CN103368741A - Anonymous participant identity-based signcryption method for multiple receivers - Google Patents

Abstract

The invention discloses an anonymous participant identity-based signcryption method for multiple receivers, solving the technical problem that the safety of the current signcryption method for multiple receivers is poor. The technical scheme comprises the steps of (1) sender signcryption: a sender IDs selects n authorization receivers ID1, ID2, ellipsis, IDn, builds an authorization receiver identity information list L={ID1, ID2, ellipsis, IDn}, constructs a signcryption ciphertext C=<Y, X, U, sigma, W, T, J>, and broadcasts the signcryption ciphertext C so as to complete signcryption operation; and (2) receiver decryption: a receiver IDi calculates h'=H4 (sigma, X, U, T, J) according to elements in the signcryption ciphertext C firstly, then judges whether an equation e (W, P)=e (X+h'Y, Ppub) is workable, decodes a message ciphertext sigma by using a symmetrical decipherment algorithm Dk() to obtain a cleartext M=DK(sigma), and completes the decryption process. The sender is anonymous through constructing a pseudo public key, meanwhile Lagrange's interpolation is adopted for fusing identity information of all the authorization receivers to realize that the identities of the authorization receivers are anonymous for non-authorization receivers, and the safety of the signcryption method for multiple receivers is improved.

Description

The multi-receiver label decryption method of participant's identity anonymity

Technical field

The present invention relates to a kind of multi-receiver label decryption method, particularly the multi-receiver label decryption method of a kind of participant's identity anonymity.

Background technology

In the distribute network application (for example Web conference, roundtable conference and pay TV); in order to protect all participant's privacy of identities of carrying out session in the communication system; and guarantee that session content only can be authorized to the user and correctly decipher; and unauthorized user can't correctly be deciphered, and needs the secure broadcast technology as support.Secure broadcast is to realize that a sender to the technology that a plurality of authorized receivers send safely identical message, can realize the demand for security of above-mentioned network application.

Document " Anonymous ID Based Signcryption Scheme for Multiple Receivers; Cryptology ePrint Archive.Report2009/345 " discloses a kind of multi-receiver label decryption method of ID-based sender anonymity, the key step of the method is: at first, user's (comprising sender and recipient) registers to the TTP of trusted third party (Trusted Third Party) with the identity information of self, TTP calculates PKI and private key for each registered user, and user's PKI is open, with corresponding private key secret be distributed to each user; Sign when close, the sender selects at random some registered subscriber identity informations and consists of an identity of the sender information aggregate together with self identity information, thereby calculate with identity of the sender information aggregate, authorized receiver's the identity information of private key, structure of oneself and the message that will send and to obtain ciphertext, and ciphertext is broadcasted; During deciphering, the recipient receives authorized receiver's identity information tabulation of checking first after the ciphertext in the ciphertext, if oneself is not the authorized receiver, then is not decrypted; If oneself be the authorized receiver, then the private key of usefulness oneself is verified sender's identity and is decrypted.But there are some defectives in this scheme: at first, although the sender is by being hidden in the method that realizes the identity of the sender anonymity in the identity of the sender information aggregate with self identity information, but such method can not stop the assailant to use the identity of the sender information aggregate in a plurality of ciphertexts adopt is intersected that contrast is attacked and the method for collusion is dwindled conjecture scope to identity of the sender, even works as the conjecture scope and can directly obtain identity of the sender in enough hour; Secondly, in the scheme that the document proposes, comprise all authorized receivers' identity information set in the ciphertext, be that any recipient who receives this ciphertext can know the authorized receiver's of this message identity information, thereby can not guarantee recipient's identity anonymity (comprising that the authorized receiver is anonymous to unauthorized recipient's identity anonymity and the identity between the authorized receiver).

Summary of the invention

In order to overcome the deficiency of existing multi-receiver label decryption method poor stability, the invention provides the multi-receiver label decryption method of a kind of participant's identity anonymity.The sender of the method constructs a pseudo-PKI according to the PKI of oneself and communicates when each broadcast communication, because the assailant can inquire its corresponding identity of the sender information by PKI, so the use of pseudo-PKI can stash sender's true identity, thereby can realize sender anonymity; The sender adopts the Lagrange's interpolation technology that all authorized receivers' identity information is merged as a part of signing dense literary composition when signing close message, thereby in signing dense literary composition, directly do not expose sender's identity information tabulation, and then can realize that the authorized receiver is anonymous to unauthorized recipient's identity; Simultaneously, can not calculate the other side's identity information by the relation of signing between the dense civilian element between the authorized receiver, thereby can realize that the identity between the authorized receiver is anonymous.Potential participant's identity information leakage problem when having prevented broadcast communication has been protected the privacy of communication parties, the fail safe that has improved multi-receiver label decryption methods.

The technical solution adopted for the present invention to solve the technical problems: the multi-receiver label decryption method of a kind of participant's identity anonymity is characterized in may further comprise the steps:

(1) the close process of sender's label;

Sender ID _sWhen close to the label of clear-text message M,

(1a) sender ID _sChoose n authorized receiver ID ₁, ID ₂..., ID _n, set up authorized receiver's identity information tabulation L={ID ₁, ID ₂..., ID _n, wherein n is the integer greater than zero;

(1b) sender ID _sChoose random number r ∈ Z _q ^*, calculating sender's pseudo-PKI Y=rQ _s, Q wherein _sBe sender ID _sPKI, Z _q ^*Be the non-zero multiplicative group based on prime number q;

(1c) for each authorized receiver ID _i, i=1 wherein, 2 ..., n, sender ID _sEvaluation x _i=H ₂(ID _i) and numerical value y _i=α _i(Q _i+ P ₁), then, utilize lagrange-interpolation structure polynomial function f _i(x) as follows:

$f_i\left(x\right)=\underset{1\&le;l\&NotEqual;j\&le;n}{\mathrm{\&Pi;}}\frac{{x-x}_j}{x_l-x_j}=a_{i,1}+a_{i,2}x+...+a_{i,n}{x}^{n-1}$

Wherein, x is polynomial function f _i(x) independent variable;

Then, sender ID _sBe calculated as follows information:

$T_i=\underset{j=1}{\overset{n}{\mathrm{\&Sigma;}}}{a}_{j,i}{y}_j$

$J_i=\underset{j=1}{\overset{n}{\mathrm{\&Sigma;}}}{a}_{j,i}{J^{\text{'}}}_j$

Wherein, H ₂Be password one-way Hash function, Q _iBe authorized receiver ID _iPKI, P ₁Be sender ID _sFrom group G ₁In the element chosen arbitrarily, a _{I, j}Polynomial function f _i(x) coefficient and i ≠ j, i=1,2 ..., n, j=1,2 ..., n, J _i ^'=α α _i ^-1P _Pub, α _iBe sender ID _sThe positive integer of selecting at random,

(1d) construction set T={T ₁, T ₂..., T _nAnd set J={J ₁, J ₂..., J _n;

(1e) sender ID _sEvaluation U=α P, and utilize sender ID _sPseudo-PKI Y evaluation X=α Y and key K=H ₃(e (P _Pub, P ₁) ^α), wherein, H ₃Be the password one-way Hash function, e is bilinear map, P _PubBe the Your Majesty of system key;

(1f) sender ID _sUtilize symmetric encipherment algorithm E _k() is encrypted clear-text message M, obtains message ciphertext σ=E _K(M);

(1g) sender ID _sCalculate h=H ₄(σ, X, U, T, J), then, the compute signature information W=(rD of α+h) _s, D wherein _sBe sender ID _sPrivate key, H ₄Be the password one-way Hash function.

(1h) sender ID _sStructure is signed dense civilian C=＜Y, X, and U, σ, W, T, J＞, and will sign dense civilian C and broadcast, finish and sign close operation;

(2) recipient's decrypting process;

Recipient ID _i, i=1 wherein, 2 ..., n, when signing the deciphering of dense civilian C,

(2a) recipient ID _iAt first according to element σ, the X, U, T, the J that sign among the dense civilian C, calculate h '=H ₄(σ, X, U, T, J) then judges equation e (W, P)=e (X+h ' Y, P _Pub) whether set up, wherein, W, X, Y are for signing the element among the dense civilian C, P and P _PubBe the open parameter of system, e is bilinear map;

If equation is false, then the dense civilian C of explanation label is invalid or recipient ID _iNot the authorized receiver, at this moment, recipient ID _iWithdraw from decrypting process; If equation is set up, then signing dense civilian C is effective and recipient ID _iThe authorized receiver, then, recipient ID _iContinue to carry out following process;

(2b) recipient ID _iEvaluation x _i=H ₂(ID _i), then utilize the element T and the J that sign among the dense civilian C to calculate intermediate parameters ${\mathrm{\&eta;}}_i=T_1+x_i{T}_2+...+\left(X_i^{n-1}\mathrm{mod}q\right)T_n$ With ${\mathrm{\&tau;}}_i=J_1+x_i{J}_2+...+\left(x_i^{n-1}\mathrm{mod}q\right)J_n;$

(2c) recipient ID _iUse the element U and the intermediate parameters η that sign among the dense civilian C _iAnd τ _iEvaluation ω=e (τ _i, η _i) e (U, D _i) ^-1, D wherein _iBe recipient ID _iPrivate key, then, computation key K=H ₃(ω);

(2d) recipient ID _iUtilize symmetrical decipherment algorithm D _k() message cipher text σ is decrypted and obtains clear-text message M=D _K(σ), finish decrypting process.

The invention has the beneficial effects as follows: communicate because the sender of the method constructs a pseudo-PKI according to the PKI of oneself when each broadcast communication, because the assailant can inquire its corresponding identity of the sender information by PKI, so the use of pseudo-PKI can stash sender's true identity, thereby has realized sender anonymity; The sender adopts the Lagrange's interpolation technology that all authorized receivers' identity information is merged as a part of signing dense literary composition when signing close message, thereby in signing dense literary composition, directly do not expose sender's identity information tabulation, and then realized that the authorized receiver is anonymous to unauthorized recipient's identity; Can not calculate the other side's identity information by the relation of signing between the dense civilian element between the authorized receiver, thereby realize that the identity between the authorized receiver is anonymous.Potential participant's identity information leakage problem when having prevented broadcast communication has been protected the privacy of communication parties, the fail safe that has improved multi-receiver label decryption methods.

Below in conjunction with drawings and Examples the present invention is elaborated.

Description of drawings

Fig. 1 is the flow chart of the multi-receiver label decryption method of participant's identity of the present invention anonymity.

Embodiment

Describe the present invention in detail with reference to Fig. 1.

Explanation of nouns.

TTP: trusted third party, often taken on by key generation centre, be responsible for producing sender and recipient's private key;

Z: the system safety parameter that the TTP of trusted third party chooses;

Q: the large prime number that the TTP of trusted third party chooses, satisfy q〉2 ^z

G ₁: the q rank addition cyclic group that the TTP of trusted third party chooses;

G ₂: the q factorial method cyclic group that the TTP of trusted third party chooses;

E: the G that the TTP of trusted third party chooses ₁And G ₂On bilinear map, i.e. e:G ₁* G ₁→ G ₂

A → B: domain of definition A is to the mapping of codomain B;

P:G ₁On generator, chosen at random by the TTP of trusted third party;

S: system's master key, chosen at random by the TTP of trusted third party;

Z _q ^*: based on the non-zero multiplicative group of prime number q;

P _Pub: system Your Majesty's key, P _Pub=sP;

H _i: password one-way Hash function, i=1 wherein, 2,3,4;

{ 0,1} ^*: the string that any long " 0 " or " 1 " consists of;

M: clear-text message;

| the length of M|: clear-text message M;

E _k(): symmetric encipherment algorithm, wherein k is key;

E _k(m): utilize symmetric encipherment algorithm E _k() is encrypted message m;

D _k(): symmetrical decipherment algorithm, with symmetric encipherment algorithm E _k() is corresponding, and wherein k is key;

D _k(c): utilize symmetrical decipherment algorithm D _k() is decrypted ciphertext c;

Params: the open parameter of system;

ID: subscriber identity information, the user comprises sender and recipient;

ID _s: sender's identity information;

Q _s: sender ID _sPKI, Q _s=H ₁(ID _s);

D _s: sender ID _sPrivate key, D _s=sQ _s

Y: sender ID _sPseudo-PKI;

N: authorized receiver's number;

ID _i: the identity information of authorized receiver i, i=1 wherein, 2 ..., n;

Q _i: authorized receiver ID _iPKI, Q _i=H ₁(ID _i), i=1 wherein, 2 ..., n;

D _i: authorized receiver ID _iPrivate key, D _i=sQ _i, i=1 wherein, 2 ..., n;

L: authorized receiver's identity information tabulation;

P ₁: the element of from group G1, choosing arbitrarily;

f _i(x): utilize the polynomial function of Lagrange's interpolation structure, wherein x is independent variable, i=1, and 2 ..., n;

A mod q: represent the remainder after A is divided by q;

σ: message ciphertext;

C: sign dense literary composition;

＜a, b ..., c 〉: by element a, b ..., the sequential element set that c consists of;

Specific implementation method is as follows:

Step 1, system made.

Key generation centre is chosen large prime number q, wherein a q according to security parameter z〉2 ^z, the addition cyclic group G on q rank of structure ₁With a q factorial method cyclic group G ₂Construct a bilinear map e:G ₁* G ₁→ G ₂From group G ₁On choose at random generator P, and selecting system master key s ∈ Z at random _q ^*, calculate corresponding system Your Majesty's key P _Pub=sP; Construct 4 password one-way Hash function, be designated as: H ₁: { 0,1} ^*→ G ₁H ₂: { 0,1} ^*→ Z _q ^*H ₃: G ₂→ { 0,1} ^{| M|}H ₄: { 0,1} ^{| M|}* G ₁ ^N+3→ Z _q ^*Choose symmetric encipherment algorithm E _k() and symmetrical decipherment algorithm D _k(), wherein k is key;

Key generation centre structure and public address system parameter p arams, the params building method is:

params=<G ₁,G ₂,q,e,P,P _pub,H ₁,H ₂,H ₃,H ₄,E _k(),D _k()>

Simultaneously, the safe saved system master key of key generation centre s.

Step 2, user's registration.

The user submits identity information ID ∈ { 0,1} to key generation centre ^*, key generation centre is according to system parameters params, the master key s of system and subscriber identity information ID ∈ { 0,1} ^*Calculate user's PKI Q _ID=H ₁(ID), user's private key D _ID=sQ _ID, externally announce this user's PKI and user's private key sent to the user safely.

Step 3, the sender signs close.

Sender ID _sChoose n authorized receiver ID ₁, ID ₂..., ID _n, wherein n be integer and n greater than 0, structure authorized receiver identity information tabulation L={ID ₁, ID ₂..., ID _n; Sender ID _sAs follows to the close process of the label of clear-text message M:

Sender ID _sChoose random number r ∈ Z _q ^*, calculating sender's pseudo-PKI Y=rQ _s, Q wherein _sBe sender ID _sPKI;

Sender ID _sFrom group G ₁In choose at random one element P ₁, for each authorized receiver ID _i, i=1,2 ..., n, sender ID _sChoose random number α _i∈ Z _q ^*, evaluation x _i=H ₂(ID _i) and numerical value y _i=α _i(Q _i+ P ₁), utilize Lagrange's interpolation structure n-1 order polynomial function f _i(x):

$f_i\left(x\right)=\underset{1\&le;l\&NotEqual;j\&le;n}{\mathrm{\&Pi;}}\frac{{x-x}_j}{x_l-x_j}=a_{i,1}+a_{i,2}x+...+a_{i,n}{x}^{n-1}$

Wherein, x is polynomial function f _i(x) independent variable;

Then, sender ID _sBe calculated as follows information:

$T_i=\underset{j=1}{\overset{n}{\mathrm{\&Sigma;}}}{a}_{j,i}{y}_j$

$J_i=\underset{j=1}{\overset{n}{\mathrm{\&Sigma;}}}{a}_{j,i}{J^{\text{'}}}_j$

Wherein, H ₂Be password one-way Hash function, Q _iBe authorized receiver ID _iPKI, a _{I, j}Polynomial function f _i(x) coefficient and i ≠ j, i=1,2 ..., n, j=1,2 ..., n, J _i ^'=α α _i ^-1P _Pub,

α _iBe sender ID _sThe positive integer of selecting at random;

Sender ID _sEvaluation U=α P, and utilize sender ID _sPseudo-PKI Y evaluation X=α Y, then, utilize bilinearity to password one-way Hash function H ₃Computation key K=H ₃(ω), ω=e (P wherein _Pub, P ₁) ^αUtilize symmetric encipherment algorithm E _k() is encrypted clear-text message M and obtains message ciphertext σ=E _K(M);

Sender ID _sCalculate h=H ₄(σ, X, U, T, J), then, the compute signature information W=(rD of α+h) _s, D wherein _sBe sender ID _sPrivate key, H ₄Be the password one-way Hash function;

Sender ID _sIt is C=＜Y that structure is signed dense literary composition, X, and U, σ, W, T, J＞, and will sign dense civilian C and broadcast.

Step 4, recipient's deciphering.

Recipient ID _i, i=1 wherein, 2 ..., n, as follows to the decrypting process of signing dense civilian C:

At first calculate h '=H according to signing dense civilian C ₄(σ, X, U, T, J) is then according to the open parameter P of element X, Y, W and system and the P that sign among the dense civilian C _PubJudge equation e (W, P)=e (X+h'Y, P _Pub) whether set up;

If equation is false, then the dense civilian C of explanation label is invalid or recipient ID _iNot the authorized receiver, at this moment, recipient ID _iWithdraw from decrypting process, if set up, then signing dense civilian C is effective and recipient ID _iBe the authorized receiver, continue to carry out following process;

Recipient ID _iUtilize password one-way Hash function H ₂Evaluation x _i=H ₂(ID _i), utilize numerical value x _iCalculate intermediate parameters η with the set T and the J that sign among the dense civilian C _i=T ₁+ x _iT ₂+ ...+(x _i ^N-1Modq) T _nAnd τ _i=J ₁+ x _iJ ₂+ ...+(x _i ^N-1Modq) J _n

Recipient ID _iUse the element U and the parameter η that sign among the dense civilian C _iAnd τ _iEvaluation ω=e (τ _i, η _i) e (U, D _i ^-1) computation key K=H then ₃(ω); Utilize at last the decipherment algorithm D in the system parameters _k() message cipher text σ is decrypted and obtains message plaintext M=D _K(σ), finish decrypting process.

Claims (1)

1. the multi-receiver label decryption method of participant's identity anonymity is characterized in that may further comprise the steps:

(1) the close process of sender's label;

Sender ID _sWhen close to the label of clear-text message M,

(1a) sender ID _sChoose n authorized receiver ID ₁, ID ₂..., ID _n, set up authorized receiver's identity information tabulation L={ID ₁, ID ₂..., ID _n, wherein n is the integer greater than zero;

(1b) sender ID _sChoose random number r ∈ Z _q ^*, calculating sender's pseudo-PKI Y=rQ _s, Q wherein _sBe sender ID _sPKI, Z _q ^*Be the non-zero multiplicative group based on prime number q;

(1c) for each authorized receiver ID _i, i=1 wherein, 2 ..., n, sender ID _sEvaluation x _i=H ₂(ID _i) and numerical value y _i=α _i(Q _i+ P ₁), then, utilize lagrange-interpolation structure polynomial function f _i(x) as follows:

$f_i\left(x\right)=\underset{1\&le;l\&NotEqual;j\&le;n}{\mathrm{\&Pi;}}\frac{{x-x}_j}{x_l-x_j}{a}_{i,1}+a_{i,2}x+...+a_{i,n}{x}^{n-1}$

Wherein, x is polynomial function f _i(x) independent variable;

Then, sender ID _sBe calculated as follows information:

$T_i=\underset{j=1}{\overset{n}{\mathrm{\&Sigma;}}}{a}_{j,i}{y}_j$

$J_i=\underset{j=1}{\overset{n}{\mathrm{\&Sigma;}}}{a}_{j,i}{J^{\text{'}}}_j$

Wherein, H ₂Be password one-way Hash function, Q _iBe authorized receiver ID _iPKI, P ₁Be sender ID _sFrom group G ₁In the element chosen arbitrarily, a _{I, j}Polynomial function f _i(x) coefficient and i ≠ j, i=1,2 ..., n, j=1,2 ..., n,

α _iBe sender ID _sThe positive integer of selecting at random,

(1d) construction set T={T ₁, T ₂..., T _nAnd set J={J ₁, J ₂..., J _n;

(1e) sender ID _sEvaluation U=α P, and utilize sender ID _sPseudo-PKI Y evaluation X=α Y and key K=H ₃(e (P _Pub, P ₁) ^α), wherein, H ₃Be the password one-way Hash function, e is bilinear map, P _PubBe the Your Majesty of system key;

(1f) sender ID _sUtilize symmetric encipherment algorithm E _k() is encrypted clear-text message M, obtains message ciphertext σ=E _K(M);

(1g) sender ID _sCalculate h=H ₄(σ, X, U, T, J), then, the compute signature information W=(rD of α+h) _s, D wherein _sBe sender ID _sPrivate key, H ₄Be the password one-way Hash function.

(1h) sender ID _sStructure is signed dense civilian C=＜Y, X, and U, σ, W, T, J＞, and will sign dense civilian C and broadcast, finish and sign close operation;

(2) recipient's decrypting process;

Recipient ID _i, i=1 wherein, 2 ..., n, when signing the deciphering of dense civilian C,

(2a) recipient ID _iAt first according to element σ, the X, U, T, the J that sign among the dense civilian C, calculate h '=H ₄(σ, X, U, T, J) then judges equation e (W, P)=e (X+h ' Y, P _Pub) whether set up, wherein, W, X, Y are for signing the element among the dense civilian C, P and P _PubBe the open parameter of system, e is bilinear map;

If equation is false, then the dense civilian C of explanation label is invalid or recipient ID _iNot the authorized receiver, at this moment, recipient ID _iWithdraw from decrypting process; If equation is set up, then signing dense civilian C is effective and recipient ID _iThe authorized receiver, then, recipient ID _iContinue to carry out following process;

(2b) recipient ID _iEvaluation x _i=H ₂(ID _i), then utilize the element T and the J that sign among the dense civilian C to calculate intermediate parameters ${\mathrm{\&eta;}}_i=T_1+x_i{T}_2+...+\left(X_i^{n-1}\mathrm{mod}q\right)T_n$ With ${\mathrm{\&tau;}}_i=J_1+x_i{J}_2+...+\left(x_i^{n-1}\mathrm{mod}q\right)J_n;$

(2c) recipient ID _iUse the element U and the intermediate parameters η that sign among the dense civilian C _iAnd τ _iEvaluation ω=e (τ _i, η _i) e (U, D _i) ^-1, D wherein _iBe recipient ID _iPrivate key, then, computation key K=H ₃(ω);

(2d) recipient ID _iUtilize symmetrical decipherment algorithm D _k() message cipher text σ is decrypted and obtains clear-text message M=D _K(σ), finish decrypting process.

Images