KR101599996B1 - Server and system for revocable identity based encryption - Google Patents

Abstract

An identity (ID)-based encryption server is provided. The ID-based encryption server comprises: a setup module to receive a security constant and a user combination as an input and generate a public parameter and a first master key; a private key generation module to generate a private key using the public parameter, status information of binary tree and the first master key; and an update key generation module to generate an update key using the public parameter, a revocation list, the status information and the first master key and transmit the updated key to the terminal.

Description

BACKGROUND OF THE INVENTION 1. Field of the Invention [0001] The present invention relates to an ID-

An embodiment according to the concept of the present invention relates to a discardable ID-based encryption server and system, and more particularly to a discardable ID-based encryption server and system capable of discarding a decryption key of an expired user efficiently, ID based password server and system.

In a public key encryption system based on a public key infrastructure (PKI), since an encryption key and a decryption key exist in a random value (random string or random value), a relationship between an encryption key and a user A certificate is required to be authenticated, and the certificate is issued by the certificate authority (Central Authority). To encrypt the data, the sender receives the certificate for the public key and the public key of the recipient in advance from the recipient and performs verification of the key and then encrypts the data. In order to solve the inconvenience of using such a certificate, an Identity Based Encryption (IBE) has been developed.

In the ID-based cryptosystem, identification information capable of identifying the recipient at the time of encryption, for example, the recipient's e-mail address, employee number, and telephone number, is used as a public key. Since the value that can identify the recipient is used as the public key, the sender does not have to authenticate to the separate key, and consequently no certificate is required in the system.

However, since the decryption key issued by each user is based on the master key of the server, the server can decrypt all the ciphertexts existing in the cryptographic system. If the existing ID-based cryptosystem is used in a cloud storage environment that stores a large number of users' data, the cloud server can decrypt all the stored data, thereby raising the user's privacy intrusion problem.

In order to solve such a problem, it is possible to use the ID-based cryptosystem separately from the storage server and the key issuing server, but in this case, user management (subscription and withdrawal) by the cloud server becomes impossible, User management is performed.

Thus, there is a need for an ID-based cryptosystem in which a storage service provider is not able to decrypt data stored in a server while user management by a cloud storage service provider is possible.

Korean Patent No. 10-1382626

Disclosure of Invention Technical Problem [8] The present invention provides a disposable ID-based password server and system capable of managing users by a service provider and protecting data stored in a service providing server from a service provider.

The identity-based cryptographic server according to an embodiment of the present invention includes a setup module for receiving a security constant and a user set as input, generating a public parameter and a first master key, status information of the public parameter, A private key generation module for generating a private key using the first master key and transmitting the generated private key to the terminal, and an update module for updating the public key, the revocation list, the status information, Generating an update key, and transmitting the generated update key to the terminal.

Also, the ID-based cryptosystem according to the embodiment of the present invention includes the encryption server and the second server, and the second server receives the security constant and the user set as input, A second setup module for generating a second master key and an auxiliary key generation module for generating the auxiliary key using the public parameter, the second master key, and the ID of the terminal, and transmitting the generated auxiliary key to the terminal, .

According to the disposable ID-based cryptographic server and system according to the embodiment of the present invention, user management by the service provider is possible, and data stored in the server can be protected from the service provider.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS In order to more fully understand the drawings recited in the detailed description of the present invention, a detailed description of each drawing is provided.
FIG. 1 illustrates an ID-based cryptosystem according to an embodiment of the present invention.
2 is a functional block diagram of the first server shown in FIG.
3 is a functional block diagram of the second server shown in FIG.
4 is a functional block diagram of the second terminal shown in FIG.

It is to be understood that the specific structural or functional description of embodiments of the present invention disclosed herein is for illustrative purposes only and is not intended to limit the scope of the inventive concept But may be embodied in many different forms and is not limited to the embodiments set forth herein.

The embodiments according to the concept of the present invention can make various changes and can take various forms, so that the embodiments are illustrated in the drawings and described in detail herein. It should be understood, however, that it is not intended to limit the embodiments according to the concepts of the present invention to the particular forms disclosed, but includes all modifications, equivalents, or alternatives falling within the spirit and scope of the invention.

The terms first, second, etc. may be used to describe various elements, but the elements should not be limited by the terms. The terms may be named for the purpose of distinguishing one element from another, for example, without departing from the scope of the right according to the concept of the present invention, the first element may be referred to as a second element, The component may also be referred to as a first component.

It is to be understood that when an element is referred to as being "connected" or "connected" to another element, it may be directly connected or connected to the other element, . On the other hand, when an element is referred to as being "directly connected" or "directly connected" to another element, it should be understood that there are no other elements in between. Other expressions that describe the relationship between components, such as "between" and "between" or "neighboring to" and "directly adjacent to" should be interpreted as well.

The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. The singular expressions include plural expressions unless the context clearly dictates otherwise. In this specification, the terms "comprises" or "having" and the like are used to specify that there are features, numbers, steps, operations, elements, parts or combinations thereof described herein, But do not preclude the presence or addition of one or more other features, integers, steps, operations, components, parts, or combinations thereof.

Unless defined otherwise, all terms used herein, including technical or scientific terms, have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. Terms such as those defined in commonly used dictionaries are to be interpreted as having a meaning consistent with the meaning of the context in the relevant art and, unless explicitly defined herein, are to be interpreted as ideal or overly formal Do not.

Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings attached hereto.

FIG. 1 illustrates an ID-based cryptosystem according to an embodiment of the present invention. 1, an ID based cryptographic system 10 usable in a cloud storage environment includes a first server 100, a second server 200, a first terminal 300, and a second terminal 400 ). According to an embodiment, the cryptographic system 10 may further include a cloud server 500 capable of providing cloud services.

The first server 100, which may be referred to as a key generation center or a key generation server, generates a private key USK and an update key UK and transmits the generated private key USK and the updated key UK ) To the second terminal 400. [ The first server 100 may be the same server as the cloud server 500 or may be a server physically separated from the cloud server 500 but operated by the operator of the cloud server 500. [

The second server 200 may generate the supplementary key (PSK) and transmit the generated supplementary key (PSK) to the second terminal 400. The second server 200 is physically separated from the first server 100 and is a server operated by an operator different from the operator of the first server 100. However, the present invention is not limited thereto . When the first server 100 and the second server 200 are operated by different entities, the possibility that the ciphertext (CT) stored in the cloud server 500 including the first server 100 is decrypted arbitrarily is excluded .

The first terminal 300 that is the sender's terminal that transmits the ciphertext (CT) generates a ciphertext (CT) by encrypting the message using the ID of the user of the second terminal 400 or the ID of the second terminal 400 do. Also, the first terminal 300 can transmit the generated ciphertext (CT) to the cloud server 500. [ According to an embodiment, the first terminal 300 may transmit the generated ciphertext (CT) directly to the second terminal 400 via a wire / wireless communication network.

The second terminal 400 receiving the ciphertext CT receives the private key USK and the update key UK from the first server 100 and receives the update key UK from the second server 200, PSK). The second terminal generates a decryption key using the received private key (USK), the update key (UK), and the supplementary key (PSK). The second terminal can decrypt the ciphertext (CT) received from the first terminal 300 or the cloud server 500 using the decryption key.

The first terminal 300 or the second terminal 400 may be a personal computer, a tablet PC, a notebook, a net-book, an e-reader, a personal digital assistant assistant, a portable multimedia player (PMP), an MP3 player, an MP4 player, or a handheld device such as a mobile phone or a smart phone .

The cloud server 500 may be a server that provides a cloud service.

2 is a functional block diagram of the first server shown in FIG. Referring to FIGS. 1 and 2, the first server 100 includes a setup module 110, a private key generation module 130, and an update key generation module 150. According to an embodiment, the first server 100 may further include a revocation module 170.

)을 수행하여 공개 파라미터(PP)와 제1 마스터키(MK_Server)를 생성한다. The setup module 110 includes a set-up algorithm (&^lt; ^{RTI ID} = 0.0 >

) To generate a public parameter PP and a first master key MK _Server .

Specifically, the set-up module 110 to the normal generator, a small number (prime number) having p as a percentile-layer creates a linear group (p, G, G _T, e), and the layers of the g linear group (G) .

)를 선택하여 제1 공개 파라미터(

)를 생성한다. 또한, 셋업 모듈(110)은 임의의 스트링(string)에 해당하는 입력값을 타원곡선 위의 점으로 매핑하는 매핑 함수(

)와 매핑 함수(

)를 선택한다.In addition, the setup module 110 may generate a random number

) To select the first disclosure parameter (

). The set-up module 110 also includes a mapping function for mapping an input value corresponding to an arbitrary string to a point on the elliptic curve

) And the mapping function (

).

), 매핑 함수(

), 및 매핑 함수(

)를 포함하는 공개 파라미터(PP)를 공개한다. 본 발명에서 이용되는 공개 파라미터(

) 중 제2 공개 파라미터(

)는 제2 서버(200)에 의해 생성된 파라미터일 수 있다.The setup module 110 includes a normal generation circle g, a linear linear group G,

), Mapping function (

), And mapping function (

) Of the public domain. The public parameters (< RTI ID = 0.0 >

The second disclosure parameter (

May be a parameter generated by the second server 200.

)를 생성한다. 생성된 제1 마스터키는 사용자의 개인키와 업데이트키를 생성하는 과정에서 이용될 수 있다.The setup module 110 also includes a first master key ("

). The generated first master key can be used in the process of generating the user's private key and the update key.

)을 실행하여, 개인키를 생성하고, 생성된 개인키를 제2 단말기(400)로 송신한다.The private key generation module 130 generates a private key generation algorithm (hereinafter referred to as " private key generation algorithm ") by inputting the time T, the ID, the first master key, the state information ST of the binary tree BT,

) To generate a private key, and transmits the generated private key to the second terminal 400. [

)를 선택하고, 선택된 말단 노드(

)에 ID를 할당한다. 그리고 개인키 생성 모듈(130)은 각각의 노드(

)에 대해 다음과 같은 과정을 수행한다. 여기서,

은 노드(

)에서부터 루트 노드(최상위 노드)까지의 경로에 포함되어 있는 노드들의 집합을 의미한다.Specifically, the private key generation module 130 generates a private key of the root node BT,

), Selects the selected end node (

). The private key generation module 130 generates a private key

), The following procedure is performed. here,

The node (

) To the root node (the highest node).

)에 대응하는 임의의 난수(

)가 정의되어 있지 않는 경우, 임의의 난수(

)를 선택하여 선택된 난수를 노드(

)에 할당 또는 정의한다.1. Node (

) ≪ / RTI >

) Is not defined, an arbitrary random number (

) To select the selected random number as the node (

).

)를 선택한다.2. Any random number (

).

3. Create a first private key (usk _{θ, 0} ) and a second private key (usk _{θ, 1} ) defined by the following equation:

)를 생성하고, 생성된 개인키를 제2 단말기(400)로 송신할 수 있다.After performing the above processes, the private key generation module 130 generates a private key including a first private key and a second private key corresponding to each node [theta]

), And transmit the generated private key to the second terminal 400.

)을 실행하여 업데이트키를 생성하고, 생성된 업데이트키를 제2 단말기(400)로 송신한다.The update key generation module 150 generates an update key generation algorithm (hereafter referred to as an update key generation algorithm) that takes as input the time T, the first master key, the state information ST of the binary tree BT,

) To generate an update key, and transmits the generated update key to the second terminal 400.

That is, the update key generation module 150 periodically generates an update key, and transmits the generated update key to the second terminal 400. The second terminal 400 can generate a decryption key using the received update key.

Prior to generating the update key, the update key generation module 150 may obtain, on the binary tree BT, a set (Y) of nodes to which a corresponding update key is to be generated.

The set of nodes (Y) can be obtained using a node creation algorithm (KUNode) with binary tree (BT), revocation list (RL), and time (T) as inputs. The details of the algorithm are as follows.

는 노드(

)의 폐기 시간을 의미하고, 노드(

)는 노드(

)의 왼쪽 자식 노드를 의미하고, 노드(

)는 노드(

)의 오른쪽 자식 노드를 의미한다. 이진트리(BT) 상에서 각각의 사용자는 말단 노드에 할당된다.

는 노드(

)에서부터 루트 노드, 즉 최상위 노드까지 경로상에 위치한 노드들의 집합을 의미한다.On the algorithm

Is a node (

), And the node (

) Is a node

), And the node (

) Is a node

) ≪ / RTI > On the binary tree (BT), each user is assigned to an end node.

Is a node (

) To a root node, that is, a root node.

Therefore, only the update key corresponding to the nodes included in the set Y at time T is created, and the non-revoked users generate the update key corresponding to any one of the nodes included on the route from the own node to the root node The decryption key can be generated at the time T since the node of the set Y is included in the set Y.

), 즉 집합(Y)에 포함된 노드(θ)에 대해 다음과 같은 과정을 수행한다.The update key generation module 150 generates a set (Y) of nodes for generating an update key,

), I.e., the node (?) Included in the set (Y), the following process is performed.

1. bring any random number (β _θ) defined in the node (θ) of a binary tree (BT).

)를 선택한다.2. An arbitrary index (

).

)와 제2 업데이트키(

)를 생성한다.3. The first update key (

) And the second update key (

).

)에 관하여, 위의 과정이 완료되면, 업데이트키 생성 모듈(150)은 제1 업데이트키와 제2 업데이트키를 포함하는 업데이트키(

)를 제2 단말기(400)로 송신한다.All nodes (

), When the above process is completed, the update key generation module 150 generates an update key including the first update key and the second update key

To the second terminal (400).

)을 수행함으로써, ID에 대한 폐기 동작을 수행할 수 있다.The discard module 170 is a discard algorithm that takes as input the ID to be discarded, the time T, the revocation list RL, and the state information ST of the binary tree BT

), The discard operation for the ID can be performed.

라면,

를 새로운 폐기 목록으로 갱신함으로써, ID에 대한 폐기 동작을 수행할 수 있다.That is, the end node to which the ID is assigned

Ramen,

To the new revocation list, the revocation operation for the ID can be performed.

3 is a functional block diagram of the second server shown in FIG. Referring to FIGS. 1 to 3, the second server 200 includes a setup module 210 and an auxiliary key generation module 230.

)을 수행하여 공개 파라미터(PP)와 제2 마스터키(MK_PKG)를 생성한다. 이때, 보안 상수(1^λ)와 사용자의 집합(N)은 제1 서버(100)와 제2 서버(200) 간에 미리 공유된 값일 수 있다.Setup module 210 includes a set-up algorithm (&^lt; ^{RTI ID} = 0.0 >

) To generate a public parameter PP and a second master key MK _PKG . At this time, the security constant 1 ^? And the set N of users may be a value previously shared between the first server 100 and the second server 200.

Specifically, the set-up module 210 to the normal generator, a small number (prime number) having p as a percentile-layer creates a linear group (p, G, G _T, e), and the layers of the g linear group (G) .

)를 선택하여 제2 공개 파라미터(

)를 생성한다. 또한, 셋업 모듈(210)은 임의의 스트링(string)에 해당하는 입력값을 타원곡석 위의 점으로 매핑하는 매핑 함수(

)와 매핑 함수(

)를 선택한다.Also, the setup module 210 may generate a random number ("

) To select the second disclosure parameter (

). In addition, the setup module 210 may include a mapping function for mapping an input value corresponding to an arbitrary string to a point on an elliptic curve

) And the mapping function (

).

), 매핑 함수(

), 및 매핑 함수(

)를 포함하는 공개 파라미터를 공개한다. 본 발명에서 이용되는 공개 파라미터(

) 중 제1 공개 파라미터(

)는 제1 서버(100)에 의해 생성된 파라미터일 수 있다.The setup module 210 includes a normal generation circle g, a double linear group G,

), Mapping function (

), And mapping function (

). ≪ / RTI > The public parameters (< RTI ID = 0.0 >

The first disclosure parameter (

May be a parameter generated by the first server 100.

)를 생성한다. 생성된 제2 마스터키는 제2 단말기(400)로 송신할 보조키를 생성하는 과정에서 이용될 수 있다.The setup module 210 also includes a second master key ("

). The generated second master key can be used in the process of generating the auxiliary key to be transmitted to the second terminal 400.

The operation overlapping with the operation of the setup module 110 of the first server 100 during the operation of the setup module 210 may be performed by either the setup module 210 or the setup module 110 and may be shared And may be performed in each of the two setup modules.

)을 수행하여 보조키를 생성하고, 생성된 보조키를 제2 단말기(400)로 송신한다.The auxiliary key generation module 230 includes an auxiliary key generation algorithm (hereinafter referred to as an auxiliary key generation algorithm) in which the ID, the second master key,

) To generate the auxiliary key, and transmits the generated auxiliary key to the second terminal 400.

)를 선택하고, 선택된 임의의 난수(

)를 이용하여 제1 보조키(psk₀)와 제2 보조키(psk₁)를 포함하는 보조키(PSK_ID=(psk₀,psk₁))생성할 수 있다.Specifically, the auxiliary key generation module 230 generates random numbers

), And selects a random number (

(PSK _ID = (psk ₀ , psk ₁ )) including the first auxiliary key (psk ₀ ) and the second auxiliary key (psk ₁ ) by using the first auxiliary key (psk ₀ )

The first auxiliary key (psk ₀ ) and the second auxiliary key (psk ₁ ) can be generated by the following equations.

In the above equation, ID may refer to identification information of the second terminal 400. The generated auxiliary key (PSK _ID ) may be transmitted to the second terminal 400.

4 is a functional block diagram of the second terminal shown in FIG. Referring to FIGS. 1 to 4, the second terminal 400 includes a decryption key generation module 410 and a decryption module 430.

)을 수행하여 복호화키를 생성할 수 있다.The decryption key generation module 410 generates a decryption key generation algorithm (hereinafter, referred to as " decryption key generation algorithm ") using an auxiliary key, a private key,

) To generate a decryption key.

Specifically, the decryption key generation module 410 receives the PSK _ID from the second server 200 and receives the private key (USK _ID ) and the update key (UK _T ) from the first server 100 can do. Also, the decryption key generation module 410 may generate a decryption key using the supplementary key (PSK _ID ), the private key (USK _ID ), the update key (UK _T ), and the public parameter (PP).

The generation process of the sub key will be described in detail as follows.

,

, 및

을 이용하여 복호화키를 생성할 수 있다. 이때, 집합(I)는 이진트리 상에서 제2 단말기(400)의 개인키에 속해있는 노드들의 집합, 즉 제2 단말기(400)의 ID가 할당된 말단 노드로부터 루트 노드까지의 경로에 포함된 노드들의 집합을 의미하고, 집합(S)는 이진트리 상에서 업데이트키에 속해있는 노드들의 집합을 의미한다.The decryption key generation module 410

,

, And

Can be used to generate a decryption key. At this time, the set (I) is a set of nodes belonging to the private key of the second terminal 400 on the binary tree, that is, a node included in the path from the end node to which the ID of the second terminal 400 is allocated to the root node (S) means a set of nodes belonging to an update key on a binary tree.

If the intersection of the set I and the set J is an empty set, that is, I? J = ?, the decryption key generation module 410 can not generate a decryption key. Since the ID of the second terminal 400 can be seen to have been discarded or withdrawn at T time.

)를 생성할 수 있다. 이때,

이고,

이고,

이다.If the intersection of the set I and the set J is not an empty set, that is, if I∩J ≠ Φ, the decryption key generation module 410 generates a decryption key &thetas;≤ I • J)

Can be generated. At this time,

ego,

ego,

to be.

)을 수행하여 암호문을 복호화할 수 있다.The decryption module 430 decrypts a decryption key (a decryption key)

) To decrypt the ciphertext.

Specifically, the decryption module 430 decrypts the ciphertext (CT _ID ) received from the first terminal 300 or the cloud server 500 using the generated decryption key (DK _{ID, T} ) and the disclosure parameter (PP) can do. Since the ciphertexts CT are (C, C ₁ , C ₂ , C ₃ ) and the decryption keys DK are (D ₁ , D ₂ , D ₃ ), the ciphertext CT can be decrypted have.

)을 생성할 수 있다. 이때,

을 만족한다.At this time, the encryption process by the first terminal 300 is as follows. The first terminal 300 performs a cryptographic algorithm in which the ID of the second terminal 400, the time T, the message M, and the public parameter PP are input,

Can be generated. At this time,

.

Each of the configurations of the first server, the second server, and the second terminal shown in FIG. 2 to FIG. 4 may be functionally and logically separated, and each configuration may be divided into separate physical devices or separately The average expert in the technical field of the present invention can easily deduce that it is not meant to be written in the code of the present invention.

In this specification, a module may mean a functional and structural combination of hardware for carrying out the technical idea of the present invention and software for driving the hardware. For example, the module may mean a logical unit of a predetermined code and a hardware resource for executing the predetermined code, and does not necessarily mean a physically connected code or a kind of hardware.

While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is evident that many alternatives, modifications and variations will be apparent to those skilled in the art. Accordingly, the true scope of the present invention should be determined by the technical idea of the appended claims.

100: first server
110: Setup module
130: private key generation module
150: Update key generation module
170: Disposal module
200: second server
210: Setup module
230: Auxiliary key generation module
300: first terminal
400: second terminal
410: Decryption key generation module
430: Decryption module
500: Cloud server

Claims (4)

1. An identity based cryptosystem comprising a first server and a second server,
Wherein the first server comprises:
A setup module for receiving as input a security constant and a user set, generating a public parameter and a first master key;
A private key generation module for generating the private key using the public parameter, state information of the binary tree, and the first master key, and transmitting the generated private key to the terminal; And
And an update key generation module for generating an update key using the public parameter, the revocation list, the state information, and the first master key, and transmitting the generated update key to the terminal,
Wherein the second server comprises:
A second setup module for receiving the security constant and the user set as inputs and generating the public parameter and the second master key; And
Generating an auxiliary key by using the public parameter, the second master key, and the ID of the terminal, and transmitting the generated auxiliary key to the terminal;
ID based cryptographic system. The method according to claim 1,
Wherein the update key generation module periodically generates an update key and transmits the generated update key to the terminal. The method according to claim 1,
Wherein the public parameters generated by the setup module include at least one of an overlaid linear group, a generation source of the double linear group, a first public parameter generated using an arbitrary random number, and an arbitrary input string, And a second mapping function for mapping the first mapping function to the second mapping function. The method according to claim 1,
Further comprising: the terminal receiving the private key, the update key, and the auxiliary key to generate a decryption key, and decrypting the cipher text using the generated decryption key.

Images