CN110677238A - Broadcast encryption method and device - Google Patents

Info

Publication number: CN110677238A
Authority: CN (China)
Application number: CN201910181445.7A
Legal status: Granted (Active)
Other languages: Chinese (zh)
Other versions: CN110677238B (en)
Inventors: 程朝辉, 杨海峰
Current assignee: Shenzhen Ao Lian Information Security Technology Co Ltd
Original assignee: Shenzhen Ao Lian Information Security Technology Co Ltd
Prior art keywords: key, ciphertext, generating, master, kem

Classifications

All under H04 Electric communication technique: H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications, H04L9/08 Key distribution or management, H04W12/00 Security arrangements, H04W4/00 Services specially adapted for wireless communication networks.

    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0866 Generation of secret information involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
    • H04L9/0869 Generation of secret information involving random numbers or seeds
    • H04L9/3226 Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication, using a predetermined code, e.g. password, passphrase or PIN
    • H04W12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H04W4/06 Selective distribution of broadcast services, e.g. multimedia broadcast multicast service [MBMS]; Services to user groups; One-way selective calling services


Abstract

An embodiment of the invention provides a broadcast encryption method and device in the technical field of communication. The method comprises the following steps: a key generation center generates system parameters params, a master key s and a master public key mpk according to the SM9 algorithm; the key generation center generates an identification private key sk_ID from the system parameters params, the master key s, the master public key mpk and the identification ID_b of any receiving end, and sends the identification private key sk_ID to the corresponding receiving end; the sending end generates a session key encapsulation ciphertext CT_KEM and a data encapsulation ciphertext CT_DEM from the system parameters params, the master public key mpk, the identification set ID of the receiving ends, the label L and the plaintext Msg; the sending end generates the ciphertext CT from the session key encapsulation ciphertext CT_KEM and the data encapsulation ciphertext CT_DEM. When there are multiple receiving ends, the calculation overhead is reduced while remaining fully compatible with the SM9 encryption algorithm, so that existing SM9 facilities, including the key generation function and the data encapsulation function, can be reused and the hardware cost is reduced.

Description

Broadcast encryption method and device
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a broadcast encryption method and a broadcast encryption apparatus.
Background
Broadcast encryption is an encryption scheme that enables one-to-many secure communications over insecure channels. In a general broadcast encryption system, a broadcaster broadcasts encrypted information to users in the system, any user can obtain the encrypted information by monitoring the broadcast, and only users in an authorized user set can decrypt a broadcast ciphertext by using a private key of the user to recover corresponding plaintext information.
The SM9-IBE algorithm is part of the Chinese cryptographic standard "Identity-based cryptographic algorithm SM9". It is used in many applications such as financial data protection, mail protection, message encryption in the Internet of Things and data encryption on the cloud. However, one SM9-IBE encryption operation can only encrypt data to one recipient. For broadcast encryption, where data must be encrypted to multiple receivers, the SM9-IBE algorithm requires a longer ciphertext and has a high computational cost.
Disclosure of Invention
In view of the above problems, embodiments of the present invention are proposed to provide a broadcast encryption method and a corresponding broadcast encryption apparatus that overcome or at least partially solve the above problems.
In order to solve the above problem, an embodiment of the present invention discloses a broadcast encryption method, including:
the key generation center generates a system parameter params, a master key s and a master public key mpk according to an SM9 algorithm, and discloses the system parameter params and the master public key mpk;
the key generation center generates an identification private key sk_ID from the system parameters params, the master key s, the master public key mpk and the identification ID_b of any receiving end, and sends the identification private key sk_ID to the corresponding receiving end;
the sending end generates a session key encapsulation ciphertext CT_KEM and a data encapsulation ciphertext CT_DEM from the system parameters params, the master public key mpk, the identification set ID of the receiving ends, the label L and the plaintext Msg;
the sending end generates the ciphertext CT from the session key encapsulation ciphertext CT_KEM and the data encapsulation ciphertext CT_DEM.
In a preferred embodiment, the step of generating, by the key generation center, the system parameters params, the master key s, and the master public key mpk according to the SM9 algorithm includes:
the key generation center obtains the maximum number u of receiving ends for one broadcast encryption;
selecting three groups G_1, G_2, G_3 and a bilinear pairing e: G_1 × G_2 → G_3, wherein G_1, G_2, G_3 all have prime order p;
randomly selecting a generator Q_1 of the group G_1 and a generator Q_2 of the group G_2;
randomly generating a master key s in the group given in the original as a formula image (not reproduced), and calculating R_1 = sQ_1, ..., R_u = s^u Q_1, W = s^2 Q_2; when u = 1, W is not calculated;
precomputing J = e(R_1, Q_2);
generating the system parameters params = <Q_1, Q_2, G_1, G_2, G_3, e, p>, the master key msk = s and the master public key mpk = (R_1, ..., R_u, J, W).
In a preferred embodiment, the step of the key generation center generating the identification private key sk_ID from the system parameters params, the master key s, the master public key mpk and the identification ID_b of any receiving end comprises the following steps:
the key generation center derives M = H_1(ID_b || 0x03, p) with the function H_1 specified in the SM9 standard;
judging whether M + s ≡ 0 mod p; if so, outputting an error and stopping;
otherwise, calculating t = (M + s)^(-1) · s mod p;
calculating sk_ID = tQ_2 from t.
In a preferred embodiment, the step of the sending end generating the session key encapsulation ciphertext CT_KEM and the data encapsulation ciphertext CT_DEM from the system parameters params, the master public key mpk, the identification set ID of the receiving ends, the label L and the plaintext Msg comprises the following steps:
the sending end generates a session key K and a session key encapsulation ciphertext CT_KEM with the session key encapsulation mechanism KEM.Enc from the system parameters params, the master public key mpk and the identification set ID of the receiving ends;
the sending end generates a data encapsulation ciphertext CT_DEM with the data encapsulation mechanism DEM.Enc.
In a preferred embodiment, the step of the sending end generating the ciphertext CT from the session key encapsulation ciphertext CT_KEM and the data encapsulation ciphertext CT_DEM comprises the following step:
the sending end concatenates the session key encapsulation ciphertext CT_KEM and the data encapsulation ciphertext CT_DEM to generate the ciphertext CT.
In a preferred embodiment, the method further comprises:
the receiving end receives the ciphertext CT and parses it with the corresponding identification private key sk_ID, the identification set ID, the label L and the system parameters params to generate the plaintext Msg.
In a preferred embodiment, the step of generating the session key K and the session key encapsulation ciphertext CT_KEM and the step of generating the plaintext Msg each include a multi-term point-multiplication summation, which is computed as follows:
dividing the point-multiplication summation into at least two groups, each group being computed with a multi-exponentiation algorithm to obtain its partial sum;
summing the partial sums of the at least two groups to obtain the result of the point-multiplication summation.
In order to solve the above problem, an embodiment of the present invention discloses a broadcast encryption apparatus, including:
the first generation module is positioned in the key generation center and used for generating a system parameter params, a master key s and a master public key mpk according to an SM9 algorithm and disclosing the system parameter params and the master public key mpk;
a second generating module located in the key generation center, configured to generate an identification private key sk_ID from the system parameters params, the master key s, the master public key mpk and the identification ID_b of any receiving end, and to send the identification private key sk_ID to the corresponding receiving end;
a third generating module located at the sending end, configured to generate a session key encapsulation ciphertext CT_KEM and a data encapsulation ciphertext CT_DEM from the system parameters params, the master public key mpk, the identification set ID of the receiving ends, the label L and the plaintext Msg;
a fourth generating module located at the sending end, configured to generate the ciphertext CT from the session key encapsulation ciphertext CT_KEM and the data encapsulation ciphertext CT_DEM.
In a preferred embodiment, the first generating module comprises:
an acquisition submodule for acquiring the maximum number u of receiving ends for one broadcast encryption;
a selection submodule for selecting three groups G_1, G_2, G_3 and a bilinear pairing e: G_1 × G_2 → G_3, wherein G_1, G_2, G_3 all have prime order p;
a first random selection submodule for randomly selecting a generator Q_1 of the group G_1 and a generator Q_2 of the group G_2;
a second random selection submodule for randomly generating a master key s in the group given in the original as a formula image (not reproduced), and calculating R_1 = sQ_1, ..., R_u = s^u Q_1, W = s^2 Q_2; when u = 1, W is not calculated;
a precomputation submodule for precomputing J = e(R_1, Q_2);
a first generation submodule for generating the system parameters params = <Q_1, Q_2, G_1, G_2, G_3, e, p>, the master key msk = s and the master public key mpk = (R_1, ..., R_u, J, W).
In a preferred embodiment, the second generating module includes:
a derivation submodule for deriving M = H_1(ID_b || 0x03, p) with the function H_1 specified in the SM9 standard;
a judgment submodule for judging whether M + s ≡ 0 mod p, and if so outputting an error and stopping; otherwise calculating t = (M + s)^(-1) · s mod p;
an identification key generation submodule for calculating sk_ID = tQ_2 from t.
In a preferred embodiment, the third generating module comprises:
a session key encapsulation submodule, configured to generate a session key K and a session key encapsulation ciphertext CT_KEM with the session key encapsulation mechanism KEM.Enc;
a data encapsulation submodule, configured to generate a data encapsulation ciphertext CT_DEM with the data encapsulation mechanism DEM.Enc.
In a preferred embodiment, the fourth generating module comprises:
an encryption submodule for concatenating the session key encapsulation ciphertext CT_KEM and the data encapsulation ciphertext CT_DEM to generate the ciphertext CT.
In a preferred embodiment, the apparatus further comprises:
a decryption module located at the receiving end, configured to receive the ciphertext CT and to parse it with the corresponding identification private key sk_ID, the identification set ID, the label L and the system parameters params to generate the plaintext Msg.
Compared with the prior art, the embodiment of the invention has the following beneficial effects: the key generation center generates the system parameters params, the master key s and the master public key mpk according to the SM9 algorithm, and then generates an identification private key sk_ID from the identification ID_b of any receiving end; the sending end uses a session key encapsulation mechanism and a data encapsulation mechanism to generate a session key encapsulation ciphertext CT_KEM and a data encapsulation ciphertext CT_DEM, and finally concatenates CT_KEM and CT_DEM into the ciphertext. Encryption security is ensured and the ciphertext length does not grow with the number of receiving ends, so that with multiple receiving ends the calculation overhead is reduced while remaining fully compatible with the SM9 algorithm; existing SM9 facilities, including the key generation function and the data encapsulation function, can therefore be reused and the hardware cost is reduced.
Drawings
FIG. 1 is a flow chart of the steps of one embodiment of a broadcast encryption method of the present invention;
FIG. 2 is a flow chart of the steps of one embodiment of a broadcast encryption method of the present invention;
FIG. 3 is a flow chart of the steps of one embodiment of a broadcast encryption method of the present invention;
FIG. 4 is a flow chart of the steps of one embodiment of a broadcast encryption method of the present invention;
FIG. 5 is a block diagram of a broadcast encryption apparatus according to an embodiment of the present invention;
FIG. 6 is a block diagram of a broadcast encryption apparatus according to an embodiment of the present invention;
FIG. 7 is a block diagram of a broadcast encryption apparatus according to an embodiment of the present invention;
FIG. 8 is a block diagram of a broadcast encryption apparatus according to an embodiment of the present invention.
Detailed Description
In order to make the aforementioned objects, features and advantages of the present invention comprehensible, embodiments accompanied with figures are described in further detail below.
Referring to fig. 1, an embodiment of the present invention provides a broadcast encryption method, including the following steps:
S01, the key generation center generates system parameters params, a master key s and a master public key mpk according to the SM9 algorithm, and discloses the system parameters params and the master public key mpk;
S02, the key generation center generates an identification private key sk_ID from the system parameters params, the master key s, the master public key mpk and the identification ID_b of any receiving end, and sends the identification private key sk_ID to the corresponding receiving end;
S03, the sending end generates a session key encapsulation ciphertext CT_KEM and a data encapsulation ciphertext CT_DEM from the system parameters params, the master public key mpk, the identification set ID of the receiving ends, the label L and the plaintext Msg;
S04, the sending end generates the ciphertext CT from the session key encapsulation ciphertext CT_KEM and the data encapsulation ciphertext CT_DEM.
In step S01, the key generation center generates system parameters params, a master key s and a master public key mpk according to the SM9 algorithm, and discloses the system parameters params and the master public key mpk. The key generation center is a trusted authority responsible for generating the system parameters params, the master key s and the master public key mpk. Both the sending end and the receiving end can obtain the system parameters params and the master public key mpk; the master key s is kept at the key generation center. The system parameters params, master key s and master public key mpk are generated according to the SM9 algorithm in order to be fully compatible with it.
Referring to fig. 2, the step S01 includes the following sub-steps:
S101, acquiring the maximum number u of receiving ends for one broadcast encryption;
S102, selecting three groups G_1, G_2, G_3 and a bilinear pairing e: G_1 × G_2 → G_3, wherein G_1, G_2, G_3 all have prime order p;
S103, randomly selecting a generator Q_1 of the group G_1 and a generator Q_2 of the group G_2;
S104, randomly generating a master key s in the group given in the original as a formula image (not reproduced), and calculating R_1 = sQ_1, ..., R_u = s^u Q_1, W = s^2 Q_2; when u = 1, W is not calculated;
S105, precomputing J = e(R_1, Q_2);
S106, generating the system parameters params = <Q_1, Q_2, G_1, G_2, G_3, e, p>, the master key msk = s and the master public key mpk = (R_1, ..., R_u, J, W).
In step S02, the key generation center generates an identification private key sk_ID from the system parameters params, the master key s, the master public key mpk and the identification ID_b of any receiving end, and sends the identification private key sk_ID to the corresponding receiving end. The identification ID_b determines a unique receiving end.
Referring to fig. 3, the step S02 includes the following sub-steps:
S201, deriving M = H_1(ID_b || 0x03, p) with the function H_1 specified in the SM9 standard;
S202, judging whether M + s ≡ 0 mod p; if so, outputting an error and stopping; otherwise, calculating t = (M + s)^(-1) · s mod p;
S203, calculating sk_ID = tQ_2 from t.
The correctness of the identification private key sk_ID can be verified by the following steps:
deriving M = H_1(ID_b || 0x03, p) with the function H_1 specified in the SM9 standard;
calculating T = e(MQ_1 + R_1, sk_ID);
if T = J, outputting "valid", otherwise outputting "invalid".
In step S03, the sending end generates a session key encapsulation ciphertext CT_KEM and a data encapsulation ciphertext CT_DEM from the system parameters params, the master public key mpk, the identification set ID of the receiving ends, the label L and the plaintext Msg. The identification set ID of the receiving ends is the set of the identifications of all receiving ends; the plaintext Msg is the message the sending end intends to send, and the session key encapsulation ciphertext CT_KEM is the encapsulation of the session key K that is used to encrypt the message.
Referring to fig. 4, the step S03 includes the following sub-steps:
S301, the sending end generates a session key K and a session key encapsulation ciphertext CT_KEM with the session key encapsulation mechanism KEM.Enc from the system parameters params, the master public key mpk and the identification set ID of the receiving ends, and sends the session key encapsulation ciphertext CT_KEM to the receiving ends.
S302, the sending end generates a data encapsulation ciphertext CT_DEM with the data encapsulation mechanism DEM.Enc.
KEM.Enc takes as input the identification set ID = (ID_1, ..., ID_t) of the receiving ends, where t ≤ u, the master public key mpk and the system parameters params, and outputs <K, CT_KEM>. The concrete steps are as follows:
selecting a random integer r from the set given in the original as a formula image (not reproduced);
for each ID_j, calculating M_j = H_1(ID_j || 0x03, p);
computing X (formula image not reproduced) and C_1 = rX. X is calculated as follows: first, the coefficients (cf_0, cf_1, ..., cf_t) of a polynomial (formula image not reproduced) are computed, lowest-degree coefficient first, then X = cf_0 Q_1 + cf_1 R_1 + ... + cf_t R_t;
calculating C_2 = (-r)W;
B = J^r;
K = KDF(EC2OSP(C_1) || EC2OSP(C_2) || FE2OSP(B) || I2OSP(cf_0), klen), where klen is the required bit length of the session key, EC2OSP converts an elliptic curve point to a byte string, FE2OSP converts a field element to a byte string, I2OSP converts an integer to a byte string, and KDF is the function specified in the SM9 standard;
CT_KEM = EC2OSP(C_1) || EC2OSP(C_2).
When u = 1, CT_KEM has no ciphertext part C_2, and K = KDF(EC2OSP(C_1) || FE2OSP(B) || ID, klen).
The calculation of X includes a multi-term point-multiplication summation, which can preferably be accelerated by the following steps:
dividing the point-multiplication summation into at least two groups, each group being computed with a multi-exponentiation algorithm to obtain its partial sum;
summing the partial sums of the at least two groups to obtain the result of the point-multiplication summation.
For example, to calculate X = cf_0 Q_1 + cf_1 R_1 + ... + cf_t R_t, starting from the first term, every 6 adjacent point-multiplication terms are placed in one group, giving n+1 groups in total: cf_0 Q_1 + cf_1 R_1 + ... + cf_5 R_5; cf_6 R_6 + ... + cf_11 R_11; ...; cf_6n R_6n + ... + cf_t R_t. The partial sums of the n+1 groups are then added to obtain the final result X, which reduces the calculation difficulty and improves the calculation speed.
DEM.Enc takes the session key K, the label L and the plaintext Msg as input and outputs the data encapsulation ciphertext CT_DEM. The concrete steps are as follows:
parsing K as K = K_1 || K_2 with BITS(K_1) = BITS(Msg), i.e. the byte string K_1 has the same bit length as the byte string Msg;
calculating C_2 (formula image not reproduced);
C_3 = H(C_2 || K_2);
CT_DEM = C_3 || C_2.
It should be noted that the data encapsulation mechanism DEM.Enc may also generate the data encapsulation ciphertext CT_DEM using the block encryption mode specified in the SM9 encryption algorithm standard.
In step S04, the sending end generates the ciphertext CT from the session key encapsulation ciphertext CT_KEM and the data encapsulation ciphertext CT_DEM.
The ciphertext CT is generated by concatenating the session key encapsulation ciphertext CT_KEM and the data encapsulation ciphertext CT_DEM.
When the number of receiving ends is greater than 1 and at most u, the length of the ciphertext CT stays the same.
In one embodiment, the broadcast encryption method further includes:
the receiving end receives the ciphertext CT and parses it with the corresponding identification private key sk_ID, the identification set ID, the label L and the system parameters params to generate the plaintext Msg. The concrete implementation is as follows:
parsing CT as CT = CT_KEM || CT_DEM; if the parsing of CT fails, outputting an error and stopping;
otherwise, calculating K = KEM.Dec(params, mpk, ID, sk_ID, CT_KEM);
then, from the K obtained above, Msg = DEM.Dec(K, L, CT_DEM).
KEM.Dec is the session key decapsulation mechanism; its concrete steps are as follows:
parsing CT_KEM to obtain (C_1, C_2) = OS2ECP(CT_KEM);
judging whether C_1 is in G_1 and C_2 is in G_2;
if not, outputting an error and stopping;
otherwise, calculating B_1 = e(C_1, sk_ID);
assuming ID_i is the decryptor, computing PL (formula image not reproduced) as follows: first, the coefficients (cf'_0, cf'_1, ..., cf'_(t-1)) of a polynomial (formula image not reproduced) are computed, then PL = cf'_1 Q_1 + cf'_2 R_1 + ... + cf'_(t-1) R_(t-2);
calculating M_i = H_1(ID_i || 0x03, p) and cf_0 = cf'_0 · M_i;
B_2 = e(PL, C_2);
B = (B_1 · B_2)^(1/cf'_0), with the inverse of cf'_0 taken mod p;
K = KDF(EC2OSP(C_1) || EC2OSP(C_2) || FE2OSP(B) || I2OSP(cf_0), klen), where klen is the required bit length of the session key.
When u = 1, calculating B_1 = e(C_1, sk_ID) and K = KDF(EC2OSP(C_1) || FE2OSP(B) || ID, klen).
The above steps include a multi-term point-multiplication summation when calculating PL; the same grouping used for calculating X in step S301 may be applied to reduce the calculation difficulty and improve the calculation speed, and is not repeated here.
DEM.Dec is the data decapsulation mechanism; its concrete steps are as follows:
parsing CT_DEM to obtain CT_DEM = C_3 || C_2;
parsing K to obtain K = K_1 || K_2 with BITS(K_1) = BITS(C_2);
calculating C'_3 = H(C_2 || K_2) from K_2 and C_2;
judging whether C'_3 equals C_3; if not, outputting an error;
otherwise, recovering the plaintext (formula image not reproduced),
and the receiving end thereby decrypts the ciphertext CT to obtain the plaintext Msg.
The computational overhead and ciphertext expansion of the broadcast encryption method of this embodiment were compared with those of the SM9-IBE algorithm; the comparison table is given in the original as an image (not reproduced).
In the embodiment provided by the invention, the key generation center generates the system parameters params, the master key s and the master public key mpk according to the SM9 algorithm, and then generates an identification private key sk_ID from the identification ID_b of any receiving end; the sending end uses a session key encapsulation mechanism and a data encapsulation mechanism to generate a session key encapsulation ciphertext CT_KEM and a data encapsulation ciphertext CT_DEM, and finally concatenates CT_KEM and CT_DEM into the ciphertext. Encryption security is ensured and the ciphertext length does not grow with the number of receiving ends, so the calculation overhead is reduced while remaining fully compatible with the SM9 algorithm; existing SM9 facilities, including the key generation function and the data encapsulation function, can therefore be reused and the hardware cost is reduced.
It should be noted that, for simplicity of description, the method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present invention is not limited by the illustrated order of acts, as some steps may occur in other orders or concurrently in accordance with the embodiments of the present invention. Further, those skilled in the art will appreciate that the embodiments described in the specification are presently preferred and that no particular act is required to implement the invention.
Referring to fig. 5, a block diagram of a broadcast encryption apparatus according to an embodiment of the present invention is shown, and may specifically include the following modules:
a first generating module 100 located at the key generating center, configured to generate a system parameter params, a master key s, and a master public key mpk according to an SM9 algorithm, and disclose the system parameter params and the master public key mpk;
a second generating module 200 located at the key generating center, configured to generate an identification private key sk_ID according to the system parameter params, the master key s, the master public key mpk, and the identification ID_b of any receiving end, and to send the identification private key sk_ID to the corresponding receiving end;
a third generating module 300 at the sending end, configured to generate a session key encapsulation ciphertext CT_KEM and a data encapsulation ciphertext CT_DEM according to the system parameter params, the master public key mpk, the identification set ID of the receiving ends, the label L, and the plaintext Msg; the identification set ID of the receiving ends is the set of the identifications of all the receiving ends;
a fourth generating module 400 at the sending end, configured to generate the ciphertext CT according to the session key encapsulation ciphertext CT_KEM and the data encapsulation ciphertext CT_DEM.
As for the first generating module 100, configured to generate a system parameter params, a master key s, and a master public key mpk according to the SM9 algorithm, and to disclose the system parameter params and the master public key mpk: the key generation center is a trusted authority responsible for generating the system parameters params, the master key s and the master public key mpk. Both the sending end and the receiving end can obtain the system parameters params and the master public key mpk; the master key s is kept in the key generation center. The system parameters params, master key s and master public key mpk are generated according to the SM9 algorithm so as to be fully compatible with it.
Referring to fig. 6, the first generating module 100 includes the following sub-modules:
an obtaining submodule 101, configured to obtain the maximum number u of receiving ends for one broadcast encryption;
a selection submodule 102 for selecting three groups G_1, G_2, G_3 and a bilinear pair e: G_1 × G_2 → G_3, wherein the orders of G_1, G_2, G_3 are all the prime number p;
a first random selection submodule 103 for randomly selecting a generator Q_1 of the group G_1 and a generator Q_2 of the group G_2;
a second random selection submodule 104 for randomly selecting, from the group
Figure BDA0001991452440000121
a master key s, and calculating R_1 = sQ_1, ..., R_u = s^u Q_1, W = s^2 Q_2; when u is 1, W is not calculated;
a pre-calculation submodule 105 for precomputing J = e(R_1, Q_2);
a first generation submodule 106 for generating the system parameter params = <Q_1, Q_2, G_1, G_2, G_3, e, p>, the master key msk = s, and the master public key mpk = (R_1, ..., R_u, J, W).
As for the second generating module 200, configured to generate an identification private key sk_ID according to the system parameter params, the master key s, the master public key mpk and the identification ID_b of any receiving end, and to send the identification private key sk_ID to the corresponding receiving end: the identification ID_b uniquely determines a receiving end.
Referring to fig. 7, the second generation module 200 includes the following sub-modules:
a derivation submodule 201 for deriving M = H_1(ID_b || 0x03, p) according to the function H_1 specified in the SM9 standard;
a judgment submodule 202 for judging whether M + s ≡ 0 mod p; if so, outputting error and stopping; otherwise, calculating t = (M + s)^(-1) s mod p;
an identification key generation submodule 203 for calculating sk_ID = t Q_2.
In order that the identification private key sk_ID can be verified, a verification module is provided, comprising:
a verification derivation submodule, deriving M = H_1(ID_b || 0x03, p) according to the function H_1 specified in the SM9 standard;
a verification computation submodule, computing T = e(M Q_1 + R, sk_ID);
a verification judgment submodule, outputting 'valid' if T equals J and 'invalid' otherwise.
As for the third generating module 300, configured to generate a session key encapsulation ciphertext CT_KEM and a data encapsulation ciphertext CT_DEM according to the system parameter params, the master public key mpk, the identification set ID of the receiving ends, the label L, and the plaintext Msg: the identification set ID of the receiving ends is the set of the identifications of all the receiving ends; the plaintext Msg is the plaintext information that the sending end intends to send, and the session key encapsulation ciphertext CT_KEM is the encapsulation ciphertext of the session key K used for encryption and decryption.
Referring to fig. 8, the third generating module 300 includes the following sub-modules:
a session key encapsulation submodule 301, configured to generate a session key K and a session key encapsulation ciphertext CT_KEM by using a session key encapsulation mechanism KEM.Enc according to the system parameter params, the master public key mpk and the identification set ID of the receiving ends; the session key encapsulation ciphertext CT_KEM is sent to the receiving ends.
a data encapsulation submodule 302, configured to generate a data encapsulation ciphertext CT_DEM by using a data encapsulation mechanism DEM.Enc.
KEM.Enc takes the identification set ID = (ID_1, ..., ID_t) of the receiving ends, where t ≤ u, the master public key mpk and the system parameter params as input, and outputs <K, CT_KEM>, i.e. the session key K and the session key encapsulation ciphertext CT_KEM.
The session key encapsulation submodule 301 comprises a dot-product-sum first submodule and a dot-product-sum second submodule, which together perform a plurality of dot product summation calculations. Specifically, the dot-product-sum first submodule divides the required dot product summation calculation into a plurality of independent parts, and each part is computed separately with a multi-exponentiation algorithm; the dot-product-sum second submodule sums the results of all the independent parts of the first submodule to obtain the result of the dot product summation calculation.
DEM.Enc takes the session key K, the label L and the plaintext Msg as input, and outputs the data encapsulation ciphertext CT_DEM.
The fourth generating module 400 is configured to generate the ciphertext CT according to the session key encapsulation ciphertext CT_KEM and the data encapsulation ciphertext CT_DEM. The fourth generating module 400 includes the following submodule:
an encryption submodule, configured to splice the session key encapsulation ciphertext CT_KEM and the data encapsulation ciphertext CT_DEM to generate the ciphertext CT.
When the number of receiving ends is greater than 1 and less than or equal to u, the length of the ciphertext CT remains unchanged.
In one embodiment, the broadcast encryption apparatus further includes:
a decryption module at the receiving end, configured to receive the ciphertext CT and parse it according to the corresponding identification private key sk_ID, the identification set ID, the label L and the system parameter params to generate the plaintext Msg.
The decryption module comprises a dot-product-sum first submodule and a dot-product-sum second submodule, which together perform a plurality of dot product summation calculations.
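The split dot-product summation used by submodule 301 and by the decryption module (and restated in claim 7), as an added example that is not part of the patent: the sum of k_i·P_i is divided into groups, each group is computed with Straus's simultaneous multi-scalar multiplication (a multi-exponentiation algorithm), and the group results are added. The curve (secp256k1, affine arithmetic), the sample points and the scalars are assumptions for illustration; the SM9 curve is not implemented here.

```python
# Affine arithmetic on secp256k1 (an assumption for illustration; the SM9 curve
# is not implemented here).  Points are (x, y) tuples; INF is the identity.
FIELD_P = 2**256 - 2**32 - 977
A, B = 0, 7
BASE = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
        0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None

def ec_add(p1, p2):
    """Group law, including the P + (-P) and doubling cases."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % FIELD_P == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, FIELD_P) % FIELD_P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, FIELD_P) % FIELD_P
    x3 = (lam * lam - x1 - x2) % FIELD_P
    return (x3, (lam * (x1 - x3) - y1) % FIELD_P)

def ec_mul(k, pt):
    """Plain double-and-add, used only for the reference computation."""
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def straus(scalars, points):
    """Multi-exponentiation for one group: a single doubling chain shared by
    all scalars, plus a table of the 2^n subset sums of the points."""
    n = len(points)
    table = [INF] * (1 << n)
    for mask in range(1, 1 << n):
        low = mask & -mask                        # lowest set bit of mask
        table[mask] = ec_add(table[mask ^ low], points[low.bit_length() - 1])
    acc = INF
    for bit in range(max(scalars).bit_length() - 1, -1, -1):
        acc = ec_add(acc, acc)
        column = sum(((k >> bit) & 1) << i for i, k in enumerate(scalars))
        acc = ec_add(acc, table[column])
    return acc

def split_dot_sum(scalars, points, group_size=4):
    """Claim 7: split the dot-product sum into groups of group_size terms,
    run multi-exponentiation per group (first submodule), then add the group
    results (second submodule)."""
    total = INF
    for i in range(0, len(points), group_size):
        part = straus(scalars[i:i + group_size], points[i:i + group_size])
        total = ec_add(total, part)
    return total

def naive_dot_sum(scalars, points):
    """Reference: sum of separate scalar multiplications."""
    total = INF
    for k, pt in zip(scalars, points):
        total = ec_add(total, ec_mul(k, pt))
    return total

if __name__ == "__main__":
    # Constructed sample: eight points and eight scalars.
    pts = [ec_mul(i + 1, BASE) for i in range(8)]
    ks = [5, 12, 7, 33, 2, 19, 40, 21]
    print(split_dot_sum(ks, pts) == naive_dot_sum(ks, pts))
```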
For the device embodiment, since it is basically similar to the method embodiment, the description is simple, and for the relevant points, refer to the partial description of the method embodiment.
The broadcast encryption method and the broadcast encryption device provided by the invention are described in detail, and the principle and the implementation mode of the invention are explained by applying specific examples, and the description of the embodiments is only used for helping to understand the method and the core idea of the invention; meanwhile, for a person skilled in the art, according to the idea of the present invention, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present invention.

Claims (13)

1. A broadcast encryption method, comprising:
the key generation center generates a system parameter params, a master key s and a master public key mpk according to an SM9 algorithm, and discloses the system parameter params and the master public key mpk;
the key generation center generates an identification private key sk_ID according to the system parameters params, the master key s, the master public key mpk and the identification ID_b of any receiving end, and sends the identification private key sk_ID to the corresponding receiving end;
the sending end generates a session key encapsulation ciphertext CT_KEM and a data encapsulation ciphertext CT_DEM according to the system parameter params, the master public key mpk, the identification set ID of the receiving ends, the label L and the plaintext Msg;
the sending end generates the ciphertext CT according to the session key encapsulation ciphertext CT_KEM and the data encapsulation ciphertext CT_DEM.
2. The method according to claim 1, wherein the step of the key generation center generating the system parameters params, the master key s and the master public key mpk according to the SM9 algorithm comprises:
the key generation center obtains the maximum receiving end number u of one-time broadcast encryption;
selecting three groups G_1, G_2, G_3 and a bilinear pair e: G_1 × G_2 → G_3, wherein the orders of G_1, G_2, G_3 are all the prime number p;
randomly selecting a generator Q_1 of the group G_1 and a generator Q_2 of the group G_2;
randomly selecting, from the group
Figure FDA0001991452430000011
a master key s, and calculating R_1 = sQ_1, ..., R_u = s^u Q_1, W = s^2 Q_2; wherein when u is 1, W is not calculated;
precomputing J = e(R_1, Q_2);
generating the system parameter params = <Q_1, Q_2, G_1, G_2, G_3, e, p>, the master key msk = s, and the master public key mpk = (R_1, ..., R_u, J, W).
3. The method according to claim 1, wherein the step of the key generation center generating an identification private key sk_ID according to the system parameters params, the master key s, the master public key mpk and the identification ID_b of any receiving end comprises:
the key generation center derives M = H_1(ID_b || 0x03, p) according to the function H_1 specified in the SM9 standard;
judging whether M + s ≡ 0 mod p, and if so, outputting error and stopping;
otherwise, calculating t = (M + s)^(-1) s mod p;
calculating sk_ID = t Q_2 according to t.
4. The method according to claim 1, wherein the step of the sending end generating a session key encapsulation ciphertext CT_KEM and a data encapsulation ciphertext CT_DEM according to the system parameter params, the master public key mpk, the identification set ID of the receiving ends, the label L and the plaintext Msg comprises:
the sending end generates a session key K and a session key encapsulation ciphertext CT_KEM by using a session key encapsulation mechanism KEM.Enc according to the system parameter params, the master public key mpk and the identification set ID of the receiving ends;
the sending end generates a data encapsulation ciphertext CT_DEM by using a data encapsulation mechanism DEM.
5. The method according to claim 4, wherein the step of the sending end generating the ciphertext CT according to the session key encapsulation ciphertext CT_KEM and the data encapsulation ciphertext CT_DEM comprises:
the sending end splices the session key encapsulation ciphertext CT_KEM and the data encapsulation ciphertext CT_DEM to generate the ciphertext CT.
6. The method of claim 1, further comprising:
the receiving end receives the ciphertext CT and parses the ciphertext CT according to the corresponding identification private key sk_ID, the identification set ID, the label L and the system parameter params to generate the plaintext Msg.
7. The method according to claim 4 or claim 6, wherein the step of generating a session key K and a session key encapsulation ciphertext CT_KEM and the step of generating the plaintext Msg each include a plurality of dot product summation calculations, wherein the plurality of dot product summation calculations comprise:
dividing the plurality of dot product summation calculations into at least two groups, wherein each group is calculated with a multi-exponentiation algorithm to obtain corresponding dot product summation data;
summing the dot product summation data of the at least two groups to obtain the results of the plurality of dot product summation calculations.
8. A broadcast encryption apparatus, comprising:
the first generation module is positioned in the key generation center and used for generating a system parameter params, a master key s and a master public key mpk according to an SM9 algorithm and disclosing the system parameter params and the master public key mpk;
a second generating module located in the key generation center, configured to generate an identification private key sk_ID according to the system parameter params, the master key s, the master public key mpk, and the identification ID_b of any receiving end, and to send the identification private key sk_ID to the corresponding receiving end;
a third generating module at the sending end, configured to generate a session key encapsulation ciphertext CT_KEM and a data encapsulation ciphertext CT_DEM according to the system parameter params, the master public key mpk, the identification set ID of the receiving ends, the label L, and the plaintext Msg;
a fourth generating module at the sending end, configured to generate the ciphertext CT according to the session key encapsulation ciphertext CT_KEM and the data encapsulation ciphertext CT_DEM.
9. The apparatus of claim 8, wherein the first generating module comprises:
the acquisition submodule is used for acquiring the maximum receiving end number u of one-time broadcast encryption;
a selection submodule for selecting three groups G_1, G_2, G_3 and a bilinear pair e: G_1 × G_2 → G_3, wherein the orders of G_1, G_2, G_3 are all the prime number p;
a first random selection submodule for randomly selecting a generator Q_1 of the group G_1 and a generator Q_2 of the group G_2;
a second random selection submodule for randomly selecting a master key s from the group, and calculating R_1 = sQ_1, ..., R_u = s^u Q_1, W = s^2 Q_2; wherein when u is 1, W is not calculated;
a pre-calculation submodule for precomputing J = e(R_1, Q_2);
a first generation submodule for generating the system parameter params = <Q_1, Q_2, G_1, G_2, G_3, e, p>, the master key msk = s, and the master public key mpk = (R_1, ..., R_u, J, W).
10. The apparatus of claim 8, wherein the second generating module comprises:
a derivation submodule for deriving M = H_1(ID_b || 0x03, p) according to the function H_1 specified in the SM9 standard;
a judgment submodule for judging whether M + s ≡ 0 mod p; if so, outputting error and stopping; otherwise, calculating t = (M + s)^(-1) s mod p;
an identification key generation submodule for calculating sk_ID = t Q_2 according to t.
11. The apparatus of claim 8, wherein the third generating module comprises:
a session key encapsulation submodule, configured to generate a session key K and a session key encapsulation ciphertext CT_KEM by using a session key encapsulation mechanism KEM;
a data encapsulation submodule, configured to generate a data encapsulation ciphertext CT_DEM by using a data encapsulation mechanism DEM.
12. The apparatus of claim 11, wherein the fourth generating module comprises:
an encryption submodule, configured to splice the session key encapsulation ciphertext CT_KEM and the data encapsulation ciphertext CT_DEM to generate the ciphertext CT.
13. The apparatus of claim 8, further comprising:
a decryption module at the receiving end, configured to receive the ciphertext CT and parse it according to the corresponding identification private key sk_ID, the identification set ID, the label L and the system parameter params to generate the plaintext Msg.
CN201910181445.7A 2019-03-11 2019-03-11 Broadcast encryption method and device Active CN110677238B (en)

Publications (2)

Publication Number Publication Date
CN110677238A true CN110677238A (en) 2020-01-10
CN110677238B CN110677238B (en) 2022-08-05

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant