CN102694654B - Identity-based threshold ring signcryption method - Google Patents

Abstract

An identity-based threshold ring signcryption method includes (1) system setup (2) private key extraction (3) signcryption and (4) de-signcryption under a standard model. The identity-based threshold ring signcryption method is constructed under the standard model and better in safety as compared with that of design schemes under random prediction models.

Description

The thresholding ring label decryption method of identity-based

Technical field

The present invention relates to a kind of ring label decryption method, especially a kind of thresholding ring label decryption method of identity-based.

Background technology

In conventional public-key cryptographic system, an important problem is the authenticity of PKI.In general, in order to apply public key algorithm in real world, needing a kind of mechanism and can verify contacting between certain PKI and certain subject identity at any time.The way of usual employing sets up PKIX, and the identity of PKI and user is bundled by the public key digital certificate issued by its authentication center.In this kind of system based on public key digital certificate, before the PKI using user, people need to obtain the public key digital certificate of this user and verify correctness and the legitimacy of its certificate.This, with regard to the public key certificate needing larger memory space to store different user, also needs more time overhead to carry out the public key certificate of authentication of users.This is the shortcoming that traditional public-key cryptosystem is difficult to overcome.

Store and checking overhead issues to solve public key certificate huge in conventional public-key cryptographic system, within 1984, Shamir creatively proposes the public key cryptography thought of identity-based.In the public-key cryptosystem of identity-based, the PKI of user can be can the information of identifying user identity, and as E-mail, ID card No. etc., the private key of user is then produced according to the identity information of user by trusted third party.Identity-based cryptography makes any two users can secure communication, PKI and the user identity of user bind together naturally, do not need public key certificate, also need not use online third party, only need a believable Key Distribution Center to be that each first time user of connecting system issues a private key just.It solve the shortcoming that conventional public-key cryptography is difficult to overcome, and also make it have wide application due to himself feature.

Due to the advantage of ID-based cryptosystem, be proposed many Identity-based cryptography, the label dense body system of identity-based is exactly one of them.Meanwhile, the cryptographic technique that dense body system of signing can also have special nature with some combines, and there is the label dense body system of special nature, as ring stopover sites and Secret Sharing Scheme combined, thus the thresholding ring label obtaining identity-based are close.

Bilinear map is the algebro geometric important tool of research, is also the important tool of structure Identity-based cryptography, plays very important role in field of cryptography.

In addition, for identity-based public key cryptosystem, current relatively good method of proof is random oracle.But for the Security Proof based on random oracle model, need to suppose that the cryptographic Hash function used in public-key cryptosystem has the security property of random oracle, security password scheme under random oracle model not necessarily safety in actual environment, and based on the Security Proof of master pattern, its uniquely depend on public-key cryptosystem comprise the difficulty of trap door onr way function.Therefore, under structure master pattern, the thresholding ring stopover sites of identity-based had both had higher fail safe and had also had realistic meaning simultaneously, was problem demanding prompt solution.

In view of this, special proposition the present invention.

Summary of the invention

The technical problem to be solved in the present invention is to overcome the deficiencies in the prior art, provide a kind of with random oracle model under the scheme that designs have more the thresholding ring label decryption method of the identity-based of fail safe.

For solving the problems of the technologies described above, the present invention adopts the basic conception of technical scheme to be:

A thresholding ring label decryption method for identity-based, is characterized in that: comprise the following steps:

(1) system is set up: random selecting parameter, generation system parameter and corresponding master key, and wherein system parameters is open parameter, and concrete steps are:

Make G, G _tthe cyclic group of prime number p that to be rank be, e:G × G → G _ta bilinear map, two collisionless hash functions $H_u:{\left\{\mathrm{0,1}\right\}}^{*}\→{\left\{\mathrm{0,1}\right\}}^{n_u}$ With $H_m:{\left\{\mathrm{0,1}\right\}}^{*}\→{\left\{\mathrm{0,1}\right\}}^{n_m}$ It is n that the identity ID of random length and message m are exported length respectively _uand n _mbit string;

Trusted third party random selecting parameter alpha ∈ Z _p, generator g ∈ G, calculates g ₁=g ^a.Random selecting parameter g ₂, u', m' ∈ G, n _udimensional vector n _mdimensional vector wherein u _i, m _i∈ _rg, then system parameters is $\mathrm{param}=(G,G_T,e,g,g_1,g_2,u^{\′},\hat{U},m^{\′},\hat{M},H_u,H_m),$ Master key is $\mathrm{msk}=g_2^a.$

(2) private key extracts: the identity of input system parameter, master key and user, and obtain the private key of this user identity, concrete steps are:

Given user identity ID, by hash function u=H _u(ID) length calculating representative of consumer identity is n _ubit string, make i-th that u [i] represents in this bit string, in definition bit string, numerical value is the sequence number set Φ of 1 _iD;

Random selecting parameter r _u∈ Z _p, calculating user identity is the private key of ID

$d_{\mathrm{ID}}=(d_1,d_2)=(g_2^{\mathrm{\α}}{\left(u^{\′}\underset{{i\∈\mathrm{\Φ}}_{\mathrm{ID}}}{\mathrm{\Π}}{u}_i\right)}^{r_u},g^{r_u}).$

(3) sign close: the set L={ID of the close middle n member of given thresholding ring label ₁..., ID _n, actual carry out signing the identity of close t the close person of label under be designated as 1,2 ..., t}, waits to sign close message m, signs the identity ID of close recipient _r, signing close concrete steps is:

The close person ID of each label _i(i=1 ..., t) its sub secret s of Stochastic choice _i∈ Z _p, structure coefficient is at Z _pt-1 order polynomial f _i(x)=a _{i, 0}+ a _{i, 1}x+ ... + a _{i, t-1}x ^t-1, wherein s _i=a _{i, 0}; Then close person ID is signed _icalculate open parameter $C_{i,d}=g^{a_{i,d}}(d=\mathrm{0,1},..,t-1)$ And sign close person broadcast to other;

Calculate other and respectively sign close person ID _jthe secret sharing s of (j ≠ i) _i,j=f _i(j), and they sent to other to sign close person ID _j(j=1,2 .., t; J ≠ i), oneself retains s _i,i=f _i(i);

Other respectively sign close person ID _j(j=1,2 .., t; J ≠ i) sign close person ID from i-th _iobtain secret sharing s _i,jafter, verify its validity with following equation: when after confirmation secret sharing effectively, the close person ID of each label _icalculating its privately owned secret according to secret sharing is

According to ring members list of identities L={ID ₁..., ID _n, t signs close person, waits to sign the private key of close message m and t the close person of label, the close recipient identity ID of ring label _r, obtain and waiting to sign the close C of (t, n) thresholding ring label under close message m, (t, n) represents that the close middle membership of thresholding ring label be n, t is threshold value, and actual participation generates the close number of members>=t of thresholding ring label, and concrete steps are:

Make m ∈ G _tfor waiting to sign close message, these thresholding ring label close person's random selecting l ₁..., l _n∈ Z _p, calculate $U_i=u^{\′}\underset{{j\∈\mathrm{\Φ}}_{{\mathrm{ID}}_i}}{\mathrm{\Π}}{\hat{u}}_j,i=1,...,n,R_1={\mathrm{\σ}}_{16}{g}^{l_1},...,R_t={\mathrm{\σ}}_{t6}{g}^{l_t},R_{t+1}=g^{l_{t+1}},...,R_n=g^{l_n}.$ Order ${\mathrm{\σ}}_1={\mathrm{\Π}}_{i=1}^t{\mathrm{\σ}}_{i1}\·m,$ ${\mathrm{\σ}}_2={\mathrm{\Π}}_{i=1}^t{\mathrm{\σ}}_{i2},{\mathrm{\σ}}_3={\mathrm{\Π}}_{i=1}^t{\mathrm{\σ}}_{i3},{\mathrm{\σ}}_4={\mathrm{\Π}}_{i=1}^t{\mathrm{\σ}}_{i4}\·\underset{i=1}{\overset{n}{\mathrm{\Π}}}{\left(U_i\right)}^{l_i},{\mathrm{\σ}}_5={\mathrm{\Π}}_{i=1}^t{\mathrm{\σ}}_{i5},$ The thresholding ring label then generated are close is C=(σ ₁... σ ₅, R ₁... R _n).

(4) label are separated close: the close and close recipient ID of ring label according to thresholding ring label _rprivate key calculate message, take the message obtained to formula $e({\mathrm{\σ}}_4,g)=e{(g_1,g_2)}^{t}e(U_1,R_1)\·\·\·e(U_n,R_n)e(m^{\′}\underset{i\∈M}{\mathrm{\Π}}{m}_i,{\mathrm{\σ}}_5)$ In, during equation establishment that and if only if, thresholding ring label are effectively close, and gained message is correct, otherwise gained thresholding ring label are close invalid, gained message error, return step (1).

Preferably, described step (3) is carried out the following step to obtain thresholding ring label close after signing the privately owned secret of close middle acquisition::

For i ∈ 1,2 ..., t}, if the close person ID of each label _iprivate key be (d _i1, d _i2), calculate M=H _m(L, m), order for the set of the sequence number k of M [k]=1 in the bit string of message m, random selecting r _i∈ Z _p, calculating section thresholding ring label are close ${\mathrm{\σ}}_{i1}=e{(g_1,g_2)}^{r_i},{\mathrm{\σ}}_{i2}=g^{r_i},{\mathrm{\σ}}_{i3}={\left(u^{\′}\underset{{j\∈\mathrm{\Φ}}_{{\mathrm{ID}}_R}}{\mathrm{\Π}}{\hat{u}}_j\right)}^{r_i},{\mathrm{\σ}}_{i4}=d_{i1}{\left(m^{\′}\underset{i\∈M}{\mathrm{\Π}}{\hat{m}}_i\right)}^{x_i{\mathrm{\η}}_i},{\mathrm{\σ}}_{i5}=g^{x_i{\mathrm{\η}}_i},$ σ _i6=d _i2, and (σ _i1, σ _i2, σ _i3, σ _i4, σ _i5, σ _i6) send to t to sign in close person arbitrary in order to produce the close close person of label of thresholding ring label, wherein ${\mathrm{\η}}_i={\mathrm{\Π}}_{j=1,j\≠i}^t\frac{j}{j-i}\mathrm{mod}p$ For Lagrange coefficient.

Preferably, it is as follows that described solution signs close concrete steps:

When receive thresholding ring label close after, the close recipient of thresholding ring label utilizes its private key first to calculate and waits to sign close message m, m=σ ₁e (d _r2, σ ₃) e (d _r1, σ ₂) ^-1, then calculating by hash function the length waiting to sign close message is n _mbit string, definition bit string in numerical value be 1 sequence number set M;

Message is substituted into formula $e({\mathrm{\σ}}_4,g)=e{(g_1,g_2)}^{t}e(U_1,R_1)\·\·\·e(U_n,R_n)e(m^{\′}\underset{i\∈M}{\mathrm{\Π}}{m}_i,{\mathrm{\σ}}_5)$ In, during equation establishment that and if only if, thresholding ring label are effectively close, and gained message is correct, otherwise gained thresholding ring label are close invalid, gained message error.

After adopting technique scheme, the present invention compared with prior art has following beneficial effect: method of the present invention constructs under master pattern, and compared with the scheme designed under random oracle model, fail safe is better.

Below in conjunction with accompanying drawing, the specific embodiment of the present invention is described in further detail.

Accompanying drawing explanation

Fig. 1 is basic flow sheet of the present invention;

Fig. 2 be to the attack of Threshold Signcryption algorithm to the stipulations solving DBDH problem;

Fig. 3 is from forgery Threshold Signcryption to the stipulations solving CDH problem.

Embodiment

As shown in Figure 1, a kind of thresholding ring label decryption method of identity-based, comprises the following steps:

S1, system are set up: random selecting parameter, generation system parameter and corresponding master key, and wherein system parameters is open parameter, and concrete steps are:

Make G, G _tthe cyclic group of prime number p that to be rank be, e:G × G → G _ta bilinear map, two collisionless hash functions $H_u:{\left\{\mathrm{0,1}\right\}}^{*}\→{\left\{\mathrm{0,1}\right\}}^{n_u}$ With $H_m:{\left\{\mathrm{0,1}\right\}}^{*}\→{\left\{\mathrm{0,1}\right\}}^{n_m}$ It is n that the identity ID of random length and message m are exported length respectively _uand n _mbit string;

Trusted third party random selecting parameter alpha ∈ Z _p, generator g ∈ G, calculates g ₁=g ^a.Random selecting parameter g ₂, u', m' ∈ G, n _udimensional vector n _mdimensional vector wherein u _i, m _i∈ _rg, then system parameters is $\mathrm{param}=(G,G_T,e,g,g_1,g_2,u^{\′},\hat{U},m^{\′},\hat{M},H_u,H_m),$ Master key is $\mathrm{msk}=g_2^a;$

S2, private key extract: the identity of input system parameter, master key and user, and obtain the private key of this user identity, concrete steps are:

Given user identity ID, by hash function u=H _u(ID) length calculating representative of consumer identity is n _ubit string, make i-th that u [i] represents in this bit string, in definition bit string, numerical value is the sequence number set Φ of 1 _iD;

Random selecting parameter r _u∈ Z _p, calculating user identity is the private key of ID

$d_{\mathrm{ID}}=(d_1,d_2)=(g_2^{\mathrm{\α}}{\left(u^{\′}\underset{{i\∈\mathrm{\Φ}}_{\mathrm{ID}}}{\mathrm{\Π}}{u}_i\right)}^{r_u},g^{r_u});$

Here sequence number set Φ has been used when calculating private key _iD, for the d in formula ₁namely here n _udimensional vector, u _igather Φ exactly _iDin corresponding sequence number exist in corresponding element.

S3, sign close: the set L={ID of the close middle n member of given thresholding ring label ₁..., ID _n, actual carry out signing the identity of close t the close person of label under be designated as 1,2 ..., t}, waits to sign close message m, signs the identity ID of close recipient _r, signing close concrete steps is:

The close person ID of each label _i(i=1 ..., t) its sub secret s of Stochastic choice _i∈ Z _p, structure coefficient is at Z _pt-1 order polynomial f _i(x)=a _{i, 0}+ a _{i, 1}x+ ... + a _{i, t-1}x ^t-1, wherein s _i=a _{i, 0}; Then close person ID is signed _icalculate open parameter and sign close person broadcast to other; (Z _prepresent the residue class group of integer mould p, this is representation general in cryptography)

Calculate other and respectively sign close person ID _jthe secret sharing s of (j ≠ i) _i,j=f _i(j), and they sent to other to sign close person ID _j(j=1,2 .., t; J ≠ i), oneself retains s _i,i=f _i(i);

Sign close person ID _j(j=1,2 .., t; J ≠ i) from the close person ID of label _iobtain secret sharing s _i,jafter, verify its validity with following equation: when after confirmation secret sharing effectively, the close person ID of each label _icalculating its privately owned secret according to secret sharing is the close person ID of each label _iall close persons of label receiving secret sharing.Give an example, suppose have t to sign close person here, their numbering might as well be established to be 1 ..., t.The close person of present label 1 will calculate secret sharing to the close person of remaining label, same reason, remaining each sign close person and also will sign close person to the t-1 except it and calculate secret sharing, therefore, the close person of each label is here exactly here t the close person of label.

According to ring members list of identities L={ID ₁..., ID _n, t signs close person, waits to sign the private key of close message m and t the close person of label, the close recipient identity ID of ring label _r, obtain and waiting to sign the close C of (t, n) thresholding ring label under close message m, (t, n) is threshold value for the close middle membership of thresholding ring label is n, t, actual participation generates the close number of members>=t of thresholding ring label, all adopts this representation when expression thresholding.Concrete steps are:

Make m ∈ G _tfor waiting to sign close message, these thresholding ring label close person's random selecting l ₁..., l _n∈ Z _p, calculate $U_i=u^{\′}\underset{{j\∈\mathrm{\Φ}}_{{\mathrm{ID}}_i}}{\mathrm{\Π}}{\hat{u}}_j,i=1,...,n,R_1={\mathrm{\σ}}_{16}{g}^{l_1},...,R_t={\mathrm{\σ}}_{t6}{g}^{l_t},R_{t+1}=g^{l_{t+1}},...,R_n=g^{l_n}.$ Order ${\mathrm{\σ}}_1={\mathrm{\Π}}_{i=1}^t{\mathrm{\σ}}_{i1}\·m,$ ${\mathrm{\σ}}_2={\mathrm{\Π}}_{i=1}^t{\mathrm{\σ}}_{i2},{\mathrm{\σ}}_3={\mathrm{\Π}}_{i=1}^t{\mathrm{\σ}}_{i3},{\mathrm{\σ}}_4={\mathrm{\Π}}_{i=1}^t{\mathrm{\σ}}_{i4}\·\underset{i=1}{\overset{n}{\mathrm{\Π}}}{\left(U_i\right)}^{l_i},{\mathrm{\σ}}_5={\mathrm{\Π}}_{i=1}^t{\mathrm{\σ}}_{i5},$ The thresholding ring label then generated are close is C=(σ ₁... σ ₅, R ₁... R _n);

S4, solution are signed close: the close and close recipient ID of ring label according to thresholding ring label _rprivate key calculate message, take the message obtained to formula $e({\mathrm{\σ}}_4,g)=e{(g_1,g_2)}^{t}e(U_1,R_1)\·\·\·e(U_n,R_n)e(m^{\′}\underset{i\∈M}{\mathrm{\Π}}{m}_i,{\mathrm{\σ}}_5)$ In, during equation establishment that and if only if, thresholding ring label are effectively close, and gained message is correct, otherwise gained thresholding ring label are close invalid, gained message error.

Preferably, the following step acquisition thresholding ring label are carried out after the privately owned secret of the described step S3 close middle acquisition of label close:

For i ∈ 1,2 ..., t}, if the close person ID of each label _iprivate key be (d _i1, d _i2), calculate M=H _m(L, m), order for the set of the sequence number k of M [k]=1 in the bit string of message m, random selecting r _i∈ Z _p, calculating section thresholding ring label are close ${\mathrm{\σ}}_{i1}=e{(g_1,g_2)}^{r_i},{\mathrm{\σ}}_{i2}=g^{r_i},{\mathrm{\σ}}_{i3}={\left(u^{\′}\underset{{j\∈\mathrm{\Φ}}_{{\mathrm{ID}}_R}}{\mathrm{\Π}}{\hat{u}}_j\right)}^{r_i},{\mathrm{\σ}}_{i4}=d_{i1}{\left(m^{\′}\underset{i\∈M}{\mathrm{\Π}}{\hat{m}}_i\right)}^{x_i{\mathrm{\η}}_i},{\mathrm{\σ}}_{i5}=g^{x_i{\mathrm{\η}}_i},$ σ _i6=d _i2, and (σ _i1, σ _i2, σ _i3, σ _i4, σ _i5, σ _i6) send to t to sign in close person arbitrary in order to produce the close close person of label of thresholding ring label, wherein ${\mathrm{\η}}_i={\mathrm{\Π}}_{j=1,j\≠i}^t\frac{j}{j-i}\mathrm{mod}p$ For Lagrange coefficient.

Preferably, it is as follows that described solution signs close concrete steps:

When receive thresholding ring label close after, the close recipient of thresholding ring label utilizes its private key first to calculate and waits to sign close message m, m=σ ₁e (d _r2, σ ₃) e (d _r1, σ ₂) ^-1, then calculating by hash function the length waiting to sign close message is n _mbit string, definition bit string in numerical value be 1 sequence number set M;

Message is substituted into formula $e({\mathrm{\σ}}_4,g)=e{(g_1,g_2)}^{t}e(U_1,R_1)\·\·\·e(U_n,R_n)e(m^{\′}\underset{i\∈M}{\mathrm{\Π}}{m}_i,{\mathrm{\σ}}_5)$ In, during equation establishment that and if only if, thresholding ring label are effectively close, and gained message is correct, otherwise gained thresholding ring label are close invalid, gained message error.

Here M has been used when verifying, for here n _mdimensional vector, m _ibe exactly gather corresponding sequence number in M to exist in corresponding element.

As shown in Figure 2, concrete implementation step is indistinguishability Security Proof of the present invention:

1. suppose that opponent A can attack this programme with the advantage of can not ignore, then can construction algorithm B, B A can be utilized to solve DBDH problem.Example (g, the g of a given B DBDH problem ^a, g ^b, g ^c, h), its target judges whether h=e (g, g) ^abc, B imitates the challenger of A.

2. algorithm B sets l _u=2 (q _e+ q _s), l _m=2q _s, wherein q _ethe number of times of A private key inquiry, q _sit is the number of times that A signs close inquiry.Stochastic choice k _uand k _m, meet 0≤k _u≤ n _uwith 0≤k _m≤ n _m, and suppose l _u(n _u+ 1) <p and l _m(n _m+ 1) <p.B selects and length is n _uvectorial X=(x _i), wherein select and length is n _mvector Z=(z _k), wherein last B selects y', w' ∈ _rz _p, length is n _uvectorial Y=(y _i), length is n _mvectorial W=(w _i), wherein y _i, w _i∈ _rz _p.For the bit string u=H of the member identities ID in L and message m _uand M=H (ID) _m(L, m), defines following function:

$F\left(\mathrm{ID}\right)=x^{\&prime;}+\underset{i\&Element;\mathrm{\&Phi;}}{\mathrm{\&Sigma;}}{x}_i-l_u{k}_u,J\left(\mathrm{ID}\right)=y^{\&prime;}+\underset{i\&Element;\mathrm{\&Phi;}}{\mathrm{\&Sigma;}}{y}_i$

$K\left(M\right)=z^{\&prime;}+\underset{i\&Element;M}{\mathrm{\&Sigma;}}{z}_i-l_m{k}_m,L\left(M\right)=w^{\&prime;}+\underset{i\&Element;M}{\mathrm{\&Sigma;}}{w}_i$

The open parameter that algorithm B constructs in the present invention program is as follows:

g ₁＝g ^a，g ₂＝g ^b； $u^{\&prime;}=g_2^{{-l}_u{k}_u+x^{\&prime;}}{g}^{y^{\&prime;}},u_i=g_2^{x_i}{g}^{y_i},1\&le;i\&le;n_u;m^{\&prime;}=g_2^{-l_m{k}_m+z^{\&prime;}}{g}^{w^{\&prime;}},m_i=g_2^{z_i}{g}^{w_i},$ $1\&le;i\&le;n_m;$ Then open parameter is sent to opponent A by algorithm B.

3., in the first stage, when opponent A initiates the inquiry of some, algorithm B responds as follows:

(1) private key inquiry: when opponent A inquires the private key of identity ID, although algorithm B does not know master key, supposition F (ID) ≠ 0 mod p, B also can construct its private key d _iD.The optional r of B _u∈ Z _pand calculate:

$d_{\mathrm{ID}}=(d_1,d_2)=(g_1^{-J\left(\mathrm{ID}\right)/F\left(\mathrm{ID}\right)}{\left(u^{\&prime;}\underset{{i\&Element;\mathrm{\&Phi;}}_{\mathrm{ID}}}{\mathrm{\&Pi;}}{u}_i\right)}^{r_u},g_1^{-1/F\left(\mathrm{ID}\right)}{g}^{r_u}),$ If F (ID)=0 mod is p, calculating above cannot be carried out, and B will unsuccessfully exit.

(2) close inquiry is signed: when opponent A inquires that ring members identity is L={ID ₁..., ID _n, threshold value is t (t<n), and message is m, and the close person of actual label is ID _i(i=1 ... t) and the close recipient of ring label be ID _rthresholding ring label close time, first algorithm B calculates M=H _m(L, m), then exports thresholding ring label close in accordance with the following steps:

1. algorithm B Stochastic choice s, a ₀, a ₁..., a _t-1∈ Z _p, structure number of times is polynomial f (the x)=a of t-1 ₀+ a ₁x+ ... + a _t-1x ^t-1, wherein s=a ₀.

2. suppose close person ID is signed for reality _i(i=1 ... t), meet F (ID _i) ≠ 0 mod p, then algorithm B is according to their private key of method construct in private key inquiry, calculates the close person ID of each label _i(i=1 ... privately owned secret x t) _i=f (i), then utilizes the close algorithm of label to generate the close C of corresponding thresholding ring label.

If 3. condition F (ID _i) ≠ 0 mod p, i=1 ... t is false, and so also can to construct these thresholding ring label as the method constructing private key in private key inquiry close for algorithm B.Assuming that K (M) ≠ 0 mod p, algorithm B Stochastic choice r, r ₁..., r _n, r _m∈ Z _p, calculate:

σ ₁＝e(g ₁,g ₂) ^r·m，σ ₂＝g ^r， ${\mathrm{\&sigma;}}_3={\left(u^{\&prime;}\underset{j{\&Element;\mathrm{\&Phi;}}_{{\mathrm{ID}}_R}}{\mathrm{\&Pi;}}{\hat{u}}_j\right)}^r,$ ${\mathrm{\&sigma;}}_4=\left(\underset{i=1}{\overset{n}{\mathrm{\&Pi;}}}{\left(U_i\right)}^{r_i}\right)g_1^{-\mathrm{tL}\left(M\right)/K\left(M\right)}{\left(m^{\&prime;}\underset{i\&Element;M}{\mathrm{\&Pi;}}{m}_i\right)}^{r_m},{\mathrm{\&sigma;}}_5=g^{r_m},R_1=g^{r_1},...,R_n=g^{r_n},$ Wherein if K (M)=0 mod is p, calculating above cannot be carried out, and B will unsuccessfully exit.

(3) the close inquiry of label is separated: initiate in ring members list L, the close recipient's identity of ring label to be ID as opponent A _rand during the close inquiry of solution label under ciphertext C, first algorithm B runs private key extraction algorithm and obtains ID _rprivate key then run to separate and sign close algorithm, if C is an effective ciphertext, then export m, otherwise, export false.

4., in the challenge stage, opponent A appoints the message m of getting two equal length ₀, m ₁, and by ring members list and the identity of the close recipient of ring label send to algorithm B.If A inquired in the first stage private key, then B will unsuccessfully exit.{ 0,1}, if K is (M for the optional b ∈ of B _b) ≠ 0 mod p, so B will unsuccessfully exit.If L ^*in there is not t identity ID ^*, meet F (ID ^*) ≠ 0 mod p, so B will unsuccessfully exit; Otherwise, for convenience of description, might as well set this t identity as b random selecting r, r ₁..., r _n, r _m∈ Z _p, be constructed as follows:

${\mathrm{\&sigma;}}_1^{*}=h\&CenterDot;m_b,{\mathrm{\&sigma;}}_2^{*}=g^c,{\mathrm{\&sigma;}}_3^{*}=g^{\mathrm{cJ}\left({\mathrm{ID}}_R^{*}\right)}={\left(u^{\&prime;}\underset{{j\&Element;\mathrm{\&Phi;}}_{{\mathrm{ID}}_R^{*}}}{\mathrm{\&Pi;}}{\hat{u}}_j\right)}^c,$

${\mathrm{\&sigma;}}_4^{*}=\underset{i=1}{\overset{t}{\mathrm{\&Pi;}}}{g}_1^{\frac{-J\left({\mathrm{ID}}_i^{*}\right)}{F\left({\mathrm{ID}}_i^{*}\right)}}{\left(g_2^{F\left({\mathrm{ID}}_i^{*}\right)}{g}^{J\left({\mathrm{ID}}_i^{*}\right)}\right)}^{r_i}\&CenterDot;\underset{i=t+1}{\overset{n}{\mathrm{\&Pi;}}}{\left(g_2^{F\left({\mathrm{ID}}_i^{*}\right)}{g}^{J\left({\mathrm{ID}}_i^{*}\right)}\right)}^{r_i}\&CenterDot;g^{r_{m}L\left(M_b\right)},{\mathrm{\&sigma;}}_5^{*}=g^{r_m},$

$R_1^{*}=g^{{\tilde{r}}_1},...,R_t^{*}=g^{{\tilde{r}}_t},R_{t+1}^{*}=g^{r_{t+1}},...,R_n^{*}=g^{r_n},$

Wherein if h=e (g, g) ^abc, known C ^*that effective thresholding ring label are close.

5., in second stage, opponent A as the stage 1, send the private key inquiry of some, sign close inquiry and deciphering inquiry, but A can not inquire private key and to C ^*carry out solution and sign close inquiry.

6., in the conjecture stage, opponent A exports the conjecture b' to b.If b=b', then B exports 1, by h=e (g, g) ^abcas the solution of DBDH problem; Otherwise B exports 0, stop game.

Therefore, if there is an opponent can carry out CCA2 attack with the probability of can not ignore, so there is an effective algorithm and can solve DBDH problem with the probability of can not ignore, and this and DBDH to be a difficult problem contradict, therefore scheme is IND-IDTRSC-CCA2 safety.

Of the present invention exist unforgeable Security Proof as shown in Figure 3, and concrete implementation step is:

1. suppose that adulterator A can attack this programme with the advantage of can not ignore, then can construction algorithm B, B A can be utilized to solve CDH problem.Example (g, the g of a given B CDH problem ^a, g ^b), its target calculates g ^ab, B imitates the challenger of A.

2. algorithm B construct with prove above in identical system parameter is disclosed, then send it to opponent A.

3. opponent A can as above prove in, initiate adaptively some private key inquiry, sign close inquiry and separate label close inquiry.

4., in the forgery stage, opponent A exports in ring members list threshold value t, message m ^*and the close recipient's identity of ring label is under the close C of forgery thresholding ring label ^*.If algorithm B does not unsuccessfully exit in whole process, so algorithm B checks whether following condition is set up:

1. for all i ∈ (1 ..., n) all set up;

2. K (M ^*)=0 mod p, wherein M ^*=H _m(L, m ^*).

If set up when above-mentioned condition is different, so algorithm B will unsuccessfully exit; Otherwise B can calculate ${\left(\frac{{\mathrm{\&sigma;}}_4^{*}}{{R_1}^{J\left({\mathrm{ID}}_l^{*}\right)}\&CenterDot;\&CenterDot;\&CenterDot;{R_n}^{J\left({\mathrm{ID}}_n^{*}\right)}{R_m}^{L\left(M^{*}\right)}}\right)}^{1/t}={\left(\frac{g_2^{\mathrm{ta}}{\left(u^{\&prime;}\underset{{i\&Element;\mathrm{\&Phi;}}_{{\mathrm{ID}}_i^{*}}}{\mathrm{\&Pi;}}{u}_i\right)}^{r_1}\&CenterDot;\&CenterDot;\&CenterDot;{\left(u^{\&prime;}\underset{{i\&Element;\mathrm{\&Phi;}}_{{\mathrm{ID}}_n^{*}}}{\mathrm{\&Pi;}}{u}_i\right)}^{r_i}{\left(m^{\&prime;}\underset{k\&Element;M}{\mathrm{\&Pi;}}{m}_j\right)}^{r_m}}{g^{J\left({\mathrm{ID}}_1^{*}\right)r_1}\&CenterDot;\&CenterDot;\&CenterDot;g^{J\left({\mathrm{ID}}_n^{*}\right)r_n}{g}^{L\left(M^{*}\right)r_m}}\right)}^{1/t}={\left(g_2^{\mathrm{ta}}\right)}^{1/t}=g_2^a=g^{\mathrm{ab}}$

The solution of CDH problem that Here it is.

Therefore, if there is an opponent, can to forge effective thresholding ring label with the probability of can not ignore close, so just there is an algorithm and can solve CDH problem with the probability of can not ignore, and this and CDH problem are difficult problems contradicts, therefore scheme is EUF-IDTRSC-CMIA safety.

In sum, according to present invention achieves the new way and new method that construct identity-based thresholding ring stopover sites under master pattern, and the security reliability of scheme is understood by concrete solution security proof list, the realization of the method not only has theory significance, also has realistic meaning simultaneously.

Therefore the present invention constructs under master pattern, the method proves to have indistinguishability and unforgeable by experiment, and therefore this method is for the scheme designed under random oracle model, has better fail safe.

The above is only the preferred embodiment of the present invention; it should be pointed out that for those skilled in the art, under the premise without departing from the principles of the invention; can also make some improvements and modifications, these improvements and modifications also should be considered as protection scope of the present invention.

Claims (2)

1. a thresholding ring label decryption method for identity-based, is characterized in that: comprise the following steps:

(1) system is set up: random selecting parameter, generation system parameter and corresponding master key, and wherein system parameters is open parameter, and concrete steps are:

Make G, G _tthe cyclic group of prime number p that to be rank be, e:G × G → G _ta bilinear map, two collisionless hash functions with it is n that the identity ID of random length and message m are exported length respectively _uand n _mbit string;

Trusted third party random selecting parameter alpha ∈ Z _p, generator g ∈ G, calculates g ₁=g ^a; Random selecting parameter g ₂, u', m' ∈ G, n _udimensional vector n _mdimensional vector wherein u _i, m _i∈ _rg, then system parameters is $\mathrm{param}=(G,G_T,e,g,g_1,g_2,u^{\&prime;},\hat{U},m^{\&prime;},\hat{M},H_u,H_m),$ Master key is $\mathrm{msk}=g_2^a;$

(2) private key extracts: the identity of input system parameter, master key and user, and obtain the private key of this user identity, concrete steps are:

Given user identity ID, by hash function u=H _u(ID) length calculating representative of consumer identity is n _ubit string, make i-th that u [i] represents in this bit string, in definition bit string, numerical value is the sequence number set Φ of 1 _iD;

Random selecting parameter r _u∈ Z _p, calculating user identity is the private key of ID

$d_{\mathrm{ID}}=(d_1,d_2)=(g_2^{\mathrm{\&alpha;}}{\left(u^{\&prime;}\underset{i\&Element;{\mathrm{\&Phi;}}_{\mathrm{ID}}}{\mathrm{\&Pi;}}{u}_i\right)}^{r_u},g^{r_u});$

(3) sign close: the set L={ID of the close middle n member of given thresholding ring label ₁..., ID _n, actual carry out signing the identity of close t the close person of label under be designated as 1,2 ..., t}, waits to sign close message m, signs the identity ID of close recipient _r, signing close concrete steps is:

The close person ID of each label _i(i=1 ..., t) its sub secret s of Stochastic choice _i∈ Z _p, structure coefficient is at Z _pt-1 order polynomial f _i(x)=a _{i, 0}+ a _{i, 1}x+ ... + a _{i, t-1}x ^t-1, wherein s _i=a _{i, 0}; Then close person ID is signed _icalculate open parameter wherein d=0,1 .., t-1, and sign close person broadcast to other;

Calculate other and respectively sign close person ID _j(j=1,2 .., t; J ≠ i) secret sharing s _i,j=f _i(j), and they sent to other to sign close person ID _j(j=1,2 .., t; J ≠ i), oneself retains s _i,i=f _i(i);

Other respectively sign close person ID _j(j=1,2 .., t; J ≠ i) sign close person ID from i-th _iobtain secret sharing s _i,jafter, verify its validity with following equation: when after confirmation secret sharing effectively, the close person ID of each label _icalculating its privately owned secret according to secret sharing is

According to ring members list of identities L={ID ₁..., ID _n, t signs close person, waits to sign the private key of close message m and t the close person of label, the close recipient identity ID of ring label _r, obtain and waiting to sign the close C of (t, n) thresholding ring label under close message m, (t, n) represents that the close middle membership of thresholding ring label be n, t is threshold value, and actual participation generates the close number of members>=t of thresholding ring label, and concrete steps are:

Make m ∈ G _tfor waiting to sign close message, these thresholding ring label close person's random selecting l ₁..., l _n∈ Z _p, calculate $U_i=u^{\&prime;}\underset{j\&Element;{\mathrm{\&Phi;}}_{{\mathrm{ID}}_i}}{\mathrm{\&Pi;}}{\hat{u}}_j,$ i＝1,...,n， $R_1={\mathrm{\&sigma;}}_{16}{g}^{l_1},...,R_t={\mathrm{\&sigma;}}_{t6}{g}^{l_t},R_{t+1}=g^{l_{t+1}},...,R_n=g^{l_n};$ Order ${\mathrm{\&sigma;}}_1={\mathrm{\&Pi;}}_{i=1}^t{\mathrm{\&sigma;}}_{i1}\&CenterDot;m,$ ${\mathrm{\&sigma;}}_2={\mathrm{\&Pi;}}_{i=1}^t{\mathrm{\&sigma;}}_{i2},$ ${\mathrm{\&sigma;}}_3={\mathrm{\&Pi;}}_{i=1}^t{\mathrm{\&sigma;}}_{i3},$ ${\mathrm{\&sigma;}}_4={\mathrm{\&Pi;}}_{i=1}^t{\mathrm{\&sigma;}}_{i4}\&CenterDot;\underset{i=1}{\overset{n}{\mathrm{\&Pi;}}}{\left(U_i\right)}^{l_i},$ ${\mathrm{\&sigma;}}_5={\mathrm{\&Pi;}}_{i=1}^t{\mathrm{\&sigma;}}_{i5},$ The thresholding ring label then generated are close is C=(σ ₁... σ ₅, R ₁... R _n);

(4) label are separated close: the close and close recipient ID of ring label according to thresholding ring label _rprivate key calculate message, take the message obtained to formula $e({\mathrm{\&sigma;}}_4,g)=e{(g_1,g_2)}^{t}e(U_1,R_1)\&CenterDot;\&CenterDot;\&CenterDot;e(U_n,R_n)e(m^{\&prime;}\underset{i\&Element;M}{\mathrm{\&Pi;}}{m}_i,{\mathrm{\&sigma;}}_5)$ In, during equation establishment that and if only if, thresholding ring label are effectively close, and gained message is correct, otherwise gained thresholding ring label are close invalid, gained message error, return step (1);

Described step (3) carries out the following step acquisition thresholding ring label after signing the privately owned secret of close middle acquisition close:

For i ∈ 1,2 ..., t}, if the close person ID of each label _iprivate key be (d _i1, d _i2), calculate M=H _m(L, m), order for the set of the sequence number k of M [k]=1 in the bit string of message m, random selecting r _i∈ Z _p, calculating section thresholding ring label are close ${\mathrm{\&sigma;}}_{i1}=e{(g_1,g_2)}^{r_i},$ ${\mathrm{\&sigma;}}_{i2}=r^{r_i},{\mathrm{\&sigma;}}_{i3}={\left(u^{\&prime;}\underset{j\&Element;{\mathrm{\&Phi;}}_{{\mathrm{ID}}_R}}{\mathrm{\&Pi;}}{\hat{u}}_j\right)}^{r_i},$ ${\mathrm{\&sigma;}}_{i4}=d_{i1}{\left(m^{\&prime;}\underset{i\&Element;M}{\mathrm{\&Pi;}}{\hat{m}}_i\right)}^{x_i{\mathrm{\&eta;}}_i},$ ${\mathrm{\&sigma;}}_{i5}=g^{x_i{\mathrm{\&eta;}}_i},$ σ _i6=d _i2, and (σ _i1, σ _i2, σ _i3, σ _i4, σ _i5, σ _i6) send to t to sign in close person arbitrary in order to produce the close close person of label of thresholding ring label, wherein for Lagrange coefficient.

2. the thresholding ring label decryption method of identity-based according to claim 1, is characterized in that: it is as follows that described solution signs close concrete steps:

When receive thresholding ring label close after, the close recipient of thresholding ring label utilizes its private key first to calculate and waits to sign close message m, m=σ ₁e (d _r2, σ ₃) e (d _r1, σ ₂) ^-1, then calculating by hash function the length waiting to sign close message is n _mbit string, definition bit string in numerical value be 1 sequence number set M;

Message is substituted into formula $e({\mathrm{\&sigma;}}_4,g)=e{(g_1,g_2)}^{t}e(U_1,R_1)\&CenterDot;\&CenterDot;\&CenterDot;e(U_n,R_n)e(m^{\&prime;}\underset{i\&Element;M}{\mathrm{\&Pi;}}{m}_i,{\mathrm{\&sigma;}}_5)$ In, during equation establishment that and if only if, thresholding ring label are effectively close, and gained message is correct, otherwise gained thresholding ring label are close invalid, gained message error.