CN102064946A - Secret key sharing method based on identity-based encryption - Google Patents

Abstract

The invention provides a secret key sharing method based on identity-based encryption, belonging to the technical field of computer network and information security. Aiming at the storage and the use of an encrypted secret key in the distributed network group communication, the invention ensures that a network node with lawful authority can obtain a shared secret key. The method has the security of an IBE (Internet Booking Engine) public key encrypting mechanism and the fault tolerance of the threshold secret key sharing. Firstly, a secret key distributor divides the secret key into n sub secret keys and a checking evidence is generated; secondly, the sub secret keys are distributed in an authorization set; and all authorized sub sets meeting the threshold condition t can restore the shared secret key. All nodes check the correctness of the sub secret keys through a public evidence and can be updated when the life cycle of the sub secret keys is ended. The identity-based encrypting and decrypting algorithm is an elliptic curve type encrypting method, has higher security strength and lower communication overhead, and can reduce the power consumption of the nodes and prolong the life cycle of the network.

Description

A kind of key sharing method based on identity ciphering

Technical field:

The present invention relates to a kind of key sharing method that is used for information network, particularly distributed system, belong to computer network and field of information security technology based on identity ciphering.

Background technology:

It is that PKG is in charge of the pairing private key of each ID that one of system's needs based on identity ciphering are concentrated, and this centralized management mode is difficult to satisfy the demand of Distributed Application scene.Can improve the flexibility and the fault-tolerance of the key management of IBE system based on the cipher key shared management method.This method manages decrypted private key as shared secret information, the hidden danger such as single point failure that can effectively avoid the right undue concentration to bring, and under the situation that the part secret information is lost, still can recover to share key, strengthened the robustness of system.

Summary of the invention

Technical problem to be solved of the present invention is at the technical problem in the background technology, for distributed network system (DNS) provides a kind of distributed secret information management method.

The present invention adopts following technical scheme for achieving the above object:

A kind of key sharing method based on identity ciphering may further comprise the steps:

Step 1 is set up system's common parameter;

Step 1-1: positive integer q of picked at random, choose two q rank group G respectively ₁, G ₂, and the bilinearity mapping

: G ₁* G ₁→ G ₂, select G at random ₁Generator P ∈ G ₁

Step 1-2: select four hash function H at random ₁, H ₂, H ₃, H ₄H wherein ₁, H ₄: 0,1} ^*A G ^*, H ₂, H ₃: GF (P ²) ^*A{0,1} ^l

Step 1-3: select master key

Computing system PKI P _Pub=sP, output system common parameter π={ G ₁, G ₂, q, P,

, l, H ₁, H ₂, H ₃, P _Pub, wherein

Represent q rank group of integers, l is a cryptogram space size;

Step 2, key distribution and authentication secret generate;

The Extract algorithm that key distribution person D carries out in the IBE public key system generates the PKI of specific ID correspondence to Q _ID=H ₁(ID) and private key to D _ID=sQ _IDWith D _IDAs shared key, use and to share algorithm based on the secret of Lagrange's interpolation and generate the shadow key, be distributed to the participant and gather member among the R, generate public informations such as key authentication evidence simultaneously;

Step 3, the shadow key authentication;

After the participant gathers member among the R and receives the shadow key, participant R _iPublic information by step 2 is calculated intermediate variable

By checking equation c _i≡ H ₃(Y _i|| y _i|| E _1i|| E _2i) judge the correctness of shadow key; Y wherein _iBe the shadow secret after the mapping; T represents threshold value, 0≤t≤n; 1≤i≤n, 0≤j≤t-1, n represent participant's sum; r _i, c _iThe intermediate object program of the open evidence of representative;

Step 4, the shadow key updating;

Secret distributor D safeguards a uni-directional hash chain L simultaneously, and each cycle of operation, secret distributor D sent undated parameter to participant R by privately owned channel _i, participant R _iUpgrade the shadow key S that is held _i

Step 5 is shared cipher key reconstruction;

The participant who satisfies threshold condition is by the synthetic key of sharing of exchange shadow key;

Step 5-1: given IBE ciphertext (U, V), P _iCalculate intermediate variable

Wherein

Be Lagrangian coefficient, set | Φ | 〉=t;

Step 5-2:, draw expressly according to the IBE cryptographic algorithm $M=V\⊕H_2\left(k\right).$

Further, aforesaid key sharing method based on identity ciphering, the step that key distribution and authentication secret generate in the step 2 is specially:

Step A: the coefficient sets { α that selects interpolation polynomial at random _j| α _j∈ G ^*J=1,2, L, t-1; α _T-1≠ 0} structure t-1 rank multinomial $F\left(x\right)=D_{\mathrm{ID}}+{\mathrm{\Σ}}_{j=1}^{t-1}{a}_j{x}^j;$

Step B: calculate participant R _iShadow key S _i=F (i) calculates the shadow key after shining upon

, 1≤i≤n;

Step C: calculate authentication secret

, 0≤j≤t-1, $U_0=\hat{e}(D_{\mathrm{ID}},P_{\mathrm{pub}})$ ；

Step D: send shadow key S by privately owned channel _iGive participant R _i, by the shadow key y after the broadcast channel announcement mapping _i, key U _j, 1≤i≤n, 0≤j≤t-1;

Step E: distributor D generates evidence;

Substep1: select w at random _i∈ (G ,+), intermediate variable calculated , , c _i=H ₃(Y _i|| y _i|| E _1i|| E _2i), r _i=w _i-S _ic _iModq;

Substep2: open evidence PROOF _i=(r _i, c _i), 1≤i≤n.

Further, aforesaid key sharing method based on identity ciphering, the step of shadow key updating is in the step 4:

Step 4-1: select at random

Generate uni-directional hash chain L: α, H ₄(α),

L,

Step 4-2: upgrade at the τ time, secret distributor D extracts hashed value from uni-directional hash chain L

The structure multinomial

Wherein τ is a natural number, and N represents hash chain length;

Step 4-3: the shadow key updating value of calculating participant Ri

1≤i≤n;

Step 4-4: calculate authentication secret $U^{\left(\mathrm{\τ}\right)}=\mathrm{gexp}\left(H_3^{N-\mathrm{\τ}}\left(\mathrm{\α}\right)\right);$

Step 4-5: send shadow key updating value by privately owned channel

Give participant R _i, announce authentication secret U ^(τ)

Step 4-6: participant R _iCalculate undated parameter

Upgrade the secret key of shadow: Destroy original shadow key.

The present invention adopts technique scheme to have following beneficial effect:

The present invention designs and a kind ofly is applicable to distributed system, based on the key sharing method of identity ciphering.Be characterized in conjunction with advantages such as the fail safe of IBE public key encryption system and threshold secret sharing thought and extensibilities, be implemented in the distributed system flexibly, key management efficiently.Based on the characteristic of bilinearity mapping, realize functions such as shadow key updating, checking simultaneously.

The present invention adopts the encrypting and decrypting algorithm based on identity, is a kind of encryption method of elliptic curve class, has higher security intensity, has improved the fail safe of whole system.

Description of drawings:

Fig. 1 is the flow chart of key sharing method of the present invention.

Specific embodiments:

Be described in further detail below in conjunction with the enforcement of accompanying drawing technical scheme:

As shown in Figure 1, the solution of the present invention fail safe is based on the complexity of the calculating elliptic curve bilinearity mapping in the mathematics and the fail safe of threshold secret sharing, at present from the mathematics formal proof its fail safe.

In the distributed network group communication environment, each group comprises unique identify label ID.Be designated ID ^*Group at first with ID ^*Corresponding IBE private key is distributed in group member.When sending one, Alice uses ID ^*During the secret information of pairing public key encryption, the legal person who satisfies threshold condition in this group can recover decruption key, thereby obtains sharing key.

Step 1 is set up system's common parameter;

Step 1: positive integer q of picked at random, choose two q rank group G respectively ₁, G ₂, and the bilinearity mapping

: G ₁* G ₁→ G ₂, select G at random ₁Generator P ∈ G ₁

Step 2: select four hash function H at random ₁, H ₄: 0,1} ^*A G ^*, H ₂, H ₃: GF (P ²) ^*A{0,1} ^l;

Step 3: select master key

Computing system PKI P _Pub=sP, output system common parameter π={ G ₁, G ₂, q, P,

, l, H ₁, H ₂, H ₃, P _Pub, wherein l is a cryptogram space size.

Step 2, key distribution and authentication secret generate;

Key distribution person D carries out the public private key pair Q of the Extract algorithm generation specific ID correspondence in the IBE public key system _ID=H ₁(ID) and D _ID=sQ _ID, use based on the secret of Lagrange's interpolation and share algorithm D _IDGather member among the P as sharing key distribution to the participant.Generate public informations such as key authentication evidence simultaneously.

Step A: the coefficient sets { α that selects interpolation polynomial at random _j| α _j∈ G ^*J=1,2, L, t-1; α _T-1≠ 0} structure t-1 rank multinomial $F\left(x\right)=D_{\mathrm{ID}}+{\mathrm{\Σ}}_{j=1}^{t-1}{a}_j{x}^j;$

Step B: calculate participant P _iShadow key S _i=F (i) calculates

, 1≤i≤n;

Step C: calculate authentication secret

, 1≤j≤t-1, $U_0=\hat{e}(D_{\mathrm{ID}},P_{\mathrm{pub}})$ ；

Step D: send S by privately owned channel _iGive P _i, announce y by broadcast channel _i, U _j, 1≤i≤n, 0≤j≤t-1.

Step E: distributor D generates evidence.

Substep1: select w at random _i∈ (G ,+), calculate

,

, c _i=H ₃(Y _i|| y _i|| E _1i|| E _2i), r _i=w _i-S _ic _iModq;

Substep2: open evidence PROOF _i=(r _i, c _i), 1≤i≤n.

Step 3, the shadow key authentication;

Step A: the participant calculates by public information $Y_i=\underset{j=0}{\overset{t-1}{\mathrm{\Π}}}{U}_j^{i^j};$

Step B: participant P _iCalculate by public information

Checking equation c _i≡ H ₃(Y _i|| y _i|| E _1i|| E _2i).If set up, illustrate that the shadow key that D sends is correct.

Step 4, the shadow key updating;

Secret distributor D safeguards a uni-directional hash chain L simultaneously, and each cycle of operation distributor D sends undated parameter to participant P by privately owned channel _i, P _iUpgrade the shadow key S that is held _i

Step A: select at random

Generate uni-directional hash chain L: α, H ₄(α),

L,

Step B: (secret distributor D extracts hashed value from uni-directional hash chain L for τ=1,2, L) inferior renewal at τ

The structure multinomial

Step C: calculate participant P _iShadow key updating value

1≤i≤n;

Step D: calculate authentication secret $U^{\left(\mathrm{\τ}\right)}=\mathrm{gexp}\left(H_3^{N-\mathrm{\τ}}\left(\mathrm{\α}\right)\right);$

Step E: send by privately owned channel

Give P _i, announce U ^(τ)

Step F:P _iCalculate

Upgrade the secret key of shadow:

Destroy the secret key of original shadow.

Step 5 is shared cipher key reconstruction;

The participant who satisfies threshold condition is by the synthetic key of sharing of exchange shadow key.

Step A: given IBE ciphertext (U, V), P _iCalculate

Wherein

Be Lagrangian coefficient, set

| Φ | 〉=t.

Step B: according to the IBE cryptographic algorithm, expressly $M=V\⊕H_2\left(k\right).$

The content that does not specify among the present invention and explain is the known method in this area.

Claims (3)

1. the key sharing method based on identity ciphering is characterized in that, may further comprise the steps:

Step 1 is set up system's common parameter;

Step 1-1: positive integer q of picked at random, choose two q rank group G respectively ₁, G ₂, and the bilinearity mapping

: G ₁* G ₁→ G ₂, select G at random ₁Generator P ∈ G ₁

Step 1-2: select four hash function H at random ₁, H ₂, H ₃, H ₄H wherein ₁, H ₄: 0,1} ^*A G ^*, H ₂, H ₃: GF (P ²) ^*A{0,1} ^l

Step 1-3: select master key

Computing system PKI P _Pub=sP, output system common parameter π={ G ₁, G ₂, q, P,

, l, H ₁, H ₂, H ₃, P _Pub, wherein

Represent q rank group of integers, l is a cryptogram space size;

Step 2, key distribution and authentication secret generate;

The Extract algorithm that key distribution person D carries out in the IBE public key system generates the PKI of specific ID correspondence to Q _ID=H ₁(ID) and private key to D _ID=sQ _IDWith D _IDAs shared key, use and to share algorithm based on the secret of Lagrange's interpolation and generate the shadow key, be distributed to the participant and gather member among the R, generate public informations such as key authentication evidence simultaneously;

Step 3, the shadow key authentication;

After the participant gathers member among the R and receives the shadow key, participant R _iPublic information by step 2 is calculated intermediate variable

By checking equation c _i≡ H ₃(Y _i|| y _i|| E _1i|| E _2i) judge the correctness of shadow key; Y wherein _iBe the shadow secret after the mapping; T represents threshold value, 0≤t≤n; 1≤i≤n, 0≤j≤t-1, n represent participant's sum; r _i, c _iThe intermediate object program of the open evidence of representative;

Step 4, the shadow key updating;

Secret distributor D safeguards a uni-directional hash chain L simultaneously, and each cycle of operation, secret distributor D sent undated parameter to participant R by privately owned channel _i, participant R _iUpgrade the shadow key S that is held _i

Step 5 is shared cipher key reconstruction;

The participant who satisfies threshold condition is by the synthetic key of sharing of exchange shadow key;

Step 5-1: given IBE ciphertext (U, V), P _iCalculate intermediate variable Wherein

Be Lagrangian coefficient, set

| Φ | 〉=t;

Step 5-2:, draw expressly according to the IBE cryptographic algorithm $M=V\⊕H_2\left(k\right).$

2. the key sharing method based on identity ciphering according to claim 1 is characterized in that: the step that key distribution and authentication secret generate in the step 2 is specially:

Step A: the coefficient sets { α that selects interpolation polynomial at random _j| α _j∈ G ^*J=1,2, L, t-1; α _T-1≠ 0} structure t-1 rank multinomial $F\left(x\right)=D_{\mathrm{ID}}+{\mathrm{\Σ}}_{j=1}^{t-1}{a}_j{x}^j;$

Step B: calculate participant R _iShadow key S _i=F (i) calculates the shadow key after shining upon $y_i=\hat{e}(S_i,P),1\≤i\≤n$ ；

Step C: calculate authentication secret

, 0≤j≤t-1,

Step D: send shadow key S by privately owned channel _iGive participant R _i, by the shadow key y after the broadcast channel announcement mapping _i, key U _j, 1≤i≤n, 0≤j≤t-1;

Step E: distributor D generates evidence;

Substep1: select w at random _i∈ (G ,+), intermediate variable calculated

,

, c _i=H ₃(Y _i|| y _i|| E _1i|| E _2i), r _i=w _i-S _ic _iModq;

Substep2: open evidence PROOF _i=(r _i, c _i), 1≤i≤n.

3. the key sharing method based on identity ciphering according to claim 1 is characterized in that: the step of shadow key updating is in the step 4:

Step 4-1: select at random

Generate uni-directional hash chain L: α, H ₄(α),

L,

Step4-2: upgrade at the τ time, secret distributor D extracts hashed value from uni-directional hash chain L The structure multinomial

Wherein τ is a natural number, and N represents hash chain length;

Step 4-3: calculate participant R _iShadow key updating value

1≤i≤n;

Step 4-4: calculate authentication secret $U^{\left(\mathrm{\τ}\right)}=\mathrm{gexp}\left(H_3^{N-\mathrm{\τ}}\left(\mathrm{\α}\right)\right);$

Step 4-5: send shadow key updating value by privately owned channel

Give participant R _i, announce authentication secret U ^(τ)

Step 4-6: participant R _iCalculate undated parameter

Upgrade the secret key of shadow:

Destroy original shadow key.

Images