CN101051902A - Agent signcryption method and system - Google Patents

Abstract

The invention solves issues that disadvantages of large amount of calculation and system security exist in current technique. The method includes steps: setting up system parameters, generating proxy cipher-signed private key, sending cipher-signed message, recovering cipher-signed message, and validating proxy cipher sign. The invention raises operation efficiency, and avoids dependence on secure channel.

Description

A kind of agent signcryption method and system

Technical field

The present invention relates to computer communication and E-business applications field, particularly a kind of agent signcryption method and system.

Background technology

In the application of computer communication and ecommerce, secret and authentication is one of sixty-four dollar question.Usually reach secret purpose with the means of encrypting in the prior art, reach the purpose of authentication with the means of digital signature.In order to reach the effect of maintaining secrecy and authenticating simultaneously, traditional way is to encrypt earlier afterwards to sign or sign earlier and afterwards encrypt.1997, Zheng proposed to sign close notion, and the function of signing Mi Xitongji signature and encryption is in one.Suppose that Alice will send a message m to Bob, Alice does not wish that outer others of Bob sees message m, and Alice will allow Bob know that message derives from Alice really simultaneously, signs close system and can satisfy this demand.Afterwards sign or sign afterwards to encrypt earlier and compare with first the encryption, sign close system and improved communication efficiency, reduced computational burden.The close system of the label of a safety should satisfy simultaneously can not forge, non-repudiation and the requirement of maintaining secrecy.Can not forge and be meant that anyone can not pretend to be Alice to produce one and effectively sign the close Bob of giving and be not found.It is close that non-repudiation is meant in a single day Alice has sent about the label of certain message m to Bob, and he can not deny this part thing later on.Even confidentiality is meant communicating by letter between Alice and Bob and transmits on overt channel, other people can not know that message that they transmit expressly.

In real society, run into agency's situation through regular meeting.For example, the manager of a company will arrive the other places and go on business, and in order not influence the business of company, this manager needs to entrust a reliable assistant as the agency, allow this assistant during he goes on business, can represent him to handle some relevant mails, and on some vital document, sign etc.

In order to solve above-mentioned agency problem, proxypassword is learned and is arisen at the historic moment.The notion that proxypassword is learned can apply to a lot of occasions, when a succedaneum obtain by certain conversion original person act on behalf of private key after just can represent original person to go to carry out operations such as some plain text encryption, decrypt ciphertext, digital signature.

Mambo, Usuda in 1996 and Okamto have proposed the notion of allograph.In a Proxy Signature Scheme, on behalf of original signer, an appointed proxy signers can generate effective allograph.Proxy Signature Scheme should satisfy character such as non-repudiation, verifiability, unforgeable, the property distinguished.Simultaneously, because allograph plays an important role in actual applications, so allograph is subjected to extensive concern once proposition, Chinese scholars has been carried out deep discussion and research to it.1997, S.Kim, S.Park and D.Wom combined part devolution and certificate granting agency, have obtained part certificate of authority allograph.Allograph may be used on many fields, especially in distributed environment, as mobile agent, mobile communication, network calculations, distributed network, electronic transaction, e-bank, electronic voting etc.

When the file of allograph contained business secret if desired, only allograph was not enough, and therefore at this time also need to be keep secret needs to use the combination of allograph and digital encryption.

1999, Gamage, Leiwo and Zheng propose the notion of agent signcryption.The combined efficiency that adds the numeral encryption as digital signature is close not as the numeral label, and the efficient of the combination of allograph and digital encryption primitive is not as agent signcryption.Therefore, the application of agent signcryption in fields such as ecommerce is very widely.Gamage, Leiwo and Zheng have proposed an agent signcryption system based on a discrete logarithm difficult problem, and operation efficiency is than higher.But the shortcoming of this method is: the first, and original sender does not limit the identity of acting on behalf of the sender, and anyone can pretend to be is to act on behalf of the sender; The second, original sender is not to the authority of acting on behalf of the sender and act on behalf of the time limit and limit, and acts on behalf of the sender and can represent original sender to do anything; The 3rd, original sender also can be pretended to be and acted on behalf of the sender and carry out agent signcryption, and other people can't differentiate; The 4th, after acting on behalf of the sender and sending a message, can deny and oneself once do this part thing; The 5th, this system but also need escape way.

Recently, based on the theoretical agent signcryption scheme that has proposed some approved safes of bilinearity pairing of elliptic curve, for example, based on the close scheme of label of pairing.This scheme has guaranteed the fail safe of system, and does not need escape way.This scheme is based on the realization of bilinearity matching method, although people have done a lot of researchs to pairing, pairing is calculated still needs very big amount of calculation, so the efficient that this class scheme realizes under existing understanding is not high.

Summary of the invention

The agent signcryption scheme that relies on safe lane in the prior art is pretended to be easily in order to solve, agent signcryption is difficult for checking, and the agent signcryption computation schemes amount that breaks away from safe lane is too big, shortcoming at the bottom of the efficient the invention provides a kind of agent signcryption method and system.The objective of the invention is the fail safe of the system that guarantees, and remove, improve operation efficiency simultaneously the safe lane dependence.

The invention provides a kind of agent signcryption method, said method comprising the steps of:

Steps A: initialization system parameter;

Step B: act on behalf of the sender and generate the agent signcryption private key according to the letter of attorment that system parameters, the private key of acting on behalf of the sender and original sender generate;

Step C: describedly act on behalf of the sender and generate according to recipient's PKI and described agent signcryption private key and sign close message, and the close message of described label is sent to the recipient;

Step D: the recipient is decrypted the close message of described label, recovers message, and verifies described sender of the message's identity.

Described step B specifically may further comprise the steps:

Step B1: original sender is made a certificate of authority, and with the encrypted private key generation letter of attorment of the described certificate of authority with original sender, sends to then and act on behalf of the sender;

Step B2: after acting on behalf of the sender and receiving letter of attorment, according to the validity of the open key checking letter of attorment of original sender;

Step B3: after checking is passed through, act on behalf of the sender and generate the agent signcryption private key according to letter of attorment.

Described step D specifically may further comprise the steps:

Step D1: after the recipient receives and signs close message, according to the open key of signing close message, original sender with act on behalf of the open key of sender and generate the open key of agent signcryption;

Step D2: the recipient is decrypted signing close message with open key of agent signcryption and recipient's private key, obtains message;

Step D3: the identity of verifying described sender of the message.

It is as follows to generate the close message specific implementation step of label among the described step C:

Step C1: the described PKI pk that acts on behalf of the sender with the recipient _r ^kMessage m is encrypted, promptly act on behalf of the sender and select a random number $k\∈Z_q^{*},$ Z wherein _q ^*Be a multiplicative group, its element comprises more than or equal to 1 and smaller or equal to all integers of q-1,

Calculate t ₁=g ^kMod p,

t ₂＝pk _r ^k?mod?p；

And calculate $c=E_{H_1\left(t_2\right)}\left(m\right),$ H wherein ₁(t ₂) be key;

Step C2: with agent signcryption private key sk _ProMessage c after encrypting is signed,

Calculate e=H ₂(c ‖ t ₁) and s=k+sk _ProE mod q,

Generate and sign close message (ω, r _ω, c, e, s);

Step C3: with the close message of described label (ω, r _ω, c, e s) sends to the recipient.

Described method is further comprising the steps of:

Step e 1: when disputing, the recipient sends to the third party acting on behalf of the allograph of sender to message;

Step e 2: after the third party receives and acts on behalf of the allograph of sender to message, generate the open key of agent signcryption, and encrypting messages is carried out conversion with the open key of described agency;

Step e 3: described third party verifies, checking is acted on behalf of the sender by explanation then and sent agent signcryption to message really to the recipient; Otherwise do not send.

The present invention also provides a kind of agent signcryption system, and described system comprises: the initialization system parameter module, generate private key module, generate message and sign close module and recover message module;

Described initialization system parameter module is used for the initialization system parameter;

Described generation private key module is used to act on behalf of the sender and generates the agent signcryption private key according to the letter of attorment that system parameters, the private key of acting on behalf of the sender and original sender generate;

Described generation message is signed close module and is used for PKI and the described agent signcryption private key generation label close message of the described sender of agency according to the recipient, and the close message of described label is sent to the recipient;

Described recovery message module is used for the recipient the close message of described label is decrypted, and recovers message, and verifies described sender of the message's identity.

Described system also comprises checking agent signcryption module;

Described checking agent signcryption module is used for described agent signcryption is verified.

Described checking agent signcryption module specifically comprises transmission authorization information unit, generates open key unit of agency and authentication unit;

Described transmission authorization information unit is used for the recipient allograph to message is sent to the third party;

The open key unit of described generation agency be used for the third party receive act on behalf of the allograph of sender to message after, generate the open key of agent signcryption, and with described agency openly key encrypting messages is carried out conversion;

Described authentication unit is used for the third party described agent signcryption is verified.

The invention has the beneficial effects as follows:

1, removed dependence, made that the agent signcryption system can practicability safe lane;

2, improved operation efficiency effectively, made that the present invention is easier to be stored the space is little, computing capability is more weak user and to accept;

3, fail safe has obtained guarantee, anyone must not pretend to be and acts on behalf of the sender and sign closely, and acts on behalf of the sender in case message has been carried out signing close, can not deny, contemporary reason sender's identity and authority are restricted, and can not entrust outer message to implement to sign close to original sender.

Description of drawings

Fig. 1 is an agent signcryption method flow chart of the present invention;

Fig. 2 is an agent signcryption system schematic of the present invention.

Embodiment

With embodiment the present invention is further specified below with reference to accompanying drawings, but not as a limitation of the invention.

The entity that technical scheme of the present invention relates to is as follows:

(1) original sender: the agency by agreement sender exercises the entity of signing close power.

(2) act on behalf of the sender: accept the mandate of original sender, represent original sender to send the entity of signing close message to the recipient.

(3) recipient: act on behalf of the reception object that the sender sends message.

(4) third party: the present age, the reason sender denied when once having sent certain message to the recipient, and the recipient can lodge a proof to the third party, carries out ruling by the third party.

Referring to Fig. 1, the invention provides a kind of method of agent signcryption, described method step is as follows:

Steps A: initialization system parameter;

Step 101: the initialization system parameter, concrete assignment procedure is as follows:

At first, select parameter p, q, g, wherein p is a big prime number that is not less than 1024 bits, and q is the prime factor that is not less than 160 bits of p-1, and g is Z _p ^*In the element that rank are q, i.e. a g ^qMod p=1, Z _p ^*Be a multiplicative group, its element comprises more than or equal to 1 and smaller or equal to all integers of p-1;

Set (E _K(.), D _K(.)) be a pair of desirable symmetric cryptography/decipherment algorithm, key is K.

Secondly, select hash function H ₁And H ₂

$H_1:Z_p^{*}\→{\left\{\mathrm{0,1}\right\}}^{*},$ H ₁Be a unidirectional hash function, this function is safe simultaneously, and it is Z _p ^*On a number be mapped to 0,1 character string of a random length, this character string is (E _k(.), D _k(.)) key space K, as the key of symmetric cryptography/decipherment algorithm;

$H_2:{\left\{\mathrm{0,1}\right\}}^{*}\→Z_q^{*},$ H ₂Be another unidirectional hash function, it also is safe, and it is mapped to Z to 0,1 character string of a random length _q ^*, Z _q ^*Be a multiplicative group, its element comprises more than or equal to 1 and smaller or equal to all integers of q-1, m will sign close message, $m\∈Z_p^{*}.$

At last, the key in the selective system is to parameter, and promptly the key of original sender is to (sk _Os, pk _Os), wherein ${\mathrm{pk}}_{\mathrm{os}}=g^{{\mathrm{sk}}_{\mathrm{os}}}\mathrm{mod}p,$ The key of acting on behalf of the sender is to (sk _Ps, pk _Ps), wherein ${\mathrm{pk}}_{\mathrm{ps}}=g^{{\mathrm{sk}}_{\mathrm{ps}}}\mathrm{mod}p,$ With recipient's key to (sk _r, pk _r), wherein ${\mathrm{pk}}_r=g^{{\mathrm{sk}}_r}\mathrm{mod}p,$ ${\mathrm{sk}}_{\mathrm{os}},{\mathrm{sk}}_{\mathrm{ps}},{\mathrm{sk}}_r\∈Z_q^{*}.$ Private key sk is a signature/decruption key, and PKI pk is used for checking/encryption.With (sk _Pro, pk _Pro) represent the key of agent signcryption right, wherein ${\mathrm{pk}}_{\mathrm{pro}}=g^{{\mathrm{sk}}_{\mathrm{pro}}}\mathrm{mod}p.$ Original sender represents that with ω the connection between the character string is represented with ‖ for the certificate of authority of acting on behalf of the sender.

Step B: act on behalf of the sender and generate the agent signcryption private key according to the letter of attorment that system parameters, the private key of acting on behalf of the sender and original sender generate; Concrete steps are as follows:

Step 102: in order to give the authorized agency sender signing close power, original sender need be made a certificate of authority ω, has comprised the scope of message that can agent signcryption among the ω, original sender and act on behalf of sender's identity, and act on behalf of the time limit.

Step 103: with the encrypted private key of certificate of authority ω with original sender, concrete cryptographic algorithm is as follows:

Select a random number $l\∈Z_q^{*},$

Calculate r _ω=g ^lMod p, s _ω=l+sk _OsH ₂(ω ‖ r _ω) mod q,

After the certificate of authority is encrypted, generate letter of attorment (ω, r _ω, s _ω), then by overt channel letter of attorment (ω, r _ω, s _ω) issue and act on behalf of the sender.

Step 104: after acting on behalf of the sender and receiving letter of attorment, the validity of checking letter of attorment is promptly calculated e earlier _ω=H ₂(ω ‖ r _ω),

Check equation again $g^{s_{\mathrm{\ω}}}=r_{\mathrm{\ω}}\·{\mathrm{pk}}_{\mathrm{os}}^{e_{\mathrm{\ω}}}\mathrm{mod}p$ Whether set up, if equation is set up, letter of attorment is effective, otherwise invalid.

Step 105: after acting on behalf of the sender and verifying that letter of attorment effectively, generate the agent signcryption private key according to the private key of letter of attorment and proxy signers, the algorithm that specifically calculates the agent signcryption private key is: sk _Pro=s _ω+ sk _PsH ₂(ω ‖ r _ω) mod q.

Step C: describedly act on behalf of the sender and generate according to recipient's PKI and described agent signcryption private key and sign close message, and the close message of described label is sent to the recipient; Concrete steps are as follows:

Step 106: act on behalf of the sender to the message m ∈ of original sender 0,1} ^*Sign closely, and will sign close message and send to the recipient, detailed process is:

At first, act on behalf of the sender and message is encrypted, promptly with recipient's PKI

Act on behalf of the sender and select a random number $k\∈Z_q^{*},$

Calculate t ₁=g ^kMod p,

t ₂＝pk _r ^k?mod?p；

And calculating generates encrypting messages $c=E_{H_1\left(t_2\right)}\left(m\right),$ H wherein ₁(t ₂) be the occurrence of key K.

Then, encrypting messages c is signed with the agent signcryption private key,

Calculate e=H ₂(c ‖ t ₁) and s=k+sk _ProE mod q,

Generate and sign close message (ω, r _ω, c, e, s);

At last, will sign close message (ω, r by overt channel _ω, c, e s) sends to the recipient.

Step D: the recipient is decrypted the close message of described label, recovers message, and verifies described sender of the message's identity; Concrete steps are as follows:

Step 107: the recipient receives and signs close message (ω, r _ω, c, e, s) after, at first generate the open key of agent signcryption

${\mathrm{pk}}_{\mathrm{pro}}={({\mathrm{pk}}_{\mathrm{os}}\·{\mathrm{pk}}_{\mathrm{ps}})}^{H_2\left(\mathrm{\ω}\right|\left|r_{\mathrm{\ω}}\right)}\·r_{\mathrm{\ω}}\mathrm{mod}p;$

Private key with open key of agent signcryption and recipient is decrypted signing close message then, calculates

$t_1=g^s\·{\mathrm{pk}}_{\mathrm{pro}}^{-e}\mathrm{mod}p,$

$t_2=t_1^{{\mathrm{sk}}_r}\mathrm{mod}p;$

Pass through formula $m=E_{H_1\left(t_2\right)}\left(c\right),$ Recover message m.

Check e=H then ₂(c ‖ t ₁) whether set up, if set up, illustrate that then the sender to the agent signcryption of message m is the described sender of agency really; Otherwise be not.

Step e: described agent signcryption is verified; Concrete steps are as follows:

Step 108: when disputing, need the checking agent signcryption, at this moment the recipient is acting on behalf of allograph (m, the H of sender to message m ₁(t ₂), w, r _w, c, e s) sends the third party to.

Step 109: the third party receives and acts on behalf of allograph (m, the H of sender to message m ₁(t ₂), w, r _w, c, e, s) after, generate the open key of agent signcryption ${\mathrm{pk}}_{\mathrm{pro}}={({\mathrm{pk}}_{\mathrm{os}}\·{\mathrm{pk}}_{\mathrm{ps}})}^{H_2\left(\mathrm{\ω}\right|\left|r_{\mathrm{\ω}}\right)}\·r_{\mathrm{\ω}}\mathrm{pod\; p};$

With the open key of agent signcryption the allograph of message is carried out conversion, obtain $t_1=g^s\·{\mathrm{pk}}_{\mathrm{pro}}^{-e}\mathrm{mod}p.$

Step 110: checking equation e=H ₂(c ‖ t ₁) whether set up, if set up, checking again $m=E_{H_1\left(t_2\right)}\left(c\right)$ Whether set up, two formulas, then explanation is acted on behalf of the sender and sent agent signcryption to message m really to the recipient if all setting up.

Referring to Fig. 2, the present invention also provides a kind of agent signcryption system, and described system comprises: the initialization system parameter module, generate private key module, generate message and sign close module and recover message module;

Described initialization system parameter module is used for the initialization system parameter;

Described generation private key module is used to act on behalf of the sender and generates the agent signcryption private key according to the letter of attorment that system parameters, the private key of acting on behalf of the sender and original sender generate;

Described generation message is signed close module and is used for PKI and the described agent signcryption private key generation label close message of the described sender of agency according to the recipient, and the close message of described label is sent to the recipient;

Described recovery message module is used for the recipient the close message of described label is decrypted, and recovers message, and verifies described sender of the message's identity.

Described system also comprises checking agent signcryption module;

Described checking agent signcryption module is used for described agent signcryption is verified.

Described checking agent signcryption module specifically comprises transmission authorization information unit, generates open key unit of agency and authentication unit;

Described transmission authorization information unit is used for the recipient allograph to message is sent to the third party;

The open key unit of described generation agency be used for the third party receive act on behalf of the allograph of sender to message after, generate the open key of agent signcryption, and with described agency openly key encrypting messages is carried out conversion;

Described authentication unit is used for the third party described agent signcryption is verified.

More than be that preferred implementation of the present invention is described, common variation and replacement that those skilled in the art carries out in the scheme scope of the technology of the present invention all should be included in protection scope of the present invention.

Claims (10)

1. an agent signcryption method is characterized in that, said method comprising the steps of:

Steps A: initialization system parameter;

Step B: act on behalf of the sender and generate the agent signcryption private key according to the letter of attorment that system parameters, the private key of acting on behalf of the sender and original sender generate;

Step C: describedly act on behalf of the sender and generate according to recipient's PKI and described agent signcryption private key and sign close message, and the close message of described label is sent to the recipient;

Step D: the recipient is decrypted the close message of described label, recovers message, and verifies described sender of the message's identity.

2. a kind of agent signcryption method as claimed in claim 1 is characterized in that, described step B specifically may further comprise the steps:

Step B1: original sender is made a certificate of authority, and with the encrypted private key generation letter of attorment of the described certificate of authority with original sender, sends to then and act on behalf of the sender;

Step B2: after acting on behalf of the sender and receiving letter of attorment, according to the validity of the open key checking letter of attorment of original sender;

Step B3: after checking is passed through, act on behalf of the sender and generate the agent signcryption private key according to letter of attorment.

3. a kind of agent signcryption method as claimed in claim 1 or 2 is characterized in that, described step C specifically may further comprise the steps:

Step C1: the described PKI pk that acts on behalf of the sender with the recipient _r ^kMessage m is encrypted, promptly

Act on behalf of the sender and select a random number $k\∈Z_q^{*},$ Z wherein _q ^*Be a multiplicative group, its element comprises more than or equal to 1 and smaller or equal to all integers of q-1,

Calculate t ₁=g ^kMod p,

t ₂＝pk _r ^k?mod?p；

And calculating encrypting messages $c=E_{H_1\left(t_2\right)}\left(m\right),$ H wherein ₁(t ₂) be key;

Step C2: with agent signcryption private key sk _ProC signs to encrypting messages,

Calculate e=H ₂(c ‖ t ₁) and s=k+sk _ProE mod q,

Generate and sign close message (ω, r _ω, c, e, s);

Step C3: with the close message of described label (ω, r _ω, c, e s) sends to the recipient.

4. a kind of agent signcryption method as claimed in claim 1 or 2 is characterized in that, described step D specifically may further comprise the steps:

Step D1: after the recipient receives and signs close message, according to the open key of signing close message, original sender with act on behalf of the open key of sender and generate the open key of agent signcryption;

Step D2: the recipient is decrypted signing close message with open key of agent signcryption and recipient's private key, obtains message;

Step D3: the identity of verifying described sender of the message.

5. a kind of agent signcryption method as claimed in claim 3 is characterized in that, described step D specifically may further comprise the steps:

Step D1: after the recipient receives and signs close message, according to the open key of signing close message, original sender with act on behalf of the open key of sender and generate the open key of agent signcryption;

Step D2: the recipient is decrypted signing close message with open key of agent signcryption and recipient's private key, obtains message;

Step D3: the identity of verifying described sender of the message.

6. a kind of agent signcryption method as claimed in claim 1 or 2 is characterized in that, described method is further comprising the steps of:

Step e 1: when disputing, the recipient sends to the third party acting on behalf of the allograph of sender to message;

Step e 2: after the third party receives and acts on behalf of the allograph of sender to message, generate the open key of agent signcryption, and encrypting messages is carried out conversion with the open key of described agency;

Step e 3: described third party verifies, checking is acted on behalf of the sender by explanation then and sent agent signcryption to message really to the recipient; Otherwise do not send.

7. a kind of agent signcryption method as claimed in claim 4 is characterized in that, described method is further comprising the steps of:

Step e 1: when disputing, the recipient sends to the third party acting on behalf of the allograph of sender to message;

Step e 2: after the third party receives and acts on behalf of the allograph of sender to message, generate the open key of agent signcryption, and encrypting messages is carried out conversion with the open key of described agency;

Step e 3: described third party verifies, checking is acted on behalf of the sender by explanation then and sent agent signcryption to message really to the recipient; Otherwise do not send.

8. an agent signcryption system is characterized in that, described system comprises: initialization system parameter module, generation private key module, generation message are signed close module and are recovered message module;

Described initialization system parameter module is used for the initialization system parameter;

Described generation private key module is used to act on behalf of the sender and generates the agent signcryption private key according to the letter of attorment that system parameters, the private key of acting on behalf of the sender and original sender generate;

Described generation message is signed close module and is used for PKI and the described agent signcryption private key generation label close message of the described sender of agency according to the recipient, and the close message of described label is sent to the recipient;

Described recovery message module is used for the recipient the close message of described label is decrypted, and recovers message, and verifies described sender of the message's identity.

9. a kind of agent signcryption as claimed in claim 8 system is characterized in that described system also comprises checking agent signcryption module;

Described checking agent signcryption module is used for described agent signcryption is verified.

10. a kind of agent signcryption as claimed in claim 9 system is characterized in that, described checking agent signcryption module specifically comprises and sends the authorization information unit, generates open key unit of agency and authentication unit;

Described transmission authorization information unit is used for the recipient allograph to message is sent to the third party;

The open key unit of described generation agency be used for the third party receive act on behalf of the allograph of sender to message after, generate the open key of agent signcryption, and with described agency openly key encrypting messages is carried out conversion;

Described authentication unit is used for the third party described agent signcryption is verified.

Images