CN102694654B

CN102694654B - Identity-based threshold ring signcryption method

Info

Publication number: CN102694654B
Application number: CN201210165402.8A
Authority: CN
Inventors: 孙华; 王爱民; 葛彦强; 熊晶; 孙虹; 韩娇红
Original assignee: Individual
Current assignee: Anyang Normal University
Priority date: 2012-05-25
Filing date: 2012-05-25
Publication date: 2015-03-25
Anticipated expiration: 2032-05-25
Also published as: CN102694654A

Abstract

An identity-based threshold ring signcryption method includes (1) system establishment, (2) private key extraction, (3) signcryption, and (4) signcryption decryption under a standard model. The method of the invention is constructed under the standard model, and compared with the scheme designed under the random oracle model, the security is better.

Description

Identity-based Threshold Ring Signcryption Method

技术领域technical field

本发明涉及一种环签密方法，尤其是一种基于身份的门限环签密方法。The invention relates to a ring signcryption method, in particular to an identity-based threshold ring signcryption method.

背景技术Background technique

在传统公钥密码体制中，一个重要的问题是公钥的真实性。一般来说，为了在现实世界中应用公钥密码算法，需要有一种机制能够随时验证某公钥与某主体身份之间的联系。通常采用的办法是建立公钥基础设施，通过其认证中心发布的公钥数字证书将公钥与用户的身份捆绑在一起。在这类基于公钥数字证书的系统中，在使用用户的公钥之前，人们需要获取该用户的公钥数字证书并验证其证书的正确性和合法性。这就需要较大的存储空间来存储不同用户的公钥证书，也需要较多的时间开销来验证用户的公钥证书。这是传统的公钥密码体制难以克服的缺点。In the traditional public key cryptosystem, an important issue is the authenticity of the public key. Generally speaking, in order to apply public key cryptography algorithms in the real world, there needs to be a mechanism that can verify the connection between a certain public key and a certain subject's identity at any time. The usual method is to establish a public key infrastructure, and bind the public key with the user's identity through the public key digital certificate issued by its certification center. In such systems based on public key digital certificates, before using the user's public key, people need to obtain the user's public key digital certificate and verify the correctness and legitimacy of the certificate. This requires a larger storage space to store the public key certificates of different users, and also requires more time overhead to verify the user's public key certificates. This is the shortcoming that the traditional public key cryptosystem is difficult to overcome.

为了解决传统公钥密码体制中庞大的公钥证书存储和验证开销问题，1984年Shamir创造性地提出了基于身份的公钥密码学思想。在基于身份的公钥密码体制中，用户的公钥可以是能够标识用户身份的信息，如E-mail、身份证号码等，用户的私钥则由可信第三方根据用户的身份信息产生。基于身份的密码体制使得任意两个用户都可以安全通信，用户的公钥和用户身份自然地绑定在一起，不需要公钥证书，也不必使用在线的第三方，只需一个可信的密钥发行中心为每个第一次接入系统的用户发行一个私钥就行。它解决了传统公钥密码学难以克服的缺点，并且由于其自身特点也使它拥有了广阔的应用领域。In order to solve the problem of huge public key certificate storage and verification overhead in traditional public key cryptography, in 1984 Shamir creatively proposed the idea of identity-based public key cryptography. In the identity-based public key cryptosystem, the user's public key can be information that can identify the user's identity, such as E-mail, ID number, etc., and the user's private key is generated by a trusted third party based on the user's identity information. The identity-based cryptographic system enables any two users to communicate securely. The user's public key and user identity are naturally bound together. There is no need for a public key certificate or an online third party. Only a trusted key is required. It is enough for the key distribution center to issue a private key for each user who accesses the system for the first time. It solves the insurmountable shortcomings of traditional public key cryptography, and because of its own characteristics, it has a wide range of applications.

由于基于身份密码学的优势，推出了不少基于身份的密码体制，基于身份的签密体制就是其中之一。同时，签密体制还可以和一些具有特殊性质的密码技术相结合，构造具有特殊性质的签密体制，如将环签密方案和秘密分享方案相结合，从而得到基于身份的门限环签密。Due to the advantages of identity-based cryptography, many identity-based cryptographic systems have been introduced, and the identity-based signcryption system is one of them. At the same time, the signcryption system can also be combined with some cryptographic techniques with special properties to construct a signcryption system with special properties, such as combining the ring signcryption scheme with the secret sharing scheme to obtain identity-based threshold ring signcryption.

双线性对是研究代数几何的重要工具，也是构造基于身份的密码体制的重要工具，在密码学领域扮演着非常重要的角色。Bilinear pairing is an important tool for studying algebraic geometry, and it is also an important tool for constructing identity-based cryptosystems. It plays a very important role in the field of cryptography.

另外，对于基于身份的公钥密码系统而言，目前比较好用的证明方法是随机预言机模型。然而对于基于随机预言模型的安全性证明，需要假设在公钥密码体制中使用的密码杂凑函数具有随机预言机的安全性质，可是随机预言模型下的安全密码方案在实际环境中不一定是安全的，而基于标准模型的安全性证明，其唯一依赖于公钥密码体制所包含陷门单向函数的困难性。因此，构造标准模型下基于身份的门限环签密方案既具有较高的安全性同时也具有现实意义，是亟待解决的问题。In addition, for identity-based public-key cryptosystems, the random oracle model is currently a relatively easy-to-use proof method. However, for the security proof based on the random oracle model, it is necessary to assume that the cryptographic hash function used in the public key cryptosystem has the security properties of the random oracle machine, but the security cryptographic scheme under the random oracle model is not necessarily safe in the actual environment , and the security proof based on the standard model only depends on the difficulty of the trapdoor one-way function contained in the public key cryptosystem. Therefore, constructing an identity-based threshold ring signcryption scheme under the standard model has both high security and practical significance, and it is an urgent problem to be solved.

有鉴于此，特提出本发明。In view of this, the present invention is proposed.

发明内容Contents of the invention

本发明要解决的技术问题在于克服现有技术的不足，提供一种与随机预言模型下设计的方案更具安全性的基于身份的门限环签密方法。The technical problem to be solved by the present invention is to overcome the deficiencies of the prior art and provide an identity-based threshold ring signcryption method that is more secure than the scheme designed under the random oracle model.

为解决上述技术问题，本发明采用技术方案的基本构思是：In order to solve the problems of the technologies described above, the present invention adopts the basic idea of technical solution to be:

一种基于身份的门限环签密方法，其特征在于：包括以下步骤：An identity-based threshold ring signcryption method, characterized in that: comprising the following steps:

(1)系统建立：随机选取参数，生成系统参数以及相应的主密钥，其中系统参数为公开参数，具体步骤为：(1) System establishment: randomly select parameters, generate system parameters and corresponding master keys, where system parameters are public parameters, and the specific steps are:

令G,G_T是阶为素数p的循环群，e:G×G→G_T是一个双线性映射，两个无碰撞的哈希函数 $H_{u} : {0,1}^{*} &RightArrow; {0,1}^{n_{u}}$ 和 $H_{m} : {0,1}^{*} &RightArrow; {0,1}^{n_{m}}$ 将任意长度的身份ID和消息m分别输出长度为n_u和n_m的位串；Let G, G _T be a cyclic group whose order is a prime number p, e: G×G→G _T is a bilinear map, two collision-free hash functions $h_{u} : {0,1}^{*} &Right Arrow; {0,1}^{{no}_{u}}$ and $h_{m} : {0,1}^{*} &Right Arrow; {0,1}^{{no}_{m}}$ Output the identity ID and message m of any length into bit strings with lengths n _u and n _m respectively;

可信第三方随机选取参数α∈Z_p，生成元g∈G，计算g₁＝g^a。随机选取参数g₂,u',m'∈G，n_u维向量n_m维向量其中u_i,m_i∈_RG，则系统参数为 $param = (G, G_{T}, e, g, g_{1}, g_{2}, u^{'}, \hat{U}, m^{'}, \hat{M}, H_{u}, H_{m}),$ 主密钥为 $msk = g_{2}^{a} .$ The trusted third party randomly selects the parameter α∈Z _p , generates the element g∈G, and calculates g ₁ =g ^a . Randomly select parameters g ₂ , u', m'∈G, n _u- dimensional vector n _m- dimensional vector where u _i ,m _i ∈ _R G, then the system parameters are $param = (G, G_{T}, e, g, g_{1}, g_{2}, u^{'}, \hat{u}, m^{'}, \hat{m}, h_{u}, h_{m}),$ The master key is $msk = g_{2}^{a} .$

(2)私钥提取：输入系统参数、主密钥和用户的身份，获得该用户身份的私钥，具体步骤为：(2) Private key extraction: input the system parameters, master key and user identity, and obtain the private key of the user identity. The specific steps are:

给定用户身份ID，通过哈希函数u＝H_u(ID)计算得到代表用户身份的长度为n_u的位串，令u[i]表示该位串中的第i位，定义位串中数值为1的序号集合Φ_ID；Given a user ID, a bit string representing the user identity with a length of n _u is obtained by calculating the hash function u=H _u (ID), let u[i] represent the i-th bit in the bit string, and define the bit string in the bit string The serial number set Φ _ID whose value is 1;

随机选取参数r_u∈Z_p，计算用户身份为ID的私钥Randomly select the parameter r _u ∈ Z _p , and calculate the private key whose user identity is ID

${d d}_{ID ID} = = (({d d}_{11},, {d d}_{22})) = = (({g g}_{22}^{α α} {(({u u}^{' '} \underset{{i i &Element; &Element; Φ Φ}_{ID ID}}{Π Π} {u u}_{i i}))}^{{r r}_{u u}},, {g g}^{{r r}_{u u}})) . .$

(3)签密：给定门限环签密中n个成员的集合L＝{ID₁,...,ID_n}，实际进行签密的t个签密者的身份下标为{1,2,...,t}，待签密消息m，签密接收者的身份ID_R，签密的具体步骤为：(3) Signcryption: Given a set L of n members in the threshold ring signcryption = {ID ₁ ,...,ID _n }, the identities of the t signcryptors who actually perform signcryption are subscripted as {1, 2,...,t}, the message to be signed encrypted m, the identity ID _R of the sign encrypted receiver, the specific steps of sign encrypted are:

各签密者ID_i(i＝1,...,t)随机选择其子秘密s_i∈Z_p，构造系数在Z_p的t-1次多项式f_i(x)＝a_i,0+a_i,1x+…+a_i,t-1x^t-1，其中s_i＝a_i,0；然后签密者ID_i计算公开参数 $C_{i, d} = g^{a_{i, d}} (d = 0,1, . ., t - 1)$ 并向其它签密者广播；Each signcrypter ID _i (i=1 _, ...,t) randomly selects its sub-secret s _i ∈ Z _p , and constructs a t-1 degree polynomial f _i (x)=a _i,0 + a _i,1 x+…+a _i,t-1 x ^t-1 , where s _i =a _i,0 ; then the signcrypter ID _i calculates the public parameters $C_{i, d} = g^{a_{i, d}} (d = 0,1, . ., t - 1)$ and broadcast to other signcrypters;

计算其它各签密者ID_j(j≠i)的秘密分享s_i,j＝f_i(j)，并将它们发送给其它签密者ID_j(j＝1,2,..,t；j≠i)，自己保留s_i,i＝f_i(i)；Calculate the secret shares si _,j = f _i (j) of other signcryptor ID _j (j≠i), and send them to other signcryptor ID _j (j=1,2,...,t; j≠i), keep s _i,i ＝f _i (i);

其他各签密者ID_j(j＝1,2,..,t；j≠i)从第i个签密者ID_i得到秘密分享s_i,j后，用如下等式验证其有效性：当确认秘密分享有效后，各签密者ID_i根据秘密分享计算其私有秘密为 After each other signcryptor ID _j (j=1,2,...,t; j≠i) obtains the secret share si _,j from the i-th signcryptor ID _i , use the following equation to verify its validity: After confirming that the secret sharing is valid, each signcryptor ID _i calculates its private secret according to the secret sharing as

根据环成员身份列表L＝{ID₁,...,ID_n}、t个签密者、待签密消息m以及t个签密者的私钥，环签密接收者身份ID_R，获得在待签密消息m下的(t,n)门限环签密C，(t,n)表示门限环签密中成员总数为n，t是门限值，实际参与生成门限环签密的成员数≥t，具体步骤为：According to the ring member identity list L={ID ₁ ,...,ID _n }, t signcryptors, the message m to be signedcrypted, and the private keys of t signcryptors, and the identity ID _R of the ring signcryptor receiver, we can obtain In the (t, n) threshold ring signcryption C under the message m to be signed encrypted, (t, n) indicates that the total number of members in the threshold ring signcryption is n, t is the threshold value, and the members who actually participate in generating the threshold ring signcryption Number ≥ t, the specific steps are:

令m∈G_T为待签密消息，该门限环签密者随机选取l₁,...,l_n∈Z_p，计算 $U_{i} = u^{'} \underset{{j &Element; Φ}_{{ID}_{i}}}{Π} {\hat{u}}_{j}, i = 1, . . ., n, R_{1} = σ_{16} g^{l_{1}}, . . ., R_{t} = σ_{t 6} g^{l_{t}}, R_{t + 1} = g^{l_{t + 1}}, . . ., R_{n} = g^{l_{n}} .$ 令 $σ_{1} = Π_{i = 1}^{t} σ_{i 1} \cdot m,$ $σ_{2} = Π_{i = 1}^{t} σ_{i 2}, σ_{3} = Π_{i = 1}^{t} σ_{i 3}, σ_{4} = Π_{i = 1}^{t} σ_{i 4} \cdot Π_{i = 1}^{n} {(U_{i})}^{l_{i}}, σ_{5} = Π_{i = 1}^{t} σ_{i 5},$ 则生成的门限环签密为C＝(σ₁,...σ₅,R₁,...R_n)。Let m∈G _T be the message to be signcrypted, the threshold ring signcryptor randomly selects l ₁ ,...,l _n ∈ Z _p , and calculates $u_{i} = u^{'} \underset{{j &Element; Φ}_{{ID}_{i}}}{Π} {\hat{u}}_{j}, i = 1, . . ., no, R_{1} = σ_{16} g^{l_{1}}, . . ., R_{t} = σ_{t 6} g^{l_{t}}, R_{t + 1} = g^{l_{t + 1}}, . . ., R_{no} = g^{l_{no}} .$ make $σ_{1} = Π_{i = 1}^{t} σ_{i 1} \cdot m,$ $σ_{2} = Π_{i = 1}^{t} σ_{i 2}, σ_{3} = Π_{i = 1}^{t} σ_{i 3}, σ_{4} = Π_{i = 1}^{t} σ_{i 4} &Center Dot; Π_{i = 1}^{no} {(u_{i})}^{l_{i}}, σ_{5} = Π_{i = 1}^{t} σ_{i 5},$ Then the generated threshold ring signcryption is C=(σ ₁ ,...σ ₅ ,R ₁ ,...R _n ).

(4)解签密：根据门限环签密和环签密接收者ID_R的私钥计算得到消息，将得到的消息带到公式 $e (σ_{4}, g) = e {(g_{1}, g_{2})}^{t} e (U_{1}, R_{1}) \cdot \cdot \cdot e (U_{n}, R_{n}) e (m^{'} \underset{i &Element; M}{Π} m_{i}, σ_{5})$ 中，当且仅当等式成立时，门限环签密有效，所得消息正确，否则所得门限环签密无效，所得消息错误，返回步骤(1)。(4) Signcryption decryption: Calculate the message according to the threshold ring signcryption and the private key of the ring signcryption recipient ID _R , and bring the obtained message to the formula $e (σ_{4}, g) = e {(g_{1}, g_{2})}^{t} e (u_{1}, R_{1}) &Center Dot; \cdot \cdot e (u_{no}, R_{no}) e (m^{'} \underset{i &Element; m}{Π} m_{i}, σ_{5})$ , if and only if the equation holds, the threshold ring signcryption is valid and the obtained message is correct, otherwise the obtained threshold ring signcryption is invalid and the obtained message is wrong, return to step (1).

优选的，所述步骤(3)签密中获得私有秘密后进行下列步骤获得门限环签密：：Preferably, after obtaining the private secret in the step (3) signcryption, perform the following steps to obtain the threshold ring signcryption:

对于i∈{1,2,...,t}，设每个签密者ID_i的私钥为(d_i1,d_i2)，计算M＝H_m(L,m)，令为消息m的位串中M[k]＝1的序号k的集合，随机选取r_i∈Z_p，计算部分门限环签密 $σ_{i 1} = e {(g_{1}, g_{2})}^{r_{i}}, σ_{i 2} = g^{r_{i}}, σ_{i 3} = {(u^{'} \underset{{j &Element; Φ}_{{ID}_{R}}}{Π} {\hat{u}}_{j})}^{r_{i}}, σ_{i 4} = d_{i 1} {(m^{'} \underset{i &Element; M}{Π} {\hat{m}}_{i})}^{x_{i} η_{i}}, σ_{i 5} = g^{x_{i} η_{i}},$ σ_i6＝d_i2，并把(σ_i1,σ_i2,σ_i3,σ_i4,σ_i5,σ_i6)发送给t个签密者中任一用以产生门限环签密的签密者，其中 $η_{i} = Π_{j = 1, j &NotEqual; i}^{t} \frac{j}{j - i} \mod p$ 为拉格朗日系数。For i∈{1,2,...,t}, let the private key of each signcrypter ID _i be (d _i1 ,d _i2 ), calculate M=H _m (L,m), let is the set of sequence number k with M[k]=1 in the bit string of message m, randomly select r _i ∈ Z _p , and calculate partial threshold ring signcryption $σ_{i 1} = e {(g_{1}, g_{2})}^{r_{i}}, σ_{i 2} = g^{r_{i}}, σ_{i 3} = {(u^{'} \underset{{j &Element; Φ}_{{ID}_{R}}}{Π} {\hat{u}}_{j})}^{r_{i}}, σ_{i 4} = d_{i 1} {(m^{'} \underset{i &Element; m}{Π} {\hat{m}}_{i})}^{x_{i} η_{i}}, σ_{i 5} = g^{x_{i} η_{i}},$ σ _i6 ＝d _i2 , and send (σ _i1 ,σ _i2 ,σ _i3 ,σ _i4 ,σ _i5 ,σ _i6 ) to any one of the t signcryptors to generate threshold ring signcryption, where $η_{i} = Π_{j = 1, j &NotEqual; i}^{t} \frac{j}{j - i} \mod p$ is the Lagrange coefficient.

优选的，所述的解签密的具体步骤如下：Preferably, the specific steps of the described deciphering are as follows:

当收到门限环签密后，门限环签密接收者利用其私钥首先计算出待签密消息m，m＝σ₁·e(d_R2,σ₃)·e(d_R1,σ₂)^-1，然后通过哈希函数计算得到待签密消息的长度为n_m的位串，定义位串中数值为1的序号集合M；After receiving the threshold ring signcryption, the recipient of the threshold ring signcryption uses its private key to first calculate the message m to be signedcrypted, m=σ ₁ ·e(d _R2 ,σ ₃ )·e(d _R1 ,σ ₂ ) ^-1 , and then calculate the bit string of the message to be signed encrypted with a length of n _m through the hash function, and define the serial number set M whose value is 1 in the bit string;

将消息代入式 $e (σ_{4}, g) = e {(g_{1}, g_{2})}^{t} e (U_{1}, R_{1}) \cdot \cdot \cdot e (U_{n}, R_{n}) e (m^{'} \underset{i &Element; M}{Π} m_{i}, σ_{5})$ 中，当且仅当等式成立时，门限环签密有效，所得消息正确，否则所得门限环签密无效，所得消息错误。Substitute the message into the formula $e (σ_{4}, g) = e {(g_{1}, g_{2})}^{t} e (u_{1}, R_{1}) &Center Dot; \cdot &Center Dot; e (u_{no}, R_{no}) e (m^{'} \underset{i &Element; m}{Π} m_{i}, σ_{5})$ In , if and only when the equation holds, the threshold ring signcryption is valid and the obtained message is correct, otherwise the threshold ring signcryption obtained is invalid and the obtained message is wrong.

采用上述技术方案后，本发明与现有技术相比具有以下有益效果：本发明的方法是在标准模型下构造的，与随机预言模型下设计的方案相比，安全性更好。After adopting the above technical solution, the present invention has the following beneficial effects compared with the prior art: the method of the present invention is constructed under the standard model, and compared with the scheme designed under the random oracle model, the security is better.

下面结合附图对本发明的具体实施方式作进一步详细的描述。The specific implementation manners of the present invention will be further described in detail below in conjunction with the accompanying drawings.

附图说明Description of drawings

图1是本发明的基本流程图；Fig. 1 is a basic flow chart of the present invention;

图2是从对门限签密算法的攻击到求解DBDH问题的规约；Figure 2 is the protocol from attacking the threshold signcryption algorithm to solving the DBDH problem;

图3是从伪造门限签密到求解CDH问题的规约。Figure 3 is the protocol from falsifying threshold signcryption to solving the CDH problem.

具体实施方式Detailed ways

如图1所示,一种基于身份的门限环签密方法，包括以下步骤：As shown in Figure 1, an identity-based threshold ring signcryption method includes the following steps:

S1、系统建立：随机选取参数，生成系统参数以及相应的主密钥，其中系统参数为公开参数，具体步骤为：S1. System establishment: randomly select parameters, generate system parameters and corresponding master keys, where system parameters are public parameters, and the specific steps are:

可信第三方随机选取参数α∈Z_p，生成元g∈G，计算g₁＝g^a。随机选取参数g₂,u',m'∈G，n_u维向量n_m维向量其中u_i,m_i∈_RG，则系统参数为 $param = (G, G_{T}, e, g, g_{1}, g_{2}, u^{'}, \hat{U}, m^{'}, \hat{M}, H_{u}, H_{m}),$ 主密钥为 $msk = g_{2}^{a};$ The trusted third party randomly selects the parameter α∈Z _p , generates the element g∈G, and calculates g ₁ =g ^a . Randomly select parameters g ₂ , u', m'∈G, n _u- dimensional vector n _m- dimensional vector where u _i ,m _i ∈ _R G, then the system parameters are $param = (G, G_{T}, e, g, g_{1}, g_{2}, u^{'}, \hat{u}, m^{'}, \hat{m}, h_{u}, h_{m}),$ The master key is $msk = g_{2}^{a};$

S2、私钥提取：输入系统参数、主密钥和用户的身份，获得该用户身份的私钥，具体步骤为：S2. Private key extraction: input the system parameters, master key and user identity, and obtain the private key of the user identity. The specific steps are:

${d d}_{ID ID} = = (({d d}_{11},, {d d}_{22})) = = (({g g}_{22}^{α α} {(({u u}^{' '} \underset{{i i &Element; &Element; Φ Φ}_{ID ID}}{Π Π} {u u}_{i i}))}^{{r r}_{u u}},, {g g}^{{r r}_{u u}}));;$

这里在计算私钥时用到了序号集合Φ_ID，对于公式中的d₁即这里的是n_u维向量，u_i就是集合Φ_ID中相应序号在中所对应的元素。Here, the serial number set Φ _ID is used in the calculation of the private key. For d ₁ in the formula, that is here is n _u- dimensional vector, u _i is the corresponding serial number in the set Φ _ID corresponding elements in .

S3、签密：给定门限环签密中n个成员的集合L＝{ID₁,...,ID_n}，实际进行签密的t个签密者的身份下标为{1,2,...,t}，待签密消息m，签密接收者的身份ID_R，签密的具体步骤为：S3. Signcryption: Given a set L of n members in the threshold ring signcryption = {ID ₁ ,...,ID _n }, the identities of the t signcryptors who actually perform signcryption are subscripted as {1,2 ,...,t}, the message to be signed encrypted m, the identity ID _R of the sign encrypted receiver, the specific steps of sign encrypted are:

各签密者ID_i(i＝1,...,t)随机选择其子秘密s_i∈Z_p，构造系数在Z_p的t-1次多项式f_i(x)＝a_i,0+a_i,1x+…+a_i,t-1x^t-1，其中s_i＝a_i,0；然后签密者ID_i计算公开参数并向其它签密者广播；(Z_p表示整数模p的剩余类群，这是密码学中通用的表示形式)Each signcrypter ID _i (i=1 _, ...,t) randomly selects its sub-secret s _i ∈ Z _p , and constructs a t-1 degree polynomial f _i (x)=a _i,0 + a _i,1 x+…+a _i,t-1 x ^t-1 , where s _i =a _i,0 ; then the signcrypter ID _i calculates the public parameters And broadcast to other signcrypters; (Z _p represents the remaining group of integer modulo p, which is a general representation in cryptography)

签密者ID_j(j＝1,2,..,t；j≠i)从签密者ID_i得到秘密分享s_i,j后，用如下等式验证其有效性：当确认秘密分享有效后，各签密者ID_i根据秘密分享计算其私有秘密为各签密者ID_i是所有接收到秘密分享的签密者。举个例子，假设这里有t个签密者，不妨设它们的编号是1,…,t。现在签密者1要向剩余的签密者计算秘密分享，同样的道理，剩余的每一个签密者也要向除它以外的t-1个签密者计算秘密分享，因此，这里的各签密者就是这里的t个签密者。After the signcrypter ID _j (j=1,2,..,t; j≠i) gets the secret share si _,j from the signcrypter ID _i , use the following equation to verify its validity: After confirming that the secret sharing is valid, each signcryptor ID _i calculates its private secret according to the secret sharing as Each signcrypter ID _i is all the signcryptors that received the secret share. For example, suppose there are t signcryptors here, let their numbers be 1,...,t. Now signcrypter 1 needs to calculate the secret share to the rest of the signcryptors. In the same way, each of the remaining signcryptors also needs to calculate the secret share from t-1 other signcryptors. Therefore, each The signcryptors are the t signcrypters here.

根据环成员身份列表L＝{ID₁,...,ID_n}、t个签密者、待签密消息m以及t个签密者的私钥，环签密接收者身份ID_R，获得在待签密消息m下的(t,n)门限环签密C，(t,n)为门限环签密中成员总数为n，t是门限值，实际参与生成门限环签密的成员数≥t，在表示门限的时候均采用这种表示形式。具体步骤为：According to the ring member identity list L={ID ₁ ,...,ID _n }, t signcryptors, the message m to be signedcrypted, and the private keys of t signcryptors, and the identity ID _R of the ring signcryptor receiver, we can obtain In the (t,n) threshold ring signcryption C under the message m to be signed encrypted, (t,n) is the total number of members in the threshold ring signcryption is n, t is the threshold value, and the members who actually participate in the generation of the threshold ring signcryption Number ≥ t, this expression is used when expressing the threshold. The specific steps are:

令m∈G_T为待签密消息，该门限环签密者随机选取l₁,...,l_n∈Z_p，计算 $U_{i} = u^{'} \underset{{j &Element; Φ}_{{ID}_{i}}}{Π} {\hat{u}}_{j}, i = 1, . . ., n, R_{1} = σ_{16} g^{l_{1}}, . . ., R_{t} = σ_{t 6} g^{l_{t}}, R_{t + 1} = g^{l_{t + 1}}, . . ., R_{n} = g^{l_{n}} .$ 令 $σ_{1} = Π_{i = 1}^{t} σ_{i 1} \cdot m,$ $σ_{2} = Π_{i = 1}^{t} σ_{i 2}, σ_{3} = Π_{i = 1}^{t} σ_{i 3}, σ_{4} = Π_{i = 1}^{t} σ_{i 4} \cdot Π_{i = 1}^{n} {(U_{i})}^{l_{i}}, σ_{5} = Π_{i = 1}^{t} σ_{i 5},$ 则生成的门限环签密为C＝(σ₁,...σ₅,R₁,...R_n)；Let m∈G _T be the message to be signcrypted, the threshold ring signcryptor randomly selects l ₁ ,...,l _n ∈ Z _p , and calculates $u_{i} = u^{'} \underset{{j &Element; Φ}_{{ID}_{i}}}{Π} {\hat{u}}_{j}, i = 1, . . ., no, R_{1} = σ_{16} g^{l_{1}}, . . ., R_{t} = σ_{t 6} g^{l_{t}}, R_{t + 1} = g^{l_{t + 1}}, . . ., R_{no} = g^{l_{no}} .$ make $σ_{1} = Π_{i = 1}^{t} σ_{i 1} &Center Dot; m,$ $σ_{2} = Π_{i = 1}^{t} σ_{i 2}, σ_{3} = Π_{i = 1}^{t} σ_{i 3}, σ_{4} = Π_{i = 1}^{t} σ_{i 4} &Center Dot; Π_{i = 1}^{no} {(u_{i})}^{l_{i}}, σ_{5} = Π_{i = 1}^{t} σ_{i 5},$ Then the generated threshold ring signcryption is C=(σ ₁ ,...σ ₅ ,R ₁ ,...R _n );

S4、解签密：根据门限环签密和环签密接收者ID_R的私钥计算得到消息，将得到的消息带到公式 $e (σ_{4}, g) = e {(g_{1}, g_{2})}^{t} e (U_{1}, R_{1}) \cdot \cdot \cdot e (U_{n}, R_{n}) e (m^{'} \underset{i &Element; M}{Π} m_{i}, σ_{5})$ 中，当且仅当等式成立时，门限环签密有效，所得消息正确，否则所得门限环签密无效，所得消息错误。S4. Signcryption decryption: Calculate the message according to the threshold ring signcryption and the private key of the ring signcryption recipient ID _R , and bring the obtained message to the formula $e (σ_{4}, g) = e {(g_{1}, g_{2})}^{t} e (u_{1}, R_{1}) &Center Dot; &Center Dot; &Center Dot; e (u_{no}, R_{no}) e (m^{'} \underset{i &Element; m}{Π} m_{i}, σ_{5})$ In , if and only when the equation holds, the threshold ring signcryption is valid and the obtained message is correct, otherwise the threshold ring signcryption obtained is invalid and the obtained message is wrong.

优选的，所述步骤S3签密中获得私有秘密后进行下列步骤获得门限环签密：Preferably, after the private secret is obtained in the step S3 signcryption, the following steps are performed to obtain the threshold ring signcryption:

将消息代入式 $e (σ_{4}, g) = e {(g_{1}, g_{2})}^{t} e (U_{1}, R_{1}) \cdot \cdot \cdot e (U_{n}, R_{n}) e (m^{'} \underset{i &Element; M}{Π} m_{i}, σ_{5})$ 中，当且仅当等式成立时，门限环签密有效，所得消息正确，否则所得门限环签密无效，所得消息错误。Substitute the message into the formula $e (σ_{4}, g) = e {(g_{1}, g_{2})}^{t} e (u_{1}, R_{1}) &Center Dot; &Center Dot; &Center Dot; e (u_{no}, R_{no}) e (m^{'} \underset{i &Element; m}{Π} m_{i}, σ_{5})$ In , if and only when the equation holds, the threshold ring signcryption is valid and the obtained message is correct, otherwise the threshold ring signcryption obtained is invalid and the obtained message is wrong.

这里在进行验证时用到了M，对于这里的是n_m维向量，m_i就是集合M中相应序号在中所对应的元素。M is used here for verification, for here is an n _m- dimensional vector, m _i is the corresponding sequence number in the set M corresponding elements in .

本发明的不可区分性安全性证明如图2所示，具体实施步骤为：The indistinguishable security proof of the present invention is shown in Figure 2, and the specific implementation steps are:

1.假设敌手A能以不可忽略的优势攻击本方案，则能够构造算法B，B可以利用A解决DBDH问题。给定B一个DBDH问题的实例(g,g^a,g^b,g^c,h)，其的目标是判断是否h＝e(g,g)^abc，B模仿A的挑战者。1. Assuming that adversary A can attack this scheme with a non-negligible advantage, algorithm B can be constructed, and B can use A to solve the DBDH problem. Given B an instance of the DBDH problem (g, g ^a , g ^b , g ^c , h), its goal is to judge whether h = e(g, g) ^abc , and B imitates A's challenger.

2.算法B设定l_u＝2(q_e+q_s)、l_m＝2q_s，其中q_e是A私钥询问的次数，q_s是A签密询问的次数。随机选择k_u和k_m，满足0≤k_u≤n_u和0≤k_m≤n_m，并假定l_u(n_u+1)<p和l_m(n_m+1)<p。B选择及长度为n_u的向量X＝(x_i)，其中选择及长度为n_m的向量Z＝(z_k)，其中最后B选择y',w'∈_RZ_p，长度为n_u的向量Y＝(y_i)，长度为n_m的向量W＝(w_i)，其中y_i,w_i∈_RZ_p。对于L中的成员身份ID和消息m的位串u＝H_u(ID)和M＝H_m(L,m)，定义以下几个函数：2. Algorithm B sets l _u = 2(q _e + q _s ), l _m = 2q _s , where q _e is the number of A private key queries, and q _s is the number of A signcryption queries. Randomly select k _u and k _m , satisfying 0≤k _u ≤n _u and 0≤k _m ≤n _m , and assuming l _u (n _u +1)<p and l _m (n _m +1)<p. Choice B and a vector X=( _xi ) of length n _u , where choose and a vector Z=(z _k ) of length n _m , where Finally, B chooses y', w'∈ _R Z _p , the vector Y=(y _i ) with length n _u , and the vector W=(w _i ) with length n _m , where y _i , w _i ∈ _R Z _p . For the membership ID in L and the bit string u=H _u (ID) and M=H _m (L,m) of the message m, the following functions are defined:

$F f ((ID ID)) = = {x x}^{' '} + + \underset{i i &Element; &Element; Φ Φ}{Σ Σ} {x x}_{i i} - - {l l}_{u u} {k k}_{u u},, J J ((ID ID)) = = {y the y}^{' '} + + \underset{i i &Element; &Element; Φ Φ}{Σ Σ} {y the y}_{i i}$

$K K ((M m)) = = {z z}^{' '} + + \underset{i i &Element; &Element; M m}{Σ Σ} {z z}_{i i} - - {l l}_{m m} {k k}_{m m},, L L ((M m)) = = {w w}^{' '} + + \underset{i i &Element; &Element; M m}{Σ Σ} {w w}_{i i}$

算法B构造本发明方案中的公开参数如下：Algorithm B constructs the public parameters in the scheme of the present invention as follows:

g₁＝g^a，g₂＝g^b； $u^{'} = g_{2}^{{- l}_{u} k_{u} + x^{'}} g^{y^{'}}, u_{i} = g_{2}^{x_{i}} g^{y_{i}}, 1 \leq i \leq n_{u}; m^{'} = g_{2}^{- l_{m} k_{m} + z^{'}} g^{w^{'}}, m_{i} = g_{2}^{z_{i}} g^{w_{i}},$ $1 \leq i \leq n_{m};$ 然后算法B将公开参数发送给敌手A。g ₁ = g ^a , g ₂ = g ^b ; $u^{'} = g_{2}^{{- l}_{u} k_{u} + x^{'}} g^{{the y}^{'}}, u_{i} = g_{2}^{x_{i}} g^{{the y}_{i}}, 1 \leq i \leq {no}_{u}; m^{'} = g_{2}^{- l_{m} k_{m} + z^{'}} g^{w^{'}}, m_{i} = g_{2}^{z_{i}} g^{w_{i}},$ $1 \leq i \leq {no}_{m};$ Algorithm B then sends the public parameters to Adversary A.

3.在第一阶段，当敌手A发起一定数量的询问时，算法B进行如下响应：3. In the first stage, when adversary A initiates a certain number of queries, algorithm B responds as follows:

(1)私钥询问：当敌手A询问身份ID的私钥时，虽然算法B不知道主密钥，但假定F(ID)≠0 mod p，B也能够构造其私钥d_ID。B任选r_u∈Z_p并计算：(1) Private key query: When adversary A asks for the private key of ID, although algorithm B does not know the master key, assuming F(ID)≠0 mod p, B can also construct its private key d _ID . B choose r _u ∈ Z _p and calculate:

$d_{ID} = (d_{1}, d_{2}) = (g_{1}^{- J (ID) / F (ID)} {(u^{'} \underset{{i &Element; Φ}_{ID}}{Π} u_{i})}^{r_{u}}, g_{1}^{- 1 / F (ID)} g^{r_{u}}),$ 如果F(ID)＝0 mod p，上面的计算将无法进行，B将失败退出。 $d_{ID} = (d_{1}, d_{2}) = (g_{1}^{- J (ID) / f (ID)} {(u^{'} \underset{{i &Element; Φ}_{ID}}{Π} u_{i})}^{r_{u}}, g_{1}^{- 1 / f (ID)} g^{r_{u}}),$ If F(ID)=0 mod p, the above calculation cannot be performed, and B will fail and exit.

(2)签密询问：当敌手A询问环成员身份为L＝{ID₁,...,ID_n}，门限值为t(t<n)，消息为m，实际签密者为ID_i(i＝1,...t)以及环签密接收者为ID_R的门限环签密时，算法B首先计算M＝H_m(L,m)，然后按照如下步骤输出门限环签密：(2) Signcryption query: When the adversary A queries the member identity of the ring as L={ID ₁ ,...,ID _n }, the threshold value is t(t<n), the message is m, and the actual signcryptor is ID When _i (i=1,...t) and the recipient of the ring signcryption is the threshold ring signcryption of ID _R , algorithm B first calculates M=H _m (L,m), and then outputs the threshold ring signcryption according to the following steps :

①算法B随机选择s,a₀,a₁,...,a_t-1∈Z_p，构造次数为t-1的多项式f(x)＝a₀+a₁x+…+a_t-1x^t-1，其中s＝a₀。① Algorithm B randomly selects s,a ₀ ,a ₁ ,...,a _t-1 ∈ Z _p , and constructs a polynomial f(x)=a ₀ +a ₁ x+...+a t-1 with _{degree t-1} x ^t-1 , where s=a ₀ .

②假定对于实际签密者ID_i(i＝1,...t)，满足F(ID_i)≠0 mod p，则算法B按照私钥询问中的方法构造它们的私钥，计算各签密者ID_i(i＝1,...t)的私有秘密x_i＝f(i)，然后利用签密算法生成相应的门限环签密C。②Assuming that for the actual signcrypter ID _i (i=1,...t), F(ID _i )≠0 mod p is satisfied, then Algorithm B constructs their private keys according to the method in the private key query, and calculates the The private secret x _i =f(i) of the cryptographer ID _i (i=1,...t), and then use the signcryption algorithm to generate the corresponding threshold ring signcryption C.

③如果条件F(ID_i)≠0 mod p,i＝1,...t不成立，那么算法B也可以像在私钥询问中构造私钥的方法那样构造该门限环签密。假定K(M)≠0 mod p，算法B随机选择r,r₁,...,r_n,r_m∈Z_p，计算：③ If the condition F(ID _i )≠0 mod p, i=1,...t is not established, then the algorithm B can also construct the threshold ring signcryption like the method of constructing the private key in the private key query. Assuming K(M)≠0 mod p, Algorithm B randomly selects r,r ₁ ,...,r _n ,r _m ∈ Z _p , and calculates:

σ₁＝e(g₁,g₂)^r·m，σ₂＝g^r， $σ_{3} = {(u^{'} \underset{j {&Element; Φ}_{{ID}_{R}}}{Π} {\hat{u}}_{j})}^{r},$ $σ_{4} = (Π_{i = 1}^{n} {(U_{i})}^{r_{i}}) g_{1}^{- tL (M) / K (M)} {(m^{'} \underset{i &Element; M}{Π} m_{i})}^{r_{m}}, σ_{5} = g^{r_{m}}, R_{1} = g^{r_{1}}, . . ., R_{n} = g^{r_{n}},$ 其中如果K(M)＝0 mod p，上面的计算将无法进行，B将失败退出。σ ₁ =e(g ₁ ,g ₂ ) ^r m, σ ₂ =g ^r , $σ_{3} = {(u^{'} \underset{j {&Element; Φ}_{{ID}_{R}}}{Π} {\hat{u}}_{j})}^{r},$ $σ_{4} = (Π_{i = 1}^{no} {(u_{i})}^{r_{i}}) g_{1}^{- tL (m) / K (m)} {(m^{'} \underset{i &Element; m}{Π} m_{i})}^{r_{m}}, σ_{5} = g^{r_{m}}, R_{1} = g^{r_{1}}, . . ., R_{no} = g^{r_{no}},$ in If K(M)=0 mod p, the above calculation cannot be performed, and B will fail and exit.

(3)解签密询问：当敌手A发起在环成员列表L、环签密接收者身份为ID_R以及密文C下的解签密询问时，算法B首先运行私钥提取算法得到ID_R的私钥然后运行解签密算法，如果C是一个有效的密文，则输出m，否则，输出false。(3) Signcryption query: When adversary A initiates a signcryption query under the ring member list L, the ring signcryption receiver’s identity is ID _R , and the ciphertext C, algorithm B first runs the private key extraction algorithm to obtain ID _R private key of Then run the decryption signcryption algorithm, if C is a valid ciphertext, output m, otherwise, output false.

4.在挑战阶段，敌手A任取两个相同长度的消息m₀、m₁，并将环成员列表以及环签密接收者的身份发送给算法B。如果A在第一阶段询问了的私钥，则B将失败退出。B任选一位b∈{0,1}，如果K(M_b)≠0 mod p，那么B将失败退出。如果L^*中不存在t个身份ID^*，满足F(ID^*)≠0 mod p，那么B将失败退出；否则，为描述方便起见，不妨设这t个身份为B随机选取r,r₁,...,r_n,r_m∈Z_P，构造如下：4. In the challenge phase, adversary A randomly takes two messages m ₀ and m ₁ of the same length, and lists the ring members and the identity of the ring signcryption receiver sent to Algorithm B. If A asked in the first stage private key, B will fail and exit. B chooses one bit b∈{0,1}, if K(M _b )≠0 mod p, Then B will fail and exit. If there are no t identities ID ^* in L ^* , satisfying F(ID ^* ) ≠ 0 mod p, then B will fail to exit; otherwise, for the convenience of description, it is advisable to set the t identities as B randomly selects r,r ₁ ,...,r _n ,r _m ∈ Z _P , and the structure is as follows:

${σ σ}_{11}^{* *} = = h h \cdot \cdot {m m}_{b b},, {σ σ}_{22}^{* *} = = {g g}^{c c},, {σ σ}_{33}^{* *} = = {g g}^{cJ cJ (({ID ID}_{R R}^{* *}))} = = {(({u u}^{' '} \underset{{j j &Element; &Element; Φ Φ}_{{ID ID}_{R R}^{* *}}}{Π Π} {\overset{^^}{u u}}_{j j}))}^{c c},,$

${σ σ}_{44}^{* *} = = {Π Π}_{i i = = 11}^{t t} {g g}_{11}^{\frac{- - J J (({ID ID}_{i i}^{* *}))}{F f (({ID ID}_{i i}^{* *}))}} {(({g g}_{22}^{F f (({ID ID}_{i i}^{* *}))} {g g}^{J J (({ID ID}_{i i}^{* *}))}))}^{{r r}_{i i}} \cdot \cdot {Π Π}_{i i = = t t + + 11}^{n no} {(({g g}_{22}^{F f (({ID ID}_{i i}^{* *}))} {g g}^{J J (({ID ID}_{i i}^{* *}))}))}^{{r r}_{i i}} \cdot \cdot {g g}^{{r r}_{m m} L L (({M m}_{b b}))},, {σ σ}_{55}^{* *} = = {g g}^{{r r}_{m m}},,$

${R R}_{11}^{* *} = = {g g}^{{\overset{~ ~}{r r}}_{11}},, . . . . . .,, {R R}_{t t}^{* *} = = {g g}^{{\overset{~ ~}{r r}}_{t t}},, {R R}_{t t + + 11}^{* *} = = {g g}^{{r r}_{t t + + 11}},, . . . . . .,, {R R}_{n no}^{* *} = = {g g}^{{r r}_{n no}},,$

其中如果h＝e(g,g)^abc，可知C^*是一个有效的门限环签密。in If h=e(g,g) ^abc , it can be known that C ^* is an effective threshold ring signcryption.

5.在第二阶段，敌手A可以如同阶段1那样，发出一定数量的私钥询问、签密询问以及解密询问，但是A不能询问的私钥以及对C^*进行解签密询问。5. In the second stage, adversary A can issue a certain number of private key queries, signcryption queries, and decryption queries as in phase 1, but A cannot query The private key and the decryption signcryption query to C ^* .

6.在猜测阶段，敌手A输出对b的猜测b'。如果b＝b'，则B输出1，将h＝e(g,g)^abc作为DBDH问题的解；否则，B输出0，终止游戏。6. In the guessing phase, adversary A outputs a guess b' of b. If b=b', then B outputs 1, taking h=e(g,g) ^abc as the solution to the DBDH problem; otherwise, B outputs 0, and terminates the game.

因此，如果存在一个敌手能够以不可忽略的概率进行CCA2攻击，那么就存在一个有效的算法能够以不可忽略的概率解决DBDH问题，而这与DBDH是一个困难问题相矛盾，故方案是IND-IDTRSC-CCA2安全的。Therefore, if there exists an adversary that can attack CCA2 with non-negligible probability, then there exists an efficient algorithm that can solve DBDH with non-negligible probability, and this contradicts that DBDH is a hard problem, so the solution is IND-IDTRSC -CCA2 safe.

本发明的存在不可伪造性安全性证明如图3所示，具体实施步骤为：The proof of the unforgeable security of the present invention is shown in Figure 3, and the specific implementation steps are:

1.假设伪造者A能以不可忽略的优势攻击本方案，则能够构造算法B，B可以利用A解决CDH问题。给定B一个CDH问题的实例(g,g^a,g^b)，其目标是计算出g^ab，B模仿A的挑战者。1. Assuming that counterfeiter A can attack this scheme with a non-negligible advantage, he can construct algorithm B, and B can use A to solve the CDH problem. Given B an instance of a CDH problem (g, g ^a , g ^b ), the goal is to compute g ^ab , where B imitates A's challenger.

2.算法B构造与前面证明中相同的系统公开参数，然后将其发送给敌手A。2. Algorithm B constructs the same system public parameters as in the previous proof, and then sends it to adversary A.

3.敌手A可如同前面证明中那样，适应性地发起一定数量的私钥询问、签密询问以及解签密询问。3. Adversary A can adaptively initiate a certain number of private key queries, signcryption queries, and signcryption decryption queries as in the previous proof.

4.在伪造阶段，敌手A输出在环成员列表门限值t、消息m^*以及环签密接收者身份为下的伪造门限环签密C^*。如果在整个过程中算法B没有失败退出，那么算法B检查下列条件是否成立：4. In the forgery stage, the adversary A outputs the list of members in the ring The threshold t, the message m ^* and the identity of the receiver of the ring signcryption are Forged Threshold Ring Signcryption under C ^* . If Algorithm B does not fail to exit during the entire process, Algorithm B checks whether the following conditions hold:

①对于所有的i∈(1,...,n)都成立；① It is true for all i∈(1,...,n);

②K(M^*)＝0 mod p，其中M^*＝H_m(L,m^*)。②K(M ^* )＝0 mod p, where M ^* ＝ _Hm (L,m ^* ).

如果上述条件不同时成立，那么算法B将失败退出；否则，B可计算 ${(\frac{σ_{4}^{*}}{{R_{1}}^{J ({ID}_{l}^{*})} \cdot \cdot \cdot {R_{n}}^{J ({ID}_{n}^{*})} {R_{m}}^{L (M^{*})}})}^{1 / t} = {(\frac{g_{2}^{ta} {(u^{'} \underset{{i &Element; Φ}_{{ID}_{i}^{*}}}{Π} u_{i})}^{r_{1}} \cdot \cdot \cdot {(u^{'} \underset{{i &Element; Φ}_{{ID}_{n}^{*}}}{Π} u_{i})}^{r_{i}} {(m^{'} \underset{k &Element; M}{Π} m_{j})}^{r_{m}}}{g^{J ({ID}_{1}^{*}) r_{1}} \cdot \cdot \cdot g^{J ({ID}_{n}^{*}) r_{n}} g^{L (M^{*}) r_{m}}})}^{1 / t} = {(g_{2}^{ta})}^{1 / t} = g_{2}^{a} = g^{ab}$ If the above conditions are not satisfied at the same time, then algorithm B will fail and exit; otherwise, B can calculate ${(\frac{σ_{4}^{*}}{{R_{1}}^{J ({ID}_{l}^{*})} \cdot &Center Dot; &Center Dot; {R_{no}}^{J ({ID}_{no}^{*})} {R_{m}}^{L (m^{*})}})}^{1 / t} = {(\frac{g_{2}^{ta} {(u^{'} \underset{{i &Element; Φ}_{{ID}_{i}^{*}}}{Π} u_{i})}^{r_{1}} \cdot &Center Dot; \cdot {(u^{'} \underset{{i &Element; Φ}_{{ID}_{no}^{*}}}{Π} u_{i})}^{r_{i}} {(m^{'} \underset{k &Element; m}{Π} m_{j})}^{r_{m}}}{g^{J ({ID}_{1}^{*}) r_{1}} \cdot \cdot \cdot g^{J ({ID}_{no}^{*}) r_{no}} g^{L (m^{*}) r_{m}}})}^{1 / t} = {(g_{2}^{ta})}^{1 / t} = g_{2}^{a} = g^{ab}$

这就是CDH问题的解。This is the solution to the CDH problem.

因此，如果存在一个敌手能够以不可忽略的概率伪造一个有效的门限环签密，那么就存在一个算法能够以不可忽略的概率解决CDH问题，而这与CDH问题是一个困难问题相矛盾，故方案是EUF-IDTRSC-CMIA安全的。Therefore, if there exists an adversary who can forge a valid threshold-ring signcryption with non-negligible probability, then there exists an algorithm that can solve the CDH problem with non-negligible probability, which contradicts that the CDH problem is a hard problem, so the scheme is EUF-IDTRSC-CMIA safe.

综上所述，依照本发明实现了在标准模型下构造基于身份门限环签密方案的新途径和新方法，并且通过具体的方案安全性证明表明了方案的安全可靠性，该方法的实现不仅具有理论意义，同时也具有现实意义。In summary, according to the present invention, a new approach and new method for constructing an identity-threshold ring signcryption scheme based on a standard model has been realized, and the security reliability of the scheme has been shown through specific scheme security proofs. The realization of the method not only It has both theoretical and practical significance.

由上可见，本发明是在标准模型下构造的，该方法通过实验证明具有不可区分性和不可伪造性，因此本方法相对于在随机预言模型下设计的方案而言，具有更好的安全性。It can be seen from the above that the present invention is constructed under the standard model, and the method is proved to be indistinguishable and unforgeable through experiments, so this method has better security than the scheme designed under the random oracle model .

以上所述仅是本发明的优选实施方式，应当指出，对于本技术领域的普通技术人员来说，在不脱离本发明原理的前提下，还可以做出若干改进和润饰，这些改进和润饰也应视为本发明的保护范围。The above is only a preferred embodiment of the present invention, it should be pointed out that for those skilled in the art, without departing from the principle of the present invention, some improvements and modifications can also be made, and these improvements and modifications are also It should be regarded as the protection scope of the present invention.

Claims

1. a threshold ring signcryption method based on identity, it is characterized in that: comprise the following steps:

(1) System establishment: randomly select parameters, generate system parameters and corresponding master keys, where system parameters are public parameters, and the specific steps are:

Let G, G _T be a cyclic group whose order is a prime number p, e: G×G→G _T is a bilinear map, two collision-free hash functions and Output the identity ID and message m of any length into bit strings with lengths n _u and n _m respectively;

A trusted third party randomly selects parameters α∈Z _p , generator g∈G, and calculates g ₁ =g ^a ; randomly selects parameters g ₂ , u',m'∈G, n _u- dimensional vector n _m- dimensional vector where u _i ,m _i ∈ _R G, then the system parameters are

param = (G, G_{T}, e, g, g_{1}, g_{2}, u^{'}, \hat{u}, m^{'}, \hat{m}, h_{u}, h_{m}),

The master key is

msk = g_{2}^{a};

(2) Private key extraction: input the system parameters, master key and user identity, and obtain the private key of the user identity. The specific steps are:

Given a user ID, a bit string representing the user identity with a length of n _u is obtained by calculating the hash function u=H _u (ID), let u[i] represent the i-th bit in the bit string, and define the bit string in the bit string The serial number set Φ _ID whose value is 1;

Randomly select the parameter r _u ∈ Z _p , and calculate the private key whose user identity is ID

{d d}_{ID ID} = = (({d d}_{11},, {d d}_{22})) = = (({g g}_{22}^{α α} {(({u u}^{' '} \underset{i i &Element; &Element; {Φ Φ}_{ID ID}}{Π Π} {u u}_{i i}))}^{{r r}_{u u}},, {g g}^{{r r}_{u u}}));;

(3) Signcryption: Given a set L of n members in the threshold ring signcryption = {ID ₁ ,...,ID _n }, the identities of the t signcryptors who actually perform signcryption are subscripted as {1, 2,...,t}, the message to be signed encrypted m, the identity ID _R of the sign encrypted receiver, the specific steps of sign encrypted are:

Each signcrypter ID _i (i=1 _, ...,t) randomly selects its sub-secret s _i ∈ Z _p , and constructs a t-1 degree polynomial f _i (x)=a _i,0 + a _i,1 x+…+a _i,t-1 x ^t-1 , where s _i =a _i,0 ; then the signcrypter ID _i calculates the public parameters Where d=0,1,...,t-1, and broadcast to other signcryptors;

Calculate the secret share si _,j =f i (j) of other signcryptor ID _j (j=1,2,..,t; _j ≠i), and send them to other signcryptor ID _j ( j＝1,2,..,t; j≠i), keep s _i,i ＝f _i (i);

After each other signcryptor ID _j (j=1,2,...,t; j≠i) obtains the secret share si _,j from the i-th signcryptor ID _i , use the following equation to verify its validity: After confirming that the secret sharing is valid, each signcryptor ID _i calculates its private secret according to the secret sharing as

According to the ring member identity list L={ID ₁ ,...,ID _n }, t signcryptors, the message m to be signedcrypted, and the private keys of t signcryptors, and the identity ID _R of the ring signcryptor receiver, we can obtain In the (t, n) threshold ring signcryption C under the message m to be signed encrypted, (t, n) indicates that the total number of members in the threshold ring signcryption is n, t is the threshold value, and the members who actually participate in generating the threshold ring signcryption Number ≥ t, the specific steps are:

Let m∈G _T be the message to be signcrypted, the threshold ring signcryptor randomly selects l ₁ ,...,l _n ∈ Z _p , and calculates

u_{i} = u^{'} \underset{j &Element; Φ_{{ID}_{i}}}{Π} {\hat{u}}_{j},

i=1,...,n,

R_{1} = σ_{16} g^{l_{1}}, . . ., R_{t} = σ_{t 6} g^{l_{t}}, R_{t + 1} = g^{l_{t + 1}}, . . ., R_{no} = g^{l_{no}};

make

σ_{1} = Π_{i = 1}^{t} σ_{i 1} \cdot m,

σ_{2} = Π_{i = 1}^{t} σ_{i 2},

σ_{3} = Π_{i = 1}^{t} σ_{i 3},

σ_{4} = Π_{i = 1}^{t} σ_{i 4} \cdot Π_{i = 1}^{no} {(u_{i})}^{l_{i}},

σ_{5} = Π_{i = 1}^{t} σ_{i 5},

Then the generated threshold ring signcryption is C=(σ ₁ ,...σ ₅ ,R ₁ ,...R _n );

(4) Signcryption decryption: Calculate the message according to the threshold ring signcryption and the private key of the ring signcryption recipient ID _R , and bring the obtained message to the formula

e (σ_{4}, g) = e {(g_{1}, g_{2})}^{t} e (u_{1}, R_{1}) &Center Dot; &Center Dot; &Center Dot; e (u_{no}, R_{no}) e (m^{'} \underset{i &Element; m}{Π} m_{i}, σ_{5})

, if and only when the equation holds, the threshold ring signcryption is valid and the obtained message is correct, otherwise the obtained threshold ring signcryption is invalid and the obtained message is wrong, return to step (1);

After the private secret is obtained in the step (3) signcryption, the following steps are performed to obtain the threshold ring signcryption:

For i∈{1,2,...,t}, let the private key of each signcrypter ID _i be (d _i1 ,d _i2 ), calculate M=H _m (L,m), let is the set of sequence number k with M[k]=1 in the bit string of message m, randomly select r _i ∈ Z _p , and calculate partial threshold ring signcryption

σ_{i 1} = e {(g_{1}, g_{2})}^{r_{i}},

σ_{i 2} = r^{r_{i}}, σ_{i 3} = {(u^{'} \underset{j &Element; Φ_{{ID}_{R}}}{Π} {\hat{u}}_{j})}^{r_{i}},

σ_{i 4} = d_{i 1} {(m^{'} \underset{i &Element; m}{Π} {\hat{m}}_{i})}^{x_{i} η_{i}},

σ_{i 5} = g^{x_{i} η_{i}},

σ _i6 ＝d _i2 , and send (σ _i1 ,σ _i2 ,σ _i3 ,σ _i4 ,σ _i5 ,σ _i6 ) to any one of the t signcryptors to generate threshold ring signcryption, where is the Lagrange coefficient.

2. The identity-based threshold ring signcryption method according to claim 1, characterized in that: the concrete steps of deciphering the signcryption are as follows:

After receiving the threshold ring signcryption, the recipient of the threshold ring signcryption uses its private key to first calculate the message m to be signedcrypted, m=σ ₁ ·e(d _R2 ,σ ₃ )·e(d _R1 ,σ ₂ ) ^-1 , and then calculate the bit string of the message to be signed encrypted with a length of n _m through the hash function, and define the serial number set M whose value is 1 in the bit string;

Substitute the message into the formula

e (σ_{4}, g) = e {(g_{1}, g_{2})}^{t} e (u_{1}, R_{1}) &Center Dot; &Center Dot; &Center Dot; e (u_{no}, R_{no}) e (m^{'} \underset{i &Element; m}{Π} m_{i}, σ_{5})

In , if and only when the equation holds, the threshold ring signcryption is valid and the obtained message is correct, otherwise the threshold ring signcryption obtained is invalid and the obtained message is wrong.