CN115296792A - Identity-based signcryption method for protecting secret key - Google Patents
- Publication number: CN115296792A
- Application number: CN202210703552.3A
- Authority: CN (China)
- Prior art keywords: sender, private key, receiver, key, identity
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
        - H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
          - H04L9/0891—Revocation or update of secret information, e.g. encryption key update or rekeying
          - H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
            - H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
        - H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
          - H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
          - H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
            - H04L63/0442—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
Abstract
The invention discloses an identity-based signcryption method for protecting a secret key. Two trusted helpers are set up; the two helpers alternately assist the sender and the receiver in generating their initial private and public keys and in updating the private key at the start of each time period; the sender generates a signcryption ciphertext, and the receiver recovers the plaintext with the de-signcryption algorithm and verifies the signature. Two independent, physically secure trusted helpers are provided for the sender and the receiver respectively, and they help the sender and the receiver generate the initial private key of the cryptosystem from a secret value chosen by the sender and receiver themselves, which avoids the identity revocation problem and provides resistance to key leakage. The two helpers alternately update the real-time private keys of the sender and the receiver in different time periods, which allows frequent real-time private key updates while reducing the probability of a helper key leaking.
Description
Technical Field
The invention relates to information security, in particular to an identity-based signcryption method for protecting a secret key.
Background
Cryptography is the underlying support technology for information security and the core of authentication and access control. Confidentiality and authentication are two important security goals in cryptography. In public key cryptosystems, encryption schemes and signature schemes are the two basic primitives, providing these two goals respectively: confidentiality of the message and authentication of the message. Some applications, such as e-mail and e-commerce, need both goals at once. A signcryption cryptosystem performs encryption and signing simultaneously in one logical step, at a computation and data cost lower than the sum of the two. The sender produces a signcryption ciphertext by the signcryption computation, and the receiver recovers the plaintext by the de-signcryption computation and verifies the signature.
The closest prior art to this method is the identity-based key-insulated signcryption scheme published in Informatica, 23(1): 27-45, which is provably secure in the standard model. It suits application scenarios in which the private keys of the sender and the receiver must be protected. That method consists of the following steps: first, generate the public system parameters and the system master key; second, generate the initial private keys of the sender and the receiver and the helper key; third, generate the real-time private key update information of the sender and the receiver; fourth, generate the real-time private keys of the sender and the receiver; fifth, the sender generates the signcryption ciphertext; sixth, the receiver recovers the plaintext using the de-signcryption algorithm and verifies the signature. Because the private keys of the sender and the receiver are updated in every time slice, the system's ability to withstand private key leakage is strengthened. However, the method cannot be used in an application scenario where the helper key itself is leaked, so it does not solve the private key protection problem in that scenario.
Disclosure of Invention
Object of the invention: to provide an identity-based signcryption method for protecting a secret key, so as to solve the problem of private key protection in application scenarios where encryption and signing are performed in one logical step.
Technical scheme: the identity-based signcryption method for protecting a secret key works on the following principle: two helper keys are set; at the start of each time period the two helpers generate real-time private key update information, the real-time private keys are updated, and the real-time private keys of the sender and the receiver are obtained; the sender generates the ciphertext with the signcryption algorithm, and the receiver recovers the plaintext with the de-signcryption algorithm and verifies the signature. The method comprises the following steps:
(1) Establishing system parameters:
G_1 and G_2 are multiplicative groups of prime order p, and g is a generator of G_1; G_2 is a multiplicative cyclic group of order q, and e: G_1 × G_1 → G_2 is a bilinear map. Z_p denotes the set {0, 1, 2, ..., p-1}, and the nonzero elements Z_p \ {0} are also used. Two hash functions H_u: {0,1}^* → {0,1}^{n_u} and H_v: {0,1}^{n_m} → {0,1}^{n_v} are chosen, where n_u, n_m and n_v are security parameters; an identity is a bit string of length n_u and a message is a bit string of length n_m. A bijection V: Γ → G_2 is defined, with V^{-1} denoting its inverse, where Γ is a subset of {0,1}^{n_u+n_m+n_v} with p elements. A pseudo-random function F is chosen: given a k-bit input x and a k-bit seed s, F outputs a k-bit pseudo-random string F_s(x). Randomly choose α ∈ Z_p and g_2 ∈ G_1, and set g_1 = g^α and Y = e(g_1, g_2). Randomly choose u' ∈ G_1 and u_i ∈ G_1 for i = 1, ..., n_u, and form from them the n_u-dimensional vector; randomly choose m' ∈ G_1 and m_i ∈ G_1 for i = 1, ..., n_v, and form from them the n_v-dimensional vector; set the master private key and the public system parameters (these vectors, the master key and the public parameters are not rendered in the source).
(2) Private key extraction:
(2.1) Let u be a bit string of length n_u representing an identity, and let u[i] be the i-th bit of u; define the set of indices i for which u[i] = 1. Let w_{u,-1} = H_u(u || -1), with w_{u,-1}[i] its i-th bit, and w_{u,0} = H_u(u || 0), with w_{u,0}[i] its i-th bit; define the set of indices i for which w_{u,-1}[i] = 1 and the set of indices i for which w_{u,0}[i] = 1. Randomly choose two helper keys HK_{u,1}, HK_{u,0} ∈ {0,1}^κ and compute the corresponding values; choose a further random value and compute the initial private key of identity u (the formulas are not rendered in the source).
(2.2) The sender's helper keys are HK_{a,1} and HK_{a,0}, together with the corresponding initial private key (not rendered).
(2.3) The receiver's helper keys are HK_{b,1} and HK_{b,0}, together with the corresponding initial private key (not rendered).
(3) Generating real-time helper update information for the sender and the receiver at time slice t:
(3.1) Let w_{u,t} = H_u(u || t), with w_{u,t}[i] its i-th bit, and define the set of indices i for which w_{u,t}[i] = 1; likewise let w_{u,t-2} = H_u(u || t-2), with w_{u,t-2}[i] its i-th bit, and define the set of indices i for which w_{u,t-2}[i] = 1. Compute the two intermediate values and, to construct the temporary private key update information UI_{u,t} of user u for time slice t, compute (formulas not rendered):
(3.2) The temporary private key update information of the sender and of the receiver for time slice t is, respectively (not rendered):
(4) Generating real-time private keys of the sender and the receiver at time slice t:
Decompose the temporary private key of user u for time slice t-1 and the temporary private key update information for time slice t into their components (not rendered); to construct the temporary private key d_{u,t} of user u for time slice t, user u computes (formula not rendered):
For any identity u and any time slice t, the temporary private key d_{u,t} has the following form (not rendered):
Likewise, the temporary private keys of the sender and the receiver for time slice t are, respectively (not rendered):
(5) Signcryption:
For message m, sender A signcrypts as follows:
Randomly choose r_m, r′_{t-1} and the remaining random values (their domain is not rendered); randomly choose r ∈ {0,1}^{n_v} such that a || m || r ∈ Γ.
Let the set (symbol not rendered) consist of the indices j at which the j-th bit of H_v(m) differs from the j-th bit of r.
Compute (formulas not rendered):
Let r_{t-1} = r′_{t-1} + k_{a,t-1} and r_t = r′_t + k_{a,t}.
Sender A outputs the ciphertext (not rendered):
and sends it to receiver B.
(6) De-signcryption:
Receiver B decomposes the received ciphertext (t, σ) into (t, (σ^{<1>}, σ^{<2>}, σ^{<3>}, σ^{<4>}, σ^{<5>}, σ^{<6>}, σ^{<7>}, σ^{<8>}, σ^{<9>})) and decomposes his temporary private key into its components (not rendered).
If the following equation holds (not rendered), message m is output; otherwise "de-signcryption failed" is output.
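As an added illustration, not code from the patent, the following shows the bit-index sets that steps (2.1) and (3.1) derive from H_u(u || t) and the two-helper alternation that step (3.1) implies by pairing w_{u,t} with w_{u,t-2}; the pairing-group arithmetic is left out because the page does not render it. SHA-256 for H_u, HMAC for F, the byte encoding of "||" and the parity rule for choosing the helper are all assumptions made here.

```python
# Added illustration, not the patent's code: the bit-index sets behind
# H_u(u || t) in steps (2.1)/(3.1) and the two-helper alternation rule.
# Pairing-group operations are omitted (the patent's formulas are not
# rendered); H_u, F, the '||' encoding and the parity rule are assumptions.
import hashlib
import hmac

N_U = 16      # identity / hash length n_u in bits (constructed small value)
KAPPA = 16    # helper key length kappa, taken in bytes here (assumption)


def H_u(data: bytes) -> int:
    """H_u: {0,1}^* -> {0,1}^{n_u}; assumed SHA-256 truncated to n_u bits."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - N_U)


def one_indices(word: int, nbits: int) -> set:
    """{ i : word[i] = 1 } with i = 1..nbits counted from the most significant
    bit, matching the patent's u[i] / w_{u,t}[i] convention."""
    return {i for i in range(1, nbits + 1) if (word >> (nbits - i)) & 1}


def w_set(u: bytes, t: int) -> set:
    """Index set of w_{u,t} = H_u(u || t). '||' is realised as appending t as a
    fixed-width signed big-endian integer (assumption), so the slices -1 and 0
    used in step (2.1) encode as cleanly as any later slice."""
    return one_indices(H_u(u + t.to_bytes(4, "big", signed=True)), N_U)


def F(seed: bytes, x: bytes) -> bytes:
    """PRF F_s(x) from step (1); assumed HMAC-SHA256 truncated to kappa bytes."""
    return hmac.new(seed, x, hashlib.sha256).digest()[:KAPPA]


def helper_for_slice(t: int) -> int:
    """Assumption: helpers alternate by slice parity. Step (3.1) combines
    w_{u,t} with w_{u,t-2}, so one helper covers t, t-2, t-4, ...; here
    HK_{u,1} serves odd slices and HK_{u,0} even ones."""
    return t % 2


def update_inputs(u: bytes, helper_keys: dict, t: int) -> dict:
    """What a helper needs to form UI_{u,t} (step 3.1) apart from the group
    arithmetic: which helper key, the two index sets, and a PRF value k_t
    (using F for the k_{a,t} of step (5) is an assumption)."""
    h = helper_for_slice(t)
    return {
        "helper": h,
        "W_t": w_set(u, t),
        "W_t_minus_2": w_set(u, t - 2),
        "k_t": F(helper_keys[h], t.to_bytes(4, "big", signed=True)),
    }


def slices_depending_on_helper(h: int, horizon: int) -> list:
    """Slices in 1..horizon whose update information is derived from helper h.
    Under alternation a single leaked helper key covers only every other
    slice, which is the exposure reduction the patent claims."""
    return [t for t in range(1, horizon + 1) if helper_for_slice(t) == h]


if __name__ == "__main__":
    identity = b"alice@example.test"                      # constructed identity
    keys = {1: b"\x01" * KAPPA, 0: b"\x00" * KAPPA}      # constructed HK_{u,1}, HK_{u,0}
    for t in range(1, 5):
        info = update_inputs(identity, keys, t)
        print(t, "helper", info["helper"], "W_t", sorted(info["W_t"]))
    print("helper 0 covers slices", slices_depending_on_helper(0, 8))
```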
a computer storage medium having stored thereon a computer program which, when executed by a processor, implements an identity-based signcryption method for protecting a secret key as described above.
A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing a method of identity-based signcryption for protecting a key as described above when the computer program is executed by the processor.
Advantages: compared with the prior art, the invention has the following advantages:
1. Two independent, physically secure trusted helpers are provided for the sender and the receiver respectively, and they help the sender and the receiver generate the initial private key of the cryptosystem from a secret value chosen by the sender and receiver themselves, which avoids the identity revocation problem and provides resistance to key leakage;
2. The cryptosystem uses the two helpers to update the real-time private keys of the sender and the receiver alternately in different time periods, which allows frequent real-time private key updates while reducing the probability of a helper key leaking;
3. The sender performs encryption and signing in one logical step, which reduces the total computation and communication cost of encrypting and signing the message.
Drawings
FIG. 1 is a flow chart of the steps of the present invention.
Detailed Description
The technical scheme of the invention is further explained by combining the attached drawings.
As shown in fig. 1, an identity-based signcryption method for protecting a key includes the following steps:
Steps (1) to (6) proceed exactly as set out under Disclosure of Invention above.
Claims (3)
1. an identity-based signcryption method for protecting a key, comprising the steps of:
(1) Establishing system parameters:
G_1 and G_2 are multiplicative groups of prime order p, and g is a generator of G_1; G_2 is a multiplicative cyclic group of order q, and e: G_1 × G_1 → G_2 is a bilinear map. Z_p denotes the set {0, 1, 2, ..., p-1}, and the nonzero elements Z_p \ {0} are also used. Two hash functions H_u: {0,1}^* → {0,1}^{n_u} and H_v: {0,1}^{n_m} → {0,1}^{n_v} are chosen, where n_u, n_m and n_v are security parameters; an identity is a bit string of length n_u and a message is a bit string of length n_m. A bijection V: Γ → G_2 is defined, with V^{-1} denoting its inverse, where Γ is a subset of {0,1}^{n_u+n_m+n_v} with p elements. A pseudo-random function F is chosen: given a k-bit input x and a k-bit seed s, F outputs a k-bit pseudo-random string F_s(x). Randomly choose α ∈ Z_p and g_2 ∈ G_1, and set g_1 = g^α and Y = e(g_1, g_2). Randomly choose u' ∈ G_1 and u_i ∈ G_1 for i = 1, ..., n_u, and form from them the n_u-dimensional vector; randomly choose m' ∈ G_1 and m_i ∈ G_1 for i = 1, ..., n_v, and form from them the n_v-dimensional vector; set the master private key and the public system parameters (these vectors, the master key and the public parameters are not rendered in the source).
(2) Private key extraction:
(2.1) Let u be a bit string of length n_u representing an identity, and let u[i] be the i-th bit of u; define the set of indices i for which u[i] = 1. Let w_{u,-1} = H_u(u || -1), with w_{u,-1}[i] its i-th bit, and w_{u,0} = H_u(u || 0), with w_{u,0}[i] its i-th bit; define the set of indices i for which w_{u,-1}[i] = 1 and the set of indices i for which w_{u,0}[i] = 1. Randomly choose two helper keys HK_{u,1}, HK_{u,0} ∈ {0,1}^κ and compute the corresponding values; choose a further random value and compute the initial private key of identity u (the formulas are not rendered in the source).
(2.2) The sender's helper keys are HK_{a,1} and HK_{a,0}, together with the corresponding initial private key (not rendered).
(2.3) The receiver's helper keys are HK_{b,1} and HK_{b,0}, together with the corresponding initial private key (not rendered).
(3) Generating real-time helper update information for the sender and the receiver at time slice t:
(3.1) Let w_{u,t} = H_u(u || t), with w_{u,t}[i] its i-th bit, and define the set of indices i for which w_{u,t}[i] = 1; likewise let w_{u,t-2} = H_u(u || t-2), with w_{u,t-2}[i] its i-th bit, and define the set of indices i for which w_{u,t-2}[i] = 1. Compute the two intermediate values and, to construct the temporary private key update information UI_{u,t} of user u for time slice t, compute (formulas not rendered):
(3.2) The temporary private key update information of the sender and of the receiver for time slice t is, respectively (not rendered):
(4) Generating real-time private keys of the sender and the receiver at time slice t:
Decompose the temporary private key of user u for time slice t-1 and the temporary private key update information for time slice t into their components (not rendered); to construct the temporary private key d_{u,t} of user u for time slice t, user u computes (formula not rendered):
For any identity u and any time slice t, the temporary private key d_{u,t} has the following form (not rendered):
Likewise, the temporary private keys of the sender and the receiver for time slice t are, respectively (not rendered):
(5) Signcryption:
For message m, sender A signcrypts as follows:
Let the set (symbol not rendered) consist of the indices j at which the j-th bit of H_v(m) differs from the j-th bit of r.
Compute (formulas not rendered):
Let r_{t-1} = r′_{t-1} + k_{a,t-1} and r_t = r′_t + k_{a,t}.
Sender A outputs the ciphertext (not rendered):
and sends it to receiver B.
(6) De-signcryption:
Receiver B decomposes the received ciphertext (t, σ) into its components and decomposes his temporary private key into its components (not rendered).
If the following equation holds (not rendered), message m is output; otherwise "de-signcryption failed" is output.
2. a computer storage medium on which a computer program is stored, which computer program, when being executed by a processor, carries out an identity-based signcryption method for protecting a key according to any one of claims 1-5.
3. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements an identity-based signcryption method for protecting a key according to any of claims 1-5 when executing the computer program.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210703552.3A CN115296792A (en) | 2022-06-21 | 2022-06-21 | Identity-based signcryption method for protecting secret key |
Publications (1)
Publication Number | Publication Date |
---|---|
CN115296792A true CN115296792A (en) | 2022-11-04 |
Family ID: 83820590
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115296792A (en) |
Events
- 2022-06-21: application CN202210703552.3A filed in China (CN115296792A); status Pending
Legal Events
Date | Code | Title | Description
---|---|---|---
| PB01 | Publication |
| SE01 | Entry into force of request for substantive examination |