide the attribute, and a more flexible threshold attribute selective presentation scheme can be supported.
2) The length of the attribute signature in the invention is constant, so the length of the message transmitted by the anonymous authentication protocol is constant, and the communication efficiency of the protocol is improved.
3) While privacy is guaranteed, the attribute-based signature technology guarantees the forgery prevention and loan prevention properties of the certificate, and guarantees the authentication and access control process with high privacy and high security by taking a user as a center.
4) The specific algorithm implementation in the attribute-based anonymous credential scheme is relatively independent of the framework, and convenient and fast expansion can be performed under a unified framework, so that more kinds of algorithms are supported.
5) Unlinkability: it is computationally difficult for one service, or several services together, to link the activities of a user; that is, a user remains anonymous no matter how many times it accesses a service.
6) Least privilege: it is computationally difficult for one service, or several services together, to learn attributes of a user other than the attributes required by the service. That is, each time the user is authenticated, the service can obtain only the attributes that the session needs and that the user authorizes to present, and cannot obtain other attribute information of the user.
Drawings
FIG. 1 is a diagram of an anonymous credential architecture;
FIG. 2 illustrates an anonymous authentication system credential issuance protocol;
FIG. 3 anonymous authentication system credential presentation protocol;
FIG. 4 anonymous authentication system modules and interfaces.
Detailed Description
The present invention will be described in more detail with reference to the following examples. Wherein, the embodiment 1 gives the anonymous credential algorithm based on attribute signature related to the system, and the embodiment 2 gives the concrete operation mode of the anonymous credential system.
Embodiment 1 Attribute-based anonymous authentication algorithm
A specific example of the attribute-based signature algorithm of the present invention is given below:
is provided withAndis a prime order cyclic group of order p (t is used to denoteDescription of the inventionAndtwo different groups, that is, the present invention needs to set two groups, and uses the angle mark t to distinguish two different prime order cyclic groups), g isThe generator of (1).Is composed ofToBilinear mapping of (c).
System setup algorithm
The algorithm is executed by the trusted party. It first defines the maximum number of attributes n contained in a credential, then assigns an attribute value $\omega_i$ to each user attribute i that may be used (according to a predefined allocation), and additionally selects n-1 redundancy attributes $d_j$ to form a redundancy attribute set D (the allocation must ensure that the redundancy attributes do not repeat any user attribute; if the number of user attributes in the credential to be constructed is less than n, the trusted party selects redundancy attributes to make up the n); the redundancy attributes are not issued to any user. Next, generators g, h are selected at random, a private key, i.e. the master key, is selected at random, and values calculated from it form part of the system public parameters. The public parameters finally generated by the TP are

$$\{\, g,\ g^{x},\ g^{x^{2}},\ g^{x^{3}},\ \ldots,\ g^{x^{2n-1}},\ h,\ h^{x},\ h^{x^{2}},\ h^{x^{3}},\ \ldots,\ h^{x^{n-1}},\ \Omega = \{\omega_i\},\ D = \{d_j\} \,\},$$

and the master key of the TP is x.
(The public parameters include the user attribute set Ω and the redundancy attribute set D, both of which must be published.)
User Grant algorithm
When the user U applies for an attribute credential for the attribute set $\Omega_U \subseteq \Omega$ (where Ω is the set of all attributes and $\Omega_U$ is the user's attribute set), the TP performs the following operations:
First, it checks whether the intersection of the user's attribute set $\Omega_U$ and the redundancy attribute set D is empty.
If it is not empty, the TP refuses to proceed; that is, the request is refused when the attributes submitted by the user contain a redundancy attribute.
If the intersection is empty, the TP randomly selects a generator; then, for the attribute value $\omega_{Ui}$ of the i-th attribute in $\Omega_U$ (the calculation is done for each attribute), it calculates the intermediate values and outputs the attribute credential $cre = \{ g_U, \{U_i\}_{\omega_{Ui} \in \Omega_U} \}$.
User Prove algorithm
When a user wants to access a service, the user needs to prove that the attributes held satisfy the policy the SP has defined for that service. The policy is a threshold policy: the user's attributes must agree with at least t of the k attributes in the attribute set A, i.e. $\Gamma = (t, A)$ with $1 \le t \le k = |A| \le n$ and $|A \cap \Omega_U| \ge t$. The user agent UA selects from its attribute set an attribute subset $\Omega'_U$ that can satisfy the SP policy. It then selects the first n+t-k-1 elements of the set $D = \{d_i\}$; the collection of these elements is denoted $D_{n+t-k-1}$. The user can use the $U_i$ in the credential cre (each attribute has a $U_i$ value in cre, the credential value of that attribute) to calculate:
$$A_1 = g_U^{\,1 / \prod_{\omega_{Ui} \in \Omega'_U} (x + \omega_{Ui})}$$
Next, since $|D_{n+t-k-1} \cap (A - \Omega'_U)| = (n+t-k-1) + (k-t) = n-1$, the user can use $g, g^{x}, \ldots, g^{x^{n-1}}, h, h^{x}, \ldots, h^{x^{n-1}}$ to compute

$$A_2 = g^{\prod_{\omega \in D_{n+t-k-1} \cap (A - \Omega'_U)} (x + \omega)}, \qquad A_3 = h^{\prod_{\omega \in D_{n+t-k-1} \cap (A - \Omega'_U)} (x + \omega)}$$

(where $A_1$, $A_2$, $A_3$ are the intermediate values calculated). Finally, the UA randomly selects a secret value for calculating the anonymous credential $(\pi_1, \pi_2, \pi_3, \pi_4)$, and sends the credential to the SP.
User Verify algorithm
After the verifier SP obtains $(\pi_1, \pi_2, \pi_3, \pi_4)$, it first confirms whether $g_U = \pi_4$ holds ($g_U$ is the first element in the user's anonymous credential, and $\pi_4$ is the last element of the anonymous proof sent to the SP by the UA in step C). If so, the user of the anonymous credential belongs to the set of users to whom credentials have been issued. The anonymous credential is then used in the computation and the verification equations, among them $e(h, \pi_2) = e(g, \pi_3)$; if they hold, the attributes owned by the user satisfy the threshold policy Γ.
Embodiment 2 anonymous authentication system based on attributes
The present embodiment is intended to provide a specific example of the attribute-based anonymous authentication system of the present invention.
The system comprises three bodies: trusted Party (TP), User Agent (UA), and Service Provider (SP). The three parts are connected through a network, and the trusted party is responsible for authenticating the user and issuing an attribute certificate for the user. The primary tasks on the part of the user are performed by the user agent, which is primarily the attribute credential reception, storage, querying, and generation of authentication assertions to assist in the completion of the authentication of the application service provider. Before requesting service, a user needs to apply attribute credentials to a trusted party, and only the attributes that the application service provider needs to be authenticated need to be presented when requesting service, for example, an online game company only needs to prove that the age is larger than the legal age, the country belongs to a specified country, and the like. And the service provider verifies the attribute presented by the user, and corresponding access right is given if the verification is passed.
The specific implementation process comprises four stages: system initialization, credential issuance protocol, credential presentation protocol, and credential validation protocol. The system initialization process generates the necessary common parameters for the operation of the protocol. The certificate issuing process is mainly completed by the negotiation between the trusted party TP and the user. The credential presentation protocol is completed by the user in conjunction with the service provider SP.
The present embodiment is based on the following scenario settings: after obtaining an attribute certificate issued by a trusted party TP, a user U accesses the resource of an application provider SP, the SP specifies an access policy gamma, and if the U meets the access policy, the user is allowed to access the resource, and the specific process is as follows:
1) the TP runs the Setup algorithm of Embodiment 1, saves the generated master key, and publishes the system public parameters in a way that other parties can easily obtain them;
2) A user U initiates an attribute certificate issuing request to a TP through a user agent UA, namely registering and submitting an attribute;
3) the TP and the U execute an authentication protocol, verify the attribute owned by the user, and issue an attribute certificate cre for the user according to the attribute of the U, the master key x and the system public parameters;
4) a user U initiates an access request to a service provider SP through a user agent UA, wherein the access request comprises an identifier of a service to be accessed;
5) an application service provider SP searches an access strategy required by a resource accessed by a user (the strategy is pre-customized, the strategies required by different services are different, and the SP only needs to search a corresponding strategy), and returns the strategy to an agent UA of a user U;
6) the user agent prompts the user U to select the attributes to be used; according to these attributes, the user calculates an anonymous credential using the user's attribute credential and a private key r for generating the anonymous credential (the attribute credential issued by the TP is processed so that the SP can obtain the attributes required by the target service but cannot obtain the specific values of the other attributes in the attribute credential, while still being able to tell that it was authenticated by the TP; the specific algorithm is algorithm C of Embodiment 1), and the anonymous credential is sent to the SP through the user agent;
7) the application service provider SP verifies the user's anonymous credential and returns the resource to the user if the verification passes and the access policy is satisfied (the specific algorithm is algorithm D of Embodiment 1).

Claims (10)

1. An anonymous authentication method based on attributes comprises the following steps:
1) the trusted party TP generates a master key x and system public parameters according to the set security parameters; the master key x is a private key of the trusted party TP;
2) registering and submitting the attribute to the TP by a user U, and initiating an attribute certificate issuing request;
3) the TP verifies the attribute owned by the user U, and generates and issues an attribute certificate cre for the user U according to the attribute of the U, the master key x and the system public parameters;
4) a user U initiates an access request to a service provider SP;
5) the service provider SP searches an access strategy corresponding to the access request and returns the access strategy to the user U;
6) the user U selects the attribute to be used according to the access strategy, then calculates an anonymous voucher by using the attribute voucher cre and a private key r for generating the anonymous voucher, and sends the anonymous voucher to the SP;
7) and the service provider SP verifies the anonymous voucher, and if the anonymous voucher passes the verification and meets the access policy, the service provider SP receives the access request and provides corresponding service to the user.
2. The method according to claim 1, characterized in that the attribute credential cre is generated as follows: the trusted party generates the attribute credential from the attribute set input by the user, the master key x and the system public parameters, using a probabilistic polynomial time algorithm.
3. The method of claim 1, wherein the anonymous credential is generated as follows: the user obtains the system public parameters published by the trusted party, and then generates the anonymous credential by a probabilistic polynomial time algorithm from the system public parameters, the message, the user's attribute credential, the private key r for generating the anonymous credential, and the attributes to be used.
4. The method of claim 1, wherein the service provider SP verifies the anonymous credential as follows: the service provider verifies the anonymous credential using a deterministic polynomial time algorithm, based on the system public parameters, the message, the predicate, and the signature on the message.
5. The method of claim 1, wherein the trusted party generates the master key x and the system public parameters from the security parameters it has set, using a probabilistic polynomial time algorithm.
6. The method according to any one of claims 1 to 5, wherein the master key x and the system public parameters are generated by:
61) trusted party sets two prime order cyclic groups of order pAndg isThe generation element of (a) is generated,is composed ofToBilinear mapping of (c);
62) setting the maximum number of attributes contained in an attribute credential to n, then assigning an attribute value $\omega_i$ to each user attribute i that may be used, and additionally selecting n-1 redundant attributes $d_j$ to form a redundant attribute set D, wherein no redundant attribute $d_j$ coincides with a user attribute;
63) randomly selecting generators g, h, randomly selecting the private key of the TP, i.e. the master key, and generating, using the probabilistic polynomial time algorithm, the public parameters $g, g^{x}, g^{x^{2}}, g^{x^{3}}, \ldots, g^{x^{2n-1}}, h, h^{x}, h^{x^{2}}, h^{x^{3}}, \ldots, h^{x^{n-1}}, \Omega = \{\omega_i\}, D = \{d_j\}.$
7. The method of claim 6, wherein the attribute credential is generated by: when the user U applies for an attribute credential for an attribute set $\Omega_U$ belonging to $\Omega$, where $\Omega$ is the set of all attributes and $\Omega_U$ is the attribute set of user U, the trusted party first checks whether the attributes submitted with the application contain redundant attributes; if so, it refuses to generate the attribute credential; otherwise the trusted party randomly selects a generator, then for the attribute value $\omega_{Ui}$ of the i-th attribute in $\Omega_U$ calculates the intermediate value, thereby computing and outputting the attribute credential $cre = \{g_U, \{U_i\}\,(\omega_{Ui} \in \Omega_U)\}$.
8. The method of claim 7, wherein the anonymous credential is generated by:
81) when a user wants to access a service of a service provider, the user selects, through the user agent UA, an attribute subset of the user attribute set that can satisfy the service policy corresponding to the service, wherein the service policy is: the user attribute set matches at least t of the k attributes in the attribute set A corresponding to the service;
82) the user selects the first n+t-k-1 elements of the set $D = \{d_i\}$; the set of these elements is denoted $D_{n+t-k-1}$;
83) the user uses the attribute values $U_i$ in his attribute credential cre to compute $A_2 = g^{\prod_{\omega \in D_{n+t-k-1} \cap (A - \Omega'_U)} (x+\omega)}, \quad A_3 = h^{\prod_{\omega \in D_{n+t-k-1} \cap (A - \Omega'_U)} (x+\omega)};$
84) randomly selecting the private key r for generating the anonymous credential, and calculating to obtain the anonymous credential $(\pi_1, \pi_2, \pi_3, \pi_4)$.
9. The method as claimed in claim 1, wherein the user side assigns to each attribute submitted by the user an attribute identifier set by the trusted party, and sends the attributes and attribute values the user applies for to the trusted party as the corresponding identifiers and the corresponding attribute values.
10. An attribute-based anonymous authentication system, characterized by comprising a trusted party TP, a user agent UA and a service provider SP connected to one another through a network; wherein
the trusted party is responsible for authenticating the user; generating a master key x and system public parameters according to the set security parameters, the master key x being the private key of the trusted party TP; verifying the attributes owned by user U; and generating and issuing an attribute credential cre for user U according to the attributes of user U, the master key x and the system public parameters;
the user agent is used for registering the attributes of user U with the trusted party; applying for, receiving, storing and querying the attribute credential; initiating access requests to the service provider SP; and generating an anonymous credential to present to the service provider;
and the service provider verifies the anonymous credential presented by the user agent and, if the anonymous credential passes verification and satisfies the corresponding access policy, grants the corresponding access rights.
CN201310148635.1A 2013-04-25 2013-04-25 A kind of anonymous authentication method and system based on attribute Expired - Fee Related CN104125199B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310148635.1A CN104125199B (en) 2013-04-25 2013-04-25 A kind of anonymous authentication method and system based on attribute

Publications (2)

Publication Number Publication Date
CN104125199A true CN104125199A (en) 2014-10-29
CN104125199B CN104125199B (en) 2019-04-02

Family

ID=51770465

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310148635.1A Expired - Fee Related CN104125199B (en) 2013-04-25 2013-04-25 A kind of anonymous authentication method and system based on attribute

Country Status (1)

Country Link
CN (1) CN104125199B (en)

Also Published As

Publication number Publication date
CN104125199B (en) 2019-04-02

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20190402

Termination date: 20210425