CN101527629A - Hierarchical identity-based encryption and signature schemes - Google Patents

Abstract

The present invention provides a hierarchical identity-based encryption and signature schemes. Methods are provided for encoding and decoding a digital message between a sender and a recipient in a system including a plurality of private key generators (PKGs). The PKGs include at least a root PKG and n lower-level PKG in the hierarchy between the root PKG and the recipient. A root key generation secret is selected and is known only to the root PKG (102). A root key generation parameter (104) is generated based on the root key generation secret. A lower-level key generation secret is selected for each of the n lower-level PKGs, wherein each lower-level key generation secret is known only to its associated lower-level PKG (106). A lower-level key generation ciphertext (108) also is generated for each of the n lower-level PKGs using at least the lower-level key generation secret for its associated lower-level private key generator.

Description

Graded encryption and signature scheme based on identity

The application is that application number is 03803910.9, the applying date is on March 18th, 2003, denomination of invention is divided an application for the application for a patent for invention of " based on the graded encryption and the signature scheme of identity ".

Related application

The applicant requires the priority of interim U.S. Patent application of submitting on March 21st, 2,002 60/366292 and the interim U.S. Patent application of submitting on March 21st, 2,002 60/366196 hereby according to 35 U.S.C § 119 (e), described two temporary patent applications all comprise in this application by reference.

Technical field

The secure communication that the present invention relates generally to cryptographic technique and undertaken by computer network or system and equipment by other types, and relate in particular to and be used for communication is carried out the hierarchy plan based on identity of encryption and decryption.

Background technology

In general, be public key cryptography based on the cryptographic system of identity, in this type systematic, the public keys of an entity is to be got by the information relevant with this identity of entity.For example, described identity information can be personal information (being name, address, E-mail address etc.) or computerized information (being IP address etc.).But identity information not only can comprise and the strict relevant information of entity identities, also comprise available information widely, such as time or date.That is to say that the importance of identity information notion does not lie in the strict relationship of it and entity identities, and be that any hope can both obtain this information easily to the people that entity sends encrypting messages.

The private cipher key of an entity is produced by a entrusted or logical process and distributes, and described the entrusted or logical process are commonly called private cipher key maker (" PKG ").PKG utilizes a main cipher-text information to produce private cipher key.Because the public keys of an entity can be known by inference according to its identity, therefore when Alice wanted to Bob transmission a piece of news, she just needn't fetch the public keys of Bob from database.But Alice only needs directly to know key by inference according to the identifying information of Bob.It is unnecessary that the public keys database just becomes, and Certificate Authority (" CAs ") also is unnecessary.Need not identity " binding " with Bob to his public keys, because his identity promptly is his public keys.

Based on the notion of the system of identity and stale.It just is suggested in " the Identity-Based Cryptosystems and Signatures Schemes (based on the encryption system and the signature scheme of identity) " that A.Shamir showed, this article is published in ADVANCES INCRYPTOGRAPHY-CRYPTO ' 84, Lecture Notes in ComputerScience 196 (1984), Springer, 47-53.Yet, but the encipherment scheme based on identity of practical application is not found yet so far.For example, scheme based on identity just is suggested in following document, " the An Identity-Based Encryption SchemeBased on Quadratic Residues (based on the encipherment scheme based on identity of squared residual) " that C.Cocks showed, this article can Http:// www.cesg.gov.uk/technology/id-pkc/media / ciren.pdfObtain; D.Boneh, " Identity BasedEncryption from the Weil Pairing (the encryption that obtains by Weil pairing) " that M.Franklin showed based on identity, this article is published in ADVANCES IN CRYPTOGRAPHY-CRYPTO2001, Lecture Notes in Computer Science2139 (2001), Springer, 213-229; And D.Boneh, " Identity BasedEncryption from the Weil Pairing (extended version) (encryption based on identity (extended version) that obtains by Weil pairing) " that M.Franklin showed, this article can Http:// www.cs.stanford.edu/～dabo/papers/ibe.pdfObtain.The scheme of Cocks is based on " squared residual problem ", although encryption and decryption all considerably fast (approximately being the speed of RSA) have significant extension of message (being that the ciphertext bit length is the manyfold of plaintext bit length).The Boneh-Franklin scheme is based upon the basis of its fail safe on " bilinear Diffie-Hellman problem ", and when Weil on using super unusual elliptic curve or Abelian variety curve or Tate pairing, this scheme is quite fast with efficient.

Yet the known encipherment scheme based on identity all has a significant defective---they are not hierarchies.In non-public key encryption technology based on identity, the hierarchy of CA can be set, in this structure, root CA can provide certificate for other CA, and the latter can provide certificate for the user in the special domain.It is very worth doing like this, because it has alleviated the workload of root CA.Can also not be developed for the practical hierarchy plan that uses based on the encryption technology of identity.

The hierarchy that ideally, will comprise an actual PKG of logic OR based on the graded encryption scheme of identity.For example, a root PKG can provide private cipher key to other PKG, and the latter can the user in special domain provide private cipher key.Simultaneously, as long as transmit leg has obtained the common parameter of root PKG, even transmit leg not in system, also can send an enciphered message under the situation of the public keys of searching the recipient or rudimentary common parameter of not reaching the standard grade.Another advantage based on the graded encryption scheme of identity is to damage control.For example, the leakage of the ciphertext of a territory PKG can't jeopardize the ciphertext of higher level PKG, also not entail dangers to any other be not the ciphertext of PKG of the direct subordinate of this damaged territory PKG.And the scheme that Cocks and Boneh-Franklin advocated does not have these characteristics.

Safe and the practical graded encryption scheme based on identity also is not developed.A kind of have part collusion repellence share scheme based on the grading key of identity and in following document, be suggested: G.Hanaoka, T.Nishioka, Y.Zheng, " AnEfficient Hierarchical Identity-Based Key-Sharing Method ResistantAgainst Collusion Attacks (a kind of can resist collusion attack share method based on the grading key of identity efficiently) " that H.Imai showed, this article is published in ADVANCES INCRYPTOGRAPHY-ASIACRYPT 1999, Lecture Notes in ComputerScience 1716 (1999), Springer, 348-362; And G.Hanaoka, T.Nishioka, Y.Zheng, H.Imai showed " A Hierarchical Non-InteractiveKey-Sharing Scheme With Low Memory Size and High ResistanceAgainst Collusion Attacks (and a kind of have low memory size, high collusion attack repellence the non-interactive key of classification share scheme) ", this article will be published in THE COMPUTERJOURNAL.In addition, at J.Horwitz, also provide in " TowardHierarchical Identity-Based Encryption the graded encryption of identity (trend based on) " literary composition that B.Lynn showed introduction based on the graded encryption of identity, this article is about to be published in ADVANCES IN CRYPTOGRAPHY-EUROCRYPT 2002, LectureNotes in Computer Science, Springer.Horwitz and Lynn have proposed a kind of hierarchy plan of two-stage, this scheme has in the first order conspires repellence completely, and has a collusion repellence (that is, the user can conspire the ciphertext with the territory PKG that obtains them, and disguises oneself as into territory PKG in view of the above) of part in the second level.But the complexity of Horwitz-Lynn system can improve along with the collusion repellence on the second level, so this scheme can not be accomplished not only practicality but also safety.

Therefore need a kind of safe and practical graded encryption scheme based on identity.A target of the present invention is exactly that a kind of safe and practical graded encryption scheme based on identity will be provided.Another target of the present invention is that a kind of safe and practical classification signature scheme based on identity will be provided.Another target of the present invention is that described encryption and signature scheme all are adjustable fully.Another target of the present invention is that described encryption and signature scheme all have on the rank of any amount and conspire repellence completely, and they have the selected ciphertext fail safe of foretelling at random in the model.

Summary of the invention

According to the present invention, it provides the method that is used for realizing safe and reliable and practical graded encryption and signature scheme based on identity.

Content according to an aspect of the present invention, it provides a kind of method that is used for Code And Decode digital massage between transmit leg in a system and the recipient, comprises a plurality of private cipher key makers (" PKG ") in the described system.At least comprise n rudimentary PKG, wherein n 〉=1 in the hierarchy between a root PKG and root PKG and the recipient among these PKG.Root key generates ciphertext and is selected, and only is known to the root PKG.Generate ciphertext according to described root key and produce a root key generation parameter.Generate ciphertext for n rudimentary PKG respectively chooses a rudimentary key, wherein each rudimentary key generation ciphertext is only known to its relevant rudimentary PKG.Also will be for n rudimentary PKG respectively produce a rudimentary cipher generating parameter, the rudimentary key that wherein will use at least corresponding to relevant rudimentary private cipher key maker generates ciphertext.At least utilize root key generation parameter and recipient's identity information to come described message is encoded, to form a ciphertext.Produce recipient's private cipher key, make this recipient's private cipher key generate with root key at least that n relevant rudimentary key of n rudimentary PKG in the hierarchy between ciphertext, root PKG and the recipient generates one or more in the ciphertext and recipient's identity information is relevant.At least utilize recipient's private cipher key to decipher described ciphertext to recover described message.

Content according to a further aspect in the invention, it provides a kind of method that is used for Code And Decode digital massage between transmit leg in a system and the recipient, comprises a plurality of private cipher key makers (" PKG ") in the described system.At least comprise m the rudimentary PKG in the hierarchy between a root PKG, root PKG and the transmit leg among these PKG, m 〉=1 wherein, the n in the hierarchy between root PKG and the recipient rudimentary PKG, wherein n 〉=1, and PKG _l, it is the common older generation PKG of transmit leg and recipient.In this hierarchy, the l in m private cipher key maker is the common older generation PKG of transmit leg and recipient, wherein l 〉=1.

This content on the one hand according to the present invention will generate ciphertext for the m in the hierarchy between root PKG and the transmit leg rudimentary PKG respectively chooses a rudimentary key.Generate a transmit leg private cipher key, make this transmit leg private cipher key generate with root key at least that m relevant rudimentary key of m rudimentary PKG in the hierarchy between ciphertext, root PKG and the transmit leg generates one or more in the ciphertext and the transmit leg identity information is relevant.Generate recipient's private cipher key, make this recipient's private cipher key generate with root key at least that n relevant rudimentary key of n rudimentary PKG in the hierarchy between ciphertext, root PKG and the recipient generates one or more in the ciphertext and recipient's identity information is relevant.At least utilize recipient's identity information, transmit leg private cipher key and and be positioned at or be lower than public older generation PKG _lIn the relevant rudimentary cipher generating parameter of level other (m-l+1) individual private cipher key maker 0 or a plurality of, come described message is encoded, but can not use and be higher than public older generation PKG _lThe relevant rudimentary cipher generating parameter of (l-1) individual PKG in any one.At least utilize transmit leg identity information, recipient's private cipher key and and be positioned at or be lower than public older generation PKG _lIn the relevant rudimentary cipher generating parameter of level other (n-l+1) individual private cipher key maker 0 or a plurality of, come described message is decoded, but can not use and be higher than public older generation PKG _lThe relevant rudimentary cipher generating parameter of (l-1) individual PKG in any one.

Content according to a further aspect in the invention, it provides a kind of and has been used for producing between transmit leg in a system and the recipient and the method for the digital signature of checking a piece of news, comprises a plurality of PKG in the described system.At least comprise n rudimentary PKG, wherein n 〉=1 in the hierarchy between a root PKG and root PKG and the transmit leg among these PKG.Root key generates ciphertext and is selected, and only is known to the root PKG.Generate ciphertext according to described root key and produce a root key generation parameter.Generate ciphertext for n rudimentary PKG respectively chooses a rudimentary key, wherein each rudimentary key generation ciphertext is only known to its relevant rudimentary PKG.Also will be for n rudimentary PKG respectively produce a rudimentary cipher generating parameter, the rudimentary key that wherein will use at least corresponding to relevant rudimentary private cipher key maker generates ciphertext.For transmit leg generates a private cipher key, make this private cipher key relevant with root key generation ciphertext and transmit leg identity information at least.At least utilize the transmit leg private cipher key to sign described message to generate a digital signature.At least utilize root key generation parameter and transmit leg identity information to verify described digital massage.

Description of drawings

Below to the explanation of the preferred embodiment of the present invention with reference to accompanying drawing, wherein:

Fig. 1 shows a flow chart, the method that this figure currently preferred embodiment according to the present invention has been showed a kind of Code And Decode digital massage;

Fig. 2 shows a flow chart, this figure another currently preferred embodiment according to the present invention showed a kind of between transmit leg y and recipient z the coding and the method for decoded digital message;

Fig. 3 shows a block diagram, and this figure has showed a kind of typical hierarchy, can realize method shown in Figure 2 in this structure;

Fig. 4 shows a flow chart, the method that this figure another currently preferred embodiment according to the present invention has been showed a digital massage M of a kind of Code And Decode, and described digital massage transmits between transmit leg y and recipient z;

Fig. 5 shows a flow chart, the method that this figure another currently preferred embodiment according to the present invention has been showed a digital massage M of a kind of Code And Decode, and described digital massage transmits between transmit leg y and recipient z;

Fig. 6 shows a flow chart, the method that this figure another currently preferred embodiment according to the present invention has been showed a digital massage M of a kind of Code And Decode, and described digital massage transmits between transmit leg y and recipient z;

Fig. 7 shows a flow chart, and this figure another currently preferred embodiment according to the present invention has been showed a kind of method that generates and verify a digital signature;

Fig. 8 shows a flow chart, and this figure another currently preferred embodiment according to the present invention has been showed a kind of method that generates and verify the digital signature Sig of a digital massage M, and described digital massage transmits between transmit leg y and recipient z; And

Fig. 9 shows a flow chart, and this figure another currently preferred embodiment according to the present invention has been showed a kind of method that generates and verify the digital signature Sig of a digital massage M, and described digital massage transmits between transmit leg y and recipient z.

Embodiment

Current method for optimizing of the present invention provides safe and reliable and the practical graded encryption based on identity (" HIDE ") and signature (" HIDS ") scheme.Described hierarchy plan is adjustable fully, all has on the rank of any amount and conspires repellence completely, and have the selected ciphertext fail safe of foretelling at random in the model.These targets partly realize by introduce additional random information in each rudimentary PKG.These schemes are aspect surprising one on intuitively, even rudimentary PKG has produced additional random information, also can force below the root rank of hierarchy and add common parameter.In addition, the random information that rudimentary PKG produced can not cause negative effect to the ability that does not send enciphered message the user of the user below the rudimentary PKG below rudimentary PKG.

Each HIDE of the present invention and HIDS scheme all need the hierarchy of PKG, comprise a root PKG and a plurality of rudimentary PKG in this structure at least.Hierarchy and rudimentary PKG can be logics, also can be actual.For example, a single entity just can produce root key and generate ciphertext and rudimentary key generation ciphertext, and rudimentary user's encryption or signature key are all generated by the latter.In this case, rudimentary PKG is not an independent entity, and is process or information with the logical hierarchy tissue, and the offspring PKG and the user that are utilized in the hierarchy generate key.Perhaps, each rudimentary PKG also can be an independent entity.Another kind of alternative relates to mixed form actual and the rudimentary PKG of logic.For the open illustrative purposes of this paper, phrase " rudimentary PKG " generally is used to refer to any one in these alternatives.

Under the classification cryptographic system environment based on identity disclosed herein, can be based on the time cycle based on the public keys of identity.For example, a specific recipient's identity can change with each later time cycle.Perhaps, the recipient also can be arranged to the time cycle its own offspring or subordinate in hierarchy, and transmit leg can use the identity of orthochronous on the cycle when coded message.No matter adopt which kind of mode, each key all only could effectively be used for signing the message that will give Bob in the relevant time cycle.

HIDE scheme of the present invention generally includes 5 randomized algorithms: root setting, rudimentary setting, extraction, encryption and deciphering.Three identity that depend on related entities in the hierarchy in these algorithms.Every user preferably has a position in hierarchy, this hierarchy can be by its ID tuple (ID ₁..., ID _t) definition.The older generation of described user in hierarchy is that root PKG and ID tuple are { (ID ₁..., ID _i): 1≤i≤(t-1) user or PKG.For computation purpose, the most handy binary word string list of ID tuple shows.

Be provided with in the algorithm at root, root PKG uses a security parameter k to produce public system parameter p arams and a root key generates ciphertext.Described system parameters comprises the description to message space M and cryptogram space X.Described system parameters is public use, but has only root PKG to know that root key generates ciphertext.

Be provided with in the algorithm rudimentary, for the purpose that extracts, the rudimentary key that each rudimentary PKG preferably produces it generates ciphertext.Perhaps, rudimentary PKG also can produce disposable ciphertext for each the extraction.

In extraction algorithm, a PKG (root PKG or rudimentary PKG) produces a private cipher key for its any one offspring.This private cipher key is to utilize the private cipher key of system parameters, the side of bearing PKG and any other preferred cipher-text information to produce.

In cryptographic algorithm, transmit leg preferably receives by some secure way beyond the native system from root PKG receiving system parameter.Transmit leg needn't receive any rudimentary cipher generating parameter.Described transmit leg utilizes params and expectation recipient's the ID tuple a piece of news M ∈ M that encodes, to produce a ciphertext C ∈ X.On the contrary, in decoding algorithm, the recipient utilizes params and recipient's the private cipher key d ciphertext C that decodes, to recover message M.The consistency constraint of standard is preferably all satisfied in encryption and decryption:

$\∀M\∈M:$ Decryption?(params，d，C)＝M

Wherein C=Encryption (params, the ID tuple, M).

As the HIDE scheme, HIDS scheme of the present invention generally also comprises 5 randomized algorithms: root setting, rudimentary setting, extraction, signature and checking.In root was provided with, system parameters can be replenished to comprise into the explanation to the signature space ∑.Rudimentary setting is the same with algorithm in extracting best and above-mentioned HIDE.

In the signature algorithm, the transmit leg of digital massage utilizes the private cipher key d signature message M ∈ M of params and transmit leg, to generate a signature S ∈ ∑.In verification algorithm, the recipient who is signed message utilizes the ID tuple of params and transmit leg to come certifying signature S.Verification algorithm is preferably exported " effectively " or engineering noise.Signature is preferably also satisfied consistency constraint with checking:

$\∀M\∈M:$ Verification (params, the ID tuple, S)=" effectively "

Wherein S=Signing (params, d, M).

The fail safe of HIDE and HIDS scheme

To at HIDE and HIDS the fail safe that has realized the solution of the present invention be described respectively below.People have been noted that the standard definition that is necessary for based on the selected ciphertext fail safe of system enhancement of identity under based on the non-graded encryption technology environment of identity.This is because in order to carry out safety analysis, should suppose that an adverse party can obtain the private cipher key relevant with any identity of its selection (except specific identity under attack).This point is equally applicable to the graded encryption technology based on identity.Therefore, have selected ciphertext safety, just can allow a simulated strike person carry out key and extract inquiry in order to ensure HIDE scheme of the present invention.Simultaneously, also to allow this simulation adverse party to select the identity of its desired challenge.

Be also to be noted that an adverse party can adaptivity or non-self-adapting choose the identity of its object.Choose the adverse party of its object adaptively and will at first carry out out of order inquiry and extract inquiry, and then choose its target according to the result of these inquiries.Such adverse party does not have specific target when beginning to attack.But as long as it can crack someone, this adverse party is exactly successful.On the other hand, the adverse party of a non-self-adapting can and not extract the result who inquires about and choose its target according to out of order inquiry.For example, such adverse party can be a target with a personal rival.This adverse party still can be carried out out of order inquiry and be extracted inquiry, but its target selection is strict with target identities, but not according to Query Result.Obviously, the fail safe of the adverse party of choosing at adaptive targets is stronger, also is superior more desirable fail safe notion therefore.But, the safety analysis of HIDE scheme among the present invention mentioned two types fail safe.

If in following contest, there is not the adverse party A that is subjected to multinomial restriction that the challenger is had the advantage of can not ignore, chooses the attack of target and have semantically fail safe with regard to claiming the HIDE scheme that self adaptation is chosen ciphertext and self adaptation so.

Be provided with: the challenger obtains a security parameter k and moves root algorithm is set.It offers adverse party with the system parameters params that obtains.It generates ciphertext with root key and leaves oneself for.

Stage 1: adverse party proposes inquiry q ₁..., q _m, q wherein _iBe a kind of in the following inquiry:

1. public keys is inquired about (ID tuple _i): the challenger is to the ID tuple _iMove an out of order algorithm, to obtain corresponding to the ID tuple _iPublic keys H (ID tuple _i).

2. extract inquiry (ID tuple _i): the challenger moves extraction algorithm to generate corresponding to the ID tuple _iPrivate cipher key d _i, and with d _iSend to adverse party.

3. (ID tuple is inquired about in deciphering _i, C _i): the challenger moves extraction algorithm to generate corresponding to the ID tuple _iPrivate cipher key d _i, utilize d _iThe operation decipherment algorithm is with deciphering C _i, and the plaintext that the result obtains sent to adverse party.

These inquiries can propose adaptively.In addition, the ID tuple of being inquired about _iCan be corresponding to the position on any one rank of hierarchy.

Challenge: in case adverse party decision stage 1 has finished, it will export the plaintext M of two equal in length ₀, M ₁∈ M, and the ID tuple of its hope challenge.Unique is limited in, and any private cipher key that this ID tuple and its older generation can not appear in the stage 1 extracts in the inquiry.The challenger arbitrarily choose a random bit b ∈ 0,1}, and establish C=Encryption (params, ID tuple, M _b).It sends to adverse party with C as once challenging.

Stage 2: adverse party proposes more inquiry q _M+1..., q _n, q wherein _iBe a kind of in the following inquiry:

1. public keys is inquired about (ID tuple _i): the challenger responds as in the stage 1.

2. extract inquiry (ID tuple _i): the challenger responds as in the stage 1.

3. (C, ID tuple are inquired about in deciphering _i): the challenger responds as in the stage 1.

Inquiry in stage 2 is subjected to following restriction, and promptly the challenger can not extract inquiry to the ID tuple relevant with challenge ciphertext C, or utilizes that ID tuple and ciphertext C to be decrypted inquiry.This restriction is equally applicable to all older generations of this ID tuple.

Conjecture: conjecture value b ' ∈ of adverse party output 0,1}.If b=b ', then adverse party is won the game.The advantage that adverse party is had in attacking this programme is defined as | Pr[b=b ']-1/2|.

In the contest of the following stated, if there is no have the polynomial time adverse party of the advantage of can not ignore, the HIDE scheme just is called as the One-Way Encryption scheme so.In this contest, adverse party A is given a public keys K at random _PubWith a ciphertext C, and export one to conjecture value expressly, described ciphertext C utilizes K _PubRandom message M encrypted obtain.If ε is the probability of A output M, so just claim described adverse party that this programme is had advantage ε.Described contest is following to be carried out:

Be provided with: the challenger obtains a security parameter k and moves root algorithm is set.It offers adverse party with the system parameters params that obtains.It generates ciphertext with root key and leaves oneself for.

Stage 1: adverse party is with regard to as carrying out public keys and/or extracting inquiry in the stage 1 of above-mentioned selected ciphertext safety analysis.

Challenge: in case adverse party decision stage 1 has finished, it will export the new ID tuple ID of its hope challenge.The challenger arbitrarily chooses a M ∈ M at random, and establish C=Encryption (params, the ID tuple, M).It sends to adverse party with C as once challenging.

Stage 2: other identity except the ID and the older generation thereof are proposed more public keys inquiry to adverse party and more the extraction inquired about, and the challenger then can respond as in the stage 1.

Conjecture: conjecture value M ' ∈ M of adverse party output.If M=M ', then adverse party is won the game.The advantage that adverse party is had in attacking this programme is defined as Pr[M=M '].

The solution of the present invention is safe and reliable for above-mentioned challenge.In addition, HIDS scheme of the present invention also is safe and reliable at the existing forgery of choosing message at self adaptation.Even after (adaptively) obtained the signature of target on the selected message of adverse party, adverse party can not pseudo-be produced its signature of target on other message of not signing before it.HIDS adverse party also will have except its target and other entities the older generation carry out the public keys inquiry and private cipher key extracts the ability of inquiring about, and the ability of choosing its target.For HIDE, the target selection of adverse party can be adaptive also can right and wrong adaptive.

Pairing

Current preferred HIDE of the present invention and HIDS scheme all are based on pairing, and for example Weil or the Tate with elliptic curve or Abelian variety curvilinear correlation matches.Described method also can be based on the bilinear Diffie-Hellman problem.They use two cyclic group Γ ₁And Γ ₂, these two cyclic groups preferably have onesize Prime Orders q.First crowd of Γ ₁The preferably a group point on elliptic curve or the Abelian variety curve, and Γ ₁On group rule can be write as additivity.Second crowd of Γ ₂Preferably a finite field takes advantage of temper group and Γ ₂On group rule can be write as the property taken advantage of.But the group that also can use other types is as Γ according to the invention ₁And Γ ₂

Described method has also been utilized first crowd of Γ ₁Maker P ₀In addition, a pairing or function are also provided $\hat{e}:{\mathrm{\Γ}}_1\×{\mathrm{\Γ}}_1\→{\mathrm{\Γ}}_2,$ Be used for first crowd of Γ ₁Two element map become second crowd of Γ ₂An element.Function Preferably satisfy three conditions.At first, function

Preferably bilinear, if Q and R are at Γ ₁In, and a and b be integer, so $\hat{e}(\mathrm{aQ},\mathrm{bR})=\hat{e}{(Q,R)}^{\mathrm{ab}}.$ The second, function

Preferably nonsingular, thus make that this mapping can be with Γ ₁* Γ ₁In all pairings change Γ into ₂In identity.The 3rd, function

Preferably can efficient calculation.Satisfy the function of these three conditions Be considered to feasible.

Function

Had better be symmetrical, thereby to all Q, R ∈ Γ ₁Have $\hat{e}(Q,R)=\hat{e}(R,Q).$ Yet symmetry directly comes from bilinearity and Γ ₁It is the such fact of cyclic group.Can revise and the Weil of super unusual elliptic curve and Abelian variety curvilinear correlation and Tate pairing according to method well known in the prior art, to create such bilinearity mapping.But, even with the first cyclic group Γ ₁Element be called " point " can the hint function

Be a kind of Weil or Tate pairing, but it should be noted any feasible pairing through revising

Can both play a role.

The fail safe of HIDE and HIDS scheme mainly is based on the bilinear Diffie-Hellman problem among the present invention.The bilinear Diffie-Hellman problem is at the P of given picked at random ∈ Γ ₁, and the situation of aP, bP and cP (for a of the picked at random of the unknown, b, c ∈ Z/qZ) under, obtain Problem.At Γ ₁In solve the Diffie-Hellman problem and just solved the bilinear Diffie-Hellman problem, this be because $\hat{e}{(P,P)}^{\mathrm{abc}}=\hat{e}(\mathrm{abP},\mathrm{cP}).$ Similarly, at Γ ₂The middle Diffie-Hellman problem that solves has also just solved the bilinear Diffie-Hellman problem, because if $g=\hat{e}(P,P),$ G so ^Abc=(g ^Ab) ^c, wherein $g^{\mathrm{ab}}=\hat{e}(\mathrm{aP},\mathrm{bP})$ And $g^c=\hat{e}(P,\mathrm{cP}).$ In order to make the bilinear Diffie-Hellman problem become difficult, just should be to Γ ₁And Γ ₂Choose, make at Γ ₁Or Γ ₂In do not have the algorithm known that can solve the Diffie-Hellman problem effectively.

If a randomized algorithm I Γ has adopted security parameter k＞0, moved and exported two group Γ in the polynomial time of k ₁And Γ ₂Description and a feasible pairing $\hat{e}:{\mathrm{\Γ}}_1\×{\mathrm{\Γ}}_1\→{\mathrm{\Γ}}_2$ Description, wherein said two groups preferably have identical Prime Orders q, this algorithm I Γ is exactly a bilinear Diffie-Hellman maker so.If I Γ is a bilinear Diffie-Hellman parameter generators, the advantage Adv that in solving the bilinear Diffie-Hellman problem, had of algorithm B so _{I Γ}(B) just be defined as, when the input item of sending into algorithm is Γ ₁, Γ ₂, When P, aP, bP and cP, algorithm B output

Probability, wherein Be the output of I Γ at enough big secret coefficient k, P is Γ ₁Random generator, a, b and c then are the random elements of Z/qZ.Hypothesis under the bilinear Diffie-Hellman problem is Adv _{I Γ}(B) all be insignificant for all efficient algorithm B.

The HIDE scheme

Referring now to accompanying drawing,, the method that flow chart shown in Figure 1 a kind of currently preferred embodiment according to the present invention has been showed a kind of Code And Decode digital massage.This method is carried out in comprising the HIDE system of a plurality of PKG.At least comprise n rudimentary PKG, wherein n 〉=1 in the hierarchy between a root PKG and root PKG and the recipient among the described PKG.

In module 102, root PKG chooses a root key that has only root PKG to know and generates ciphertext.This root key generates ciphertext can be utilized for that following PKG and/or the user of root PKG generates private cipher key in the hierarchy.Then, in module 104, root PKG generates ciphertext according to root key and produces a root key generation parameter.This root key generates parameter and is used to cover up root key generation ciphertext.This root key generates parameter can be revealed to rudimentary PKG, and don't the entail dangers to root key generates ciphertext.In module 106, rudimentary PKG chooses rudimentary key and generates ciphertext.The rudimentary key relevant with given rudimentary PKG generates ciphertext can be utilized for that PKG and/or the user under this relevant rudimentary PKG generates private cipher key in the hierarchy.Similar with root key generation ciphertext, it is only known to its relevant rudimentary PKG that each rudimentary key generates ciphertext.

In module 108, for n rudimentary PKG produces rudimentary cipher generating parameter separately.The generation of each rudimentary cipher generating parameter will utilize the rudimentary key of its relevant rudimentary PKG to generate ciphertext at least.Similar with root key generation parameter, each rudimentary cipher generating parameter has been covered up relative rudimentary key and has been generated ciphertext.

In module 110, transmit leg utilizes root key to generate parameter at least and the identity information relevant with the recipient comes coded message to form a ciphertext.For example, the identity that can only utilize root key to generate parameter and the recipient described message of encoding.Perhaps, also can utilize in the rudimentary cipher generating parameter, just as what will be described in more detail according to two HIDE schemes hereinafter.In module 112, a rudimentary PKG is for the recipient generates a private cipher key, make this private cipher key at least with root key generate ciphertext, with hierarchy in the identity informations one or more and recipient in relevant n the rudimentary key generation ciphertext of n rudimentary PKG between root PKG and the recipient be correlated with.For example, except root key generated ciphertext and recipient's identity information, preferably also the rudimentary key generation ciphertext with the PKG that provides private cipher key to the recipient was relevant at least for recipient's private cipher key.Perhaps, recipient's private cipher key also can be relevant with rudimentary key generation ciphertext and the root key generation ciphertext of all n older generation PKG.In module 114, the recipient utilizes decode ciphertext and recover message of its private cipher key at least.Except utilizing its private cipher key decodes, the recipient preferably also utilize with hierarchy in the relevant individual rudimentary cipher generating parameter of n of n rudimentary PKG between root PKG and the recipient.

Each rudimentary PKG has a key to generate ciphertext, just as root PKG.As mentioned above, rudimentary PKG preferably utilizes this ciphertext to come to generate private cipher key for its each offspring, and PKG does just as root.Like this, just the key generation ciphertext with rudimentary PKG is relevant for offspring's private cipher key.Even rudimentary PKG uses its key to generate ciphertext for the purpose that limits key escrow (escrow) revision was hidden that ciphertext originally, this point is also set up, as hereinafter will more completely illustrating.Simultaneously, rudimentary PKG needn't always be to use identical ciphertext to carry out each private cipher key and extract, and generates ciphertext but can produce a new key for each offspring of PKG at random, thereby obtains different cipher generating parameters for each offspring.

Because a rudimentary PKG can generate a private cipher key (module 112) for the recipient, so root PKG needn't oneself generate all private cipher keys.In addition, come to produce private cipher key, therefore expose a rudimentary key generation ciphertext and only can cause limited security damage hierarchy for their offspring because rudimentary PKG uses their key to generate ciphertext.With all private cipher keys in its exposure hierarchy, not as those private cipher keys that allow the unlawful practice of a rudimentary PKG only expose the private cipher key of this PKG and to utilize the key of that PKG to generate ciphertext to produce (that is, as those users of the lineal descent of PKG in hierarchy that be exposed private cipher key).

Another advantage of present embodiment is that transmit leg needn't be in the hierarchy can send a coded message to the recipient.This transmit leg only need be known identity information relevant with the recipient and the system parameters that is generated by root PKG.But when transmit leg was in the hierarchy, HIDE scheme of the present invention also had some extra advantage to embody.For example, when transmit leg and recipient are in the hierarchy, just can improve the efficient of message encryption by the identity of utilizing both sides.This class HIDE scheme can be called as two HIDE, because transmit leg and recipient's identity all is used as the input of encryption and decipherment algorithm.The encoding and decoding method of having used two HIDE schemes is described now with reference to Fig. 2 and Fig. 3.

Two HIDE

Flow chart shown in Figure 2 another currently preferred embodiment according to the present invention showed a kind of between transmit leg y and recipient z the coding and the method for decoded digital message.Block diagram shows shown in Figure 3 a kind of typical hierarchy, in this structure, can realize this method.Similar to previous embodiment, this method can realize in a HIDE system, comprises a root PKG 302 at least in the described HIDE system, and the n in the hierarchy between root PKG 302 and the recipient z 308 rudimentary PKG 304a, b, d, wherein n 〉=1.Transmit leg y 306 among this embodiment must be also in hierarchy, and also comprises m rudimentary PKG 304a between root PKG 302 and the transmit leg y 306, b, c, wherein m 〉=1 in this hierarchy.M PKG 304a between root PKG 302 and transmit leg y 306, b, c, and n PKG 304a between root PKG 302 and the recipient z 308, b among the d, has l PKG304a, b is transmit leg y 306 and the public older generation of recipient z 308,1≤l≤m wherein, n.For example, figure 3 illustrates this l two (PKG among the public older generation PKG _Y1/ PKG _Z1304a and PKG _Yl/ PKG _Zl304b).

The method of this embodiment begins in module 202, and in this module, root PKG 302 chooses a root key that has only root PKG 302 to know and generates ciphertext.Then, in module 204, root PKG 302 generates ciphertext according to root key and produces a root key generation parameter.In module 206, rudimentary PKG 304a-d chooses rudimentary key and generates ciphertext.Similar with root key generation ciphertext, it is only known to relative rudimentary PKG 304a-d that each rudimentary key generates ciphertext.In module 208, for n rudimentary PKG 304a-d produces rudimentary cipher generating parameter separately.The rudimentary key that the generation of each rudimentary cipher generating parameter will be used at least corresponding to its relevant rudimentary PKG 304a-d generates ciphertext.

In module 210, the previous generation PKG of transmit leg _Ym304c is that transmit leg y 306 generates a private cipher key, make this private cipher key at least and root key generate ciphertext, with root PKG302 and transmit leg y 306 between the individual rudimentary PKG 304a of m, b, the identity information that m the rudimentary key that c is relevant generates the one or more and transmit leg in the ciphertext is relevant.For example, except root key generates the identity information of ciphertext and transmit leg, the private cipher key of transmit leg preferably at least also with the previous generation PKG of transmit leg _YmIt is relevant that the rudimentary key of 304c generates ciphertext.Perhaps, the private cipher key of transmit leg also can be relevant with rudimentary key generation ciphertext and the root key generation ciphertext of the individual lineal older generation PKG of its all m.In module 212, recipient's previous generation PKG _Zn304d generates a private cipher key, the previous generation PKG of the mode of generation and transmit leg for recipient z _Ym304c is similar with the mode that generates the transmit leg private cipher key.

In module 214, transmit leg y coded message to be forming a ciphertext, this process to use at least transmit leg private cipher key and and root PKG 302 and transmit leg y 306 between (m-l+1) individual PKG (that is PKG, _Yl304b and PKG _Ym304c) one or more in the relevant rudimentary cipher generating parameter, and described PKG is positioned at the public older generation PKG of the lowermost level (PKG of transmit leg y 306 and recipient z308 _Yl/ PKG _ZlRank 304b) or be lower than this rank.When message was encoded, transmit leg y 306 had better not use and be higher than the public older generation PKG of lowermost level (PKG _Yl/ PKG _Zl(l-1) individual PKG 304b) (is PKG _Y1304a) relevant any rudimentary cipher generating parameter.

Then, in module 216, recipient z 308 decoding ciphertexts to be recovering described message, this process to use at least the recipient private cipher key and and root PKG 302 and recipient z 308 between (n-l+1) individual PKG (that is PKG, _Zl304b and PKG _Zn304c) one or more in the relevant rudimentary cipher generating parameter, and described PKG is positioned at the public older generation PKG of the lowermost level (PKG of transmit leg y 306 and recipient z 308 _Yl/ PKG _ZlRank 304b) or be lower than this rank.When message was decoded, recipient z 308 had better not use and be higher than the public older generation PKG of lowermost level (PKG _Yl/ PKG _Zl(l-1) individual PKG 304b) (is PKG _Z1304a) relevant any rudimentary cipher generating parameter.

This couple of HIDE embodiment of the present invention provides the scheme more efficiently of message being carried out Code And Decode, because only need use less cipher generating parameter.For example, the decoding in the common HIDE scheme approximately needs all n cipher generating parameter, but the decoding in two HIDE schemes only needs (n-l+1) individual cipher generating parameter.Two HIDE schemes require transmit leg y 306 at the private cipher key that obtained it before coded message of recipient z 308 transmissions earlier, and this is opposite with the public system parameter that only needs acquisition root PKG.Two HIDE schemes also make transmit leg y 306 and recipient z 308 can limit the scope of key escrow, just as hereinafter more the complete description.This ciphertext of sharing is except the public older generation PKG of their lowermost level _Yl/ PKG _ZlThird party institute beyond the 304b is ignorant.

Basic HIDE

The method that flow chart shown in Figure 4 another currently preferred embodiment according to the present invention has been showed a digital massage M of a kind of Code And Decode, described digital massage transmits between transmit leg y and recipient z.As shown in Figure 3, low n+1 the rank of recipient z 308 beguine PKG in hierarchy, and with ID tuple (ID _Z1..., ID _{Z (n+1)}) be associated.Comprise the identity information ID relevant in recipient's the ID tuple with the recipient _{Z (n+1)}, and with the relevant identity information ID of the rudimentary PKG of its older generation of n in hierarchy _ZiThis method begins in module 402, first and second cyclic group Γ of generting element in this module ₁And Γ ₂In module 404, choose a function

Make this function

Can be by the first cyclic group Γ ₁Two elements generate the second cyclic group Γ ₂An element.Function Preferably a kind of feasible pairing, as mentioned above.In module 406, choose the first cyclic group Γ ₁A root maker P ₀In module 408, choose a root key generation ciphertext s at random ₀, this ciphertext and root PKG 302 are relevant and have only root PKG 302 to know.s ₀Cyclic group Z/qZ element preferably.In module 410, produce a root key and generate parameter Q ₀=s ₀P ₀Q ₀The first cyclic group Γ preferably ₁An element.In module 412, choose one first function H ₁, make H ₁Can generate the first cyclic group Γ by the first string binary number ₁An element.In module 414, choose one second function H ₂, make H ₂Can be by the second cyclic group Γ ₂Element generate the second string binary number.The function of module 402 to 414 all is the part that above-mentioned HIDE root is provided with algorithm, and preferably all finishes in the roughly the same moment.As example, just can be used as H such as those disclosed functions in Boneh-Franklin ₁And H ₂

Ensuing a series of module (module 416 to 424) shows the function that the part of algorithm is set and carries out as rudimentary.In module 416, for recipient's n the rudimentary PKG of the older generation respectively generates a common element P _ZiEach common element P _Zi=H ₁(ID ₁..., ID _Zi) preferably all be the first cyclic group Γ ₁An element, 1≤i≤n wherein.Although represent with individual module, all common element P _ZiGeneration need carry out a period of time, and non-once is all finished.

Be recipient's the rudimentary PKG 304a of n the older generation, b, d respectively choose a rudimentary key and generate ciphertext s _Zi(module 418).This rudimentary key generates ciphertext s _ZiThe element of cyclic group Z/qZ preferably, 1≤i≤n wherein, and each rudimentary key generates ciphertext s _ZiThe rudimentary PKG that preferably has only it to be correlated with knows.Equally, although be to represent with individual module, all rudimentary keys generate ciphertext s _ZiChoose and need carry out a period of time, and non-once is all finished.

For n the rudimentary PKG of the older generation of transmit leg respectively generates a rudimentary secret element S _Zi(module 420).Each rudimentary secret element S _Zi=S _{Z (i-1)}+ s _{Z (i-1)}P _ZiThe first cyclic group Γ preferably ₁An element, 1≤i≤n wherein.Although with common element P _ZiAnd ciphertext s _ZiEqually all represent with individual module, but all secret element S _ZiGeneration also need to carry out a period of time, and non-once is all finished.For the cause of the key generative process of these repetitions, can be with S ₀Be decided to be Γ ₁The identity element.

Also to respectively produce a rudimentary cipher generating parameter Q for recipient's n the rudimentary PKG of the older generation _Zi(module 422).Each cipher generating parameter Q _Zi=s _ZiP ₀Preferably all be the first cyclic group Γ ₁Element, 1≤i≤n wherein.Equally, although represent with individual module, all cipher generating parameter Q _ZiGeneration also need to carry out a period of time, and non-once is all finished.

Function with latter two module (module 424 and 426) is to carry out as the part of above-mentioned extraction algorithm.In module 424, generate the recipient common element P relevant with recipient z _{Z (n+1)}This recipient's common element, P _{Z (n+1)}=H ₁(ID _Z1... ID _{Z (n+1)}), the first cyclic group Γ preferably ₁ An element.In module 426, generate the recipient secret element S relevant then with recipient z _{Z (n+1)}This recipient's secret element, $S_{z(n+1)}=S_{\mathrm{zn}}+s_{\mathrm{zn}}{P}_{z(n+1)}={\mathrm{\Σ}}_{i=1}^{n+1}{s}_{z(i-1)}{P}_{\mathrm{zi}},$ Preferably also be the first cyclic group Γ ₁An element.

For simplicity, the first function H ₁Can be chosen as a kind of iteration function, thus can be according to for example H ₁(P _{Z (i-1)}, ID _Zi) but not H ₁(ID ₁... ID _Zi) calculate common point P _i

Latter two module (module 428 and 430) shown in Fig. 4 has been represented above-mentioned encrypt and decrypt algorithm.In module 428, message M is encoded to generate a ciphertext C.This cataloged procedure is preferably used root key at least and is generated parameter Q ₀And ID tuple (ID _Z1... ID _{Z (n+1)}).Ciphertext C in module 430, decode then to recover message M.This decode procedure is preferably used rudimentary cipher generating parameter Q at least _ZiAnd recipient's secret element S _{Z (n+1)}, 1≤i≤n wherein.

Module shown in Fig. 4 needn't occur fully in turn.For example, a transmit leg of knowing recipient's identity can be encrypted communication before the recipient obtains private cipher key.

Now with reference to Fig. 5 and Fig. 6, be described in detail in message M and ciphertext C are carried out the parameter mentioned in the Code And Decode and the concrete utilization of element.The method that flow chart shown in Figure 5 another currently preferred embodiment according to the present invention has been showed a digital massage M of a kind of Code And Decode, described digital massage transmits between transmit leg y and recipient z.Be called as in the scheme of basic HIDE at this, root setting, rudimentary setting and extraction algorithm are all identical with the embodiment shown in the module 402 to 426 among Fig. 4.Flow chart shown in Figure 5 has been showed the encrypt and decrypt algorithm, it in module 528a from choosing an accidental enciphering parameter r.R is an integer among the cyclic group Z/qZ preferably.In module 528b, utilize formula C=[U then ₀, U ₂..., U _N+1, V] and generation ciphertext C.Comprise element U among this ciphertext C _i=rP _Zi, i=0 and 2≤i≤n+1 wherein, these elements are relevant with the position of recipient in hierarchy.Other parts of ciphertext C are real messages of encrypted form, $V=M\⊕H_2\left(g^r\right),$ Wherein $g=\hat{e}(Q_0,P_{z1}).$ Element g is the second cyclic group Γ preferably ₂The member.After message is encoded, can be decrypted it according to basic HIDE decipherment algorithm, in this decipherment algorithm, utilize formula $M=V\⊕H_2\left(\frac{\hat{e}(U_0,S_{n+1})}{{\mathrm{\Π}}_{i=2}^{n+1}\hat{e}(Q_{i-1},U_i)}\right),$ From ciphertext C, recover message M (module 530).

Full HIDE

Utilize known method to make the One-Way Encryption scheme have the fail safe of attacking at selected ciphertext, basic HIDE scheme can be converted to full HIDE scheme, the latter is foretelling to have selected ciphertext fail safe in the model at random.Now with reference to Fig. 6 a kind of full HIDE scheme with selected ciphertext fail safe is described.

The method that flow chart shown in Figure 6 another currently preferred embodiment according to the present invention has been showed a digital massage M of a kind of Code And Decode, described digital massage transmits between transmit leg y and recipient z.In this embodiment of the present invention, root setting, rudimentary setting and extraction algorithm are all identical with the described embodiment of reference Fig. 4, and just the root of this embodiment is provided with algorithm needs two extra functions.Therefore, flow chart shown in Figure 6 is from the selection of extra function (module 615a and 615b), and proceeds encrypt and decrypt algorithm (module 628a to 630d).

By selecting one the 3rd function H ₃(module 615a) and one the 4th function H ₄(module 615b) finishes root algorithm is set.The 3rd function H ₃Preferably can produce the integer of cyclic group Z/qZ by two string binary numbers.The 4th function H ₄Preferably can produce a binary string by another binary string.

Cryptographic algorithm is from module 628a, and this module shows choosing of random binary string σ.Then, this random binary string σ is used to generate a random integers r=H ₃(σ, M, W), shown in module 628b.Wherein W is the symmetric cryptography of real messages M.This encryption preferably utilizes symmetric encipherment algorithm E to generate, and uses H ₄(σ) as encryption key.Accordingly, $W=E_{H_4\left(s\right)}\left(M\right).$ In module 628c, generate ciphertext C=[U ₀, U ₂..., U _N+1, V, W].Comprise element U among this ciphertext C _i=rP _Zi, i=0 and 2≤i≤n+1 wherein, it is relevant with the position of recipient in hierarchy.The random binary string σ that second part of ciphertext C is encrypted form, $V=\mathrm{\σ}\⊕H_2\left(g^r\right),$ Wherein $g=\hat{e}(Q_0,P_{z1}).$ Element g is the second cyclic group Γ preferably ₂The member.The 3rd part of ciphertext C is W, and as mentioned above, it is the real messages of symmetric cryptography form.

Decipherment algorithm is from module 630a, and this module shows the recovery of random binary string σ.Random binary string σ utilizes formula $s=V\⊕H_2\left(\frac{\hat{e}(U_0,S_{n+1})}{{\mathrm{\Π}}_{i=2}^{n+1}\hat{e}(Q_{i-1},U_i)}\right)$ Recover.Utilize formula then $M=E_{H_4\left(s\right)}^{-1}\left(W\right)$ From ciphertext C, recover message M (module 630b).Can check ciphertext, with the check internal consistency.For example, can generate an experimental random integers r '=H ₃(σ, M, W), as shown in module 630c.Then, just can in module 630d, utilize this experimental random integers r ' to check U ₀=r ' P ₀And U _i=r ' P _Zi, 2≤i≤n+1 wherein.If set up, can think that then ciphertext C is real.

This HIDE of double-basis and the HIDE that enjoys a double blessing

Can be applied to basic HIDE and full HIDE scheme with reference to Fig. 2 and described pair of HIDE notion of Fig. 3.When transmit leg and recipient were in the hierarchy, as shown in Figure 3, two HIDE just can make their improve the efficient and the fail safe of their coded communication.Need determine additional information to basic HIDE and the two HIDE of full HIDE scheme application, these information are to determine by the above-mentioned rudimentary algorithm that is provided with mostly.For example, be necessary for the rudimentary PKG decision of m the older generation common element P of transmit leg _Yi, rudimentary key generates ciphertext s _Yi, rudimentary secret element S _YiAnd rudimentary cipher generating parameter Q _YiBut be noted that these parameters are preferably identical for the rudimentary PKG as the public older generation of transmit leg y and recipient z, (that is to say preferably have for all i≤l: P so that transmit leg y and recipient z analyzed _Yi=P _Zi, s _Yi=s _Zi, S _Yi=S _ZiAnd Q _Yi=Q _Zi).Two HIDE also need to determine a transmit leg common element P for transmit leg _{Y (m+1)}With a transmit leg secret element S _{Y (m+1)}, the method for using is identical with above-mentioned method used when determining these parameters as the recipient.

These additional parameters have been arranged, just can encode to generate a ciphertext C to message M according to two HIDE principles, the process of coding will be utilized rudimentary cipher generating parameter Q _Yi(i 〉=l) and transmit leg secret element S wherein _{Y (m+1)}, but can not use the rudimentary cipher generating parameter Q of i＜l _YiTo utilize rudimentary cipher generating parameter Q when similarly, decoding with recovery message M to ciphertext C _Yi(i 〉=l) and recipient secret element S wherein _{Z (n+1)}, but can not use the rudimentary cipher generating parameter Q of i＜l _Zi

For example, in basic HIDE scheme (Fig. 4 and Fig. 5), the application of two HIDE has changed the coding of message M to generate a ciphertext C=[U ₀, U _L+1..., U _N+1, V], wherein, U is arranged for i=0 and l+1≤i≤n+1 _i=rP _Zi, wherein $V=M\⊕H_2\left(g_{\mathrm{yl}}^r\right),$ And wherein $g_{\mathrm{yl}}=\frac{\hat{e}(P_0,S_{y(m+1)})}{{\mathrm{\Π}}_{i=l+1}^{m+1}\hat{e}(Q_{y(i-1)},P_{\mathrm{yi}})}.$ U _iThe calculating of the factor still only needs to calculate small part wherein with identical in the past.Yet this HIDE of double-basis requires transmit leg y to use more than the necessary cipher generating parameter Q of above-mentioned generation g _YiGenerate g _YlThis is to have suffered to cryptographic algorithm because the identity of transmit leg is involved.

The efficient of decipherment algorithm improves more surprising.Message M utilizes

$M=V\⊕H_2\left(\frac{\hat{e}(U_0,S_{z(n+1)})}{{\mathrm{\Π}}_{i=l+1}^{n+1}\hat{e}(Q_{z(i-1)},U_{\mathrm{zi}})}\right)$ Recover.Equally, still, only need less U _iParameter.Similarly, the recipient need be used for the cipher generating parameter Q of two HIDE _ZiThan necessary lacking under other situations.

Full HIDE also can be modified to create a kind of HIDE of enjoying a double blessing scheme.The generation of ciphertext C is modified to C=[U in the cryptographic algorithm ₀, U _L+1..., U _N+1, V, W], wherein, U is arranged for i=0 and l+1≤i≤n+1 _i=rP _ZiParameter W and r still generate with same method, $W=E_{H_4\left(s\right)}\left(M\right),$ And $V=\mathrm{\σ}\⊕H_2\left(g_{\mathrm{yl}}^r\right)$ In parameter $g_{\mathrm{yl}}=\frac{\hat{e}(P_0,S_{y(m+1)})}{{\mathrm{\Π}}_{i=l+1}^{m+1}\hat{e}(Q_{y(i-1)},P_{\mathrm{yi}})}.$

In the HIDE scheme of enjoying a double blessing, decipherment algorithm also is modified.Random binary string σ utilizes $\mathrm{\σ}=V\⊕H_2\left(\frac{\hat{e}(U_0,S_{z(n+1)})}{{\mathrm{\Π}}_{i=l+1}^{n+1}\hat{e}(Q_{z(i-1)},U_{\mathrm{zi}})}\right)$ Recover.In addition, the recovery of message M is constant.

Although used PKG _l304b has illustrated these pairs HIDE scheme as the minimum public older generation PKG of transmit leg y and recipient z, but PKG _l304b can be public arbitrarily older generation PKG.The encrypt and decrypt algorithm is identical.But in order to obtain the highest efficient, PKG _lThe preferably minimum public older generation PKG of 304b.

Except the raising of efficient, of the present invention pair of HIDE scheme also provides higher fail safe by the restriction key escrow.In above-mentioned basic HIDE and full HIDE scheme, the lineal older generation PKG of all of recipient can both decipher the message of issuing the recipient.But, because two HIDE scheme has added PKG _L-1(PKG _lThe direct previous generation) key generate ciphertext, this ciphertext is for PKG _L-1Above public older generation PKG is unknown, so those public older generation PKG just can not decipher the message between transmit leg y and the recipient z.

Key escrow can further be limited, thus even PKG _lThe direct previous generation can not decipher message between transmit leg y and the recipient z.It is being that transmit leg y and recipient z generation private cipher key (or is PKG that this point can be passed through _lThe offspring simultaneously be again that the older generation's of transmit leg y and recipient z PKG generates private cipher key) process in hiding PKG _lPrivate cipher key realize.For example, for some b ∈ Z/qZ at random, PKG _l304b can be by being provided with S ' _l:=S _l+ bP _lAnd Q ' _L-1:=Q _L-1+ bP ₀And change its private cipher key easily.New private cipher key S ' _lEffectively same, but but be not PKG _lThe direct previous generation known to.Therefore, PKG _lAbove PKG can not decode to the message that encryption sends to recipient z.More particularly, has only recipient z at PKG _lThe territory in the older generation can decipher the message that sends to recipient z.

Work as PKG _l304b is by being provided with S ' _l:=S _l+ bP _lAnd Q ' _L-1:=Q _L-1+ bP ₀When changing its private cipher key, new private cipher key still with PKG _L-1Key generate ciphertext s _L-1Relevant, because new private cipher key is by PKG from one _L-1Utilize s _L-1The private cipher key that generates push away.Generally speaking, in all schemes discussed in this article, user or PKG can be by choosing b _iValue (1≤i≤n) and being provided with wherein ${S^{\′}}_{z(n+1)}:=S_{z(n+1)}+{\mathrm{\Σ}}_{i=1}^n{b}_i{P}_{z(i+1)}$ And Q ' _Zi:=Q _Zi+ b _iP ₀(1≤i≤n), change its secret element S wherein _{Z (n+1)}With cipher generating parameter Q _Zi(1≤i≤n) wherein.Yet for the purposes of the present invention, this new private cipher key still is considered to relevant with original private cipher key, thereby also generates ciphertext s with key _ZiInitial value relevant.

Have more two HIDE schemes of encryption and decryption technique

In above-mentioned two HIDE schemes, the quantity of the paired value that encryption equipment must be able to be calculated reduces one, and don't can improve the quantity of the paired value that decipher must calculate.For example, above-mentioned this HIDE of double-basis cryptographic algorithm can be modified, thus ciphertext

$C=[P_0,r(P_{y(l+1)}-P_{z(l+1)}),r{P}_{z(l+2)},K,r{P}_{z(n+1)},M\⊕H_2\left(g_{y(l+1)}^r\right)],$ Wherein

$g_{y(l+1)}=\frac{\hat{e}(P_0,S_{y(n+1)})}{{\mathrm{\Π}}_{i=l+2}^m\hat{e}(Q_{y(i-1)},P_{\mathrm{yi}})}=\hat{e}(P_0,S_{y(l+1)}).$ If ciphertext is represented as

C=[U ₀, U _L+1, K, U _N+1, V], so just can utilize $M=V\⊕H_2\left[\frac{\hat{e}(U_0,S_{z(n+1)})\hat{e}(U_{l+1},Q_{\mathrm{zl}})}{{\mathrm{\Π}}_{i=l+2}^n\hat{e}(Q_{z(i-1)},U_i)}\right]$ Come it is decrypted.

Similarly, also the quantity of the paired value that decipher must be able to be calculated reduces one, and don't can improve the quantity of the value that encryption equipment must calculate.For example, this HIDE of double-basis cryptographic algorithm can be modified, thus ciphertext $C=[P_0,r{P}_{y(l+2)},K,r{P}_{y\left(n\right)},M\⊕H_2\left(g_{z(l+1)}^r\right)],$ Wherein

$g_{z(l+1)}=\frac{\hat{e}(P_0,S_{y(m+1)})\hat{e}(Q_{\mathrm{yl}},(P_{z(l+1)}-P_{y(l+1)}))}{{\mathrm{\Π}}_{i=l+2}^m\hat{e}(Q_{y(i-1)},P_{\mathrm{yi}})}=\hat{e}(P_0,S_{z(l+1)}).$ If ciphertext is represented as

C=[U ₀, U _L+2, K, U _n, V], so just can utilize $M=V\⊕H_2\left[\frac{\hat{e}(U_0,S_{z(n+1)})}{{\mathrm{\Π}}_{i=l+2}^n\hat{e}(Q_{z(i-1)},U_i)}\right]$ Come it is decrypted.

Rudimentary PKG through authentication

Can the high efficiency of above-mentioned pair of HIDE scheme be expanded to the message sender that is positioned at outside the hierarchy by creating a rudimentary PKG through authentication.Will " authenticate,, rudimentary PKG, root PKG can propose an additional parameter, such as a random message M '.Then, rudimentary PKG " signature " M ' generates signature Sig=S _Zl+ s _ZlP _{M '}, S wherein _lBe the private cipher key of rudimentary PKG, s _lThen be that its rudimentary key generates ciphertext.Rudimentary PKG also can announce the Q corresponding to 1≤i≤t _i

Utilize rudimentary PKG, be positioned at the common element P that transmit leg outside the hierarchy need not to calculate all n of recipient older generation PKG through authentication _ZiCan send encrypting messages to recipient z.Transmit leg can utilize corresponding to the parameter of rudimentary authentication root PKG encrypting messages more efficiently.Specifically, transmit leg calculates P _Zi=H ₁(ID ₁..., ID _Zi) ∈ Γ ₁, l+1≤i≤n+1 wherein.Transmit leg is chosen a r ∈ Z/qZ at random then, and generates ciphertext $C=[P_0,r{P}_{z(l+1)},...,r{P}_{z(n+1)},M\⊕H_2\left(g_{\mathrm{zl}}^r\right)],$ Wherein

$g_{\mathrm{zl}}=\frac{\hat{e}(P_0,\mathrm{Sig})}{\hat{e}(s_{\mathrm{zl}}{P}_0,P_{M^{\′}})}=\hat{e}(P_0,S_{\mathrm{zl}}).$ Suppose the ciphertext C=[U that receives ₀, U _L+1..., U _N+1, V], then the recipient can decipher this ciphertext to recover message $M=V\⊕H_2\left[\frac{\hat{e}(U_0,S_{z(n+1)})}{{\mathrm{\Π}}_{i=l+1}^{n+1}\hat{e}(Q_{z(i-1)},U_i)}\right],$ S wherein _{Z (n+1)}It is recipient's private cipher key.

Distributed PKG

For the further key of the above-mentioned HIDE scheme of protection generates ciphertext, and make these schemes have robustness, can utilize known threshold encryption technology that key is generated ciphertext and private cipher key is distributed for dishonest PKG.

Encryption technology more efficiently

By the highest two-stage in the hierarchy is merged into single PKG, just can improve the efficient of the encryption technology that is used for above-mentioned HIDE scheme.Under the sort of situation, $g=\hat{e}(Q_0,P_1)$ Be comprised in the system parameters.So just saved the task that encryption equipment calculates this paired value.Yet decipher must calculate an extra pairing (this is it in the result of the next stage of tree).

The HIDS scheme

Consider signature scheme of the present invention or HIDS scheme now, flow chart shown in Figure 7 another currently preferred embodiment according to the present invention has been showed a kind of method that generates and verify a digital signature.This method realizes in a HIDS system that comprises a plurality of PKG.At least comprise n rudimentary PKG, wherein n 〉=1 in the hierarchy between a root PKG and root PKG and transmit leg or the signer among the described PKG.In module 702, root PKG chooses a root key that has only root PKG to know and generates ciphertext.This root key generation ciphertext can be utilized for the PKG or the user that are lower than root PKG in the hierarchy and produce private cipher key.In module 704, root PKG generates ciphertext according to root key and produces a root key generation parameter then.In module 706, rudimentary PKG chooses rudimentary key and generates ciphertext.The rudimentary key relevant with given rudimentary PKG generates ciphertext and can be utilized for PKG or user of being lower than this relevant rudimentary PKG in the hierarchy and generate private cipher key.Similar with root key generation ciphertext, it is only known to its relevant rudimentary PKG that each rudimentary key generates ciphertext.In module 708, for n rudimentary PKG produces rudimentary cipher generating parameter separately.The rudimentary key that the generation of each rudimentary cipher generating parameter all will be used its relevant rudimentary PKG at least generates ciphertext.

In module 710, a rudimentary PKG is for the recipient generates a private cipher key, and of making this private cipher key generate in the ciphertext with n rudimentary key at least is relevant.For example, the private cipher key of transmit leg at least can be relevant with the rudimentary key generation ciphertext of the PKG that provides from private cipher key to the recipient.But recipient's private cipher key preferably rudimentary key generation ciphertext and the root key generation ciphertext with its all n older generation PKG is relevant.In module 712, transmit leg utilizes its private cipher key to sign message at least and generates digital signature.In module 714, recipient or checker utilize one of rudimentary cipher generating parameter to verify this digital signature at least then.For example, can only utilize root key to generate parameter and verify this signature.Perhaps, also can utilize one or more in the rudimentary cipher generating parameter.

Flow chart shown in Figure 8 another currently preferred embodiment according to the present invention has been showed a kind of method that generates and verify the digital signature Sig of a digital massage M, and described digital massage transmits between transmit leg y and recipient z.As shown in Figure 3, low m+1 the rank of transmit leg y 306 beguine PKG in hierarchy, and with ID tuple (ID _Y1..., ID _{Y (m+1)}) be associated.Comprise the identity information ID relevant in the ID tuple of transmit leg with transmit leg _{Y (m+1)}, and with each relevant identity information ID of its m in hierarchy rudimentary PKG of the older generation _YiThis method is from module 802, first and second cyclic group Γ of generting element ₁And Γ ₂In module 804, choose a function

Make this function Can be by the first cyclic group Γ ₁Two elements generate the second cyclic group Γ ₂An element.Function

Preferably a kind of feasible pairing, as mentioned above.In module 806, choose the first cyclic group Γ ₁A root maker P ₀In module 808, choose a root key generation ciphertext s at random ₀, this ciphertext and root PKG 302 are relevant and have only root PKG 302 to know.s ₀Cyclic group Z/qZ element preferably.In module 810, produce a root key and generate parameter Q ₀=s ₀P ₀Q ₀The first cyclic group Γ preferably ₁An element.In module 812, choose one first function H ₁, make H ₁Can generate the first cyclic group Γ by the first string binary number ₁An element.In module 814, choose one second function H ₃, make H ₃Can be by the second cyclic group Γ ₂Element generate the second string binary number.The function of module 802 to 814 all is the part that above-mentioned HIDS root is provided with algorithm, and preferably all finishes in the roughly the same moment.As example, just can be used as H such as those disclosed functions in Boneh-Franklin ₁And H ₃In fact, function H ₁And H ₃It can be identical function.But have a potential hidden danger.An assailant may attempt allowing the signer sign M=ID _t, ID wherein _tRepresented an actual identity.In this case, in fact signer's signature can be a private cipher key, and after this this key can be used to decrypt and forge a signature.But, can distinguish the means that signature and private cipher key extract by adopting some---such as a bit prefix or be H ₃Adopt different functions, this hidden danger is avoidable.

Ensuing a series of module (module 816 to 824) shows the function that the part of algorithm is set and carries out as rudimentary.In module 816, for m the rudimentary PKG of the older generation of transmit leg respectively generates a common element P _YiEach common element P _Yi=H ₁(ID ₁..., ID _Yi) preferably all be the first cyclic group Γ ₁An element, 1≤i≤m wherein.Although represent with individual module, all common element P _YiGeneration need carry out a period of time, and non-once is all finished.

Be the rudimentary PKG 304a of m the older generation of transmit leg, b, d respectively choose a rudimentary key and generate ciphertext s _Yi(module 818).This rudimentary key generates ciphertext s _YiThe element of cyclic group Z/qZ preferably, 1≤i≤m wherein, and each rudimentary key generates ciphertext s _YiPreferably have only the rudimentary PKG relevant to know with it.Equally, although be to represent with individual module, all rudimentary keys generate ciphertext s _YiChoose and need carry out a period of time, and non-once is all finished.

For m the rudimentary PKG of the older generation of transmit leg respectively generates a rudimentary secret element S _Yi(module 820).Each rudimentary secret element S _Yi=S _{Y (i-1)}+ s _{Y (i-1)}P _YiThe first cyclic group Γ preferably ₁An element, 1≤i≤m wherein.Although with common element P _YiAnd ciphertext s _YiEqually all represent with individual module, but all secret element S _YiGeneration also need to carry out a period of time, and non-once is all finished.For the cause of the key generative process of these repetitions, can be with S ₀Be decided to be Γ ₁The identity element.

Also to respectively produce a rudimentary cipher generating parameter Q for m the rudimentary PKG of the older generation of transmit leg _Yi(module 822).Each cipher generating parameter Q _Yi=s _YiP ₀Preferably all be the first cyclic group Γ ₁Element, 1≤i≤m wherein.Equally, although represent with individual module, all cipher generating parameter Q _YiGeneration also need to carry out a period of time, and non-once is all finished.

Function with latter two module (module 824 and 826) is to carry out as the part of above-mentioned extraction algorithm.In module 824, generate the transmit leg common element P relevant with transmit leg y _{Y (m+1)}This transmit leg common element, P _{Y (m+1)}=H ₁(ID _Y1... ID _{Y (m+1)}), the first cyclic group Γ preferably ₁An element.In module 826, generate the transmit leg secret element S relevant then with transmit leg y _{Y (m+1)}This transmit leg secret element, $S_{y(m+1)}=S_{\mathrm{ym}}+s_{\mathrm{ym}}{P}_{y(m+1)}={\mathrm{\Σ}}_{i=1}^{m+1}{s}_{y(i-1)}{P}_{\mathrm{yi}},$ Preferably also be the first cyclic group Γ ₁An element.

For simplicity, the first function H ₁Can be chosen as a kind of iteration function, thus can be according to for example H ₁(P _{Y (i-1)}, ID _Yi) but not H ₁(ID ₁... ID _Yi) calculate common point P _i

Latter two module (module 828 and 830) shown in Fig. 8 has been represented above-mentioned signature and verification algorithm.In module 828, message M is signed to generate a digital signature Sig.This signature process is preferably used transmit leg secret element S at least _{Y (m+1)}Certifying digital signature Sig in module 830 then.This proof procedure is preferably used root key at least and is generated parameter Q ₀And rudimentary cipher generating parameter Q _YiNow with reference to Fig. 9 these parameters and the detailed directions of element when signing message M and certifying digital signature Sig are described.

Flow chart shown in Figure 9 another currently preferred embodiment according to the present invention has been showed a kind of method that generates and verify the digital signature Sig of a digital massage M, and described digital massage transmits between transmit leg y and recipient z.In this scheme, root setting, rudimentary setting and extraction algorithm are all identical with the embodiment shown in the module 802 to 826 among Fig. 8.Therefore, flow chart shown in Figure 9 generates ciphertext s from choosing a transmit leg key in module 927a _{Y (m+1)}Beginning, this ciphertext has only transmit leg y to know.In module 927b, utilize formula Q _{Y (m+1)}=s _{Y (m+1)}P ₀Produce a transmit leg cipher generating parameter Q who is associated with transmit leg _{Y (m+1)}Then, the signature algorithm generates a message element P from transmit leg among module 928a _M=H ₃(ID _Y1..., ID _{Y (m+1)}, M).This message element P _MThe first cyclic group Γ preferably ₁A member.In module 928b, utilize equation Sig=S _{Y (m+1)}+ s _{Y (m+1)}P _MGenerate digital signature Sig itself.The recipient is by the check equation $\frac{\hat{e}(P_0,\mathrm{Sig})}{\hat{e}(Q_{y(m+1)},P_M){\mathrm{\Π}}_{i=2}^{m+1}\hat{e}(Q_{y(i-1)},P_{\mathrm{yi}})}=\hat{e}(Q_0,P_1)$ Whether satisfy and come certifying digital signature Sig.

This paper has been described in detail the present invention with reference to the preferred embodiments of the present invention and illustrated example, still should be understood that in thought of the present invention and scope and can realize various variations and improvement.

Claims (48)

1. a computer-implemented encryption method is used in the graded encryption scheme message M that is used to decipher the cipher-text information of expecting recipient's entity E being encrypted, and this method comprises:

(1) obtains variate-value r;

(2) obtain first of described message M and encrypt use value g ^rCan decipher described first and encrypt, wherein

G is that a pre-defined function is in value ê (p0, the value of p1) locating; ê: G ₁* G ₁→ G ₂Be the mapping of non degenerate bilinearity, wherein G ₁And G ₂Be the group, and ê, G ₁And G ₂To be used for deciphering;

P0, p1 are G ₁Element, wherein at least one depends on the ID of the previous generation of E in the graded encryption system;

(3) obtain the first ciphertext part, comprise a plurality of values, each value is crowd G ₁Element and be that the linearity of the value of rF form is expressed, wherein each F is E and/or the pre-defined function of the previous generation's of E ID at least, wherein at least one value F depends at least one previous generation's of E ID; And

(4) produce the ciphertext of using first of described first ciphertext part and described message M to encrypt and forming.

2. according to the process of claim 1 wherein that described first ciphertext does not partly rely on M.

3. according to the method for claim 1 or 2, wherein said graded encryption scheme is for making:

Root entity E ₀Generate its ciphertext integer s ₀

Each entity E the previous generation of the E of classification level i＞0 _iGenerate ciphertext integer s separately _i

To each integer i ∈ [1, t], t＞1st wherein, the classification level of E and E wherein _t=E, each entity E _iAcquisition equals S _I-1+ s _I-1P _iValue, and E is set _iCiphertext S _iBe the described S that equals _I-1+ s _I-1P _iValue or by revising the described S of equaling _I-1+ s _I-1P _iValue and the value that obtains, wherein each P _iBe to comprise E _iThe function of one or more ID of ID, and S ₀Be G ₁The identity element, P _iCan be used for described deciphering;

Each entity E _i(i ∈ [1, t-1]) generting element Q _i, and Q _i=s _iP ₀, each entity E _i(i ∈ [2, be that all k ∈ [1, i-1] obtain a group element Q t-11) _k, and revise one or more Q _kPerhaps keep it not to be modified with corresponding to S _i, and entity E _tReceive element Q ₁..., Q _T-1

4. according to the method for claim 3, wherein at least one is worth i ∈ [2, t-1], E _iS is set _iEqual S _I-1+ s _I-1P _i, and element Q _kNot by E _iRevise.

5. according to the method for claim 3, wherein at least one is worth i ∈ [2, t-1]:

E _iFor one or more integer value c ∈ [1, i-1] generate one or more variable integer value b _c, and use the described S of equaling _I-1+ s _I-1P _iValue generate S _iAs value b _cP _C+1And; And

E _iBy each described c is used Q _c+ b _cP ₀Replace element Q _cThereby, revise element Q _k

6. according to the method for claim 3, wherein each F is one or more element P ₀..., P _tLinearity express, make value F define together except that P _jAll outer P _0,..., P _tValue;

To some j ∈ [1, t-1], g=ê (Q ₀, P _j), and

g ^rCan followingly calculate

$g^r=\frac{\hat{e}(U_0,S_t)}{{\mathrm{\Π}}_{1\≤i\≤t,i\≠j}\hat{e}(Q_{i-1},U_i)}$

U wherein ₀=rP _0,Each U _i=rP _i

7. according to the method for claim 6, wherein said value F is to all i ∈ [0, t] thereby the value P of i ≠ 1 and j=1 _i

8. according to the method for claim 3, wherein obtain described first encryption and comprise:

From another entity acquisition value Sig=S _l+ s _lP _{M '}, l is the integer of selecting, l＜t, wherein S _lBe not used in and encrypt described message M, and P _{M '}Can be used for encrypting, and long-pending s _lP ₀As Q _lBe used to encrypt described message M;

Calculate g:

$g=\frac{\hat{e}(P_0,\mathrm{Sig})}{\hat{e}(s_1{P}_0,P_{M^{\′}})}$

G wherein ^rCan be calculated as follows

$g^r=\frac{\hat{e}(U_0,S_t)}{{\mathrm{\Π}}_{i=l+1}^t\hat{e}(Q_{i-1},U_i)}$

Wherein to each i ∈ [l+1, t], U _i=rP _iAnd

Value F has defined P together ₀With all P _L+1,..., P _t

9. method according to Claim 8, wherein g=ê (P ₀, S _l).

10. according to the method for claim 3, wherein:

Represent entity E _YmCarry out described method, its in the graded encryption scheme the m level and be the E of some l＜t _lThe offspring;

E in classification i＞0 grade _YmEach entity E of the previous generation _Yi, generate corresponding ciphertext integer s _Yi

To each integer i ∈ [1, m], each entity E _YiFrom equaling S _{Y (i-1)}+ s _{Y (i-1)}P _YiValue obtain E _YiCiphertext S _Yi, each P wherein _YiBe to comprise E _YiThe function of one or more ID of ID, and can be used for deciphering and S _Y0Be G ₁The identity element;

Each entity E _Yi(i ∈ [1, m-1]) generates a first Q _Yi, Q _Yi=s _YiP _0,For all k ∈ [1, i-1] obtain a group element Q _Yk, and provide and revise or the element Q of unmodified _YkAnd Q _YiGive E _{Y (i+1)}

11. according to the method for claim 10, wherein:

$g=\frac{\hat{e}(P_0,S_{\mathrm{ym}})}{{\mathrm{\Π}}_{i=l+1}^m\hat{e}(Q_{y(i-1)},P_{\mathrm{yi}})}$

And g ^rCan be calculated as follows

$g^r=\frac{\hat{e}(U_0,S_t)}{{\mathrm{\Π}}_{i=l+1}^t\hat{e}(Q_{i-1},U_i)}$

Wherein to each i ∈ [l+1, t], U _i=rP _iAnd

Value F has defined P together ₀With all P _L+1,..., P _t

12. according to the method for claim 11, wherein from s _lWith s _YlProduce as variate-value discretely.

13. according to the method for claim 10, wherein s _Yl=s _l, and

$g=\frac{\hat{e}(P_0,S_{\mathrm{ym}})}{{\mathrm{\Π}}_{i=l+2}^m\hat{e}({Q^{\′}}_{y(i-1)},P_{\mathrm{yi}})}$

And g ^rCan be calculated as follows

$g^r=\frac{\hat{e}(U_0,S_t)\hat{e}(U_{l+1},{Q^{\′}}_l)}{{\mathrm{\Π}}_{i=l+2}^t\hat{e}({Q^{\′}}_{i-1},U_i)}$

U wherein _L+1=r (P _{Y (l+1)}-P _L+1), and to i=0 and each i ∈ [l+2, t], U _i=rP _i, and

Value F has defined P together ₀, P _{Y (l+1)}-P _L+1And all P _L+2,..., P _t

14. according to the method for claim 3, wherein to each i＞1, P _iBe (ID _1,..., ID _i) function.

15. a computer-implemented decryption method is used for recovering message M from ciphertext C, representative has one or more values that the previous generation of the one or more Es of use from the graded encryption scheme obtains and the entity E of the cipher-text information of the E that obtains, and the cipher-text information of E comprises crowd G ₁Element S (E), wherein S (E) is crowd G ₁First member's linear combination, each first member is associated with a respective integer coefficient in described linear combination, described first member comprises crowd G ₁One or more first elements, it depends on the ID of E separately, described first member comprises crowd G ₁One or more second elements, it is independent of the ID of E separately, this method comprises:

(1) according to following calculated value g _r:

Ciphertext C;

Element S (E); With

Group G ₁One group of one or more element Q;

Wherein each element Q is independent of ciphertext C, but depends on the coefficient of one or more first and second elements, its intermediate value g _rThe ID that does not rely on E still depends on the coefficient of one or more second elements, value g _rAs the function of ratio A/B and calculate, wherein:

(i) A is crowd G ₂First product of one or more elements, one or more elements of described first product comprise an element, this element is two bilinearity non degenerates mapping ê: G on the element ₁* G ₁→ G ₂, at least one element depends on S (E) and at least one element depends on ciphertext C in described two elements; And

(ii) B is crowd G ₂Second product of one or more elements, one or more elements of described second product comprise one or more elements of the value that equals the mapping ê on two elements separately, and at least one depends on one or more element Q and at least one depends on ciphertext C in described two elements;

(2) use value g _rCome to recover message M from C.

16. according to the method for claim 15, wherein the information that exists in A and/or B and/or ciphertext C, any information of the coefficient of described first element is not used in operation (2)

17. according to the method for claim 15, wherein the information that exists in A and/or B and/or ciphertext C, the information on the ID of any E is not used in operation (2).

18. according to the method for claim 17, its intermediate value g _rDepend on one or more previous generations' of E ID.

19. according to the method for claim 15, the coefficient of wherein said first element each naturally the previous generation of E ciphertext and can not be used to decipher E.

20. according to the method for claim 19, the coefficient of wherein said second element each naturally the previous generation of E ciphertext and can not be used to decipher E.

21. according to the method for claim 15, wherein one or more described second elements depend on the previous generation's of one or more E ID.

22. according to the method for claim 15, wherein

$S\left(E\right)={\mathrm{\Σ}}_{i=1}^t{s}_{i-1}{P}_i$

Wherein:

T＞1st, the classification level of E;

{ P _iBe described first member and { s _I-1It is described coefficient;

To each i ∈ [1, t-1], E _t=E and E _iBe the previous generation of the classification level i of E, and wherein to each i＜t, P _iBe ID _iFunction, described ID _iBe corresponding entity E _iID, but to any k＞i, P _iBe independent of any ID _kAnd

To one or more integer i ∈ [1, t], described one or more element Q are one or more element Q _i=s _I-1P _0,P wherein ₀Be crowd G ₁The predefine element.

23. according to the method for claim 22, wherein

$g_r=\frac{\hat{e}(U_0,S\left(E\right))}{{\mathrm{\Π}}_{1\≤i\≤t,i\≠j}\hat{e}(Q_{i-1},U_i)}$

Wherein

J is an integer selected in [1, t-1];

Obtain described element U from described ciphertext C _0,U _i(1≤i≤t}, i ≠ j).

24. according to the method for claim 23, each U wherein _i=rP _i, wherein r is the disabled integer of E.

25. according to the method for claim 22, following conditions (a) or one of (b) set up wherein:

$\left(a\right)g_r=\frac{\hat{e}(U_0,S\left(E\right))}{{\mathrm{\Π}}_{i=l+1}^t\hat{e}(Q_{i-1},U_i)}$

Wherein:

L is an integer selected in [2, t-1];

Obtain described element U from described ciphertext C _0,U _i(i=l+1 ..., t);

$\left(b\right)g_r=\frac{\hat{e}(U_0,S_t)\hat{e}(U_{l+1},Q_l)}{{\mathrm{\Π}}_{i=l+2}^t\hat{e}(Q_{i-1},U_i)}$

Wherein:

L is an integer selected in [2, t-2];

Obtain described element U from described ciphertext C _0,U _i(i=l+2 ..., t)

26. according to the method for claim 22, wherein said graded encryption scheme is feasible:

Each entity E _i(0≤i＜t) generates ciphertext integer s separately _i

To each integer i ∈ [1, t], each entity E _iFrom equaling S _I-1+ s _I-1P _iValue obtain E _iCiphertext S _i, S (E)=S wherein _tAnd S wherein ₀Be G ₁The identity element;

Each entity E _i(i ∈ [1, t-1]) generates Q _iAnd Q _i=s _iP ₀, to all k ∈ [1, i-1], each entity E _i(i ∈ [2, t-1]) obtain a group element Q _kAnd revise one or more Q _kOr keep its unmodified with corresponding to S _i

27. a computer implemented key extraction method is used to comprise the graded encryption scheme of a plurality of entities, each entity is associated with encrypting ciphertext value S (" S value "), and encryption ciphertext value S is crowd G ₁An element, this method comprises, represents the entity E of one of described entity _T-1,It has classification level t-1, wherein t＞1 and wherein root entity E ₀Have classification level 0:

(1) from E _T-1The data that receive of the lineal previous generation in obtain corresponding to E _T-1The first ciphertext value;

(2) from corresponding to E _T-1The first ciphertext value obtain E _T-1S value S _T-1

(3) to E _T-1One or more lineal descent E _tEach:

Acquisition value P _t, it is E _tID function and be crowd G ₁Element;

Generation comprises value S _T-1+ s _T-1P _tData as corresponding to E _tFirst ciphertext value, the wherein s _T-1Be E _T-1The ciphertext value that generates; And

Provide and comprise the described first ciphertext value S _T-1+ s _T-1P _tDescribed data give E _t, make E _tProduce E _tCiphertext S value.

28. according to the method for claim 27, t＞2 wherein, wherein operation (2) comprises S is set _T-1Equal described corresponding to E _T-1The first ciphertext value, and this method also comprises, represents E _T-1,:

To each grade i of 1≤i≤t-2, obtain group G ₁Element Q _i, each element Q _iPrevious generation E with grade i _T-1Be associated;

To each E _T-1Lineal descent E _t, element Q is provided _i(1≤i≤t-2) and Q _T-1Give E _t, Q wherein _T-1By E _T-1Be generated as Q _T-1=s _T-1P ₀, P wherein ₀Be crowd G ₁The predefine common element, P wherein ₀Be independent of offspring E _tWith entity E _T-1

29. according to the method for claim 27, wherein t＞2 are wherein operated (2) and are comprised the one or more variable integer value b of one or more value c ∈ that choose [1, t-2] generation _c, and S is set _T-1The value of equaling b _cP _C+1And corresponding to E _T-1The described first ciphertext value sum;

Wherein said method also comprises, represents E _T-1:

To each grade i of 1≤i≤t-2, obtain group G ₁Element Q _i, each element Q _iPrevious generation E with grade i _T-1Be associated;

To each described value c, use Q _c+ b _cP ₀Substitute Q _cAnd then

To E _T-1Each lineal descent E _t:

To E _T-1Each lineal descent E _t, element Q is provided _i(1≤i≤t-2) and Q _T-1Give E _t, Q wherein _T-1By E _T-1Be generated as Q _T-1=s _T-1P ₀, P wherein ₀Be crowd G ₁The predefine common element, P wherein ₀Be independent of offspring E _tWith entity E _T-1

30. according to the method for claim 27, wherein E _T-1Has lineal descent E more than one _t, and to all offspring E _tGeneration is as the s of single value _T-1

31. according to the method for claim 27, wherein E _T-1Has lineal descent E more than one _t, and to each offspring E _tProduce independent value s _T-1

32. one kind computer-implemented is signer E on message M _tGenerate the method for digital signature, described signer E _tBe to comprise entity E at least _0,E _1,..., E _t, in the hierarchy system of t 〉=2 than entity E ₀The entity of inferior grade t, wherein each entity E in this hierarchy system _i(i=1 ..., t) be entity E _I-1The offspring, this method comprises:

(1) acquisition signer's key S _t, it is crowd G ₁The member;

(2) acquisition signer's integer ciphertext s _t

(3) on message M, generate signature composition Sig, as value Sig=S _t+ s _tP _M

Wherein:

"+" is crowd G ₁Group operation; And

P _MBe to depend on the value of message M and be crowd G ₁The member.

33. the digital signature on the computer-implemented checking message M is to verify that this digital signature is signer E _tThe method of correct signature, described signer E _tBe to comprise entity E at least _0,E _1,..., E _t, in the hierarchy system of t 〉=2 than entity E ₀The entity of inferior grade t, wherein each entity E in this hierarchy system _i(i=1 ..., t) be entity E _I-1The offspring, this method comprises:

(1) obtain signature composition Sig, it is predefined group G ₁Element;

(2) acquisition and one or more entity E separately _iThe one or more value Q that are associated _i, described one or more value Q _iComprise value Q _t

(3) confirm

$\frac{\hat{e}(P_0,\mathrm{Sig})}{\hat{e}(Q_t,P_M){\mathrm{\Π}}_i\hat{e}(Q_{i-1},P_i)}=V$

Wherein:

P ₀Be crowd G ₁The predefine element;

Described long-pending ∏ _iê (Q _I-1, P _i) all integer i in the suitable subclass that comprises 1 to t integer are carried out;

Each Q _I-1=s _I-1P _0,S wherein _I-1Be entity E _I-1The integer ciphertext;

Q _t=s ₀P _0,S wherein _iBe entity E _tThe integer ciphertext;

ê is G ₁* G ₁To predefined group G ₂Bilinearity non degenerate mapping;

P _MBe to depend on the value of message M and be crowd G ₁The member;

Each P _iDepend on entity E _iIdentity;

V is crowd G ₂Element.

34. according to the method for claim 32 or 33, wherein:

Each entity E _i(i＞0) is from entity E _I-1Receive its key S _i

Each entity E _i(i＜t) generates its ciphertext s _iAnd generation key S _I+1As follows:

S _i+1＝S _i+s _iP _i+1

And provide key S _I+1Give described entity E _I+1

Each entity E _i(0≤i≤t) generation value Q _i=s _iP _0,P wherein ₀Be crowd G ₁Predefined element.

35. the method for claim 34, wherein said signature composition Sig will be provided for validator, wherein at the value i that comprises from the subclass of 0 to t integer, described validator access value { Q _i.

36., wherein saidly comprise that from the subclass of 0 to t integer be the set that comprises from all integers of 1 to t-1 according to the method for claim 35.

37. an equipment is used to carry out the method according to arbitrary aforementioned claim.

38. an equipment is used for generating digital signature according to claim 32.

39. according to the equipment of the method or the claim 38 of claim 32, wherein

$S_t={\mathrm{\Σ}}_{i=1}^t{s}_{i-1}{P}_i$

Each P wherein _iBe entity E _iThe public function of identity, and each s _I-1Be entity E _I-1The integer ciphertext.

40. according to the method or the equipment of claim 39, wherein in operation (1), described signer is from described entity E _T-1Obtain S _t, and in operation (2), described signer generates s _t

41. according to the method or the equipment of claim 39, wherein each P _iDepend on each entity E _jIdentity, make 1≤j≤i.

42. according to the method or the equipment of claim 39, wherein:

Each entity E _i(i＞0) is from described entity E _I-1Receive its key S _i

Each entity E _i(i＜t) generates its key s _iAnd generation key S _I+1As follows:

S _i+1＝S _i+s _iP _i+1

And provide described key S _I+1To described entity E _I+1

Each entity E _i(0≤i≤t) generation value Q _i=s _iP _0,P wherein ₀Be crowd G ₁Predefined element.

43. according to the method or the equipment of claim 42, wherein said signature composition Sig will be provided for validator, wherein at the value i that comprises from the subclass of 0 to t integer, described validator access value { Q _i.

44., wherein saidly comprise that from 0 to t integer subclass be the set that comprises from all integers of 1 to t-1 according to the method or the equipment of claim 43.

Thereby 45. one kind can operate with the digital signature on the checking message M and determine that described digital signature is signer E _tThe equipment of correct signature, described signer E _tBe to comprise entity E at least _0,E _1,..., E _t, in the hierarchy system of t 〉=2 than entity E ₀The entity of inferior grade t, wherein each entity E in this hierarchy system _i(i=1 ..., t) be entity E _I-1The offspring, this operation of equipment can be used for:

(1) obtain signature composition Sig, it is predefined group G ₁Element;

(2) acquisition and one or more entity E separately _iThe one or more value Q that are associated _i, described one or more value Q _iComprise value Q _t

(3) confirm

$\frac{\hat{e}(P_0,\mathrm{Sig})}{\hat{e}(Q_t,P_M){\mathrm{\Π}}_i\hat{e}(Q_{i-1},P_i)}=V$

Wherein:

P ₀Be crowd G ₁The predefine common element;

ê is G ₁* G ₁To predefined group G ₂Bilinearity non degenerate mapping;

P _MBe to depend on the value of message M and be crowd G ₁The member;

Each P _iDepend on entity E _iIdentity;

V is crowd G ₂Element.

46. according to the equipment of the method or the claim 45 of claim 43, wherein said long-pending ∏ _iê (Q _I-1, P _i) except integer i ₀Comprising from all integer i of 1 to t in addition carried out, and V=ê (Q ₀, P _I0).

47. according to the method or the equipment of claim 46, wherein said long-pending ∏ _iê (Q _I-1, P _i) comprising that all the integer i from 2 to t carry out, and V=ê (Q ₀, P ₁).

48. according to the equipment of the method or the claim 45 of claim 33, wherein:

Each entity E _i(i＞0) is from entity E _I-1Receive its key S _i

Each entity E _i(i＜t) generates its ciphertext s _iAnd generation key S _I+1As follows:

S _i+1＝S _i+s _iP _i+1

And provide key S _I+1Give described entity E _I+1

Each entity E _i(0≤i≤t) generation value Q _i=s _iP _0,P wherein ₀Be crowd G ₁Predefined element.

Images