CN110677238A - Broadcast encryption method and device - Google Patents
Broadcast encryption method and device
Publication number: CN110677238A
Application number: CN201910181445.7A
Authority: CN (China)
Legal status: Granted (the legal status listed by Google is an assumption, not a legal conclusion)
Classifications (CPC):
- H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) (under H04L9/08 Key distribution or management; H04L9/0816 Key establishment)
- H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0866 Generation of secret information involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
- H04L9/0869 Generation of secret information involving random numbers or seeds
- H04L9/3226 Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication, using a predetermined code, e.g. password, passphrase or PIN
- H04W12/02 Security arrangements; Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
- H04W4/06 Selective distribution of broadcast services, e.g. multimedia broadcast multicast service [MBMS]; Services to user groups; One-way selective calling services
Abstract
The embodiments of the invention provide a broadcast encryption method and device in the field of communication technology. The method comprises: a key generation center generates system parameters params, a master key s and a master public key mpk according to the SM9 algorithm; the key generation center generates an identification private key sk_ID from params, s, mpk and the identification ID_b of any receiving end, and sends sk_ID to the corresponding receiving end; the sending end generates a session key encapsulation ciphertext CT_KEM and a data encapsulation ciphertext CT_DEM from params, mpk, the identification set ID of the receiving ends, the label L and the plaintext Msg; and the sending end generates the ciphertext CT from CT_KEM and CT_DEM. When there are multiple receiving ends the computation overhead is reduced, and the scheme remains fully compatible with the SM9 encryption algorithm, so existing SM9 facilities (key generation, data encapsulation and so on) can be reused and hardware cost is reduced.
Description
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a broadcast encryption method and a broadcast encryption apparatus.
Background
Broadcast encryption is an encryption scheme that enables one-to-many secure communication over insecure channels. In a typical broadcast encryption system a broadcaster broadcasts encrypted information to the users of the system; any user can obtain the encrypted information by listening to the broadcast, but only the users in the authorized set can decrypt the broadcast ciphertext with their private keys and recover the plaintext.
The SM9-IBE algorithm is part of the Chinese cryptographic standard "Identity-based cryptographic algorithm SM9". It is used in many applications, such as financial data protection, mail protection, message encryption in the Internet of Things and data encryption in the cloud. However, one SM9-IBE encryption operation can only encrypt data to a single recipient. For broadcast encryption, where data must be encrypted to multiple receivers, using SM9-IBE directly produces a ciphertext whose length grows with the number of receivers and has a high computation cost.
Disclosure of Invention
In view of the above problems, embodiments of the present invention provide a broadcast encryption method and a corresponding broadcast encryption apparatus that overcome or at least partially solve them.
To solve the above problem, an embodiment of the present invention discloses a broadcast encryption method comprising:
the key generation center generates system parameters params, a master key s and a master public key mpk according to the SM9 algorithm, and publishes params and mpk;
the key generation center generates an identification private key sk_ID from params, s, mpk and the identification ID_b of any receiving end, and sends sk_ID to the corresponding receiving end;
the sending end generates a session key encapsulation ciphertext CT_KEM and a data encapsulation ciphertext CT_DEM from params, mpk, the identification set ID of the receiving ends, the label L and the plaintext Msg;
the sending end generates the ciphertext CT from CT_KEM and CT_DEM.
In a preferred embodiment, the step in which the key generation center generates params, s and mpk according to the SM9 algorithm comprises:
the key generation center obtains the maximum number u of receiving ends of one broadcast encryption;
selecting three groups G_1, G_2, G_3 of prime order p and a bilinear pairing e: G_1 × G_2 → G_3;
randomly selecting a generator Q_1 of G_1 and a generator Q_2 of G_2;
randomly generating a master key s in Z_p^* and computing R_1 = s·Q_1, ..., R_u = s^u·Q_1 and W = s^2·Q_2 (when u = 1, W is not computed);
precomputing J = e(R_1, Q_2);
generating the system parameters params = <Q_1, Q_2, G_1, G_2, G_3, e, p>, the master key msk = s and the master public key mpk = (R_1, ..., R_u, J, W).
In a preferred embodiment, the step in which the key generation center generates sk_ID from params, s, mpk and the identification ID_b of any receiving end comprises:
the key generation center derives M = H_1(ID_b || 0x03, p) with the function H_1 specified in the SM9 standard;
checking whether M + s ≡ 0 (mod p); if so, outputting an error and stopping;
otherwise computing t = (M + s)^{-1}·s mod p;
computing sk_ID = t·Q_2 from t.
In a preferred embodiment, the step in which the sending end generates CT_KEM and CT_DEM from params, mpk, the identification set ID of the receiving ends, the label L and the plaintext Msg comprises:
the sending end generates a session key K and the session key encapsulation ciphertext CT_KEM from params, mpk and the identification set ID of the receiving ends using the session key encapsulation mechanism KEM.Enc;
the sending end generates the data encapsulation ciphertext CT_DEM using the data encapsulation mechanism DEM.Enc.
In a preferred embodiment, the step in which the sending end generates the ciphertext CT from CT_KEM and CT_DEM comprises:
the sending end concatenates CT_KEM and CT_DEM to form the ciphertext CT.
In a preferred embodiment, the method further comprises:
the receiving end receives the ciphertext CT and parses it with its identification private key sk_ID, the identification set ID, the label L and params to recover the plaintext Msg.
In a preferred embodiment, the step of generating the session key K and CT_KEM and the step of recovering the plaintext Msg each include a multi-term point-multiplication sum (a multi-scalar multiplication), which is computed as follows:
dividing the terms of the sum into at least two groups, each group being evaluated with a multi-exponentiation algorithm to obtain its partial sum;
adding the partial sums of the at least two groups to obtain the result of the multi-scalar multiplication.
To solve the above problem, an embodiment of the present invention discloses a broadcast encryption apparatus comprising:
a first generation module, located in the key generation center, for generating system parameters params, a master key s and a master public key mpk according to the SM9 algorithm and publishing params and mpk;
a second generation module, located in the key generation center, for generating an identification private key sk_ID from params, s, mpk and the identification ID_b of any receiving end, and sending sk_ID to the corresponding receiving end;
a third generation module, located at the sending end, for generating a session key encapsulation ciphertext CT_KEM and a data encapsulation ciphertext CT_DEM from params, mpk, the identification set ID of the receiving ends, the label L and the plaintext Msg;
a fourth generation module, located at the sending end, for generating the ciphertext CT from CT_KEM and CT_DEM.
In a preferred embodiment, the first generation module comprises:
an acquisition submodule for obtaining the maximum number u of receiving ends of one broadcast encryption;
a selection submodule for selecting three groups G_1, G_2, G_3 of prime order p and a bilinear pairing e: G_1 × G_2 → G_3;
a first random selection submodule for randomly selecting a generator Q_1 of G_1 and a generator Q_2 of G_2;
a second random selection submodule for randomly generating a master key s in Z_p^* and computing R_1 = s·Q_1, ..., R_u = s^u·Q_1 and W = s^2·Q_2 (when u = 1, W is not computed);
a precomputation submodule for precomputing J = e(R_1, Q_2);
a first generation submodule for generating the system parameters params = <Q_1, Q_2, G_1, G_2, G_3, e, p>, the master key msk = s and the master public key mpk = (R_1, ..., R_u, J, W).
In a preferred embodiment, the second generation module comprises:
a derivation submodule for deriving M = H_1(ID_b || 0x03, p) with the function H_1 of the SM9 standard;
a judgment submodule for checking whether M + s ≡ 0 (mod p), outputting an error and stopping if so, and otherwise computing t = (M + s)^{-1}·s mod p;
an identification key generation submodule for computing sk_ID = t·Q_2 from t.
In a preferred embodiment, the third generation module comprises:
a session key encapsulation submodule for generating the session key K and the session key encapsulation ciphertext CT_KEM using the session key encapsulation mechanism KEM.Enc;
a data encapsulation submodule for generating the data encapsulation ciphertext CT_DEM using the data encapsulation mechanism DEM.Enc.
In a preferred embodiment, the fourth generation module comprises:
an encryption submodule for concatenating CT_KEM and CT_DEM into the ciphertext CT.
In a preferred embodiment, the apparatus further comprises:
a decryption module, located at the receiving end, for receiving the ciphertext CT and parsing it with the corresponding identification private key sk_ID, the identification set ID, the label L and params to recover the plaintext Msg.
Compared with the prior art, the embodiments of the invention have the following beneficial effects: the key generation center generates params, s and mpk according to the SM9 algorithm and then generates sk_ID from the identification ID_b of any receiving end; the sending end uses a session key encapsulation mechanism and a data encapsulation mechanism to produce CT_KEM and CT_DEM and finally concatenates them into the ciphertext. Encryption security is preserved and the ciphertext length does not grow with the number of receiving ends, so with multiple receiving ends the computation overhead is reduced; at the same time the scheme is fully compatible with the SM9 algorithm, so existing SM9 facilities (key generation, data encapsulation and so on) can be reused and hardware cost is reduced.
Drawings
FIG. 1 is a flow chart of the steps of one embodiment of a broadcast encryption method of the present invention;
FIG. 2 is a flow chart of the steps of one embodiment of a broadcast encryption method of the present invention;
FIG. 3 is a flow chart of the steps of one embodiment of a broadcast encryption method of the present invention;
FIG. 4 is a flow chart of the steps of one embodiment of a broadcast encryption method of the present invention;
fig. 5 is a block diagram of a broadcast encryption apparatus according to an embodiment of the present invention;
fig. 6 is a block diagram of a broadcast encryption apparatus according to an embodiment of the present invention;
fig. 7 is a block diagram of a broadcast encryption apparatus according to an embodiment of the present invention;
fig. 8 is a block diagram of a broadcast encryption apparatus according to an embodiment of the present invention.
Detailed Description
In order to make the aforementioned objects, features and advantages of the present invention comprehensible, embodiments accompanied with figures are described in further detail below.
Referring to fig. 1, an embodiment of the present invention provides a broadcast encryption method comprising the following steps:
S01, the key generation center generates system parameters params, a master key s and a master public key mpk according to the SM9 algorithm, and publishes params and mpk;
S02, the key generation center generates an identification private key sk_ID from params, s, mpk and the identification ID_b of any receiving end, and sends sk_ID to the corresponding receiving end;
S03, the sending end generates a session key encapsulation ciphertext CT_KEM and a data encapsulation ciphertext CT_DEM from params, mpk, the identification set ID of the receiving ends, the label L and the plaintext Msg;
S04, the sending end generates the ciphertext CT from CT_KEM and CT_DEM.
In step S01, the key generation center generates params, s and mpk according to the SM9 algorithm and publishes params and mpk. The key generation center is a trusted authority responsible for generating params, s and mpk. Both the sending end and the receiving end can obtain params and mpk; the master key s is kept only at the key generation center. params, s and mpk are generated according to the SM9 algorithm to achieve full compatibility with SM9. Note that mpk contains u elements R_1, ..., R_u of G_1, so the maximum number u fixed at setup bounds the size t of the receiver set of any single broadcast (t ≤ u).
Referring to fig. 2, step S01 comprises the following sub-steps:
S101, obtaining the maximum number u of receiving ends of one broadcast encryption;
S102, selecting three groups G_1, G_2, G_3 of prime order p and a bilinear pairing e: G_1 × G_2 → G_3;
S103, randomly selecting a generator Q_1 of G_1 and a generator Q_2 of G_2;
S104, randomly generating a master key s in Z_p^* and computing R_1 = s·Q_1, ..., R_u = s^u·Q_1 and W = s^2·Q_2 (when u = 1, W is not computed);
S105, precomputing J = e(R_1, Q_2);
S106, generating the system parameters params = <Q_1, Q_2, G_1, G_2, G_3, e, p>, the master key msk = s and the master public key mpk = (R_1, ..., R_u, J, W).
In step S02, the key generation center generates sk_ID from params, s, mpk and the identification ID_b of any receiving end and sends sk_ID to the corresponding receiving end; the identification ID_b determines a unique receiving end.
Referring to fig. 3, step S02 comprises the following sub-steps:
S201, deriving M = H_1(ID_b || 0x03, p) with the function H_1 specified in the SM9 standard;
S202, checking whether M + s ≡ 0 (mod p); if so, outputting an error and stopping; otherwise computing t = (M + s)^{-1}·s mod p;
S203, computing sk_ID = t·Q_2 from t. This is the same private key form as SM9 encryption (hid = 0x03), which is what lets existing SM9 key generation facilities be reused.
To ensure the correctness of the identification private key sk_ID, it can be verified as follows:
derive M = H_1(ID_b || 0x03, p) with the function H_1 specified in the SM9 standard;
compute T = e(M·Q_1 + R_1, sk_ID);
if T = J output "valid", otherwise output "invalid". (Since M·Q_1 + R_1 = (M + s)·Q_1 and sk_ID = (M + s)^{-1}·s·Q_2, bilinearity gives T = e(Q_1, Q_2)^s = e(R_1, Q_2) = J for a correctly generated key.)
In step S03, the sending end generates CT_KEM and CT_DEM from params, mpk, the identification set ID of the receiving ends, the label L and the plaintext Msg. The identification set ID of the receiving ends is the set of the identifications of all intended receiving ends; the plaintext Msg is the message the sending end intends to send; CT_KEM is the encapsulation of the session key K that is used to encrypt the message.
Referring to fig. 4, step S03 comprises the following sub-steps:
S301, the sending end generates a session key K and a session key encapsulation ciphertext CT_KEM from params, mpk and the identification set ID of the receiving ends using the session key encapsulation mechanism KEM.Enc; CT_KEM is sent to the receiving ends.
S302, the sending end generates the data encapsulation ciphertext CT_DEM using the data encapsulation mechanism DEM.Enc.
KEM.Enc takes the identification set ID = (ID_1, ..., ID_t) of the receiving ends, where t ≤ u, the master public key mpk and the system parameters params as input and outputs <K, CT_KEM>. The concrete steps are:
select a random integer r in Z_p^*;
for each ID_j compute M_j = H_1(ID_j || 0x03, p);
compute C_1 = r·X, where X is computed as follows: first compute the coefficients (cf_0, cf_1, ..., cf_t), lowest-degree term first, of the polynomial ∏_{j=1}^{t} (x + M_j); then compute X = cf_0·Q_1 + cf_1·R_1 + ... + cf_t·R_t (because R_k = s^k·Q_1, this equals (∏_{j=1}^{t} (s + M_j))·Q_1);
compute C_2 = (-r)·W;
B = J^r;
K = KDF(EC2OSP(C_1) || EC2OSP(C_2) || FE2OSP(B) || I2OSP(cf_0), klen), where klen is the bit length required for the session key, EC2OSP converts an elliptic curve point to a byte string, FE2OSP converts a field element to a byte string, I2OSP converts an integer to a byte string, and KDF is the key derivation function specified in the SM9 standard;
CT_KEM = EC2OSP(C_1) || EC2OSP(C_2).
When u = 1, CT_KEM has no component C_2 and K = KDF(EC2OSP(C_1) || FE2OSP(B) || ID, klen). In that case C_1 = r·(M·Q_1 + R_1) and B = e(R_1, Q_2)^r, which is exactly the SM9-IBE key encapsulation.
The computation of X contains a multi-term point-multiplication sum (a multi-scalar multiplication), which can preferably be accelerated as follows:
divide the terms of the sum into at least two groups, and evaluate each group with a multi-exponentiation algorithm to obtain its partial sum;
add the partial sums of the at least two groups to obtain the result of the multi-scalar multiplication.
For example, to compute X = cf_0·Q_1 + cf_1·R_1 + ... + cf_t·R_t, starting from the first term every 6 adjacent point multiplications form one group, giving n + 1 groups in total: cf_0·Q_1 + cf_1·R_1 + ... + cf_5·R_5; cf_6·R_6 + ... + cf_11·R_11; ...; cf_{6n}·R_{6n} + ... + cf_t·R_t. The partial sums of the n + 1 groups are then added to obtain the final result X, which lowers the computational cost and increases speed.
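The grouping above, as an added worked example written for this page (not code from the patent or from any SM9 implementation). The curve y^2 = x^3 + 7 over F_p with p = 2^31 - 1, the generator Q_1, the master scalar s = 7, the group size 6 and the scalar values cf_k are all constructed toy parameters (SM9 uses a 256-bit BN curve, and its scalars are reduced modulo the group order, which this toy does not compute, so scalars are left unreduced). Each group of up to 6 terms is evaluated with one interleaved double-and-add chain (the Straus/Shamir multi-exponentiation) and the partial sums are added; the result is checked against a naive term-by-term evaluation and against (Σ_k cf_k·s^k)·Q_1, which is what X = cf_0·Q_1 + Σ_k cf_k·R_k must equal when R_k = s^k·Q_1.

```python
# Toy short Weierstrass curve y^2 = x^3 + 7 over F_p, p = 2^31 - 1 (assumed toy
# parameters; SM9 uses a 256-bit BN curve). Points are (x, y); None is infinity.
P, A, B = 2**31 - 1, 0, 7

def ec_neg(pt):
    return None if pt is None else (pt[0], -pt[1] % P)

def ec_add(p1, p2):                      # affine addition, handles doubling and inverses
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0: return None                # p1 == -p2
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P  # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):                       # plain left-to-right double-and-add
    acc = None
    for bit in range(k.bit_length() - 1, -1, -1):
        acc = ec_add(acc, acc)
        if (k >> bit) & 1: acc = ec_add(acc, pt)
    return acc

def find_generator():                    # first x with x^3 + 7 a square; p = 3 mod 4
    x = 1
    while pow(x**3 + A * x + B, (P - 1) // 2, P) != 1: x += 1
    return (x, pow(x**3 + A * x + B, (P + 1) // 4, P))

def msm_naive(scalars, points):          # sum_k cf_k * P_k, one scalar multiplication per term
    acc = None
    for k, pt in zip(scalars, points): acc = ec_add(acc, ec_mul(k, pt))
    return acc

def msm_straus(scalars, points):
    """Straus/Shamir simultaneous multiplication: one shared doubling chain and
    one addition per term per set bit, instead of a full chain per term."""
    acc = None
    for bit in range(max(k.bit_length() for k in scalars) - 1, -1, -1):
        acc = ec_add(acc, acc)
        for k, pt in zip(scalars, points):
            if (k >> bit) & 1: acc = ec_add(acc, pt)
    return acc

def msm_grouped(scalars, points, group=6):
    """The page's grouping: adjacent terms in groups of `group`, each group by
    multi-exponentiation, the partial sums added at the end."""
    acc = None
    for i in range(0, len(scalars), group):
        acc = ec_add(acc, msm_straus(scalars[i:i + group], points[i:i + group]))
    return acc

def encapsulation_point(Q1, R, cf):      # X = cf0*Q1 + cf1*R1 + ... + cft*Rt
    return msm_grouped(cf, [Q1] + R[:len(cf) - 1])

def demo(t=13, s=7):
    Q1 = find_generator()
    R = [ec_mul(s**k, Q1) for k in range(1, t + 1)]           # mpk part: R_k = s^k Q1
    cf = [(1000003 * k + 12345) % P for k in range(t + 1)]     # constructed scalars cf_0..cf_t
    X = encapsulation_point(Q1, R, cf)                         # 14 terms -> groups of 6, 6, 2
    poly_at_s = sum(c * s**k for k, c in enumerate(cf))        # sum_k cf_k s^k, unreduced
    return X == msm_naive(cf, [Q1] + R) == ec_mul(poly_at_s, Q1)
```

The saving comes from the shared doubling chain: a group of 6 terms with b-bit scalars costs about b doublings plus at most 6b additions, against 6b doublings plus 6b additions when each term is multiplied separately. In a real implementation the scalars are first reduced modulo the group order p and the groups are usually combined with windowing, but the grouping itself is exactly what the page describes.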
DEM.Enc takes the session key K, the label L and the plaintext Msg as input and outputs the data encapsulation ciphertext CT_DEM. The concrete steps are:
parse K as K = K_1 || K_2 with BITS(K_1) = BITS(Msg), i.e. the byte string K_1 has the same bit length as the byte string Msg;
C_2 = Msg ⊕ K_1 (the XOR-based data encapsulation of SM9; this C_2 is the data-encapsulation ciphertext and is a different value from the KEM component C_2 above);
C_3 = H(C_2 || K_2);
CT_DEM = C_3 || C_2.
It should be noted that the data encapsulation mechanism DEM.Enc may also generate CT_DEM using the block cipher mode specified in the SM9 encryption algorithm standard.
In step S04, the sending end generates the ciphertext CT from CT_KEM and CT_DEM.
The ciphertext CT is generated by concatenation: CT = CT_KEM || CT_DEM.
When the number of receiving ends is greater than 1 and at most u, the length of the ciphertext CT remains unchanged, because CT_KEM always consists of the two group elements C_1 and C_2 regardless of the number t of receiving ends.
In one embodiment, the broadcast encryption method further comprises:
the receiving end receives the ciphertext CT and parses it with its identification private key sk_ID, the identification set ID, the label L and params to recover the plaintext Msg. The concrete procedure is:
parse CT as CT = CT_KEM || CT_DEM; if parsing fails, output an error and stop;
otherwise compute K = KEM.Dec(params, mpk, ID, sk_ID, CT_KEM);
then, with the K so obtained, compute Msg = DEM.Dec(K, L, CT_DEM).
KEM.Dec is the session key decapsulation mechanism; its concrete steps are:
parse CT_KEM to obtain (C_1, C_2) = OS2ECP(CT_KEM);
check whether C_1 ∈ G_1 and C_2 ∈ G_2;
if not, output an error and stop;
otherwise compute B_1 = e(C_1, sk_ID);
let ID_i be the decrypting party; compute PL as follows: first compute the coefficients (cf'_0, cf'_1, ..., cf'_{t-1}), lowest-degree term first, of the polynomial ∏_{j≠i} (x + M_j), then compute PL = cf'_1·Q_1 + cf'_2·R_1 + ... + cf'_{t-1}·R_{t-2};
compute M_i = H_1(ID_i || 0x03, p) and cf_0 = cf'_0·M_i;
B_2 = e(PL, C_2);
B = (B_1·B_2)^{cf'_0^{-1}}. (This recovers the sender's B = J^r: with P_i(s) = ∏_{j≠i} (s + M_j), bilinearity gives B_1 = J^{r·P_i(s)} and, since PL = ((P_i(s) - cf'_0)/s)·Q_1 and C_2 = -r·s^2·Q_2, B_2 = J^{-r·(P_i(s) - cf'_0)}, so B_1·B_2 = J^{r·cf'_0}.)
K = KDF(EC2OSP(C_1) || EC2OSP(C_2) || FE2OSP(B) || I2OSP(cf_0), klen), where klen is the bit length required for the session key.
When u = 1, compute B_1 = e(C_1, sk_ID), set B = B_1, and K = KDF(EC2OSP(C_1) || FE2OSP(B) || ID, klen).
The computation of PL above also contains a multi-term point-multiplication sum; it can be computed with the same grouping used for X in step S301 to reduce the computational cost and increase speed, which is not repeated here.
DEM.Dec is the data decapsulation mechanism; its concrete steps are:
parse CT_DEM to obtain CT_DEM = C_3 || C_2;
parse K to obtain K = K_1 || K_2 with BITS(K_1) = BITS(C_2);
compute C'_3 = H(C_2 || K_2) from K_2 and C_2;
check whether C'_3 equals C_3; if not, output an error and stop;
otherwise the receiving end recovers the plaintext Msg = C_2 ⊕ K_1.
The broadcast encryption method of this embodiment was compared with the SM9-IBE algorithm in terms of computation overhead and ciphertext expansion; the conclusion is as follows:
In the embodiment provided by the invention, the key generation center generates params, s and mpk according to the SM9 algorithm and then generates sk_ID from the identification ID_b of any receiving end; the sending end uses a session key encapsulation mechanism and a data encapsulation mechanism to produce CT_KEM and CT_DEM and finally concatenates them into the ciphertext. Encryption security is preserved and the ciphertext length does not grow with the number of receiving ends, so the computation overhead is reduced; at the same time the scheme is fully compatible with the SM9 algorithm, so existing SM9 facilities (key generation, data encapsulation and so on) are reused and hardware cost is reduced.
It should be noted that, for simplicity of description, the method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present invention is not limited by the illustrated order of acts, as some steps may occur in other orders or concurrently in accordance with the embodiments of the present invention. Further, those skilled in the art will appreciate that the embodiments described in the specification are presently preferred and that no particular act is required to implement the invention.
Referring to fig. 5, a block diagram of a broadcast encryption apparatus according to an embodiment of the present invention is shown; it may comprise the following modules:
a first generation module 100, located at the key generation center, for generating system parameters params, a master key s and a master public key mpk according to the SM9 algorithm and publishing params and mpk;
a second generation module 200, located at the key generation center, for generating an identification private key sk_ID from params, s, mpk and the identification ID_b of any receiving end, and sending sk_ID to the corresponding receiving end;
a third generation module 300, located at the sending end, for generating a session key encapsulation ciphertext CT_KEM and a data encapsulation ciphertext CT_DEM from params, mpk, the identification set ID of the receiving ends, the label L and the plaintext Msg, where the identification set ID is the set of identifications of all receiving ends;
a fourth generation module 400, located at the sending end, for generating the ciphertext CT from CT_KEM and CT_DEM.
As for the first generation module 100, it generates params, s and mpk according to the SM9 algorithm and publishes params and mpk. The key generation center is a trusted authority responsible for generating params, s and mpk. Both the sending end and the receiving end can obtain params and mpk; the master key s is kept only at the key generation center. params, s and mpk are generated according to the SM9 algorithm to achieve full compatibility with SM9.
Referring to fig. 6, the first generating module 100 includes the following sub-modules:
an obtaining submodule 101, configured to obtain the maximum number u of receiving ends for one broadcast encryption;
a selection submodule 102, configured to select three groups $G_1$, $G_2$, $G_3$ and a bilinear pairing $e: G_1 \times G_2 \to G_3$, where $G_1$, $G_2$ and $G_3$ all have prime order $p$;
a first random selection submodule 103, configured to randomly select a generator $Q_1$ of the group $G_1$ and a generator $Q_2$ of the group $G_2$;
a second random selection submodule 104, configured to randomly generate a master key $s$ and compute $R_1 = sQ_1, \ldots, R_u = s^u Q_1$ and $W = s^2 Q_2$; when $u = 1$, $W$ is not computed;
a pre-calculation submodule 105, configured to precompute $J = e(R_1, Q_2)$;
a first generation submodule 106, configured to generate the system parameter $params = \langle Q_1, Q_2, G_1, G_2, G_3, e, p \rangle$, the master key $msk = s$ and the master public key $mpk = (R_1, \ldots, R_u, J, W)$.
As for the second generating module 200, it is configured to generate an identification private key sk_ID according to the system parameter params, the master key s, the master public key mpk and the identification ID_b of any receiving end, and to send the identification private key sk_ID to the corresponding receiving end; a unique receiving end is determined by its identification ID_b.
Referring to fig. 7, the second generation module 200 includes the following sub-modules:
a derivation submodule 201, configured to derive $M = H_1(ID_b \,\|\, \mathtt{0x03},\, p)$ according to the function $H_1$ specified in the SM9 standard;
a judgment submodule 202, configured to judge whether $M + s \equiv 0 \pmod p$; if so, output "error" and stop; otherwise compute $t = (M + s)^{-1} s \bmod p$;
an identification key generation submodule 203, configured to compute $sk_{ID} = tQ_2$.
In order to ensure that the identification private key sk_ID can be verified, a verification module is provided, comprising:
a verification derivation submodule, which derives $M = H_1(ID_b \,\|\, \mathtt{0x03},\, p)$ according to the function $H_1$ specified in the SM9 standard;
a verification computation submodule, which computes $T = e(MQ_1 + R_1, sk_{ID})$;
a verification judgment submodule, which outputs "valid" if $T = J$ and "invalid" otherwise.
As for the third generating module 300, it is configured to generate a session key encapsulation ciphertext CT_KEM and a data encapsulation ciphertext CT_DEM according to the system parameter params, the master public key mpk, the identification set ID of the receiving ends, the label L and the plaintext Msg; the identification set ID of the receiving ends is the set of the identifications of all receiving ends; the plaintext Msg is the plaintext information to be sent by the sending end, and the session key encapsulation ciphertext CT_KEM is the encapsulated ciphertext of the session key K used for encryption and decryption.
Referring to fig. 8, the third generating module 300 includes the following sub-modules:
a session key encapsulation submodule 301, configured to generate a session key K and a session key encapsulation ciphertext CT_KEM by a session key encapsulation mechanism KEM.Enc according to the system parameter params, the master public key mpk and the identification set ID of the receiving ends; the session key encapsulation ciphertext CT_KEM is sent to the receiving ends.
a data encapsulation submodule 302, configured to generate a data encapsulation ciphertext CT_DEM by a data encapsulation mechanism DEM.Enc.
KEM.Enc takes the identification set $ID = (ID_1, \ldots, ID_t)$ of the receiving ends, where $t \le u$, the master public key mpk and the system parameter params as input, and outputs $\langle K, CT_{KEM} \rangle$, i.e. the session key K and the session key encapsulation ciphertext CT_KEM.
The session key encapsulation submodule 301 comprises a dot-product-sum first submodule and a dot-product-sum second submodule, which together perform a plurality of dot-product-sum calculations (sums of scalar multiples of group points). Specifically, the dot-product-sum first submodule divides the required dot-product-sum calculation into a plurality of independent parts, each part being computed with a multi-exponentiation algorithm; the dot-product-sum second submodule sums the results of all the independent parts of the first submodule to obtain the result of the dot-product-sum calculation.
DEM.Enc takes the session key K, the label L and the plaintext Msg as input, and outputs the data encapsulation ciphertext CT_DEM.
The fourth generating module 400 is configured to generate the ciphertext CT according to the session key encapsulation ciphertext CT_KEM and the data encapsulation ciphertext CT_DEM. The fourth generating module 400 comprises the following submodule:
an encryption submodule, configured to concatenate the session key encapsulation ciphertext CT_KEM and the data encapsulation ciphertext CT_DEM to generate the ciphertext CT.
When the number of receiving ends is greater than 1 and not more than u, the length of the ciphertext CT remains unchanged.
In one embodiment, the broadcast encryption apparatus further includes:
a decryption module located at the receiving end, configured to receive the ciphertext CT and to parse the ciphertext CT according to the corresponding identification private key sk_ID, the identification set ID, the label L and the system parameter params so as to generate the plaintext Msg.
The decryption module comprises a dot-product-sum first submodule and a dot-product-sum second submodule, which together perform a plurality of dot-product-sum calculations.
Since the device embodiment is basically similar to the method embodiment, its description is brief; for the relevant points, refer to the corresponding description of the method embodiment.
The broadcast encryption method and the broadcast encryption device provided by the invention are described in detail, and the principle and the implementation mode of the invention are explained by applying specific examples, and the description of the embodiments is only used for helping to understand the method and the core idea of the invention; meanwhile, for a person skilled in the art, according to the idea of the present invention, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present invention.
Claims (13)
1. A broadcast encryption method, comprising:
the key generation center generates a system parameter params, a master key s and a master public key mpk according to the SM9 algorithm, and discloses the system parameter params and the master public key mpk;
the key generation center generates an identification private key sk_ID according to the system parameter params, the master key s, the master public key mpk and the identification ID_b of any receiving end, and sends the identification private key sk_ID to the corresponding receiving end;
the sending end generates a session key encapsulation ciphertext CT_KEM and a data encapsulation ciphertext CT_DEM according to the system parameter params, the master public key mpk, the identification set ID of the receiving ends, the label L and the plaintext Msg;
the sending end generates the ciphertext CT according to the session key encapsulation ciphertext CT_KEM and the data encapsulation ciphertext CT_DEM.
2. The method according to claim 1, wherein the step of the key generation center generating the system parameters params, the master key s and the master public key mpk according to the SM9 algorithm comprises:
the key generation center obtains the maximum number u of receiving ends for one broadcast encryption;
selects three groups $G_1$, $G_2$, $G_3$ and a bilinear pairing $e: G_1 \times G_2 \to G_3$, where $G_1$, $G_2$ and $G_3$ all have prime order $p$;
randomly selects a generator $Q_1$ of the group $G_1$ and a generator $Q_2$ of the group $G_2$;
randomly generates a master key $s$ and computes $R_1 = sQ_1, \ldots, R_u = s^u Q_1$ and $W = s^2 Q_2$, where $W$ is not computed when $u = 1$;
precomputes $J = e(R_1, Q_2)$;
generates the system parameter $params = \langle Q_1, Q_2, G_1, G_2, G_3, e, p \rangle$, the master key $msk = s$ and the master public key $mpk = (R_1, \ldots, R_u, J, W)$.
3. The method according to claim 1, wherein the step of the key generation center generating an identification private key sk_ID according to the system parameter params, the master key s, the master public key mpk and the identification ID_b of any receiving end comprises:
the key generation center derives $M = H_1(ID_b \,\|\, \mathtt{0x03},\, p)$ according to the function $H_1$ specified in the SM9 standard;
judges whether $M + s \equiv 0 \pmod p$, and if so, outputs "error" and stops;
otherwise computes $t = (M + s)^{-1} s \bmod p$;
computes $sk_{ID} = tQ_2$ from $t$.
4. The method according to claim 1, wherein the step of the sending end generating a session key encapsulation ciphertext CT_KEM and a data encapsulation ciphertext CT_DEM according to the system parameter params, the master public key mpk, the identification set ID of the receiving ends, the label L and the plaintext Msg comprises:
the sending end generates a session key K and a session key encapsulation ciphertext CT_KEM by a session key encapsulation mechanism KEM.Enc according to the system parameter params, the master public key mpk and the identification set ID of the receiving ends;
and the sending end generates a data encapsulation ciphertext CT_DEM by a data encapsulation mechanism DEM.
5. The method according to claim 4, wherein the step of the sending end generating the ciphertext CT according to the session key encapsulation ciphertext CT_KEM and the data encapsulation ciphertext CT_DEM comprises:
the sending end concatenates the session key encapsulation ciphertext CT_KEM and the data encapsulation ciphertext CT_DEM to generate the ciphertext CT.
6. The method of claim 1, further comprising:
the receiving end receives the ciphertext CT and parses the ciphertext CT according to the corresponding identification private key sk_ID, the identification set ID, the label L and the system parameter params to generate the plaintext Msg.
7. The method according to claim 4 or claim 6, wherein the step of generating the session key K and the session key encapsulation ciphertext CT_KEM and the step of generating the plaintext Msg each comprise a plurality of dot-product-sum calculations, and the plurality of dot-product-sum calculations comprise:
dividing the plurality of dot-product-sum calculations into at least two groups, each group being computed with a multi-exponentiation algorithm to obtain corresponding dot-product-sum data;
and summing the dot-product-sum data of the at least two groups to obtain the results of the plurality of dot-product-sum calculations.
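The grouped dot-product-sum of claim 7 and of submodule 301 in the device description, as an added example that is not the patent's code. A constructed toy curve y^2 = x^3 + 2x + 2 over F_17 with generator G = (5, 1) of order 19 stands in for the SM9 curve groups; the multi-exponentiation algorithm used for each group is Straus's simultaneous double-and-add (my choice, since the patent does not name one), and the per-group results are then added.

```python
# Added example, not the patent's code. Claim 7: a sum a_1*P_1 + ... + a_n*P_n of
# scalar multiples of group points is split into independent groups, each group is
# computed with one multi-exponentiation (Straus's method, my choice), and the
# partial results are added. A constructed toy curve replaces the SM9 curve groups:
# y^2 = x^3 + 2x + 2 over F_17, generator G = (5, 1) of order 19.
P_MOD, A_COEF, B_COEF = 17, 2, 2
G = (5, 1)
ORDER = 19
INF = None  # point at infinity (group identity)

def ec_add(P, Q):
    """Affine point addition on the toy curve; handles identity, doubling and P + (-P)."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    if P == Q:
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)

def ec_mul(k, P):
    """Plain left-to-right double-and-add: k * P."""
    R = INF
    for bit in bin(k)[2:]:
        R = ec_add(R, R)
        if bit == "1":
            R = ec_add(R, P)
    return R

def msm_straus(scalars, points):
    """One multi-exponentiation: doublings are shared, one addition per set scalar bit."""
    R = INF
    for i in range(max(scalars).bit_length() - 1, -1, -1):
        R = ec_add(R, R)
        for k, P in zip(scalars, points):
            if (k >> i) & 1:
                R = ec_add(R, P)
    return R

def msm_grouped(scalars, points, groups):
    """First submodule: split the terms into `groups` independent parts and run a
    multi-exponentiation on each (they could run on separate cores).
    Second submodule: add the partial results."""
    n = len(scalars)
    size = -(-n // groups)  # ceiling division
    partials = [msm_straus(scalars[i:i + size], points[i:i + size])
                for i in range(0, n, size)]
    total = INF
    for part in partials:
        total = ec_add(total, part)
    return total

# Constructed sample input: points P_i = k_i * G and scalars a_i.
KS = [1, 2, 3, 5, 7, 11]
SCALARS = [4, 9, 13, 6, 2, 17]
POINTS = [ec_mul(k, G) for k in KS]

def expected_sum():
    """Independent check: since P_i = k_i G, the sum equals (sum a_i k_i mod 19) * G."""
    return ec_mul(sum(a * k for a, k in zip(SCALARS, KS)) % ORDER, G)
```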
8. A broadcast encryption apparatus, comprising:
a first generating module located at the key generation center, configured to generate a system parameter params, a master key s and a master public key mpk according to the SM9 algorithm, and to disclose the system parameter params and the master public key mpk;
a second generating module located at the key generation center, configured to generate an identification private key sk_ID according to the system parameter params, the master key s, the master public key mpk and the identification ID_b of any receiving end, and to send the identification private key sk_ID to the corresponding receiving end;
a third generating module located at the sending end, configured to generate a session key encapsulation ciphertext CT_KEM and a data encapsulation ciphertext CT_DEM according to the system parameter params, the master public key mpk, the identification set ID of the receiving ends, the label L and the plaintext Msg;
a fourth generating module located at the sending end, configured to generate the ciphertext CT according to the session key encapsulation ciphertext CT_KEM and the data encapsulation ciphertext CT_DEM.
9. The apparatus of claim 8, wherein the first generating module comprises:
an obtaining submodule, configured to obtain the maximum number u of receiving ends for one broadcast encryption;
a selection submodule, configured to select three groups $G_1$, $G_2$, $G_3$ and a bilinear pairing $e: G_1 \times G_2 \to G_3$, where $G_1$, $G_2$ and $G_3$ all have prime order $p$;
a first random selection submodule, configured to randomly select a generator $Q_1$ of the group $G_1$ and a generator $Q_2$ of the group $G_2$;
a second random selection submodule, configured to randomly generate a master key $s$ and compute $R_1 = sQ_1, \ldots, R_u = s^u Q_1$ and $W = s^2 Q_2$, where $W$ is not computed when $u = 1$;
a pre-calculation submodule, configured to precompute $J = e(R_1, Q_2)$;
a first generation submodule, configured to generate the system parameter $params = \langle Q_1, Q_2, G_1, G_2, G_3, e, p \rangle$, the master key $msk = s$ and the master public key $mpk = (R_1, \ldots, R_u, J, W)$.
10. The apparatus of claim 8, wherein the second generating module comprises:
a derivation submodule, configured to derive $M = H_1(ID_b \,\|\, \mathtt{0x03},\, p)$ according to the function $H_1$ specified in the SM9 standard;
a judgment submodule, configured to judge whether $M + s \equiv 0 \pmod p$; if so, output "error" and stop; otherwise compute $t = (M + s)^{-1} s \bmod p$;
an identification key generation submodule, configured to compute $sk_{ID} = tQ_2$ from $t$.
11. The apparatus of claim 8, wherein the third generating module comprises:
a session key encapsulation submodule, configured to generate a session key K and a session key encapsulation ciphertext CT_KEM by a session key encapsulation mechanism KEM;
a data encapsulation submodule, configured to generate a data encapsulation ciphertext CT_DEM by a data encapsulation mechanism DEM.
12. The apparatus of claim 11, wherein the fourth generating module comprises:
an encryption submodule, configured to concatenate the session key encapsulation ciphertext CT_KEM and the data encapsulation ciphertext CT_DEM to generate the ciphertext CT.
13. The apparatus of claim 8, further comprising:
a decryption module located at the receiving end, configured to receive the ciphertext CT and to parse the ciphertext CT according to the corresponding identification private key sk_ID, the identification set ID, the label L and the system parameter params so as to generate the plaintext Msg.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910181445.7A CN110677238B (en) | 2019-03-11 | 2019-03-11 | Broadcast encryption method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110677238A true CN110677238A (en) | 2020-01-10 |
CN110677238B CN110677238B (en) | 2022-08-05 |
Family
ID=69068560
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910181445.7A Active CN110677238B (en) | 2019-03-11 | 2019-03-11 | Broadcast encryption method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110677238B (en) |
Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101170404A (en) * | 2006-10-24 | 2008-04-30 | 华为技术有限公司 | Method for secret key configuration based on specified group |
WO2010076899A1 (en) * | 2009-01-05 | 2010-07-08 | 日本電気株式会社 | Broadcast encryption system, sender apparatus, user apparatus, encapsulation/decapsulation method |
CN103095710A (en) * | 2013-01-17 | 2013-05-08 | 北京交通大学 | Broadcast encryption transmission method in network based on identification and centering on contents |
CN103986574A (en) * | 2014-05-16 | 2014-08-13 | 北京航空航天大学 | Hierarchical identity-based broadcast encryption method |
CN105049207A (en) * | 2015-05-11 | 2015-11-11 | 电子科技大学 | ID-based broadcast encryption scheme containing customized information |
CN106992871A (en) * | 2017-04-01 | 2017-07-28 | 中国人民武装警察部队工程大学 | A broadcast encryption method for multiple groups |
CN107070874A (en) * | 2017-01-23 | 2017-08-18 | 济南浪潮高新科技投资发展有限公司 | System, encryption method and device, decryption method and device for broadcast communication |
CN107317675A (en) * | 2017-04-01 | 2017-11-03 | 中国人民武装警察部队工程大学 | A broadcast encryption method capable of transmitting personal information |
CN109039611A (en) * | 2018-08-31 | 2018-12-18 | 北京海泰方圆科技股份有限公司 | Decryption key splitting and decryption method, device and medium based on the SM9 algorithm |
Non-Patent Citations (3)
Title |
---|
杨坤伟 et al.: "A new identity-based anonymous encryption", 《计算机应用与软件》 (Computer Applications and Software) * |
王庆滨 et al.: "A broadcast encryption scheme with fixed public key and private key length", 《通信学报》 (Journal on Communications) * |
陈宇 et al.: "Identity-based hierarchical encryption scheme in the standard model", 《计算机技术与发展》 (Computer Technology and Development) * |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114301585A (en) * | 2021-11-17 | 2022-04-08 | 北京智芯微电子科技有限公司 | Using method, generating method and management system of identification private key |
CN114301585B (en) * | 2021-11-17 | 2024-01-05 | 北京智芯微电子科技有限公司 | Identification private key using method, generation method and management system |
CN114826611A (en) * | 2022-04-14 | 2022-07-29 | 扬州大学 | IND-sID-CCA2 security identifier broadcast encryption method based on SM9 |
CN114826611B (en) * | 2022-04-14 | 2023-10-20 | 扬州大学 | IND-sID-CCA2 security identification broadcast encryption method based on SM9 of national cipher |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||