CN101527629A - Hierarchical identity-based encryption and signature schemes - Google Patents


Info

Publication number: CN101527629A
Authority: CN (China)
Prior art keywords: entity, value, ciphertext, pkg, element
Application number: CN 200810183756
Other languages: Chinese (zh)
Inventors: Craig B. Gentry, Alice Silverberg
Original assignee: NTT DoCoMo, Inc.
Priority claims: US 60/366,292 (filed March 21, 2002); US 60/366,196 (filed March 21, 2002); US 10/384,328; CN 03803910.9
Application filed by: NTT DoCoMo, Inc.
Publication: CN101527629A


Abstract

The present invention provides hierarchical identity-based encryption and signature schemes. Methods are provided for encoding and decoding a digital message between a sender and a recipient in a system including a plurality of private key generators (PKGs). The PKGs include at least a root PKG and n lower-level PKGs in the hierarchy between the root PKG and the recipient. A root key generation secret is selected and is known only to the root PKG (102). A root key generation parameter (104) is generated based on the root key generation secret. A lower-level key generation secret is selected for each of the n lower-level PKGs, wherein each lower-level key generation secret is known only to its associated lower-level PKG (106). A lower-level key generation parameter (108) also is generated for each of the n lower-level PKGs using at least the lower-level key generation secret for its associated lower-level PKG.

Description

Hierarchical identity-based encryption and signature schemes

This application is a divisional application of invention patent application No. 03803910.9, filed March 18, 2003, entitled "Hierarchical identity-based encryption and signature schemes".

RELATED APPLICATIONS

The applicant hereby claims priority under 35 U.S.C. §119(e) to provisional U.S. patent application 60/366,292, filed March 21, 2002, and provisional U.S. patent application 60/366,196, filed March 21, 2002, both of which are incorporated herein by reference.

TECHNICAL FIELD

The present invention relates generally to cryptography and to secure communication over computer networks or other types of systems and devices, and more particularly to hierarchical identity-based schemes for encrypting and decrypting communications.

BACKGROUND

Roughly speaking, an identity-based cryptosystem is a public key cryptosystem in which an entity's public key is derived from information associated with the entity's identity. For example, the identity information may be personal information (name, address, e-mail address, etc.) or computer information (IP address, etc.). Identity information need not, however, be limited to information strictly tied to the entity's identity; it may also include widely available information such as a time or date. That is, what matters about the notion of identity information is not its strict relationship to the entity's identity, but that anyone wishing to send an encrypted message to the entity can obtain it easily.

An entity's private key is generated and distributed by a trusted party or logical process, commonly called a private key generator ("PKG"). The PKG uses a master secret to generate private keys. Because an entity's public key can be inferred from its identity, when Alice wants to send a message to Bob she does not have to retrieve Bob's public key from a database; she derives it directly from Bob's identifying information. Public key databases become unnecessary, and certification authorities ("CAs") are not needed either. There is no need to "bind" Bob's identity to his public key, because his identity is his public key.

The concept of an identity-based system is not new. It was proposed in A. Shamir, "Identity-Based Cryptosystems and Signature Schemes", ADVANCES IN CRYPTOGRAPHY - CRYPTO '84, Lecture Notes in Computer Science 196 (1984), Springer, 47-53. However, practical identity-based encryption schemes had not been found until recently. For example, identity-based schemes are proposed in C. Cocks, "An Identity-Based Encryption Scheme Based on Quadratic Residues", available at http://www.cesg.gov.uk/technology/id-pkc/media/ciren.pdf; D. Boneh, M. Franklin, "Identity Based Encryption from the Weil Pairing", ADVANCES IN CRYPTOGRAPHY - CRYPTO 2001, Lecture Notes in Computer Science 2139 (2001), Springer, 213-229; and D. Boneh, M. Franklin, "Identity Based Encryption from the Weil Pairing (extended version)", available at http://www.cs.stanford.edu/~dabo/papers/ibe.pdf. Cocks's scheme is based on the "quadratic residuosity problem", and although encryption and decryption are reasonably fast (about the speed of RSA), there is significant message expansion (i.e., the bit length of the ciphertext is many times the bit length of the plaintext). The Boneh-Franklin scheme bases its security on the "bilinear Diffie-Hellman problem", and it is quite fast and efficient when using the Weil or Tate pairing on supersingular elliptic curves or abelian varieties.

However, the known identity-based encryption schemes have a significant shortcoming: they are not hierarchical. In non-identity-based public key cryptography it is already possible to set up a hierarchy of CAs, in which a root CA issues certificates to other CAs, which in turn issue certificates to users in particular domains. This is desirable because it reduces the workload of the root CA. A practical hierarchical scheme for identity-based cryptography has not yet been developed.

Ideally, a hierarchical identity-based encryption scheme would involve a hierarchy of logical or actual PKGs. For example, a root PKG may issue private keys to other PKGs, which in turn issue private keys to users in particular domains. At the same time, as long as the sender has obtained the public parameters of the root PKG, it can send an encrypted message without looking up the recipient's public key or lower-level public parameters online, even if the sender is not in the system at all. Another advantage of a hierarchical identity-based encryption scheme is damage control. For example, disclosure of a domain PKG's secret does not compromise the secrets of higher-level PKGs, nor the secrets of any other PKGs that are not direct descendants of the compromised domain PKG. The schemes of Cocks and Boneh-Franklin do not have these properties.

A secure and practical hierarchical identity-based encryption scheme has not yet been developed. A hierarchical identity-based key-sharing scheme with partial collusion resistance was proposed in G. Hanaoka, T. Nishioka, Y. Zheng, H. Imai, "An Efficient Hierarchical Identity-Based Key-Sharing Method Resistant Against Collusion Attacks", ADVANCES IN CRYPTOGRAPHY - ASIACRYPT 1999, Lecture Notes in Computer Science 1716 (1999), Springer, 348-362; and G. Hanaoka, T. Nishioka, Y. Zheng, H. Imai, "A Hierarchical Non-Interactive Key-Sharing Scheme With Low Memory Size and High Resistance Against Collusion Attacks", to appear in THE COMPUTER JOURNAL. In addition, an introduction to hierarchical identity-based encryption is given in J. Horwitz, B. Lynn, "Toward Hierarchical Identity-Based Encryption", to appear in ADVANCES IN CRYPTOGRAPHY - EUROCRYPT 2002, Lecture Notes in Computer Science, Springer. Horwitz and Lynn proposed a two-level hierarchical scheme with total collusion resistance at the first level and partial collusion resistance at the second level (i.e., users can collude to obtain the secret of their domain PKG and thereafter masquerade as the domain PKG). However, the complexity of the Horwitz-Lynn system increases with the collusion resistance at the second level, and therefore the scheme cannot be both practical and secure.

Accordingly, there is a need for a secure and practical hierarchical identity-based encryption scheme. It is an object of the present invention to provide a secure and practical hierarchical identity-based encryption scheme. It is another object of the present invention to provide a secure and practical hierarchical identity-based signature scheme. It is another object of the present invention that the encryption and signature schemes be fully scalable. It is another object of the present invention that the encryption and signature schemes have total collusion resistance on an arbitrary number of levels, and that they have chosen-ciphertext security in the random oracle model.

SUMMARY OF THE INVENTION

In accordance with the present invention, methods are provided for implementing secure and practical hierarchical identity-based encryption and signature schemes.

According to one aspect of the present invention, a method is provided for encoding and decoding a digital message between a sender and a recipient in a system including a plurality of private key generators ("PKGs"). The PKGs include at least a root PKG and n lower-level PKGs in the hierarchy between the root PKG and the recipient, where n ≥ 1. A root key generation secret is selected and is known only to the root PKG. A root key generation parameter is generated based on the root key generation secret. A lower-level key generation secret is selected for each of the n lower-level PKGs, wherein each lower-level key generation secret is known only to its associated lower-level PKG. A lower-level key generation parameter is also generated for each of the n lower-level PKGs using at least the lower-level key generation secret for its associated lower-level PKG. The message is encoded to form a ciphertext using at least the root key generation parameter and recipient identity information. A recipient private key is generated such that the recipient private key is related to at least the root key generation secret, one or more of the n lower-level key generation secrets associated with the n lower-level PKGs in the hierarchy between the root PKG and the recipient, and the recipient identity information. The ciphertext is decoded to recover the message using at least the recipient private key.

According to another aspect of the present invention, a method is provided for encoding and decoding a digital message between a sender and a recipient in a system including a plurality of private key generators ("PKGs"). The PKGs include at least a root PKG, m lower-level PKGs in the hierarchy between the root PKG and the sender, where m ≥ 1, n lower-level PKGs in the hierarchy between the root PKG and the recipient, where n ≥ 1, and PKG_l, a common ancestor PKG of both the sender and the recipient. In this hierarchy, l of the m private key generators are common ancestors of both the sender and the recipient, where l ≥ 1.

According to this aspect of the invention, a lower-level key generation secret is selected for each of the m lower-level PKGs in the hierarchy between the root PKG and the sender. A sender private key is generated such that the sender private key is related to at least the root key generation secret, one or more of the m lower-level key generation secrets associated with the m lower-level PKGs in the hierarchy between the root PKG and the sender, and sender identity information. A recipient private key is generated such that the recipient private key is related to at least the root key generation secret, one or more of the n lower-level key generation secrets associated with the n lower-level PKGs in the hierarchy between the root PKG and the recipient, and recipient identity information. The message is encoded using at least the recipient identity information, the sender private key, and zero or more of the lower-level key generation parameters associated with the (m - l + 1) private key generators at or below the level of the common ancestor PKG_l, but without using any of the lower-level key generation parameters associated with the (l - 1) PKGs above the common ancestor PKG_l. The message is decoded using at least the sender identity information, the recipient private key, and zero or more of the lower-level key generation parameters associated with the (n - l + 1) private key generators at or below the level of the common ancestor PKG_l, but without using any of the lower-level key generation parameters associated with the (l - 1) PKGs above the common ancestor PKG_l.

According to another aspect of the present invention, a method is provided for generating and verifying a digital signature of a message between a sender and a recipient in a system including a plurality of PKGs. The PKGs include at least a root PKG and n lower-level PKGs in the hierarchy between the root PKG and the sender, where n ≥ 1. A root key generation secret is selected and is known only to the root PKG. A root key generation parameter is generated based on the root key generation secret. A lower-level key generation secret is selected for each of the n lower-level PKGs, wherein each lower-level key generation secret is known only to its associated lower-level PKG. A lower-level key generation parameter is also generated for each of the n lower-level PKGs using at least the lower-level key generation secret for its associated lower-level PKG. A private key is generated for the sender such that the private key is related to at least the root key generation secret and sender identity information. The message is signed using at least the sender private key to generate a digital signature. The digital signature is verified using at least the root key generation parameter and the sender identity information.

BRIEF DESCRIPTION OF THE DRAWINGS

The following description of preferred embodiments of the invention refers to the accompanying drawings, in which:

FIG. 1 shows a flow diagram illustrating a method of encoding and decoding a digital message according to one presently preferred embodiment of the invention;

FIG. 2 shows a flow diagram illustrating a method of encoding and decoding a digital message between a sender y and a recipient z according to another presently preferred embodiment of the invention;

FIG. 3 shows a block diagram illustrating a typical hierarchical structure in which the method of FIG. 2 may be performed;

FIG. 4 shows a flow diagram illustrating a method of encoding and decoding a digital message M communicated between a sender y and a recipient z according to another presently preferred embodiment of the invention;

FIG. 5 shows a flow diagram illustrating a method of encoding and decoding a digital message M communicated between a sender y and a recipient z according to another presently preferred embodiment of the invention;

FIG. 6 shows a flow diagram illustrating a method of encoding and decoding a digital message M communicated between a sender y and a recipient z according to another presently preferred embodiment of the invention;

FIG. 7 shows a flow diagram illustrating a method of generating and verifying a digital signature according to another presently preferred embodiment of the invention;

FIG. 8 shows a flow diagram illustrating a method of generating and verifying a digital signature of a digital message M communicated between a sender y and a recipient z according to another presently preferred embodiment of the invention; and

FIG. 9 shows a flow diagram illustrating a method of generating and verifying a digital signature Sig of a digital message M communicated between a sender y and a recipient z according to another presently preferred embodiment of the invention.

DETAILED DESCRIPTION

The presently preferred methods of the invention provide secure and practical hierarchical identity-based encryption ("HIDE") and signature ("HIDS") schemes. The hierarchical schemes are fully scalable, have total collusion resistance on an arbitrary number of levels, and have chosen-ciphertext security in the random oracle model. These objectives are achieved, in part, by introducing additional random information at each of the lower-level PKGs. One intuitively surprising aspect of these schemes is that, even though the lower-level PKGs generate additional random information, this does not necessitate adding public parameters below the root level of the hierarchy. In addition, the random information generated by the lower-level PKGs does not adversely affect the ability of senders to encrypt messages.

Each of the HIDE and HIDS schemes of the present invention requires a hierarchy of PKGs, including at least one root PKG and a plurality of lower-level PKGs. The hierarchy and the lower-level PKGs may be logical or actual. For instance, a single entity may generate both a root key generation secret and the lower-level key generation secrets from which the encryption or signature keys of lower-level users are generated. In this case, the lower-level PKGs are not separate entities, but are merely processes or information arranged in a logical hierarchy and used to generate keys for descendant PKGs and users in the hierarchy. Alternatively, each lower-level PKG may be a separate entity. Another alternative involves a hybrid of actual and logical lower-level PKGs. For purposes of this disclosure, the phrase "lower-level PKG" is used generically to refer to any of these alternatives.

In the context of the hierarchical identity-based cryptosystems disclosed herein, identity-based public keys may be based on time periods. For instance, a particular recipient's identity may change with each succeeding time period. Alternatively, a recipient may arrange the time periods as its own children or descendants in the hierarchy, and a sender would use the identity of the proper time period when encoding the message. Either way, each key is valid for messages to Bob only during the associated time period.

The HIDE schemes of the present invention generally include five randomized algorithms: Root Setup, Lower-level Setup, Extraction, Encryption, and Decryption. Three of these algorithms rely upon the identities of the relevant entities in the hierarchy. Each user preferably has a position in the hierarchy that may be defined by its ID-tuple (ID_1, ..., ID_t). The user's ancestors in the hierarchy are the root PKG and the users or PKGs whose ID-tuples are {(ID_1, ..., ID_i) : 1 ≤ i ≤ (t - 1)}. For purposes of computation, the ID-tuples preferably are represented as binary strings.

In the Root Setup algorithm, the root PKG uses a security parameter k to generate public system parameters params and a root key generation secret. The system parameters include a description of the message space 𝓜 and the ciphertext space 𝓒. The system parameters are publicly available, but only the root PKG knows the root key generation secret.

In the Lower-level Setup algorithm, each lower-level PKG preferably generates its own lower-level key generation secret for purposes of extraction. Alternatively, a lower-level PKG may generate a one-time secret for each extraction.

In the Extraction algorithm, a PKG (whether the root PKG or a lower-level PKG) generates a private key for any of its descendants. The private key is generated using the system parameters, the generating PKG's private key, and preferably any other secret information.

In the Encryption algorithm, a sender receives the system parameters from the root PKG, preferably via some secure means outside the present system. The sender does not need to receive any of the lower-level key generation parameters. The sender encodes a message M ∈ 𝓜 using params and the ID-tuple of the intended recipient to generate a ciphertext C ∈ 𝓒. Conversely, in the Decryption algorithm, the recipient decodes the ciphertext C using params and the recipient's private key d to recover the message M.

Encryption and Decryption preferably satisfy the standard consistency constraint: ∀ M ∈ 𝓜: Decryption(params, d, C) = M, where C = Encryption(params, ID-tuple, M).

Like the HIDE schemes, the HIDS schemes of the present invention generally include five randomized algorithms: Root Setup, Lower-level Setup, Extraction, Signing, and Verification. For Root Setup, the system parameters are supplemented to include a description of the signature space 𝓢. Lower-level Setup and Extraction preferably are the same as in the HIDE algorithms described above.

In the Signing algorithm, the sender of a digital message signs the message M ∈ 𝓜 using params and the sender's private key d to generate a signature S ∈ 𝓢. In the Verification algorithm, the recipient of the signed message verifies the signature S using params and the ID-tuple of the sender. The Verification algorithm preferably outputs "valid" or "invalid". Signing and Verification also preferably satisfy a consistency constraint: ∀ M ∈ 𝓜: Verification(params, ID-tuple, M, S) = "valid", where S = Signing(params, d, M).
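The five HIDE algorithms and the Signing/Verification pair described above, as an added, executable example that is not part of this patent text. It assumes the concrete instantiation of the published Gentry-Silverberg construction, which this page does not spell out: P_i = H1(ID_1, ..., ID_i), the private key of a level-t entity is S_t = Σ_{i=1..t} s_{i-1} P_i together with Q_i = s_i P_0 for the lower-level ancestors, and encryption/decryption and signing/verification use the bilinear-map identities below. The elliptic-curve pairing is replaced by an insecure toy map (integer multiplication modulo a prime, with G1 and G2 both modelled as Z_q) so that the extraction chain and the decryption and verification identities can be run offline; the function names, the ROOT_KEY convention, and the example.com hierarchy are this example's own.

```python
"""Executable toy walk-through of the HIDE algorithms (Root Setup, Lower-level
Setup, Extraction, Encryption, Decryption) and the HIDS pair (Signing,
Verification).  Assumed, not stated on this page: the formulas follow the
published Gentry-Silverberg BasicHIDE / BasicHIDS construction, with
P_i = H1(ID_1..ID_i), private key S_t = sum_{i=1..t} s_{i-1}*P_i and
Q_i = s_i*P0 for 1 <= i < t.
INSECURE TOY PAIRING: G1 is modelled as Z_q (a "point" is its own discrete
log) and G2 as Z_q written additively, so e(a, b) = a*b mod q.  The map is
bilinear, which is all the correctness identities need, but gives no security.
"""
import hashlib
import secrets

Q = 2**127 - 1       # prime group order (the Mersenne prime M127)
P0 = 2               # public generator of the toy G1 (any non-zero value works)
ROOT_KEY = (0, [])   # the root's own "private key": S_0 = 0 and no Q_i

def pair(a, b):
    """Toy bilinear map e: G1 x G1 -> G2 with e(x*a, y*b) = e(a, b)^(x*y)."""
    return (a * b) % Q

# G2 is additive in the toy, so the paper's G2 product / quotient / power are:
def g2_mul(x, y): return (x + y) % Q
def g2_div(x, y): return (x - y) % Q
def g2_pow(x, r): return (x * r) % Q

def h1(*id_prefix):
    """H1: {0,1}^* -> G1, applied to an ID-tuple prefix (ID_1..ID_i)."""
    d = hashlib.sha256("\x00".join(id_prefix).encode()).digest()
    return int.from_bytes(d, "big") % Q

def h2(g2_elem, n):
    """H2: G2 -> {0,1}^n, the one-time mask for an n-byte message."""
    return hashlib.shake_256(g2_elem.to_bytes(16, "big")).digest(n)

def h3(id_tuple, msg):
    """H3: (ID-tuple, M) -> G1, used by Signing."""
    d = hashlib.sha256("\x00".join(id_tuple).encode() + b"\x00" + msg).digest()
    return int.from_bytes(d, "big") % Q

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def root_setup():
    """Root Setup: public params (P0, Q0 = s0*P0); s0 stays with the root PKG."""
    s0 = secrets.randbelow(Q - 1) + 1
    return {"P0": P0, "Q0": (s0 * P0) % Q}, s0

def lower_setup():
    """Lower-level Setup: a lower-level PKG (or a signer) picks its own secret."""
    return secrets.randbelow(Q - 1) + 1

def extract(params, parent_key, parent_secret, child_ids):
    """Extraction by the level-(t-1) PKG for the child ID-tuple (ID_1..ID_t):
    S_t = S_{t-1} + s_{t-1}*P_t, and the child also learns Q_{t-1} = s_{t-1}*P0
    (omitted when the parent is the root, whose Q0 is already in params)."""
    s_parent, q_list = parent_key
    s_child = (s_parent + parent_secret * h1(*child_ids)) % Q
    if len(child_ids) == 1:
        return s_child, []
    return s_child, q_list + [(parent_secret * params["P0"]) % Q]

def encrypt(params, id_tuple, msg):
    """Encryption: needs only the root params and the recipient's ID-tuple."""
    p = [h1(*id_tuple[:i + 1]) for i in range(len(id_tuple))]      # P_1..P_t
    r = secrets.randbelow(Q - 1) + 1
    g_r = g2_pow(pair(params["Q0"], p[0]), r)                      # g^r, g = e(Q0, P1)
    u = [(r * params["P0"]) % Q] + [(r * pi) % Q for pi in p[1:]]  # rP0, rP2, .., rPt
    return u, xor(msg, h2(g_r, len(msg)))

def decrypt(params, key, u, v):
    """Decryption: g^r = e(U0, S_t) / prod_{i=2..t} e(Q_{i-1}, U_i)."""
    s_t, q_list = key
    g_r = pair(u[0], s_t)
    for i in range(1, len(u)):
        g_r = g2_div(g_r, pair(q_list[i - 1], u[i]))
    return xor(v, h2(g_r, len(v)))

def sign(params, id_tuple, key, own_secret, msg):
    """Signing: Sig = S_t + s_t*H3(ID-tuple, M); the signer publishes Q_t = s_t*P0."""
    s_t, q_list = key
    sig = (s_t + own_secret * h3(id_tuple, msg)) % Q
    return sig, q_list + [(own_secret * params["P0"]) % Q]        # (Sig, Q_1..Q_t)

def verify(params, id_tuple, msg, signature):
    """Verification: e(P0, Sig) == e(Q0, P1) * prod_{i=2..t} e(Q_{i-1}, P_i) * e(Q_t, P_M).
    Q0 is taken from params, never from the signature, or a forger could swap it."""
    sig, q_list = signature
    t = len(id_tuple)
    if len(q_list) != t:
        return False
    p = [h1(*id_tuple[:i + 1]) for i in range(t)]
    rhs = pair(params["Q0"], p[0])
    for i in range(1, t):
        rhs = g2_mul(rhs, pair(q_list[i - 1], p[i]))
    rhs = g2_mul(rhs, pair(q_list[t - 1], h3(id_tuple, msg)))
    return pair(params["P0"], sig) == rhs

if __name__ == "__main__":   # constructed demo hierarchy: root -> example.com -> alice
    params, s0 = root_setup()
    s_dom = lower_setup()
    dom_key = extract(params, ROOT_KEY, s0, ("example.com",))
    alice = ("example.com", "alice")
    alice_key = extract(params, dom_key, s_dom, alice)
    u, v = encrypt(params, alice, b"hello alice")      # the sender holds only params
    print(decrypt(params, alice_key, u, v))
    sig = sign(params, alice, alice_key, lower_setup(), b"hello alice")
    print(verify(params, alice, b"hello alice", sig))
```

Three points from the text are visible in the code: the sender calls encrypt with nothing but params and the recipient's ID-tuple, so no public parameters exist below the root; the random secrets s_t chosen by lower-level PKGs surface only as the Q_i carried inside private keys and signatures; and a sibling key (same domain PKG, different ID) does not decrypt, because its S_t is built from a different P_t. The verifier must take Q0 from params rather than trusting a Q0 supplied with the signature.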

HIDE与HIDS方案的安全性 Security HIDE and HIDS schemes

下面将分别针对HIDE和HIDS来说明实现了本发明的方案的安全性。 The following will be described for the HIDE and HIDS schemes of security achieved the present invention. 在基于身份的非分级加密技术环境下人们已经注意到,必须为基于身份的系统加强选定密文安全性的标准定义。 In the non-hierarchical identity-based encryption technology environment it has been noted, the standard definition of security must be selected ciphertext to strengthen the identity-based systems. 这是因为,为了进行安全性分析,应该假定一个敌对方能够获得与其选择的任意身份相关的私有密钥(除了受到攻击的特定身份以外)。 This is because, for security analysis, should assume a hostile parties can obtain the identity of any of its related to the selected private key (in addition to the specific identity of being attacked). 这一点同样适用于基于身份的分级加密技术。 This also applies to hierarchical identity-based encryption technology. 因此,为了确保本发明的HIDE方案是具有选定密文安全的,就可以让一个模拟攻击者进行密钥抽取查询。 Therefore, to ensure HIDE aspect of the invention is a chosen ciphertext secure, you can make a simulated attacker key extraction query. 同时,还要允许该模拟敌对方选择其所希望挑战的身份。 At the same time, but also to allow the analog adversary choose their identity challenge of hope.

It should also be noted that an adversary may select the identity of its target adaptively or non-adaptively. An adversary that selects its target adaptively first makes hash (public key) queries and extraction queries, and then chooses its target on the basis of the results of those queries. Such an adversary has no particular target when it begins its attack; rather, it succeeds as long as it can break someone. A non-adaptive adversary, on the other hand, does not choose its target on the basis of the results of its hash and extraction queries. For example, such an adversary may target a personal enemy. The adversary still makes hash and extraction queries, but its choice of target is based strictly on the identity of the target, not on the results of the queries. Clearly, security against adversaries that select their targets adaptively is the stronger, and therefore the preferable, notion of security. However, the security analysis of the HIDE schemes of the present invention addresses both types of security.

A HIDE scheme is said to be semantically secure against adaptive chosen ciphertext and adaptive chosen target attack if no polynomially bounded adversary A has a non-negligible advantage against the challenger in the following game.

Setup: The challenger takes a security parameter k and runs the Root Setup algorithm. It gives the adversary the resulting system parameters params. It keeps the root key generation secret to itself.

Phase 1: The adversary issues queries q_1, ..., q_m, where q_i is one of the following:

1. Public key query (ID-tuple_i): The challenger runs a hash algorithm on ID-tuple_i to obtain the public key H(ID-tuple_i) corresponding to ID-tuple_i.

2. Extraction query (ID-tuple_i): The challenger runs the Extraction algorithm to generate the private key d_i corresponding to ID-tuple_i, and sends d_i to the adversary.

3. Decryption query (ID-tuple_i, C_i): The challenger runs the Extraction algorithm to generate the private key d_i corresponding to ID-tuple_i, runs the Decryption algorithm to decrypt C_i using d_i, and sends the resulting plaintext to the adversary.

These queries may be asked adaptively. In addition, the queried ID-tuple_i may correspond to a position at any level of the hierarchy.

Challenge: Once the adversary decides that Phase 1 is over, it outputs two equal-length plaintexts M_0, M_1 ∈ M and an ID-tuple on which it wishes to be challenged. The only constraint is that neither this ID-tuple nor any of its ancestors appears in any private key extraction query in Phase 1. The challenger picks a random bit b ∈ {0, 1} and sets C = Encryption(params, ID-tuple, M_b). It sends C to the adversary as the challenge.

Phase 2: The adversary issues more queries q_(m+1), ..., q_n, where q_i is one of the following:

1. Public key query (ID-tuple_i): The challenger responds as in Phase 1.

2. Extraction query (ID-tuple_i): The challenger responds as in Phase 1.

3. Decryption query (C, ID-tuple_i): The challenger responds as in Phase 1.

The queries in Phase 2 are restricted as follows: the adversary may not issue an extraction query on the ID-tuple associated with the challenge ciphertext C, or a decryption query on that ID-tuple together with the ciphertext C. The same restriction applies to all ancestors of that ID-tuple.

Guess: The adversary outputs a guess b' ∈ {0, 1}. The adversary wins the game if b = b'. The adversary's advantage in attacking the scheme is defined as |Pr[b = b'] − 1/2|.

A HIDE scheme is said to be a one-way encryption scheme if no polynomial-time adversary has a non-negligible advantage in the following game. In this game the adversary A is given a random public key K_pub and a ciphertext C, which is the encryption of a random message M under K_pub, and outputs a guess for the plaintext. If ε is the probability that A outputs M, then the adversary is said to have advantage ε against the scheme. The game proceeds as follows:

Setup: The challenger takes a security parameter k and runs the Root Setup algorithm. It gives the adversary the resulting system parameters params. It keeps the root key generation secret to itself.

Phase 1: The adversary makes public key and/or extraction queries as in Phase 1 of the chosen-ciphertext security analysis above.

Challenge: Once the adversary decides that Phase 1 is over, it outputs a new ID-tuple ID on which it wishes to be challenged. The challenger picks a random M ∈ M and sets C = Encryption(params, ID-tuple, M). It sends C to the adversary as the challenge.

Phase 2: The adversary issues more public key queries and more extraction queries on identities other than ID and its ancestors, and the challenger responds as in Phase 1.

Guess: The adversary outputs a guess M' ∈ M. The adversary wins the game if M = M'. The adversary's advantage in attacking the scheme is defined as Pr[M = M'].

The schemes of the present invention are secure against the challenges described above. In addition, the HIDS schemes of the present invention are secure against existential forgery on adaptively chosen messages. Even after (adaptively) obtaining the target's signatures on messages of the adversary's choosing, the adversary cannot forge the target's signature on any other message that the target has not previously signed.

A HIDS adversary also has the ability to make public key queries and private key extraction queries on entities other than its target and the target's ancestors, as well as the ability to choose its target. As with HIDE, the adversary's choice of target may be adaptive or non-adaptive.

Pairings

The presently preferred HIDE and HIDS schemes of the present invention are based on pairings, for example the Weil or Tate pairing associated with elliptic curves or abelian varieties. The methods may also be based on the Bilinear Diffie-Hellman problem. They use two cyclic groups Γ1 and Γ2, which preferably have the same prime order q. The first group Γ1 is preferably a group of points on an elliptic curve or abelian variety, and the group law on Γ1 may be written additively. The second group Γ2 is preferably a multiplicative subgroup of a finite field, and the group law on Γ2 may be written multiplicatively. However, other types of groups may be used as Γ1 and Γ2 consistent with the present invention.

The methods also use a generator P_0 of the first group Γ1. In addition, a pairing or function ê: Γ1 × Γ1 → Γ2 is provided for mapping two elements of the first group Γ1 to an element of the second group Γ2. The function ê preferably satisfies three conditions. First, the function ê is preferably bilinear: if Q and R are in Γ1 and a and b are integers, then ê(aQ, bR) = ê(Q, R)^(ab). Second, the function ê is preferably non-degenerate, so that the map does not send all pairs in Γ1 × Γ1 to the identity in Γ2. Third, the function ê is preferably efficiently computable. A function ê that satisfies these three conditions is considered to be admissible.

The function ê is preferably also symmetric, so that ê(Q, R) = ê(R, Q) for all Q, R ∈ Γ1. Symmetry, however, follows directly from bilinearity and the fact that Γ1 is a cyclic group. The Weil and Tate pairings associated with supersingular elliptic curves or abelian varieties can be modified according to methods known in the art to create such bilinear maps. However, even though referring to the elements of the first cyclic group Γ1 as "points" may suggest that the function ê is a modified Weil or Tate pairing, it should be noted that any admissible pairing ê will work.

The security of the HIDE and HIDS schemes of the present invention is based primarily on the Bilinear Diffie-Hellman problem. The Bilinear Diffie-Hellman problem is that of finding ê(P, P)^(abc) given a randomly chosen P ∈ Γ1, as well as aP, bP and cP (for unknown randomly chosen a, b, c ∈ Z/qZ). Solving the Diffie-Hellman problem in Γ1 solves the Bilinear Diffie-Hellman problem because ê(P, P)^(abc) = ê(abP, cP). Similarly, solving the Diffie-Hellman problem in Γ2 solves the Bilinear Diffie-Hellman problem because, if g = ê(P, P), then g^(abc) = (g^(ab))^c, where g^(ab) = ê(aP, bP) and g^c = ê(P, cP).

For the Bilinear Diffie-Hellman problem to be hard, Γ1 and Γ2 should be chosen so that there is no known algorithm for efficiently solving the Diffie-Hellman problem in either Γ1 or Γ2.

A randomized algorithm IG is a Bilinear Diffie-Hellman generator if it takes a security parameter k > 0, runs in time polynomial in k, and outputs the description of two groups Γ1 and Γ2 and the description of an admissible pairing ê: Γ1 × Γ1 → Γ2, where the two groups preferably have the same prime order q. If IG is a Bilinear Diffie-Hellman parameter generator, the advantage Adv_IG(B) that an algorithm B has in solving the Bilinear Diffie-Hellman problem is defined to be the probability that the algorithm B outputs ê(P, P)^(abc) when the inputs to the algorithm are Γ1, Γ2, ê, P, aP, bP and cP, where (Γ1, Γ2, ê) is the output of IG for a sufficiently large security parameter k, P is a random generator of Γ1, and a, b and c are random elements of Z/qZ. The assumption underlying the Bilinear Diffie-Hellman problem is that Adv_IG(B) is negligible for all efficient algorithms B.

HIDE Schemes

Referring now to the drawings, the flowchart shown in FIG. 1 illustrates a method of encoding and decoding a digital message according to one presently preferred embodiment of the present invention. The method is performed in a HIDE system that includes a plurality of PKGs. The PKGs include at least a root PKG and n lower-level PKGs in the hierarchy between the root PKG and the recipient, where n ≥ 1.

In block 102, the root PKG selects a root key generation secret that is known only to the root PKG. The root key generation secret may be used to generate private keys for PKGs and/or users below the root PKG in the hierarchy. Then, in block 104, the root PKG generates a root key generation parameter based on the root key generation secret. The root key generation parameter is used to mask the root key generation secret. The root key generation parameter may be revealed to lower-level PKGs without compromising the root key generation secret. In block 106, the lower-level PKGs select lower-level key generation secrets. The lower-level key generation secret associated with a given lower-level PKG may be used to generate private keys for PKGs and/or users below that lower-level PKG in the hierarchy. Like the root key generation secret, each lower-level key generation secret is known only to its associated lower-level PKG.

In block 108, a lower-level key generation parameter is generated for each of the n lower-level PKGs. Each lower-level key generation parameter is generated using at least the lower-level key generation secret of its associated lower-level PKG. Like the root key generation parameter, each lower-level key generation parameter masks its associated lower-level key generation secret.

In block 110, the sender encodes the message to form a ciphertext using at least the root key generation parameter and identity information associated with the recipient. For example, the message may be encoded using only the root key generation parameter and the recipient's identity. Alternatively, one of the lower-level key generation parameters may also be used, as described in more detail below with respect to dual-HIDE schemes. In block 112, a lower-level PKG generates a private key for the recipient such that the private key is related to at least the root key generation secret, one or more of the n lower-level key generation secrets associated with the n lower-level PKGs in the hierarchy between the root PKG and the recipient, and the recipient's identity information. For example, in addition to the root key generation secret and the recipient's identity information, the recipient's private key preferably is related at least to the lower-level key generation secret of the PKG that issues the private key to the recipient. Alternatively, the recipient's private key may be related to the lower-level key generation secrets of all n of its ancestor PKGs, as well as the root key generation secret. In block 114, the recipient decodes the ciphertext to recover the message using at least its private key. In addition to using its private key for decoding, the recipient preferably also uses the n lower-level key generation parameters associated with the n lower-level PKGs in the hierarchy between the root PKG and the recipient.

Each lower-level PKG has a key generation secret, just like the root PKG. As described above, a lower-level PKG preferably uses this secret to generate a private key for each of its descendants, just as the root PKG does. As a result, the private keys of the descendants are related to the lower-level PKG's key generation secret. This is true even if the lower-level PKG uses a modified version of its key generation secret to conceal that secret for the purpose of restricting key escrow, as will be described more fully below. At the same time, a lower-level PKG need not always use the same secret for each private key extraction; instead it may randomly generate a new key generation secret for each of its descendants, resulting in a different key generation parameter for each descendant. Because a lower-level PKG is able to generate a private key for the recipient (block 112), the root PKG need not generate all of the private keys itself. Furthermore, because the lower-level PKGs use their own key generation secrets to generate private keys for their descendants, the exposure of a lower-level key generation secret causes only limited security damage to the hierarchy. Rather than exposing all of the private keys in the hierarchy, a breach of a lower-level PKG exposes only that PKG's private key and the private keys that were generated using that PKG's key generation secret (i.e., the private keys of those users who are direct descendants of the compromised PKG in the hierarchy).

Another advantage of this embodiment is that the sender need not be in the hierarchy to send an encoded message to the recipient. The sender need only know the identity information associated with the recipient and the system parameters generated by the root PKG. However, when the sender is within the hierarchy, certain additional advantages of the HIDE schemes of the present invention become available. For example, when both the sender and the recipient are in the hierarchy, the efficiency of message encryption can be improved by using the identities of both parties. This type of HIDE scheme may be called dual-HIDE, because the identities of both the sender and the recipient are used as inputs to the encryption and decryption algorithms. A method of encoding and decoding using a dual-HIDE scheme will now be described with reference to FIGS. 2 and 3.

Dual-HIDE

The flowchart shown in FIG. 2 illustrates a method of encoding and decoding a digital message between a sender y and a recipient z according to another presently preferred embodiment of the present invention. The block diagram shown in FIG. 3 illustrates a typical hierarchical structure in which this method may be performed. Like the previous embodiment, this method may be performed in a HIDE system that includes at least a root PKG 302 and n lower-level PKGs 304a,b,d in the hierarchy between the root PKG 302 and the recipient z 308, where n ≥ 1. The sender y 306 in this embodiment must also be in the hierarchy, and the hierarchy also includes m lower-level PKGs 304a,b,c between the root PKG 302 and the sender y 306, where m ≥ 1. Among the m PKGs 304a,b,c between the root PKG 302 and the sender y 306 and the n PKGs 304a,b,d between the root PKG 302 and the recipient z 308, there are l PKGs 304a,b that are common ancestors of the sender y 306 and the recipient z 308, where 1 ≤ l ≤ m, n. For example, FIG. 3 shows two of these l common ancestor PKGs (PKG_y1/PKG_z1 304a and PKG_yl/PKG_zl 304b).

The method of this embodiment begins in block 202, in which the root PKG 302 selects a root key generation secret known only to the root PKG 302. Then, in block 204, the root PKG 302 generates a root key generation parameter based on the root key generation secret. In block 206, the lower-level PKGs 304a-d select lower-level key generation secrets. Like the root key generation secret, each lower-level key generation secret is known only to its associated lower-level PKG 304a-d. In block 208, a lower-level key generation parameter is generated for each of the n lower-level PKGs 304a-d. Each lower-level key generation parameter is generated using at least the lower-level key generation secret of its associated lower-level PKG 304a-d.

In block 210, the sender's parent PKG_ym 304c generates a private key for the sender y 306 such that the private key is related to at least the root key generation secret, one or more of the m lower-level key generation secrets associated with the m lower-level PKGs 304a,b,c between the root PKG 302 and the sender y 306, and the sender's identity information. For example, in addition to the root key generation secret and the sender's identity information, the sender's private key preferably is related at least to the lower-level key generation secret of the sender's parent PKG_ym 304c. Alternatively, the sender's private key may be related to the lower-level key generation secrets of all m of its direct ancestor PKGs, as well as the root key generation secret. In block 212, the recipient's parent PKG_zn 304d generates a private key for the recipient z in a manner similar to that used by the sender's parent PKG_ym 304c to generate the sender's private key.

In block 214, the sender y encodes the message to form a ciphertext using at least the sender's private key and one or more of the lower-level key generation parameters associated with the (m − l + 1) PKGs (i.e., PKG_yl 304b and PKG_ym 304c) between the root PKG 302 and the sender y 306 that are at or below the level of the lowest common ancestor PKG (PKG_yl/PKG_zl 304b) of the sender y 306 and the recipient z 308. In encoding the message, the sender y 306 preferably does not use any of the lower-level key generation parameters associated with the (l − 1) PKGs (i.e., PKG_y1 304a) above the lowest common ancestor PKG (PKG_yl/PKG_zl 304b).

Then, in block 216, the recipient z 308 decodes the ciphertext to recover the message using at least the recipient's private key and one or more of the lower-level key generation parameters associated with the (n − l + 1) PKGs (i.e., PKG_zl 304b and PKG_zn 304d) between the root PKG 302 and the recipient z 308 that are at or below the level of the lowest common ancestor PKG (PKG_yl/PKG_zl 304b) of the sender y 306 and the recipient z 308. In decoding the message, the recipient z 308 preferably does not use any of the lower-level key generation parameters associated with the (l − 1) PKGs (i.e., PKG_z1 304a) above the lowest common ancestor PKG (PKG_yl/PKG_zl 304b).

This dual-HIDE embodiment of the present invention provides a more efficient scheme for encoding and decoding the message because fewer key generation parameters are used. For example, decoding in a regular HIDE scheme requires all n of the key generation parameters, whereas decoding in a dual-HIDE scheme requires only (n − l + 1) key generation parameters. Dual-HIDE schemes require that the sender y 306 obtain its private key before sending an encoded message to the recipient z 308, as opposed to merely obtaining the public system parameters of the root PKG. Dual-HIDE schemes also enable the sender y 306 and the recipient z 308 to restrict the scope of key escrow, as will be described more fully below. This shared secret is unknown to third parties other than their lowest common ancestor PKG_yl/PKG_zl 304b.

Basic HIDE

The flowchart shown in FIG. 4 illustrates a method of encoding and decoding a digital message M between a sender y and a recipient z according to another presently preferred embodiment of the present invention. As shown in FIG. 3, the recipient z 308 is n + 1 levels below the root PKG in the hierarchy and is associated with the ID-tuple (ID_z1, ..., ID_z(n+1)). The recipient's ID-tuple includes identity information ID_z(n+1) associated with the recipient, as well as identity information ID_zi associated with each of its n ancestor lower-level PKGs in the hierarchy. The method begins in block 402 by generating first and second cyclic groups Γ1 and Γ2 of elements. In block 404, a function ê is selected such that the function ê is capable of generating an element of the second cyclic group Γ2 from two elements of the first cyclic group Γ1. The function ê preferably is an admissible pairing, as described above. A root generator P_0 of the first cyclic group Γ1 is selected in block 406. In block 408, a random root key generation secret s_0 associated with and known only to the root PKG 302 is selected. s_0 preferably is an element of the cyclic group Z/qZ. A root key generation parameter Q_0 = s_0 P_0 is generated in block 410. Q_0 preferably is an element of the first cyclic group Γ1. In block 412, a first function H_1 is selected such that H_1 is capable of generating an element of the first cyclic group Γ1 from a first string of binary digits. A second function H_2 is selected in block 414 such that H_2 is capable of generating a second string of binary digits from an element of the second cyclic group Γ2. The functions of blocks 402 through 414 are part of the HIDE Root Setup algorithm described above, and preferably are performed at about the same time. By way of example, functions such as those disclosed in Boneh-Franklin may be used as H_1 and H_2.

The next series of blocks (blocks 416 through 424) shows the functions performed as part of the Lower-level Setup algorithm. In block 416, a public element P_zi is generated for each of the recipient's n ancestor lower-level PKGs. Each of the public elements P_zi = H_1(ID_z1, ..., ID_zi) preferably is an element of the first cyclic group Γ1, where 1 ≤ i ≤ n. Although represented in a single block, generation of all the public elements P_zi takes place over time, rather than all at once.

A lower-level key generation secret s_zi is selected for each of the recipient's n ancestor lower-level PKGs 304a,b,d (block 418). The lower-level key generation secrets s_zi preferably are elements of the cyclic group Z/qZ, where 1 ≤ i ≤ n, and each lower-level key generation secret s_zi preferably is known only to its associated lower-level PKG. Again, although represented in a single block, selection of all the secrets s_zi takes place over time, rather than all at once.

A lower-level secret element S_zi is generated for each of the n ancestor lower-level PKGs (block 420). Each lower-level secret element S_zi = S_z(i−1) + s_z(i−1) P_zi preferably is an element of the first cyclic group Γ1, where 1 ≤ i ≤ n. Although represented in a single block like the public elements P_zi and the secrets s_zi, generation of all the secret elements S_zi also takes place over time, rather than all at once. For purposes of these iterative key generation processes, S_z0 may be defined to be the identity element of Γ1.

A lower-level key generation parameter Q_zi also is generated for each of the recipient's n ancestor lower-level PKGs (block 422). Each of the key generation parameters Q_zi = s_zi P_0 preferably is an element of the first cyclic group Γ1, where 1 ≤ i ≤ n. Again, although represented in a single block, generation of all the key generation parameters Q_zi takes place over time, rather than all at once.

The functions of the next two blocks (blocks 424 and 426) are performed as part of the Extraction algorithm described above. A recipient public element P_z(n+1) associated with the recipient z is generated in block 424. The recipient public element, P_z(n+1) = H_1(ID_z1, ..., ID_z(n+1)), preferably is an element of the first cyclic group Γ1. A recipient secret element S_z(n+1) associated with the recipient z is then generated in block 426. The recipient secret element S_z(n+1) also is an element of the first cyclic group Γ1.

For convenience, the first function H_1 may be chosen to be an iterated function so that, for example, the public points P_zi may be computed as H_1(P_z(i−1), ID_zi) rather than H_1(ID_z1, ..., ID_zi).

The last two blocks shown in FIG. 4 (blocks 428 and 430) represent the Encryption and Decryption algorithms described above. In block 428, the message M is encoded to generate a ciphertext C. The encoding preferably uses at least the root key generation parameter Q_0 and the ID-tuple (ID_z1, ..., ID_z(n+1)). The ciphertext C is then decoded in block 430 to recover the message M. The decoding preferably uses at least the lower-level key generation parameters Q_zi and the recipient secret element S_z(n+1), where 1 ≤ i ≤ n.

The blocks shown in FIG. 4 need not all occur in sequence. For example, a sender who knows the recipient's identity may encrypt communications to the recipient before the recipient obtains a private key.

The specific use of the parameters and elements mentioned above in encoding and decoding a message M and a ciphertext C will now be described in detail with reference to FIGS. 5 and 6.

The flow chart shown in FIG. 5 illustrates a method of encoding and decoding a digital message M, communicated between a sender y and a recipient z, according to another presently preferred embodiment of the invention. In this scheme, referred to as Basic HIDE, the root setup, lower-level setup and extraction algorithms are the same as in the embodiment shown in blocks 402 through 426 of FIG. 4. The flow chart of FIG. 5 illustrates the encryption and decryption algorithms, beginning with the selection of a random encryption parameter r in block 528a. r is preferably an integer of the cyclic group Z/qZ. The ciphertext C is then generated in block 528b using the formula C = [U_0, U_2, ..., U_{n+1}, V]. The ciphertext C includes the elements U_0 = r P_0 and U_i = r P_{zi} for 2 ≤ i ≤ n+1, which relate to the recipient's position in the hierarchy. The other part of the ciphertext C is the actual message in encrypted form, V = M ⊕ H_2(g^r), where g = ê(Q_0, P_{z1}). The element g is preferably a member of the second cyclic group Γ_2. After the message has been encoded, it may be decrypted according to the Basic HIDE decryption algorithm, in which the message M is recovered from the ciphertext C (block 530) using the formula

M = V ⊕ H_2( ê(U_0, S_{z(n+1)}) / Π_{i=2}^{n+1} ê(Q_{z(i-1)}, U_i) ).

Full HIDE

The Basic HIDE scheme may be converted to a Full HIDE scheme, which has chosen-ciphertext security in the random oracle model, using known methods for making one-way encryption schemes secure against chosen-ciphertext attacks. A Full HIDE scheme with chosen-ciphertext security will now be described with reference to FIG. 6.

The flow chart shown in FIG. 6 illustrates a method of encoding and decoding a digital message M, communicated between a sender y and a recipient z, according to another presently preferred embodiment of the invention. In this embodiment, the root setup, lower-level setup and extraction algorithms are the same as in the embodiment described with reference to FIG. 4, except that the root setup algorithm of this embodiment requires two additional functions. Accordingly, the flow chart of FIG. 6 begins with the selection of the additional functions (blocks 615a and 615b) and continues with the encryption and decryption algorithms (blocks 628a through 630d).

The root setup algorithm is completed by selecting a third function H_3 (block 615a) and a fourth function H_4 (block 615b). The third function H_3 is preferably capable of generating an integer of the cyclic group Z/qZ from two strings of binary digits. The fourth function H_4 is preferably capable of generating one binary string from another binary string.

The encryption algorithm begins with block 628a, which shows the selection of a random binary string σ. The random binary string σ is then used to generate a random integer r = H_3(σ, M, W), as shown in block 628b, where W is a symmetric encryption of the actual message M. The encryption is preferably generated using a symmetric encryption algorithm E with H_4(σ) as the encryption key; accordingly, W = E_{H_4(σ)}(M). In block 628c, the ciphertext C = [U_0, U_2, ..., U_{n+1}, V, W] is generated. The ciphertext C includes the elements U_0 = r P_0 and U_i = r P_{zi} for 2 ≤ i ≤ n+1, which relate to the recipient's position in the hierarchy. The second part of the ciphertext C is the random binary string σ in encrypted form, V = σ ⊕ H_2(g^r), where g = ê(Q_0, P_{z1}). The element g is preferably a member of the second cyclic group Γ_2. The third part of the ciphertext C is W, the actual message in symmetrically encrypted form as described above.

The decryption algorithm begins with block 630a, which shows the recovery of the random binary string σ. The random binary string σ is recovered using the formula

σ = V ⊕ H_2( ê(U_0, S_{z(n+1)}) / Π_{i=2}^{n+1} ê(Q_{z(i-1)}, U_i) ).

The message M is then recovered from the ciphertext C using the formula M = E^{-1}_{H_4(σ)}(W) (block 630b). The ciphertext may be checked for internal consistency. For example, an experimental random integer r' = H_3(σ, M, W) may be generated, as shown in block 630c. The experimental random integer r' may then be used in block 630d to confirm that U_0 = r' P_0 and U_i = r' P_{zi} for 2 ≤ i ≤ n+1. If so, the ciphertext C is considered authentic.

Dual Basic HIDE and Dual Full HIDE

The Dual HIDE concept described with reference to FIGS. 2 and 3 may be applied to the Basic HIDE and Full HIDE schemes. When both the sender and the recipient are in the hierarchy, as shown in FIG. 3, Dual HIDE allows them to increase the efficiency and security of their encrypted communications. Applying Dual HIDE to the Basic HIDE and Full HIDE schemes requires the determination of additional information, most of which is determined by the lower-level setup algorithm described above. For example, the public elements P_{yi}, the lower-level key generation secrets s_{yi} (called "key generation ciphertexts" in the Chinese text), the lower-level secret elements S_{yi} and the lower-level key generation parameters Q_{yi} must be determined for the sender's m ancestor lower-level PKGs. Note, however, that for the lower-level PKGs that are common ancestors of both the sender y and the recipient z, these parameters are preferably the same for the sender y and the recipient z for purposes of analysis (that is, for all i ≤ l, preferably P_{yi} = P_{zi} and Q_{yi} = Q_{zi}). Dual HIDE also requires the determination of a sender public element P_{y(m+1)} and a sender secret element S_{y(m+1)}, using the same methods described above for determining these parameters for the recipient.

Given these additional parameters, a message M may be encoded according to the Dual HIDE principle to generate a ciphertext C, using the lower-level key generation parameters Q_{yi} for i ≥ l and the sender secret element S_{y(m+1)}, but not the lower-level key generation parameters Q_{yi} for i < l. Similarly, the ciphertext C is decoded to recover the message M using the lower-level key generation parameters Q_{zi} for i ≥ l and the recipient secret element S_{z(n+1)}, but not the lower-level key generation parameters Q_{zi} for i < l.

For example, in the Basic HIDE scheme (FIGS. 4 and 5), applying Dual HIDE changes the encoding of the message M to generate a ciphertext C = [U_0, U_{l+1}, ..., U_{n+1}, V], where U_0 = r P_0 and U_i = r P_{zi} for l+1 ≤ i ≤ n+1, where V = M ⊕ H_2(g_{yl}^r), and where

g_{yl} = ê(P_0, S_{y(m+1)}) / Π_{i=l+1}^{m+1} ê(Q_{y(i-1)}, P_{yi}).

The U_i are computed as before, but only a few of them are needed. Dual Basic HIDE does, however, require the sender y to use more of the key generation parameters Q_{yi} than are needed to generate g as described above, in order to generate g_{yl}. This is because the sender's identity is incorporated into the encryption algorithm. The efficiency gain in the decryption algorithm is more dramatic. The message M is recovered using

M = V ⊕ H_2( ê(U_0, S_{z(n+1)}) / Π_{i=l+1}^{n+1} ê(Q_{z(i-1)}, U_i) ).

Again, fewer of the U_i parameters are needed. Likewise, the recipient needs fewer of the key generation parameters Q_{zi} for Dual HIDE than would otherwise be necessary.

Full HIDE may also be modified to create a Dual Full HIDE scheme. In the encryption algorithm, generation of the ciphertext C is modified to C = [U_0, U_{l+1}, ..., U_{n+1}, V, W], where U_0 = r P_0 and U_i = r P_{zi} for l+1 ≤ i ≤ n+1. The parameters W and r are still generated in the same way, W = E_{H_4(σ)}(M), and the parameter g_{yl} in V = σ ⊕ H_2(g_{yl}^r) is

g_{yl} = ê(P_0, S_{y(m+1)}) / Π_{i=l+1}^{m+1} ê(Q_{y(i-1)}, P_{yi}).

In the Dual Full HIDE scheme, the decryption algorithm is also modified. The random binary string σ is recovered using

σ = V ⊕ H_2( ê(U_0, S_{z(n+1)}) / Π_{i=l+1}^{n+1} ê(Q_{z(i-1)}, U_i) ),

and the recovery of the message M is otherwise unchanged.

Although these Dual HIDE schemes have been described with PKG_l 304b as the lowest common ancestor PKG of the sender y and the recipient z, PKG_l 304b may be any common ancestor PKG. The encryption and decryption algorithms are the same. For maximum efficiency, however, PKG_l 304b is preferably the lowest common ancestor PKG.

Beyond the efficiency gain, the Dual HIDE schemes of the present invention also provide greater security by restricting key escrow. In the Basic HIDE and Full HIDE schemes described above, all of the recipient's direct ancestor PKGs are able to decrypt messages sent to the recipient. Because the Dual HIDE schemes incorporate the key generation secret of PKG_{l-1} (the immediate parent of PKG_l), which is unknown to the common ancestor PKGs above PKG_{l-1}, those common ancestor PKGs cannot decrypt messages between the sender y and the recipient z.

Key escrow may be further restricted so that even the immediate parent of PKG_l cannot decrypt messages between the sender y and the recipient z. This is achieved by hiding PKG_l's private key when generating private keys for the sender y and the recipient z (or for PKGs that are descendants of PKG_l and ancestors of the sender y and the recipient z). For example, for some random b ∈ Z/qZ, PKG_l 304b may easily change its private key by setting S'_l := S_l + b P_l and Q'_{l-1} := Q_{l-1} + b P_0. The new private key S'_l is equally effective, but is not known to the immediate parent of PKG_l. Accordingly, no PKG above PKG_l can decode messages encrypted to the recipient z. More specifically, only ancestors of the recipient z within the domain of PKG_l are able to decrypt messages sent to the recipient z. When PKG_l 304b changes its private key by setting S'_l := S_l + b P_l and Q'_{l-1} := Q_{l-1} + b P_0, the new private key is still related to the key generation secret s_{l-1} of PKG_{l-1}, because the new private key is derived from a private key that PKG_{l-1} generated using s_{l-1}. In general, in all of the schemes discussed herein, a user or PKG may change its own secret element S_{z(n+1)} and key generation parameters Q_{zi} (where 1 ≤ i ≤ n) by choosing values b_i (where 1 ≤ i ≤ n) and setting S'_{z(n+1)} := S_{z(n+1)} + Σ_{i=1}^{n} b_i P_{z(i+1)} and Q'_{zi} := Q_{zi} + b_i P_0 (where 1 ≤ i ≤ n). For purposes of the present invention, however, such a new private key is still considered to be related to the original private key, and thus also to the original values of the key generation secrets s_{zi}.

Dual HIDE Schemes with More Efficient Encryption and Decryption

In the Dual HIDE schemes described above, the number of pairing values that the encrypter must compute may be reduced by one without increasing the number of pairing values that the decrypter must compute. For example, the Dual Basic HIDE encryption algorithm described above may be modified so that the ciphertext is

C = [r P_0, r(P_{y(l+1)} − P_{z(l+1)}), r P_{z(l+2)}, ..., r P_{z(n+1)}, M ⊕ H_2(g_{y(l+1)}^r)],

where g_{y(l+1)} = ê(P_0, S_{y(m+1)}) / Π_{i=l+2}^{m+1} ê(Q_{y(i-1)}, P_{yi}). If the ciphertext is written as C = [U_0, U_{l+1}, ..., U_{n+1}, V], it may be decrypted using

M = V ⊕ H_2( ê(U_0, S_{z(n+1)}) · ê(Q_{zl}, U_{l+1}) / Π_{i=l+2}^{n+1} ê(Q_{z(i-1)}, U_i) ).

Likewise, the number of pairing values that the decrypter must compute may be reduced by one without increasing the number of values that the encrypter must compute. For example, the Dual Basic HIDE encryption algorithm may be modified so that the ciphertext is

C = [r P_0, r P_{z(l+2)}, ..., r P_{z(n+1)}, M ⊕ H_2(g_{z(l+1)}^r)],

where g_{z(l+1)} = ê(P_0, S_{y(m+1)}) · ê(Q_{yl}, P_{z(l+1)} − P_{y(l+1)}) / Π_{i=l+2}^{m+1} ê(Q_{y(i-1)}, P_{yi}). If the ciphertext is written as C = [U_0, U_{l+2}, ..., U_{n+1}, V], it may be decrypted using

M = V ⊕ H_2( ê(U_0, S_{z(n+1)}) / Π_{i=l+2}^{n+1} ê(Q_{z(i-1)}, U_i) ).

Authenticated Lower-Level Root PKG

The efficiency of the Dual HIDE schemes described above may be extended to message senders outside the hierarchy by creating an authenticated lower-level root PKG. To "authenticate" the lower-level PKG, the root PKG may issue an additional parameter, such as a random message M'. The lower-level PKG then "signs" M', generating the signature Sig = S_{yl} + s_{yl} P_{M'}, where S_{yl} is the lower-level PKG's private key and s_{yl} is its lower-level key generation secret. The lower-level PKG also publishes the value corresponding to

Using the authenticated lower-level root PKG, a sender outside the hierarchy may send an encrypted message to the recipient z without computing the public elements P_{zi} for all n of the recipient's ancestor PKGs. The sender may encrypt messages more efficiently using the parameters corresponding to the authenticated lower-level root PKG. Specifically, the sender computes P_{zi} = H_1(ID_{z1}, ..., ID_{zi}) ∈ Γ_1, where

The sender then selects a random r ∈ Z/qZ and generates the ciphertext <formula>formula see original document page 35</formula>, where

Given a received ciphertext C = [U_0, U_{l+1}, ...], the recipient may decrypt the ciphertext to recover the message M = V ⊕ H_2( ... ), where S_{z(n+1)} is the recipient's private key.

Distributed PKG

To further protect the key generation secrets of the HIDE schemes described above, and to make those schemes robust against dishonest PKGs, the key generation secrets and private keys may be distributed using known threshold cryptography techniques.

More Efficient Encryption

The efficiency of encryption for the HIDE schemes described above may be increased by merging the highest two levels of the hierarchy into a single root PKG. In that case, g = ê(Q_0, P_1) is included in the system parameters. This saves the encrypter the task of computing this pairing value. However, the decrypter must compute one additional pairing (as a result of being one level lower in the tree).

HIDS Schemes

Turning now to the signature scheme, or HIDS scheme, of the present invention, the flow chart shown in FIG. 7 illustrates a method of generating and verifying a digital signature according to another presently preferred embodiment of the invention. The method is performed in a HIDS system including a plurality of PKGs. The PKGs include at least a root PKG and m lower-level PKGs in the hierarchy between the root PKG and the sender, or signer, where m ≥ 1. In block 702, the root PKG selects a root key generation secret known only to the root PKG. The root key generation secret may be used to generate private keys for PKGs or users below the root PKG in the hierarchy. In block 704, the root PKG then generates a root key generation parameter based on the root key generation secret. In block 706, the lower-level PKGs select lower-level key generation secrets. The lower-level key generation secret associated with a given lower-level PKG may be used to generate private keys for PKGs or users below that lower-level PKG in the hierarchy. Like the root key generation secret, each lower-level key generation secret is known only to its associated lower-level PKG. In block 708, lower-level key generation parameters are generated for each of the m lower-level PKGs. Each lower-level key generation parameter is generated using at least the lower-level key generation secret of its associated lower-level PKG.

In block 710, a lower-level PKG generates a private key for the recipient such that the private key is related to at least one of the m lower-level key generation secrets. For example, the sender's private key may be related at least to the lower-level key generation secret of the PKG that issued the private key to the recipient. Preferably, however, the recipient's private key is related to the lower-level key generation secrets of all n of its ancestor PKGs and to the root key generation secret. In block 712, the sender signs the message using at least its private key to generate a digital signature. Then, in block 714, the recipient or a verifier verifies the digital signature using at least one of the lower-level key generation parameters. For example, the signature may be verified using only the root key generation parameter. Alternatively, one or more of the lower-level key generation parameters may also be used.

The flow chart shown in FIG. 8 illustrates a method of generating and verifying a digital signature of a digital message M, communicated between a sender y and a recipient z, according to another presently preferred embodiment of the invention. As shown in FIG. 3, the sender y 306 is m+1 levels below the root PKG in the hierarchy and is associated with the ID-tuple (ID_{y1}, ..., ID_{y(m+1)}). The sender's ID-tuple includes identity information ID_{y(m+1)} associated with the sender, as well as identity information ID_{yi} associated with each of its m ancestor lower-level PKGs in the hierarchy. The method begins in block 802 by generating the first and second cyclic groups Γ_1 and Γ_2 of elements. In block 804, a function ê is selected such that the function ê is capable of generating an element of the second cyclic group Γ_2 from two elements of the first cyclic group Γ_1. The function ê is preferably an admissible pairing, as described above. A root generator P_0 of the first cyclic group Γ_1 is selected in block 806. In block 808, a random root key generation secret s_0 associated with, and known only to, the root PKG 302 is selected. s_0 is preferably an element of the cyclic group Z/qZ. A root key generation parameter Q_0 = s_0 P_0 is generated in block 810. Q_0 is preferably an element of the first cyclic group Γ_1.

In block 812, a first function H_1 is selected such that H_1 is capable of generating an element of the first cyclic group Γ_1 from a first string of binary digits. A second function H_3 is selected in block 814, such that H_3 is capable of generating a second string of binary digits from an element of the second cyclic group Γ_2. The functions of blocks 802 through 814 are part of the HIDS root setup algorithm described above, and are preferably performed at about the same time. By way of example, functions such as those disclosed in Boneh-Franklin may be used as H_1 and H_3. In fact, the functions H_1 and H_3 may be exactly the same function. There is a potential pitfall, however. An attacker may try to get the signer to sign M = ID_t, where ID_t represents an actual identity. In that case, the signer's signature is actually a private key, which thereafter may be used to decrypt messages and forge signatures. This pitfall may be avoided, however, by using some means of distinguishing signing from private key extraction, such as a bit prefix or a different function for H_3.

The next series of blocks (blocks 816 through 824) show the functions performed as part of the lower-level setup algorithm. In block 816, a public element P_{yi} is generated for each of the sender's m ancestor lower-level PKGs. Each of the public elements P_{yi} = H_1(ID_{y1}, ..., ID_{yi}) is preferably an element of the first cyclic group Γ_1, where 1 ≤ i ≤ m. Although represented in a single block, generation of all of the public elements P_{yi} may take place over time rather than all at once.

A lower-level key generation secret s_{yi} is selected for each of the sender's m ancestor lower-level PKGs 304a,b,d (block 818). The lower-level key generation secrets s_{yi} are preferably elements of the cyclic group Z/qZ, where 1 ≤ i ≤ m, and each lower-level key generation secret s_{yi} is preferably known only to its associated lower-level PKG. Again, although represented in a single block, selection of all of the lower-level key generation secrets s_{yi} may take place over time rather than all at once.

A lower-level secret element S_{yi} is generated for each of the sender's m ancestor lower-level PKGs (block 820). Each lower-level secret element S_{yi} = S_{y(i-1)} + s_{y(i-1)} P_{yi} is preferably an element of the first cyclic group Γ_1, where 1 ≤ i ≤ m. Although represented in a single block, like the public elements P_{yi} and the secrets s_{yi}, generation of all of the secret elements S_{yi} may take place over time rather than all at once. For purposes of these iterative key generation processes, S_{y0} may be defined to be the identity element of Γ_1.

A lower-level key generation parameter Q_{yi} is also generated for each of the sender's m ancestor lower-level PKGs (block 822). Each of the key generation parameters Q_{yi} = s_{yi} P_0 is preferably an element of the first cyclic group Γ_1, where 1 ≤ i ≤ m. Again, although represented in a single block, generation of all of the key generation parameters Q_{yi} may take place over time rather than all at once.

The functions of the next two blocks (blocks 824 and 826) are performed as part of the extraction algorithm described above. A sender public element P_{y(m+1)} associated with the sender y is generated in block 824. The sender public element, P_{y(m+1)} = H_1(ID_{y1}, ..., ID_{y(m+1)}), is preferably an element of the first cyclic group Γ_1. A sender secret element S_{y(m+1)} associated with the sender y is then generated in block 826. The sender secret element, S_{y(m+1)} = S_{ym} + s_{ym} P_{y(m+1)} = Σ_{i=1}^{m+1} s_{y(i-1)} P_{yi}, is also preferably an element of the first cyclic group Γ_1.

For convenience, the first function H_1 may be chosen to be an iterated function, so that the public points P_{yi} may be computed as, for example, H_1(P_{y(i-1)}, ID_{yi}) rather than H_1(ID_{y1}, ..., ID_{yi}).

The last two blocks shown in FIG. 8 (blocks 828 and 830) represent the signing and verification algorithms described above. In block 828, the message M is signed to generate a digital signature Sig. The signing preferably uses at least the sender secret element S_{y(m+1)}. The digital signature Sig is then verified in block 830. The verification preferably uses at least the root key generation parameter Q_0 and the lower-level key generation parameters Q_{yi}. The specific use of these parameters and elements in signing the message M and verifying the digital signature will now be described with reference to FIG. 9.

The flow chart shown in FIG. 9 illustrates a method of generating and verifying a digital signature Sig of a digital message M, communicated between a sender y and a recipient z, according to another presently preferred embodiment of the invention. In this scheme, the root setup, lower-level setup and extraction algorithms are the same as in the embodiment shown in blocks 802 through 826 of FIG. 8. Accordingly, the flow chart of FIG. 9 begins in block 927a with the selection of a sender key generation secret s_{y(m+1)} known only to the sender y. In block 927b, a sender key generation parameter Q_{y(m+1)} associated with the sender is generated using the formula Q_{y(m+1)} = s_{y(m+1)} P_0. The signing algorithm then begins with the sender generating a message element P_M = H_3(ID_{y1}, ..., ID_{y(m+1)}, M) in block 928a. The message element P_M is preferably a member of the first cyclic group Γ_1. The digital signature Sig itself is generated in block 928b using the formula Sig = S_{y(m+1)} + s_{y(m+1)} P_M. The recipient verifies the digital signature Sig by confirming that the equation <formula>formula see original document page 39</formula> is satisfied.
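As an added illustration serving the Basic HIDE, Dual HIDE and HIDS passages above (it is not code from the patent or its assignee), the following Python toy models the algebra of those three schemes. Its pairing e(a, b) = g2^(ab) over Z_q and Z_p^*, the hash choices, the Entity class and the sample hierarchy are all constructed assumptions of this example, chosen only so that the schemes' identities can be checked: Dual HIDE decryption recovers M from the reduced set of U_i, and HIDS verification holds only for the signed message when H_3 is domain-separated from H_1.

```python
"""Toy model of the Basic HIDE, Dual HIDE and HIDS algebra described above.
Constructed for study only: G1 is Z_q (additive), G2 is the order-q subgroup of
Z_p^*, and e(a, b) = g2^(a*b). That map is bilinear, so the correctness identities
of the schemes can be checked, but discrete logs here are trivial, so it gives no
security; use a real pairing library for anything else."""
import hashlib
import secrets

ORDER_Q = 2**31 - 1                            # prime order q of G1 and G2

def _is_prime(n):
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return n >= 2

assert _is_prime(ORDER_Q)
_K = next(k for k in range(2, 10**6, 2) if _is_prime(k * ORDER_Q + 1))
MOD_P = _K * ORDER_Q + 1                       # prime p with q | p - 1
G2_GEN = next(g for g in (pow(h, _K, MOD_P) for h in range(2, 100)) if g != 1)
P0 = 1                                         # root generator P_0 of G1

def pair(a, b):                                # e: G1 x G1 -> G2, e(xa, yb) = e(a, b)^(xy)
    return pow(G2_GEN, a * b % ORDER_Q, MOD_P)

def g2_div(x, y):                              # x / y in G2
    return x * pow(y, -1, MOD_P) % MOD_P

def H1(ids):                                   # H_1: ID-tuple -> G1
    return int.from_bytes(hashlib.sha256(b"id:" + "/".join(ids).encode()).digest(), "big") % ORDER_Q

def H3(ids, msg):                              # H_3 for HIDS, with its own prefix so a signature is never a private key
    return int.from_bytes(hashlib.sha256(b"sig:" + "/".join(ids).encode() + b"|" + msg).digest(), "big") % ORDER_Q

def H2(g, n):                                  # H_2: G2 -> {0,1}^n (n bytes)
    return hashlib.shake_256(str(g).encode()).digest(n)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class Entity:
    """A PKG or user at level t = len(ids); holds s_t, S_t and Q_0 .. Q_{t-1}."""
    def __init__(self, ids, S, Qs):
        self.ids, self.S, self.Qs = ids, S, Qs
        self.s = secrets.randbelow(ORDER_Q - 1) + 1   # lower-level setup: own secret s_t

    def extract(self, child_id):               # extraction: S_t = S_{t-1} + s_{t-1} P_t
        ids = self.ids + (child_id,)
        S = (self.S + self.s * H1(ids)) % ORDER_Q
        return Entity(ids, S, self.Qs + [self.s * P0 % ORDER_Q])   # Q_{t-1} = s_{t-1} P_0

def encrypt(Q0, rcpt_ids, msg, sender=None, l=1):
    """Basic HIDE when sender is None; Dual HIDE otherwise, with PKG_l the lowest
    common ancestor: only U_0 and U_{l+1} .. U_n are sent and g_yl replaces g."""
    n = len(rcpt_ids)
    Pz = {i: H1(rcpt_ids[:i]) for i in range(1, n + 1)}
    r = secrets.randbelow(ORDER_Q - 1) + 1
    if sender is None:
        g = pair(Q0, Pz[1])                    # g = e(Q_0, P_1)
    else:                                      # g_yl = e(P_0, S_y) / prod_{i > l} e(Q_{y(i-1)}, P_{yi})
        g = pair(P0, sender.S)
        for i in range(l + 1, len(sender.ids) + 1):
            g = g2_div(g, pair(sender.Qs[i - 1], H1(sender.ids[:i])))
    U = {0: r * P0 % ORDER_Q}
    U.update({i: r * Pz[i] % ORDER_Q for i in range(l + 1, n + 1)})
    return U, xor(msg, H2(pow(g, r, MOD_P), len(msg)))

def decrypt(rcpt, C, l=1):
    """M = V xor H_2( e(U_0, S_z) / prod_{i=l+1}^{n} e(Q_{z(i-1)}, U_i) )."""
    U, V = C
    k = pair(U[0], rcpt.S)
    for i in range(l + 1, len(rcpt.ids) + 1):
        k = g2_div(k, pair(rcpt.Qs[i - 1], U[i]))
    return xor(V, H2(k, len(V)))

def sign(signer, msg):                         # HIDS: Sig = S_y + s_y P_M; Q_y = s_y P_0 is published
    return (signer.S + signer.s * H3(signer.ids, msg)) % ORDER_Q, signer.Qs + [signer.s * P0 % ORDER_Q]

def verify(ids, msg, sig, Qs):
    """e(P_0, Sig) == e(Q_0, P_1) * prod_{i=2}^{m+1} e(Q_{i-1}, P_i) * e(Q_{m+1}, P_M)."""
    rhs = pair(Qs[0], H1(ids[:1]))
    for i in range(2, len(ids) + 1):
        rhs = rhs * pair(Qs[i - 1], H1(ids[:i])) % MOD_P
    return pair(P0, sig) == rhs * pair(Qs[len(ids)], H3(ids, msg)) % MOD_P

if __name__ == "__main__":
    root = Entity((), 0, [])                   # root setup: S_0 = 0 (identity); Q_0 = s_0 P_0 is public
    Q0 = root.s * P0 % ORDER_Q
    pkg_l = root.extract("A").extract("B")     # lowest common ancestor PKG_l, l = 2
    y = pkg_l.extract("alice")                 # sender y, level 3
    z = pkg_l.extract("C").extract("bob")      # recipient z, level 4
    msg = b"quarterly figures"
    assert decrypt(z, encrypt(Q0, z.ids, msg)) == msg                 # Basic HIDE
    C = encrypt(Q0, z.ids, msg, sender=y, l=2)                        # Dual HIDE: only U_0, U_3, U_4
    assert sorted(C[0]) == [0, 3, 4] and decrypt(z, C, l=2) == msg
    sig, Qs = sign(y, msg)
    assert verify(y.ids, msg, sig, Qs) and not verify(y.ids, msg + b"!", sig, Qs)
```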

The present invention has been described in detail with reference to preferred embodiments and illustrative examples, but it should be understood that various changes and improvements may be made within the spirit and scope of the invention.

Claims (48)

1.一种计算机实施的加密方法,用于在分级加密方案中对用于解密期望接收方实体E的密文信息的消息M进行加密,该方法包括: (1)获得变量值r; (2)获得所述消息M的第一加密,使用值gr可解密所述第一加密,其中g是一个预定义函数在值ê(p0,p1)处的值;ê:G1×G1→G2是非退化双线性映射,其中G1和G2是群,并且ê,G1和G2将用于解密; p0,p1是G1的元素,其中至少一个依赖于分级加密系统中E的上代的ID; (3)获得第一密文部分,包括多个值,每个值是群G1的元素并且是rF形式的值的线性表达,其中每个F是E和/或至少E的一个上代的ID的预定义函数,其中至少一个值F依赖于E的至少一个上代的ID;以及(4)产生使用所述第一密文部分和所述消息M的第一加密而形成的密文。 1. A computer-implemented method of encryption, the encryption scheme for classification of the information used to decrypt the ciphertext desired receiver entity E encrypts the message M, the method comprising: (1) obtaining a value of the variable r; (2 ) obtaining said first encrypted message M, the value can decrypt the first encrypted gr, where g is the value of a predefined function values ​​ê (p0, p1) at; ê: G1 × G1 → G2 nondegenerate bilinear map, is the group wherein G1 and G2, and Ê, G1 and G2 for decrypting; p0, p1 is an element of G1, which is dependent on at least one of the previous generation ID hierarchical encryption system E; and (3) obtaining first ciphertext portion, comprising a plurality of values, each value is an element of group G1 is a linear form of rF expression values, where each of E and F is a / E or at least a previous generation of the predefined function ID, wherein at least one of the at least one value dependent on the previous generation of ID F E; and (4) generating a first ciphertext encrypted using the first portion of the message M and to form a ciphertext.
2. 根据权利要求l的方法,其中所述第一密文部分不依赖于M。 2. The method of claim l, wherein said first portion is not dependent on the ciphertext M.
3. 根据权利要求1或2的方法,其中所述分级加密方案为使得: 根实体E。 3. The method according to claim 1 or claim 2, wherein the hierarchical encryption scheme such as: root entity E. 生成其密文整数so;在分级等级iX)的E的上代的每个实体Ei生成各自的密文整数si;对每个整数ie[l,t],其中P1是E的分级等级且其中E产E,每个实体Ei获得等于Sw+SwPj的值,并且设置Ej的密文Si为所述等于Sw+SwPi 的值或通过修改所述等于Sw+SwPi的值而获得的值,其中每个Pj是包括Ei的ID的一个或多个ID的函数,并且S。 SO which generates ciphertext integer; each generated ciphertext integer si in each hierarchical level of the previous generation entity Ei iX) of E,; ie [l, t] for each integers, wherein P1 is a hierarchical level wherein E and E yield value E, Ei is obtained for each entity equal to the value Sw + SwPj, and Ej disposed ciphertext Si is equal to the value Sw + SwPi or by modifying the value equal to Sw + SwPi obtained, wherein each Pj Ei comprising a plurality of ID or ID of a function, and S. 是Gi的身份元素,Pj可用于所述解密;每个实体Ej(iG [1,tl】)生成元素Qi,且Q产SjP。 Gi is the identity element, Pj can be used for the decryption; each entity Ej (iG [1, tl]) generating elements Qi, Q and yield SjP. ,每个实体Ei(ie [2,tl】) 为所有ke [1,il】获得一组元素Qk,并且修改一个或多个Qk或者保持其不被修改以相应于Si,并且实体Et接收元素Ch,…,Qw。 Each entity Ei (ie [2, tl]) for all ke [1, il] to obtain a set of elements Qk, Qk and modifying one or more modified or that it is not held to correspond to Si, and the element receiving entity Et Ch, ..., Qw.
4. The method of claim 3, wherein for at least one value i ∈ [2, t-1], E_i sets S_i equal to S_{i-1} + s_{i-1}P_i and the elements Q_k are not modified by E_i.
5. The method of claim 3, wherein for at least one value i ∈ [2, t-1]: E_i generates one or more variable integer values b_c for one or more integer values c ∈ [1, i-1], and generates S_i as the sum of the value equal to S_{i-1} + s_{i-1}P_i and the values b_c P_{c+1}; and E_i modifies the elements Q_k by replacing the element Q_c with Q_c + b_c P_0 for each said c.
6. The method of claim 3, wherein each F is a linear expression of one or more of the elements P_0, ..., P_t, such that the values F together define the values of all of P_0, ..., P_t except P_j; for some j ∈ [1, t-1], g = ê(Q_{j-1}, P_j), and g^r can be computed as g^r = ê(U_0, S_t) / ∏_{i ∈ [1, t], i ≠ j} ê(Q_{i-1}, U_i), where U_0 = rP_0 and each U_i = rP_i.
7. The method of claim 6, wherein the values F are the values P_i for all i ∈ [0, t] such that i ≠ j, and j = 1.
8. The method of claim 3, wherein obtaining the first encryption comprises: obtaining from another entity the value Sig = S_l + s_l P_M, where l is a selected integer, l < t, wherein S_l is not used for encrypting the message M, P_M can be used for encryption, and the product s_l P_0, as Q_l, is used for encrypting the message M; computing g = ê(P_0, Sig) / ê(s_l P_0, P_M), where g^r can be computed as g^r = ê(U_0, S_t) / ∏_{i=l+1}^{t} ê(Q_{i-1}, U_i), where for each i ∈ [l+1, t], U_i = rP_i; and the values F together define P_0 and all of P_{l+1}, ..., P_t.
9. The method of claim 8, wherein g = ê(P_0, S_l).
10. The method of claim 3, wherein: the method is performed on behalf of an entity E_{ym}, which is at level m in the hierarchical encryption scheme and is a descendant of E_l for some l < t; each entity E_{yi} that is an ancestor of E_{ym} at hierarchy level i > 0 generates a respective secret integer s_{yi}; for each integer i ∈ [1, m], each entity E_{yi} obtains the secret S_{yi} of E_{yi} from a value equal to S_{y(i-1)} + s_{y(i-1)}P_{yi}, where each P_{yi} is a function of one or more IDs including the ID of E_{yi} and can be used for decryption, and S_{y0} is the identity element of G1; each entity E_{yi} (i ∈ [1, m-1]) generates an element Q_{yi} = s_{yi}P_0, obtains a set of elements Q_{yk} for all k ∈ [1, i-1], and provides the elements Q_{yk}, modified or unmodified, and Q_{yi} to E_{y(i+1)}.
11. The method of claim 10, wherein: g = ê(P_0, S_{ym}) / ∏_{i=l+1}^{m} ê(Q_{y(i-1)}, P_{yi}), and g^r can be computed as g^r = ê(U_0, S_t) / ∏_{i=l+1}^{t} ê(Q_{i-1}, U_i), where for each i ∈ [l+1, t], U_i = rP_i; and the values F together define P_0 and all of P_{l+1}, ..., P_t.
12. The method of claim 11, wherein r is generated as a variable value separately from s_l and from [symbol illegible in the source].
13. The method of claim 10, wherein s_{yl} = s_l, g = ê(P_0, S_{ym}) / ∏_{i=l+2}^{m} ê(Q_{y(i-1)}, P_{yi}), and g^r can be computed as g^r = ê(U_0, S_t) · ê(Q_l, U_{l+1}) / ∏_{i=l+2}^{t} ê(Q_{i-1}, U_i), where U_{l+1} = r(P_{y(l+1)} − P_{l+1}), and for i = 0 and for each i ∈ [l+2, t], U_i = rP_i; and the values F together define P_0, P_{y(l+1)} − P_{l+1}, and all of P_{l+2}, ..., P_t.
14. The method of claim 3, wherein for each i > 1, P_i is a function of (ID_1, ..., ID_i).
15. A computer-implemented decryption method for recovering a message M from a ciphertext C on behalf of an entity E that possesses secret information of E obtained using one or more values acquired from one or more ancestors of E in a hierarchical encryption scheme, the secret information of E comprising an element S(E) of a group G1, where S(E) is a linear combination of first members of the group G1, each first member in the linear combination being associated with a respective integer coefficient, the first members comprising one or more first elements of the group G1 each of which depends on the ID of E, and the first members comprising one or more second elements of the group G1 each of which is independent of the ID of E, the method comprising: (1) computing the value g^r from: the ciphertext C; the element S(E); and a set of one or more elements Q of the group G1, where each element Q is independent of the ciphertext C but depends on one or more of the coefficients of the first and second elements, wherein the value g^r does not depend on the ID of E but depends on one or more of the coefficients of the second elements, the value g^r being computed as a function of a ratio A/B, where: (i) A is a first product of one or more elements of the group G2, the one or more elements of the first product comprising an element that is the bilinear non-degenerate map ê: G1 × G1 → G2 applied to two elements, at least one of which depends on S(E) and at least one of which depends on the ciphertext C; and (ii) B is a second product of one or more elements of the group G2, the one or more elements of the second product comprising one or more elements each equal to the value of the map ê on two elements, at least one of which depends on one or more of the elements Q and at least one of which depends on the ciphertext C; (2) using the value g^r to recover the message M from C.
16. The method of claim 15, wherein operation (2) does not use any information on the coefficients of the first elements other than the information present in A and/or B and/or the ciphertext C.
17. The method of claim 15, wherein operation (2) does not use any information on the ID of E other than the information present in A and/or B and/or the ciphertext C.
18. The method of claim 17, wherein the value g^r depends on the IDs of one or more ancestors of E.
19. The method of claim 15, wherein the coefficients of the first elements are each secrets of ancestors of E and are not available to E for decryption.
20. The method of claim 19, wherein the coefficients of the second elements are each secrets of ancestors of E and are not available to E for decryption.
21. The method of claim 15, wherein one or more of the second elements depend on the IDs of one or more ancestors of E.
22. The method of claim 15, wherein: t > 1 is the hierarchy level of E; {P_i} are the first members and {s_{i-1}} are the coefficients; for each i ∈ [1, t-1], E_t = E and E_i is the ancestor of E at hierarchy level i, and wherein for each i ≤ t, P_i is a function of ID_i, the ID of the respective entity E_i, but for any k > i, P_i is independent of any ID_k; and for one or more integers i ∈ [1, t], the one or more elements Q are one or more elements Q_i = s_i P_0, where P_0 is a predefined element of the group G1.
23. The method of claim 22, wherein A = ê(U_0, S(E)) [the expression for B is illegible in the source], where j is an integer selected in [1, t-1]; the elements U_0 and U_i (1 ≤ i ≤ t, i ≠ j) are obtained from the ciphertext C.
24. The method of claim 23, wherein each U_i = rP_i, where r is an integer not available to E.
25. The method of claim 22, wherein one of the following conditions (a) or (b) holds: (a) A = ê(U_0, S_t) and B = ∏_{i=l+1}^{t} ê(Q_{i-1}, U_i), where: l is an integer selected in [2, t-1]; the elements U_0 and U_i (i = l+1, ..., t) are obtained from the ciphertext C; (b) A = ê(U_0, S_t) · ê(U_{l+1}, Q_l) and B = ∏_{i=l+2}^{t} ê(Q_{i-1}, U_i), where: l is an integer selected in [2, t-2]; the elements U_0 and U_i (i = l+2, ..., t) are obtained from the ciphertext C.
26. The method of claim 22, wherein the hierarchical encryption scheme is such that: each entity E_i (0 ≤ i < t) generates a respective secret integer s_i; for each integer i ∈ [1, t], each entity E_i obtains the secret S_i of E_i from a value equal to S_{i-1} + s_{i-1}P_i, where S(E) = S_t and where S_0 is the identity element of G1; each entity E_i (i ∈ [1, t-1]) generates Q_i with Q_i = s_i P_0; each entity E_i (i ∈ [2, t-1]) obtains a set of elements Q_k for all k ∈ [1, i-1] and modifies one or more of the Q_k, or leaves them unmodified, correspondingly to S_i.
27. A computer-implemented key extraction method for a hierarchical encryption scheme comprising a plurality of entities, each entity being associated with an encryption secret value S (the "S value"), the encryption secret value S being an element of a group G1, the method comprising, on behalf of an entity E_{t-1} that is one of the entities and has hierarchy level t-1, where t > 1 and where the root entity E_0 has hierarchy level 0: (1) obtaining a first secret value corresponding to E_{t-1} from data received from the immediate ancestor of E_{t-1}; (2) obtaining the S value S_{t-1} of E_{t-1} from the first secret value corresponding to E_{t-1}; (3) for each of one or more immediate descendants E_t of E_{t-1}: obtaining a value P_t that is a function of the ID of E_t and is an element of the group G1; generating data comprising the value S_{t-1} + s_{t-1}P_t as the first secret value corresponding to E_t, where s_{t-1} is a secret value generated by E_{t-1}; and providing the data comprising the first secret value S_{t-1} + s_{t-1}P_t to E_t, so that E_t generates the secret S value of E_t.
28. The method of claim 27, wherein t > 2, wherein operation (2) comprises setting S_{t-1} equal to the first secret value corresponding to E_{t-1}, and the method further comprises, on behalf of E_{t-1}: for each level i with 1 ≤ i ≤ t-2, obtaining an element Q_i of the group G1, each element Q_i being associated with the ancestor E_i of level i; for each immediate descendant E_t of E_{t-1}, providing the elements Q_i (1 ≤ i ≤ t-2) and Q_{t-1} to E_t, where Q_{t-1} is generated by E_{t-1} as Q_{t-1} = s_{t-1}P_0, where P_0 is a predefined public element of the group G1, and P_0 is independent of the descendant E_t and of the entity E_{t-1}.
29. The method of claim 27, wherein t > 2, wherein operation (2) comprises generating one or more variable integer values b_c for one or more selected values c ∈ [1, t-2], and setting S_{t-1} equal to the sum of the values b_c P_{c+1} and the first secret value corresponding to E_{t-1}; wherein the method further comprises, on behalf of E_{t-1}: for each level i (1 ≤ i ≤ t-2), obtaining an element Q_i of the group G1, each element Q_i being associated with the ancestor E_i of level i; for each said value c, replacing Q_c with Q_c + b_c P_0; and then, for each immediate descendant E_t of E_{t-1}, providing the elements Q_i (1 ≤ i ≤ t-2) and Q_{t-1} to E_t, where Q_{t-1} is generated by E_{t-1} as Q_{t-1} = s_{t-1}P_0, where P_0 is a predefined public element of the group G1, and P_0 is independent of the descendant E_t and of the entity E_{t-1}.
30. The method of claim 27, wherein E_{t-1} has more than one immediate descendant E_t, and s_{t-1} is generated as a single value for all descendants E_t.
31. The method of claim 27, wherein E_{t-1} has more than one immediate descendant E_t, and a separate value s_{t-1} is generated for each descendant E_t.
32. A computer-implemented method of generating a digital signature on a message M for a signer E_t, the signer E_t being an entity at level t below the entity E_0 in a hierarchical system comprising at least the entities E_0, E_1, ..., E_t, t ≥ 2, wherein in the hierarchical system each entity E_i (i = 1, ..., t) is a descendant of the entity E_{i-1}, the method comprising: (1) obtaining the signer's key S_t, which is a member of a group G1; (2) obtaining the signer's secret integer s_t; (3) generating a signature component Sig on the message M as the value Sig = S_t + s_t P_M, where: "+" is the group operation of the group G1; and P_M is a value that depends on the message M and is a member of the group G1.
33. A computer-implemented method of verifying a digital signature on a message M to verify that the digital signature is a correct signature of a signer E_t, the signer E_t being an entity at level t below the entity E_0 in a hierarchical system comprising at least the entities E_0, E_1, ..., E_t, t ≥ 2, wherein in the hierarchical system each entity E_i (i = 1, ..., t) is a descendant of the entity E_{i-1}, the method comprising: (1) obtaining a signature component Sig, which is an element of a predefined group G1; (2) obtaining one or more values Q_i associated with respective one or more entities E_i, the one or more values Q_i including the value Q_t; (3) confirming that ê(P_0, Sig) equals [right-hand side of the equation illegible in the source], where: P_0 is a predefined element of the group G1; the product ∏ ê(Q_{i-1}, P_i) is taken over all integers i in an appropriate subset of the integers from 1 to t; each Q_{i-1} = s_{i-1}P_0, where s_{i-1} is the secret integer of the entity E_{i-1}; Q_t = s_t P_0, where s_t is the secret integer of the entity E_t; ê is a bilinear non-degenerate map from G1 × G1 to a predefined group G2; P_M is a value that depends on the message M and is a member of the group G1; each P_i depends on the identity of the entity E_i; V is an element of the group G2.
34. The method of claim 32 or 33, wherein: each entity E_i (i > 0) receives its key S_i from the entity E_{i-1}; each entity E_i (i < t) generates its secret s_i and also generates the key S_{i+1} as follows: S_{i+1} = S_i + s_i P_{i+1}, and provides the key S_{i+1} to the entity E_{i+1}; each entity E_i (0 ≤ i ≤ t) generates the value Q_i = s_i P_0, where P_0 is a predefined element of the group G1.
35. The method of claim 34, wherein the signature component Sig is to be provided to a verifier, and the verifier accesses the values {Q_i} for values i in a subset of the integers from 0 to t.
36. The method of claim 35, wherein the subset of the integers from 0 to t is the set of all integers from 1 to t-1.
37. An apparatus for performing the method according to any one of the preceding claims.
38. An apparatus for generating a digital signature according to claim 32.
39. The method of claim 32 or the apparatus of claim 38, wherein S_t = Σ_i s_{i-1}P_i, where each P_i is a public function of the identity of the entity E_i, and each s_{i-1} is the secret integer of the entity E_{i-1}.
40. The method or apparatus of claim 39, wherein in operation (1) the signer obtains S_t from the entity E_{t-1}, and in operation (2) the signer generates s_t.
41. The method or apparatus of claim 39, wherein each P_i depends on the identity of each entity E_j such that 1 ≤ j ≤ i.
42. The method or apparatus of claim 39, wherein: each entity E_i (i > 0) receives its key S_i from the entity E_{i-1}; each entity E_i (i < t) generates its secret s_i and also generates the key S_{i+1} as follows: S_{i+1} = S_i + s_i P_{i+1}, and provides the key S_{i+1} to the entity E_{i+1}; each entity E_i (0 ≤ i ≤ t) generates the value Q_i = s_i P_0, where P_0 is a predefined element of the group G1.
43. The method or apparatus of claim 42, wherein the signature component Sig is to be provided to a verifier, and the verifier accesses the values {Q_i} for values i in a subset of the integers from 0 to t.
44. The method or apparatus of claim 43, wherein the subset of the integers from 0 to t is the set of all integers from 1 to t-1.
45. An apparatus operable to verify a digital signature on a message M in order to determine that the digital signature is a correct signature of a signer E_t, the signer E_t being an entity at level t below the entity E_0 in a hierarchical system comprising at least the entities E_0, E_1, ..., E_t, t ≥ 2, wherein in the hierarchical system each entity E_i (i = 1, ..., t) is a descendant of the entity E_{i-1}, the apparatus being operable to: (1) obtain a signature component Sig, which is an element of a predefined group G1; (2) obtain one or more values Q_i associated with respective one or more entities E_i, the one or more values Q_i including the value Q_t; (3) confirm that [formula: see original document, page 10], where: P_0 is a predefined public element of the group G1; ê is a bilinear non-degenerate map from G1 × G1 to a predefined group G2; P_M is a value that depends on the message M and is a member of the group G1; each P_i depends on the identity of the entity E_i; V is an element of the group G2.
46. The method of claim 43 or the apparatus of claim 45, wherein the product ∏ ê(Q_{i-1}, P_i) is taken over all integers i from 1 to t except an integer i_0, and V = ê(Q_0, P_{i_0}).
47. The method or apparatus of claim 46, wherein the product ∏ ê(Q_{i-1}, P_i) is taken over all integers i from 2 to t, and V = ê(Q_0, P_1).
48. The method of claim 33 or the apparatus of claim 45, wherein: each entity E_i (i > 0) receives its key S_i from the entity E_{i-1}; each entity E_i (i < t) generates its secret s_i and also generates the key S_{i+1} as follows: [formula absent in the source], and provides the key S_{i+1} to the entity E_{i+1}; each entity E_i (0 ≤ i ≤ t) generates the value Q_i = s_i P_0, where P_0 is a predefined element of the group G1.
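The key extraction of claim 27, the encryption of claims 1 and 7, the decryption of claim 25(a) with l = 1, and the signing and verification of claims 32 and 47 run end to end in the following toy model, added here as an example and not taken from the patent or its inventors. The integer-based pairing, the hash functions H1 and H2, the identity strings and the 32-byte message limit are assumptions of this example.

```python
"""Toy model of the hierarchical scheme in the claims above (added example, not
code from the patent or its inventors).  G1 = (Z_N, +) with generator P0 = 1,
G2 = order-N subgroup of Z_p^*, pairing e(a, b) = g2^(a*b): bilinear and
non-degenerate, so the claimed identities hold, but discrete logs in Z_N are
trivial, so it has no security.  H1, H2 and all sample values are constructed."""
import hashlib
import secrets

N = 7919  # prime order of G1 and G2 (constructed toy parameter)

def _is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def _toy_g2():
    """Return (p, g2) with p = k*N + 1 prime and g2 of order N in Z_p^*."""
    p = next(k * N + 1 for k in range(2, N) if _is_prime(k * N + 1))
    return p, next(x for x in (pow(h, (p - 1) // N, p) for h in range(2, p)) if x != 1)

MOD_P, GEN2 = _toy_g2()
P0 = 1  # public generator of G1

def pair(a, b):
    """e: G1 x G1 -> G2 with e(xP0, yP0) = g2^(xy)."""
    return pow(GEN2, (a * b) % N, MOD_P)

def h1(*parts):
    """H1: ID tuple (or message) -> non-identity element of G1 (constructed)."""
    d = hashlib.sha256("|".join(parts).encode()).digest()
    return 1 + int.from_bytes(d, "big") % (N - 1)

def h2(z):
    """H2: G2 element -> 32-byte pad for the message (constructed)."""
    return hashlib.sha256(str(z).encode()).digest()

def root_setup():
    """Root E0: key S0 = identity (0), secret s0, public Q0 = s0 P0."""
    s0 = 1 + secrets.randbelow(N - 1)
    return 0, s0, (s0 * P0) % N

def extract(parent_S, parent_s, ids):
    """Claim 27: S_t = S_{t-1} + s_{t-1} P_t, P_t = H1(ID_1..ID_t); E_t picks s_t, Q_t = s_t P0."""
    S_t = (parent_S + parent_s * h1(*ids)) % N
    s_t = 1 + secrets.randbelow(N - 1)
    return S_t, s_t, (s_t * P0) % N

def encrypt(msg, Q0, ids):
    """Claims 1/7: U0 = r P0, U_i = r P_i (i = 2..t), V = M xor H2(g^r), g = e(Q0, P1)."""
    r = 1 + secrets.randbelow(N - 1)
    pts = [h1(*ids[: i + 1]) for i in range(len(ids))]   # P_1 .. P_t
    U = [(r * P0) % N] + [(r * p) % N for p in pts[1:]]   # U_0, U_2 .. U_t
    g_r = pow(pair(Q0, pts[0]), r, MOD_P)
    return U, bytes(a ^ b for a, b in zip(msg, h2(g_r)))

def decrypt(U, V, S_t, Qs):
    """Claim 25(a), l = 1: g^r = e(U0, S_t) / prod_{i=2..t} e(Q_{i-1}, U_i).
    U = [U_0, U_2, .., U_t]; Qs = [Q_0, Q_1, ..] are the public Q values."""
    den = 1
    for j in range(1, len(U)):            # U[j] is U_{j+1}, Qs[j] is Q_j
        den = den * pair(Qs[j], U[j]) % MOD_P
    g_r = pair(U[0], S_t) * pow(den, -1, MOD_P) % MOD_P
    return bytes(a ^ b for a, b in zip(V, h2(g_r)))

def sign(msg, S_t, s_t):
    """Claim 32: Sig = S_t + s_t P_M with P_M = H1(M)."""
    return (S_t + s_t * h1("M", msg.hex())) % N

def verify(msg, sig, Qs, ids):
    """Claim 47: e(P0, Sig) == e(Q0, P1) * e(Q_t, P_M) * prod_{i=2..t} e(Q_{i-1}, P_i)."""
    t = len(ids)
    pts = [h1(*ids[: i + 1]) for i in range(t)]
    rhs = pair(Qs[t], h1("M", msg.hex()))
    for i in range(1, t + 1):            # the i = 1 term e(Q0, P1) is V
        rhs = rhs * pair(Qs[i - 1], pts[i - 1]) % MOD_P
    return pair(P0, sig) == rhs

def demo():
    """Constructed chain root -> 'corp' -> ('corp', 'alice'); returns four checks."""
    S0, s0, Q0 = root_setup()
    S1, s1, Q1 = extract(S0, s0, ["corp"])
    S2, s2, Q2 = extract(S1, s1, ["corp", "alice"])
    Qs = [Q0, Q1, Q2]
    msg = b"hierarchical IBE toy message"
    U, V = encrypt(msg, Q0, ["corp", "alice"])
    S2b, _, _ = extract(S1, s1, ["corp", "bob"])      # sibling's key
    sig = sign(b"approve", S2, s2)
    return (decrypt(U, V, S2, Qs) == msg,
            decrypt(U, V, S2b, Qs) != msg,
            verify(b"approve", sig, Qs, ["corp", "alice"]),
            not verify(b"reject", sig, Qs, ["corp", "alice"]))
```

Running demo() returns (True, True, True, True): the intended recipient decrypts, a sibling holding a different S_t does not, and the signature verifies only on the message it was made for.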
CN 200810183756 2002-03-21 2003-03-18 Hierarchical identity-based encryption and signature schemes CN101527629A (en)

Priority Applications (5)

Application Number Priority Date Filing Date Title
US36619602P true 2002-03-21 2002-03-21
US60/366,292 2002-03-21
US60/366,196 2002-03-21
US10/384,328 2003-03-07
CN03803910.9 2003-03-18

Publications (1)

Publication Number Publication Date
CN101527629A true CN101527629A (en) 2009-09-09

Family

ID=41095340

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 200810183756 CN101527629A (en) 2002-03-21 2003-03-18 Hierarchical identity-based encryption and signature schemes

Country Status (1)

Country Link
CN (1) CN101527629A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104065483A (en) * 2014-06-06 2014-09-24 武汉理工大学 Identity-based cryptograph (IBC) classified using method of electronic communication identities
CN105743646A (en) * 2016-02-03 2016-07-06 四川长虹电器股份有限公司 Encryption method and system based on identity
CN105897420A (en) * 2014-11-21 2016-08-24 褚万青 Atomic nucleus type password system, direct communication method and indirect communication method
CN107508796A (en) * 2017-07-28 2017-12-22 北京明朝万达科技股份有限公司 A kind of data communications method and device
CN105897420B (en) * 2014-11-21 2019-07-16 褚万青 A kind of atom caryogram cryptographic system and direct communication method and indirect communication method

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104065483A (en) * 2014-06-06 2014-09-24 武汉理工大学 Identity-based cryptograph (IBC) classified using method of electronic communication identities
CN104065483B (en) * 2014-06-06 2017-05-10 武汉理工大学 Identity-based cryptograph (IBC) classified using method of electronic communication identities
CN105897420B (en) * 2014-11-21 2019-07-16 褚万青 A kind of atom caryogram cryptographic system and direct communication method and indirect communication method
CN105897420A (en) * 2014-11-21 2016-08-24 褚万青 Atomic nucleus type password system, direct communication method and indirect communication method
CN105743646B (en) * 2016-02-03 2019-05-10 四川长虹电器股份有限公司 A kind of Identity based encryption method and system
CN105743646A (en) * 2016-02-03 2016-07-06 四川长虹电器股份有限公司 Encryption method and system based on identity
CN107508796A (en) * 2017-07-28 2017-12-22 北京明朝万达科技股份有限公司 A kind of data communications method and device
CN107508796B (en) * 2017-07-28 2019-01-04 北京明朝万达科技股份有限公司 A kind of data communications method and device


Legal Events

Date Code Title Description
C06 Publication
C10 Request of examination as to substance
C12 Rejection of an application for a patent