CN113067702B - Identity-based encryption method supporting ciphertext equivalence test function - Google Patents

Abstract

The invention discloses an identity base encryption method supporting an equivalence test function, which mainly solves the problem that the identity base encryption efficiency supporting the equivalence test function under a standard model in the prior art is low. The implementation scheme is as follows: the key generation center generates a master key according to the security parameters, and generates a private key and an authorization trapdoor of a user according to the master key and the public key; the user sends the authorization trapdoor to a designated server through a secret channel; a user encrypts a plaintext message and a hash value thereof in parallel; the decryptor inputs the ciphertext and the private key, and decrypts the ciphertext to obtain a plaintext; the server takes the authorized trapdoors and the ciphertext of the two users as input to perform equivalence test; and the server returns a test result to the user, if the test result is 1, the plaintext of the two users is equal, otherwise, the plaintext is not equal. Compared with an identity-based encryption scheme supporting an equivalent test function under a standard model, the identity-based encryption method is higher in computing efficiency and more outstanding in performance, and can be applied to cloud storage and dense data retrieval of big data.

Description

Identity-based encryption method supporting ciphertext equivalence test function

Technical Field

The invention belongs to the technical field of information security, and particularly relates to an identity-based encryption method supporting a ciphertext equivalence test function, which can be applied to cloud storage and ciphertext data retrieval of big data.

Background

As cloud computing technology is widely used, more and more private data is uploaded to the cloud server. However, there are still some careless mistakes in the protection of the privacy and data information of the user by the cloud server. In recent years, news in which private data stored in a cloud server by a user is leaked is frequently seen. For example, in 11 months in 2018, information announced by the luxury company that 5 hundred million tenants in a hotel wedding room under flag was leaked; in the same year and 12 months, 3 million unknown user data of the social platform are sold in the darknet, and the like. The leakage of the private data of the user may cause a great risk to the user. Accordingly, cryptographic techniques for achieving user privacy data protection in cloud computing environments are beginning to be widely studied. Generally, a user encrypts private data and uploads the encrypted data to a server, but data management in a ciphertext state in the server becomes a new problem, namely, the original characteristics and structure of the data are lost after encryption, so that various operations on a plaintext are difficult to perform on a ciphertext. For example, if a user wants to perform query operation on data in a ciphertext state, all data must be downloaded, decrypted and then queried, which greatly increases the calculation and transmission overhead and thus is very inefficient. To this end, a ciphertext equivalence test encryption technique is proposed to solve this problem.

The cipher text equivalence test encryption technology is used for solving the matching problem of different public key encryption data, namely a tester can judge whether two sections of cipher texts encrypted by different public keys contain the same message on the premise of not decrypting the cipher texts. The ciphertext equivalence testing technology has very wide application prospects, such as classification of encrypted data according to tags, filtering and archiving of e-mails, and matching and searching of patients with the same disease in an electronic medical system.

However, most of the existing identity-based encryption schemes supporting the ciphertext equivalence test function are provably safe under a random language prediction model. The random oracle model is an important concept of a provable security theory, and refers to a cryptography tool of using a random oracle in security certification of a cryptographic scheme. The random prediction machine is a hash function which determines, discloses and outputs random uniformity. In the implementation process of the scheme, only a real hash function can be used for replacing the random prediction machine, so that an adversary can possibly attack by using the defects of the real hash function. The proof model without the use of a random oracle is called the standard model. Under the standard model, the security of the scheme only depends on the standard properties of the hash function, such as collision resistance, and the adversary is limited only by time and computing power without other assumptions. A higher level of security can be demonstrated for a secure cryptographic scheme under the standard model.

Lee et al, in 2016, in the paper "Public Key Encryption with authentication Test in the Standard Model" (2016/1182,2016, cryptographic equivalent garment archive), disclose an identity based Encryption method supporting ciphertext equivalence Test functions under a Standard Model. Firstly, generating a master key according to security parameters, and then generating a private key for a user according to the master key and a user public key; encrypting the plaintext message by the user to obtain a ciphertext, and generating an authorization trapdoor according to the private key; and sending the authorized trapdoor to a designated server through a secret channel; and the server performs equivalence test on the ciphertext according to the authorization modes specified by different users and returns a test result to the user. The scheme has low efficiency and no practicability due to the application of the complex three-layer identity-based encryption and the strong one-time signature technology which can not be forged.

Disclosure of Invention

The invention aims to provide an identity base encryption method supporting the equivalence test function aiming at the defects of the prior art so as to improve the efficiency of identity base encryption supporting the equivalence test function under a standard model.

In order to achieve the purpose, the technical scheme adopted by the invention is as follows:

(1) initializing a system:

(1a) inputting a security parameter λ, and giving a bilinear map e:

let g be

Is given as e (g, g) is

A generator ofIn (1),

is a group of multiplication cycles of the order of a prime number p,

a multiplication loop group of order prime p;

(1b) the key generation center KGC selects two cryptographic hash functions H₁:

H:

And is arranged at

Randomly selecting 5 different master key generation stage parameters alpha and beta₁,β₂,β₃,β₄Wherein, 0,1^*Representing a bit string of arbitrary length,

represents the set 0,1, …, p-1;

(1c) and the key generation center calculates and outputs a system master key MSK and a system public parameter PP according to the selected hash function and the random parameter:

MSK＝(α,β₁,β₂,β₃,β₄)

wherein, g₁＝g^α,

(2) And (3) generating a user private key:

(2a) entering a user identity identifier

A system master key MSK and a system public parameter PP;

(2b) KGC is in

Randomly selecting 4 different user private key generation stage parameters r₁,r₂,r₃,r₄And calculates the user private key d_ID：

(3) Authorized trapdoor extraction:

user generated authorization trapdoor td ═ (d)₇,d₈) And sending the authorized trapdoor to a designated server through a secret channel;

(4) encryption:

(4a) inputting a plaintext message

A user identity identifier ID and a public parameter PP;

(4b) the user is at

And randomly selecting a parameter s, and calculating a ciphertext CT:

CT＝(C₁,C₂,C₃,C₄,C₅)＝((g1g^-ID)^s,e(g,g)^s,e(h₃,g)^s·m,e(h₄,g)^s·H(m),e(h₁,g)^se(h₂,g)^sw)

wherein w ═ H₁(C₁,C₂,C₃,C₄)；

(4c) The user uploads the ciphertext CT to the cloud server;

(5) and (3) decryption:

(5a) inputting the ciphertext CT corresponding to the ID and the user private key d_IDAnd system common parameters PP, solutionThe secret is calculated as w ═ H₁(C₁,C₂,C₃,C₄)；

(5b) And (3) verification:

if true, two intermediate results are computed:

and

if H (m ') -H ', outputting correct plaintext m (═ m '), otherwise, failing to decrypt;

(6) and (3) testing:

(6a) let the plaintext message of user i be m_iUser j plaintext message is m_jRespectively inputting ciphertext CT of user i_iAuthorized trapdoor td_iAnd ciphertext CT of user j_jAuthorized trapdoor td_j；

(6b) According to the ciphertext and the trapdoor given in the step (6a), the server calculates the hash value H (m) of the plaintext message of the user i_i) And hash value H (m) of user j's plaintext message_j) And judging whether the two are equal:

if H (m)_i)＝H(m_j) If so, outputting 1 to indicate that the plaintext messages of the user i and the user j are equal, and establishing contact between the user i and the user j through the cloud server;

otherwise, outputting 0, indicating that the plaintext messages of the user i and the user j are not equal, and the cloud server re-executes the test algorithm to match other users with the plaintext messages equal to those of the respective users.

Compared with the prior art, the invention has the following advantages:

1) according to the invention, as the ciphertext is constructed by encrypting the plaintext and the hash value thereof in parallel, the cloud server obtains the hash values of the plaintext of two users by the calculation of the authorization trap door, and realizes the equivalent test function by judging whether the plaintext and the hash value are equal or not;

2) compared with the scheme of Lee and the like, the invention has the advantages that as fewer public parameters are selected, the key and the ciphertext size are shorter, and the communication overhead is reduced; secondly, the statistics of the operation times involved in the encryption algorithm, the decryption algorithm and the test algorithm in the invention shows that compared with the scheme of Lee et al, the calculation efficiencies of the encryption algorithm, the decryption algorithm and the test algorithm in the invention are respectively improved by 60%, 70% and 65%.

Drawings

FIG. 1 is a flow chart of an implementation of the present invention.

Detailed Description

Embodiments of the invention are described in further detail below with reference to the accompanying drawings:

referring to fig. 1, the identity-based encryption method supporting the ciphertext equivalence test function in this embodiment includes the following steps:

step 1, system initialization.

(1.1) inputting a security parameter lambda, and giving a bilinear mapping e:

let g be

Is given as e (g, g) is

A generator of (a), wherein,

is a group of multiplication cycles of the order of a prime number p,

a multiplication loop group of order prime p;

(1.2) selecting two cryptographic hash functions H by the key generation center KGC₁:

H:

And is arranged at

Randomly selecting 5 different master key generation stage parameters alpha and beta₁,β₂,β₃,β₄Wherein, 0,1^*Representing a bit string of arbitrary length,

represents the set 0,1, …, p-1;

(1.3) the key generation center calculates and outputs a system master key MSK and a system public parameter PP according to the selected hash function and the random parameter:

MSK＝(α,β₁,β₂,β₃,β₄)

wherein, g₁＝g^α,

And 2, generating a user private key.

(2.1) entering a user identity identifier

A system master key MSK and a system public parameter PP;

(2.2) KGC in

Randomly selecting 4 different user private key generation stage parameters r₁,r₂,r₃,r₄And calculates the user private key d_ID：

Wherein d is₁To d₈Represents 8 parts of the user's private key, namely:

d₁＝r₁，

d₃＝r₂，

d₅＝r₃，

d₇＝r₄，

and 3, authorizing trap door extraction.

Inputting a user private key d_ID＝(d₁,d₂,d₃,d₄,d₅,d₆,d₇,d₈) The user extracts the seventh and eighth parts from the private key as authorization trapdoors: td is (d)₇,d₈) And sends the authorization trapdoor td to the designated server through the secret channel.

And 4, encrypting the plaintext message by the user.

(4.1) input plaintext message

A user identity identifier ID and a public parameter PP;

(4.2) the user is at

And randomly selecting a parameter s, and calculating a ciphertext CT:

CT＝(C₁,C₂,C₃,C₄,C₅)＝((g1g^-ID)^s,e(g,g)^s,e(h₃,g)^s·m,e(h₄,g)^s·H(m),e(h₁,g)^se(h₂,g)^sw) Wherein, C₁To C₅Represents 5 parts of the ciphertext, namely:

C₁＝(g₁g^-ID)^s

C₂＝e(g,g)^s

C₃＝e(h₃,g)^s·m

C₄＝e(h₄,g)^s·H(m)

C₅＝e(h₁,g)^se(h₂,g)^sw，w＝H₁(C₁,C₂,C₃,C₄)；

and (4.3) uploading the ciphertext CT to a cloud server by the user.

And 5, the decryptor decrypts the ciphertext.

(5.1) inputting the ciphertext CT and the user private key d_IDAnd system common parameters PP, the decryptor first calculates C₁To C₄Hash value of (2): w ═ H₁(C₁,C₂,C₃,C₄)；

(5.2) verifying:

whether or not:

if so, two intermediate results are computed:

and

executing (5.3), otherwise, failing to decrypt;

(5.3) verifying whether H (m ') is true, if so, outputting correct plaintext m (═ m'), otherwise, failing to decrypt.

And 6, executing the equivalence test by the cloud server.

(6.1) let the plaintext message of user i be m_iUser j plaintext message is m_jRespectively inputting ciphertext CT of user i_iAuthorized trapdoor td_iAnd ciphertext CT of user j_jAuthorized trapdoor td_jThese parameters are respectively expressed as follows:

CT_i＝(C_1,i,C_2,i,C_3,i,C_4,i,C_5,i)

CT_j＝(C_1,j,C_2,j,C_3,j,C_4,j,C_5,j)

td_i＝(d_7,i,d_8,i)

td_j＝(d_7,j,d_8,j)

wherein, CT_iConsists of five parts, C_1,i,C_2,i,C_3,i,C_4,i,C_5,iRespectively representing the first part to the fifth part of the user i ciphertext;

CT_jconsists of five parts, C_1,j,C_2,j,C_3,j,C_4,j,C_5,jRespectively representing the first part to the fifth part of the ciphertext of the user j;

td_iconsisting of two-part private keys of user i, d_7,i,d_8,iA seventh part and an eighth part respectively representing a private key of the user i;

td_jconsisting of two-part private keys of user j, d_7,j,d_8,jA seventh part and an eighth part respectively representing a private key of the user i;

(6.2) according to the ciphertext and the trapdoor given in (6.1), the server calculates the hash value H (m) of the plaintext message of the user i_i) And hash value H (m) of user j's plaintext message_j)：

Wherein, C_1,iRepresenting a first part of the ciphertext of user i, C_2,iA second part, C, representing the ciphertext of user i_4,iFourth part, d, representing user i's ciphertext_7,iA seventh part, d, representing the private key of user i_8,iAn eighth portion representing a private key of user i; c_1,jRepresenting a first part, C, of the ciphertext of user j_2,jRepresenting a second part, C, of the ciphertext of user j_4,jFourth part, d, representing user j ciphertext_7,jRepresenting a seventh part of the private key of user j, d_8,jAn eighth portion representing a private key of user j;

(6.3) determination of H (m)_i) And H (m)_j) Whether the two are equal:

if H (m)_i)＝H(m_j) If so, outputting 1, indicating that the plaintext messages of the user i and the user j are equal, and establishing contact between the user i and the user j through the cloud server;

if H (m)_i)≠H(m_j) And outputting 0, namely that the plaintext messages of the user i and the user j are not equal, and re-executing the test algorithm by the cloud server to match other users with the plaintext messages equal to the users.

While the invention has been particularly shown and described with reference to exemplary embodiments thereof, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention.

Claims (3)

1. An identity-based encryption method supporting ciphertext equivalence test function is characterized by comprising the following steps:

(1) initializing a system:

(1a) inputting security parameters, giving a bilinear map

Let g be

Is given as e (g, g) is

A generator of (a), wherein,

is a group of multiplication cycles of the order of a prime number p,

a multiplication loop group of order prime p;

(1b) the key generation center KGC selects two cryptographic hash functions

And is arranged at

Randomly selecting 5 different master key generation stage parameters alpha and beta₁,β₂,β₃,β₄Wherein, 0,1^*Representing a bit string of arbitrary length,

represents the set 0,1, …, p-1;

(1c) and the key generation center calculates and outputs a system master key MSK and a system public parameter PP according to the selected hash function and the random parameter:

MSK＝(α,β₁,β₂,β₃,β₄)

wherein, g₁＝g^α,

(2) And (3) generating a user private key:

(2a) entering a user identityIdentifier

A system master key MSK and a system public parameter PP;

(2b) KGC is in

Randomly selecting 4 different user private key generation stage parameters r₁,r₂,r₃,r₄And calculates the user private key d_ID：

(3) Authorized trapdoor extraction:

user generated authorization trapdoor td ═ (d)₇,d₈) And sending the authorized trapdoor to a designated server through a secret channel;

(4) encryption:

(4a) inputting a plaintext message

A user identity identifier ID and a public parameter PP;

(4b) the user is at

And randomly selecting a parameter s, and calculating a ciphertext CT:

CT＝(C₁,C₂,C₃,C₄,C₅)＝((g₁g^-ID)^s,e(g,g)^s,e(h₃,g)^s·m,e(h₄,g)^s·H(m),e(h₁,g)^se(h₂,g)^sw)，

wherein w ═ H₁(C₁,C₂,C₃,C₄)；

(4c) The user uploads the ciphertext CT to the cloud server;

(5) and (3) decryption:

(5a) inputting the ciphertext CT corresponding to the ID and the user private key d_IDAnd the system common parameter PP, the decryptor first calculates w ═ H₁(C₁,C₂,C₃,C₄)；

(5b) And (3) verification:

if true, two intermediate results are computed:

and

if H (m ') -H ', outputting correct plaintext m (═ m '), otherwise, failing to decrypt;

(6) and (3) testing:

(6a) let the plaintext message of user i be m_iUser j plaintext message is m_jRespectively inputting ciphertext CT of user i_iAuthorized trapdoor td_iAnd ciphertext CT of user j_jAuthorized trapdoor td_j；

(6b) According to the ciphertext and the trapdoor given in the step (6a), the server calculates the hash value H (m) of the plaintext message of the user i_i) And hash value H (m) of user j's plaintext message_j) And judging whether the two are equal:

if H (m)_i)＝H(m_j) If so, outputting 1 to indicate that the plaintext messages of the user i and the user j are equal, and establishing contact between the user i and the user j through the cloud server;

otherwise, outputting 0, indicating that the plaintext messages of the user i and the user j are not equal, and the cloud server re-executes the test algorithm to match other users with the plaintext messages equal to those of the respective users.

2. The method according to claim 1, wherein the ciphertext CT of the user i input in (6a)_iAuthorized trapdoor td_iAnd ciphertext CT of user j_jAuthorized trapdoor td_jRespectively watchShown below:

CT_i＝(C_1,i,C_2,i,C_3,i,C_4,i,C_5,i)

CT_j＝(C_1,j,C_2,j,C_3,j,C_4,j,C_5,j)

td_i＝(d_7,i,d_8,i)

td_j＝(d_7,j,d_8,j)

wherein, CT_iConsists of five parts, C_1,i,C_2,i,C_3,i,C_4,i,C_5,iRespectively representing the first part to the fifth part of the user i ciphertext;

CT_jconsists of five parts, C_1,j,C_2,j,C_3,j,C_4,j,C_5,jRespectively representing the first part to the fifth part of the ciphertext of the user j;

td_iconsisting of two-part private keys of user i, d_7,i,d_8,iA seventh part and an eighth part respectively representing a private key of the user i;

td_jconsisting of two-part private keys of user j, d_7,j,d_8,jRepresenting a seventh portion and an eighth portion, respectively, of the private key of user j.

3. The method of claim 1, wherein the hash value of the plaintext message for user i, H (m), is calculated in (6b)_i) And hash value H (m) of user j's plaintext message_j) The formula is as follows:

wherein, C_1,iRepresenting a first part of the ciphertext of user i, C_2,iA second part, C, representing the ciphertext of user i_4,iFourth part, d, representing user i's ciphertext_7,iA seventh part, d, representing the private key of user i_8,iAn eighth portion representing a private key of user i; c_1,jRepresenting a first part, C, of the ciphertext of user j_2,jRepresenting a second part, C, of the ciphertext of user j_4,jFourth part, d, representing user j ciphertext_7,jRepresenting a seventh part of the private key of user j, d_8,jRepresenting an eighth portion of the private key of user j.

Images