CN103368741B - The multi-receiver label decryption method of participant's identity anonymous - Google Patents

Abstract

The invention discloses the multi-receiver label decryption method of a kind of participant's identity anonymous, for solving the technical problem of existing multi-receiver label decryption method poor stability.Technical scheme is, (1) sender signs close.Sender ID_sChoose n authorized receiver ID₁,ID₂,...,ID_n, set up authorized receiver identity information list L={ID₁,ID₂,...,ID_n, sign ciphertext C=＜ Y, X, U, σ, W, T, J ＞ by structure, and close for label ciphertext C is broadcasted, complete to sign close operation.(2) recipient's deciphering.Recipient ID_iFirst h '=H is calculated according to the element signed in ciphertext C₄(σ, X, U, T, J), then judges equation e (W, P)=e (X+h ' Y, P_pub) whether set up, utilize symmetrical decipherment algorithm D_k() message cipher text σ is decrypted and obtains clear-text message M=D_K(σ), decrypting process is completed.Owing to sender realizes sender anonymity by the pseudo-PKI of structure, use lagrange-interpolation that the identity information of all authorized receivers merges the identity anonymous realizing authorized receiver to non authorized recipients simultaneously, improve the safety of multi-receiver label decryption method.

Description

The multi-receiver label decryption method of participant's identity anonymous

Technical field

The present invention relates to a kind of multi-receiver label decryption method, particularly to the multi-receiver label of a kind of participant's identity anonymous Decryption method.

Background technology

In distributed network application (such as Web conference, roundtable conference and pay TV), in order to protect communication system In all participant's privacy of identities of conversating, and guarantee that session content only correctly can be deciphered with authorized user, rather than Authorized user cannot correctly decipher, and needs secure broadcast technology as support.Secure broadcast is to realize a sender to multiple Authorized receiver sends safely the technology of identical message, it is possible to realize the demand for security of above-mentioned network application.

Document " Anonymous ID Based Signcryption Scheme for Multiple Receivers, Cryptology ePrint Archive.Report2009/345 " disclose the connecing of sender anonymity of a kind of identity-based more Receipts person signs decryption method, having main steps that of the method: first, and user's (including sender and recipient) is with the identity information of self Registering to trusted third party TTP (Trusted Third Party), TTP is that each registration user calculates PKI and private Key, and the PKI of user is open, corresponding private key secret is distributed to each user；When signing close, sender randomly chooses Some registered subscriber identity informations also constitute an identity of the sender information aggregate together with self-identity information, with oneself Private key, the identity of the sender information aggregate of structure, the identity information of authorized receiver and message to be sent calculate Thus obtain ciphertext, and ciphertext is broadcasted；During deciphering, recipient first checks the authorized receiver in ciphertext after receiving ciphertext Identity information list, if oneself is not authorized receiver, is not decrypted；If oneself being authorized receiver, then with certainly Oneself private key is verified the identity of sender and is decrypted.But there are some defects in the program: first, although sender passes through Self-identity information is hidden in identity of the sender information aggregate and realizes the method that identity of the sender is anonymous, but such Method can not stop assailant to use the identity of the sender information aggregate employing cross validation's attack in multiple ciphertexts and collusion The method attacked reduces the conjecture scope to identity of the sender, even can directly obtain transmission when conjecture scope is sufficiently small Person's identity；Secondly, in the scheme that the document proposes, comprise the identity information set of all authorized receivers in ciphertext, i.e. appoint What receives the identity information that the recipient of this ciphertext can know the authorized receiver of this message, thus it cannot be guaranteed that connects The identity anonymous of receipts person (includes that authorized receiver is to the body between identity anonymous and the authorized receiver of non authorized recipients Part is anonymous).

Summary of the invention

In order to overcome the deficiency of existing multi-receiver label decryption method poor stability, the present invention provides a kind of participant's identity Anonymous multi-receiver label decryption method.The sender of the method constructs one according to oneself PKI when each broadcast communication Pseudo-PKI communicates, and can inquire the identity of the sender information of its correspondence owing to assailant passes through PKI, thus pseudo-public The true identity of sender can be stashed by the use of key, such that it is able to realize sender anonymity；Sender is signing close disappearing Lagrange's interpolation technology is used to be merged by the identity information of all authorized receivers as sign ciphertext one during breath Part, thus in signing ciphertext, the most directly expose the identity information list of sender, and then authorized receiver couple can be realized The identity anonymous of non authorized recipients；Meanwhile, can not be by signing the relation meter between ciphertext element between authorized receiver Calculate the identity information of the other side, such that it is able to the identity anonymous realized between authorized receiver.When preventing broadcast communication potential The identity information leakage problem of participant, protect the privacy of communication parties, improve the peace of multi-receiver label decryption method Quan Xing.

The technical solution adopted for the present invention to solve the technical problems: the multi-receiver label of a kind of participant's identity anonymous are close Method, is characterized in comprising the following steps:

(1) the close process of the label of sender；

Sender ID_sTo the label of clear-text message M close time,

(1a) sender ID_sChoose n authorized receiver ID₁,ID₂,...,ID_n, set up authorized receiver's identity information row Table L={ID₁,ID₂,...,ID_n, wherein n is the integer more than zero；

(1b) sender ID_sChoose random number r ∈ Z_q ^*, calculate the pseudo-PKI Y=rQ of sender_s, wherein Q_sFor sender ID_s PKI, Z_q ^*For non-zero multiplicative group based on prime number q；

(1c) for each authorized receiver ID_i, wherein i=1,2 ..., n, sender ID_sEvaluation x_i=H₂(ID_i) With numerical value y_i=α_i(Q_i+P₁), then, utilize lagrange-interpolation to construct polynomial function f_iX () is as follows:

$f_i\left(x\right)=\underset{1\≤l\≠j\≤n}{\mathrm{\Π}}\frac{{x-x}_j}{x_l-x_j}=a_{i,1}+a_{i,2}x+...+a_{i,n}{x}^{n-1}$

Wherein, x is polynomial function f_iThe independent variable of (x)；

Then, sender ID_sIt is calculated as follows information:

$T_i=\underset{j=1}{\overset{n}{\mathrm{\Σ}}}{a}_{j,i}{y}_j$

$J_i=\underset{j=1}{\overset{n}{\mathrm{\Σ}}}{a}_{j,i}{J^{\text{'}}}_j$

Wherein, H₂For password one-way Hash function, Q_iFor authorized receiver ID_iPKI, P₁For sender ID_sFrom group G₁In The element arbitrarily chosen, a_i,jIt is polynomial function f_iThe coefficient of (x) and i ≠ j, i=1,2 ..., n, j=1,2 ..., n, J_i ^′=α α_i ^-1P_pub, α_iFor sender ID_sThe positive integer randomly choosed,

(1d) construction set T={T₁,T₂,...,T_nAnd set J={J₁,J₂,...,J_n}；

(1e) sender ID_sEvaluation U=α P, and utilize sender ID_sPseudo-PKI Y evaluation X=α Y and key K =H₃(e(P_pub,P₁)^α), wherein, H₃For password one-way Hash function, e is bilinear map, P_pubFor system Your Majesty's key；

(1f) sender ID_sUtilize symmetric encipherment algorithm E_kClear-text message M is encrypted by (), obtains message ciphertext σ=E_K (M)；

(1g) sender ID_sCalculate h=H₄(σ, X, U, T, J), then, calculates signing messages W=(α+h) rD_s, wherein D_s For sender ID_sPrivate key, H₄For password one-way Hash function.

(1h) sender ID_sStructure signs ciphertext C=＜ Y, X, U, σ, W, T, J ＞, and close for label ciphertext C is broadcasted, Complete to sign close operation；

(2) decrypting process of recipient；

Recipient ID_i, wherein i=1,2 ..., n, to sign ciphertext C deciphering time,

(2a) recipient ID_iFirst according to element σ, X, U, T, the J signed in ciphertext C, h '=H is calculated₄(σ, X, U, T, J), Then equation e (W, P)=e (X+h ' Y, P is judged_pub) whether set up, wherein, W, X, Y are to sign the element in ciphertext C, P and P_pub For the open parameter of system, e is bilinear map；

If equation is false, then ciphertext C is signed in explanation is invalid or recipient ID_iIt not authorized receiver, at this moment, Recipient ID_iExit decrypting process；If equation is set up, then signing ciphertext C is effective and recipient ID_iIt is authorized receiver, Then, recipient ID_iContinue executing with procedure below；

(2b) recipient ID_iEvaluation x_i=H₂(ID_i), then utilize the element T signed in ciphertext C and J to calculate middle Parameter ${\mathrm{\η}}_i=T_1+x_i{T}_2+...+\left(X_i^{n-1}\mathrm{mod}q\right)T_n$ With ${\mathrm{\τ}}_i=J_1+x_i{J}_2+...+\left(x_i^{n-1}\mathrm{mod}q\right)J_n;$

(2c) recipient ID_iUse the element U and intermediate parameters η signed in ciphertext C_iAnd τ_iEvaluation ω=e (τ_i, η_i)e(U,D_i)^-1, wherein D_iFor recipient ID_iPrivate key, then, computation key K=H₃(ω)；

(2d) recipient ID_iUtilize symmetrical decipherment algorithm D_k() message cipher text σ is decrypted and obtains clear-text message M=D_K (σ), decrypting process is completed.

The invention has the beneficial effects as follows: due to the sender of the method when each broadcast communication all according to the PKI of oneself Construct a pseudo-PKI to communicate, the identity of the sender information of its correspondence can be inquired owing to assailant passes through PKI, So the true identity of sender can be stashed by the use of pseudo-PKI, it is achieved thereby that sender anonymity；Sender exists Lagrange's interpolation technology is used to be merged by the identity information of all authorized receivers as signing when signing close message close A part for literary composition, thus in signing ciphertext, the most directly expose the identity information list of sender, and then achieve mandate reception Person's identity anonymous to non authorized recipients；Can not calculate by signing the relation between ciphertext element between authorized receiver Go out the identity information of the other side, it is achieved thereby that the identity anonymous between authorized receiver.Ginseng potential when preventing broadcast communication With the identity information leakage problem of person, protect the privacy of communication parties, improve the safety of multi-receiver label decryption method.

With embodiment, the present invention is elaborated below in conjunction with the accompanying drawings.

Accompanying drawing explanation

Fig. 1 is the flow chart of the multi-receiver label decryption method of participant's identity anonymous of the present invention.

Detailed description of the invention

The present invention is described in detail with reference to Fig. 1.

Explanation of nouns.

TTP: trusted third party, is often taken on by key generation centre, is responsible for producing the private key of sender and recipient；

Z: the security of system parameter that trusted third party TTP chooses；

Q: the Big prime that trusted third party TTP chooses, meets q > 2^z；

G₁: the q rank addition cyclic group that trusted third party TTP chooses；

G₂: the q factorial method cyclic group that trusted third party TTP chooses；

E: the G that trusted third party TTP chooses₁And G₂On bilinear map, i.e. e:G₁×G₁→G₂；

A → B: the mapping of definition territory A to codomain B；

P:G₁On generation unit, trusted third party TTP randomly select；

S: system master key, is randomly selected by trusted third party TTP；

Z_q ^*: non-zero multiplicative group based on prime number q；

P_pub: system Your Majesty's key, P_pub=sP；

H_i: password one-way Hash function, wherein i=1,2,3,4；

{0,1}^*: the string that arbitrarily long " 0 " or " 1 " is constituted；

M: clear-text message；

The length of | M |: clear-text message M；

E_k(): symmetric encipherment algorithm, wherein k is key；

E_k(m): utilize symmetric encipherment algorithm E_kMessage m is encrypted by ()；

D_k(): symmetrical decipherment algorithm, with symmetric encipherment algorithm E_k() is corresponding, and wherein k is key；

D_k(c): utilize symmetrical decipherment algorithm D_kCiphertext c is decrypted by ()；

The open parameter of params: system；

ID: subscriber identity information, user includes sender and recipient；

ID_s: the identity information of sender；

Q_s: sender ID_sPKI, Q_s=H₁(ID_s)；

D_s: sender ID_sPrivate key, D_s=sQ_s；

Y: sender ID_sPseudo-PKI；

The number of n: authorized receiver；

ID_i: the identity information of authorized receiver i, wherein i=1,2 ..., n；

Q_i: authorized receiver ID_iPKI, Q_i=H₁(ID_i), wherein i=1,2 ..., n；

D_i: authorized receiver ID_iPrivate key, D_i=sQ_i, wherein i=1,2 ..., n；

L: authorized receiver's identity information list；

P₁: the element arbitrarily chosen from group G1；

f_i(x): utilizing the polynomial function that Lagrange's interpolation constructs, wherein x is independent variable, i=1,2 ..., n；

A mod q: represent that A is divided by the remainder after q；

σ: message ciphertext；

C: sign ciphertext；

<a, b ..., c>: by element a, b ..., the sequential element set that c is constituted；

Specific implementation method is as follows:

Step 1, system is set up.

Key generation centre chooses Big prime q, wherein a q according to security parameter z > 2^z, the addition on one q rank of structure follows Ring group G₁With q factorial method cyclic group G₂；Construct a bilinear map e:G₁×G₁→G₂；From group G₁On randomly select generation Unit P, and randomly select system master key s ∈ Z_q ^*, calculate corresponding system Your Majesty key P_pub=sP；Construct 4 password one-way hash functions Function, is designated as: H₁: { 0,1}^*→G₁；H₂: { 0,1}^*→Z_q ^*；H₃: G₂→{0,1}^|M|；H₄: { 0,1}^|M|×G₁ ⁿ⁺³→Z_q ^*；Choose Symmetric encipherment algorithm E_k() and symmetrical decipherment algorithm D_k(), wherein k is key；

Key generation centre structure public address system parameter params, params building method is:

params=<G₁,G₂,q,e,P,P_pub,H₁,H₂,H₃,H₄,E_k(),D_k()>

Meanwhile, key generation centre safe storage system master key s.

Step 2, user registers.

User submits identity information ID ∈ { 0,1} to key generation centre^*, key generation centre is according to systematic parameter Params, system master key s and subscriber identity information ID ∈ { 0,1}^*Calculate the PKI Q of user_ID=H₁(ID), the private key of user D_ID=sQ_ID, externally announce the PKI of this user and the private key of user be sent to user safely.

Step 3, sender signs close.

Sender ID_sChoose n authorized receiver ID₁,ID₂,...,ID_n, wherein n be integer and n more than 0, structure authorizes Recipient identity information list L={ID₁,ID₂,...,ID_n}；Sender ID_sAs follows to the close process of label of clear-text message M:

Sender ID_sChoose random number r ∈ Z_q ^*, calculate the pseudo-PKI Y=rQ of sender_s, wherein Q_sFor sender ID_sPublic affairs Key；

Sender ID_sFrom group G₁In randomly select the element P of₁, for each authorized receiver ID_i, i=1, 2 ..., n, sender ID_sChoose random number α_i∈Z_q ^*, evaluation x_i=H₂(ID_i) and numerical value y_i=α_i(Q_i+P₁), utilize glug Bright day interpolation method structure n-1 order polynomial function f_i(x):

$f_i\left(x\right)=\underset{1\&le;l\&NotEqual;j\&le;n}{\mathrm{\&Pi;}}\frac{{x-x}_j}{x_l-x_j}=a_{i,1}+a_{i,2}x+...+a_{i,n}{x}^{n-1}$

Wherein, x is polynomial function f_iThe independent variable of (x)；

Then, sender ID_sIt is calculated as follows information:

$T_i=\underset{j=1}{\overset{n}{\mathrm{\&Sigma;}}}{a}_{j,i}{y}_j$

$J_i=\underset{j=1}{\overset{n}{\mathrm{\&Sigma;}}}{a}_{j,i}{J^{\text{'}}}_j$

Wherein, H₂For password one-way Hash function, Q_iFor authorized receiver ID_iPKI, a_i,jIt is polynomial function f_i(x) Coefficient and i ≠ j, i=1,2 ..., n, j=1,2 ..., n, J_i ^′=α α_i ^-1P_pub,α_iFor sender ID_sRandomly choose Positive integer；

Sender ID_sEvaluation U=α P, and utilize sender ID_sPseudo-PKI Y evaluation X=α Y, then, utilize double Linearly to and password one-way Hash function H₃Computation key K=H₃(ω), wherein ω=e (P_pub,P₁)^α；Symmetric cryptography is utilized to calculate Method E_kClear-text message M is encrypted and obtains message ciphertext σ=E by ()_K(M)；

Sender ID_sCalculate h=H₄(σ, X, U, T, J), then, calculates signing messages W=(α+h) rD_s, wherein D_sFor sending out The person of sending ID_sPrivate key, H₄For password one-way Hash function；

Sender ID_sIt is C=＜ Y, X, U, σ, W, T, J ＞ that structure signs ciphertext, and close for label ciphertext C is broadcasted.

Step 4, recipient deciphers.

Recipient ID_i, wherein i=1,2 ..., n, as follows to the decrypting process signing ciphertext C:

First according to signing ciphertext C calculating h '=H₄(σ, X, U, T, J), then according to element X, Y, the W signed in ciphertext C Parameter P open with system and P_pubJudge equation e (W, P)=e (X+h'Y, P_pub) whether set up；

If equation is false, then ciphertext C is signed in explanation is invalid or recipient ID_iIt not authorized receiver, at this moment, Recipient ID_iExiting decrypting process, if setting up, then signing ciphertext C is effective and recipient ID_iIt is authorized receiver, continues Perform procedure below；

Recipient ID_iUtilize password one-way Hash function H₂Evaluation x_i=H₂(ID_i), utilize numerical value x_iWith label ciphertext C In set T and J calculate intermediate parameters η_i=T₁+x_iT₂+...+(x_i ^n-1modq)T_nAnd τ_i=J₁+x_iJ₂+...+(x_i ^n-1modq) J_n；

Recipient ID_iUse the element U and parameter η signed in ciphertext C_iAnd τ_iEvaluation ω=e (τ_i,η_i)e(U, D_i ^-1) then computation key K=H₃(ω)；Finally utilize the decipherment algorithm D in systematic parameter_k() message cipher text σ is decrypted Obtain message plaintext M=D_K(σ), decrypting process is completed.

Claims (1)

1. the multi-receiver label decryption method of participant's identity anonymous, it is characterised in that comprise the following steps:

Key generation centre chooses Big prime q, wherein a q according to security parameter z > 2^z, the addition cyclic group on one q rank of structure G₁With q factorial method cyclic group G₂；Construct a bilinear map e:G₁×G₁→G₂；From group G₁On randomly select generation unit P, And randomly select system master key s ∈ Z_q ^*, calculate corresponding system Your Majesty key P_pub=sP；Construct 4 password one-way hash function letters Number, is designated as: H₁: { 0,1}^*→G₁；H₂: { 0,1}^*→Z_q ^*；H₃: G₂→{0,1}^|M|；H₄: { 0,1}^|M|×G₁ ⁿ⁺³→Z_q ^*, wherein, | M | it is the length of clear-text message M, { 0,1}^*It is arbitrarily long 0 or 1 string constituted, { 0,1}^|M|It it is the string of 0 or 1 long for | M | composition； Choose symmetric encipherment algorithm E_k() and symmetrical decipherment algorithm D_k(), wherein k is key；

(1) the close process of the label of sender；

Sender ID_sTo the label of clear-text message M close time,

(1a) sender ID_sChoose n authorized receiver ID₁,ID₂,...,ID_n, set up authorized receiver identity information list L= {ID₁,ID₂,...,ID_n, wherein n is the integer more than zero；

(1b) sender ID_sChoose random number r ∈ Z_q ^*, calculate the pseudo-PKI Y=rQ of sender_s, wherein Q_sFor sender ID_s's PKI, Z_q ^*For non-zero multiplicative group based on prime number q；

(1c) for each authorized receiver ID_i, wherein i=1,2 ..., n, sender ID_sEvaluation x_i=H₂(ID_i) and Numerical value y_i= _i(Q_i+P₁), then, utilize lagrange-interpolation to construct polynomial function f_iX () is as follows:

Wherein, x is polynomial function f_iThe independent variable of (x)；

Then, sender ID_sIt is calculated as follows information:

Wherein, H₂For password one-way Hash function, Q_iFor authorized receiver ID_iPKI, P₁For sender ID_sFrom group G₁In arbitrarily The element chosen, a_i,jIt is polynomial function f_iThe coefficient of (x) and i ≠ j, i=1,2 ..., n, j=1,2 ..., n, _iFor sender ID_sThe positive integer randomly choosed,

(1d) construction set T={T₁,T₂,...,T_nAnd set J={J₁,J₂,...,J_n}；

(1e) sender ID_sEvaluation U=P, and utilize sender ID_sPseudo-PKI Y evaluation X=Y and key K= H₃(e(P_pub,P₁)), wherein, H₃For password one-way Hash function, e is bilinear map, P_pubFor system Your Majesty's key；

(1f) sender ID_sUtilize symmetric encipherment algorithm E_kClear-text message M is encrypted by (), obtains message ciphertext σ=E_K (M)；

(1g) sender ID_sCalculate h=H₄(σ, X, U, T, J), then, calculating signing messages W=(+h)rD_s, wherein D_sFor sending out The person of sending ID_sPrivate key, H₄For password one-way Hash function；

(1h) sender ID_sStructure signs ciphertext C=＜ Y, X, U, σ, W, T, J ＞, and close for label ciphertext C is broadcasted, and completes to sign Close operation；

(2) decrypting process of recipient；

Recipient ID_i, wherein i=1,2 ..., n, to sign ciphertext C deciphering time,

(2a) recipient ID_iFirst according to element σ, X, U, T, the J signed in ciphertext C, h '=H is calculated₄(σ, X, U, T, J), then Judge equation e (W, P)=e (X+h ' Y, P_pub) whether set up, wherein, W, X, Y are to sign the element in ciphertext C, and e is bilinearity Map；

If equation is false, then ciphertext C is signed in explanation is invalid or recipient ID_iIt not authorized receiver, at this moment, receive Person ID_iExit decrypting process；If equation is set up, then signing ciphertext C is effective and recipient ID_iIt is authorized receiver, connects , recipient ID_iContinue executing with procedure below；

(2b) recipient ID_iEvaluation x_i=H₂(ID_i), then utilize the element T signed in ciphertext C and J to calculate intermediate parameters η_i=T₁+x_iT₂+...+(x_i ^n-1 mod q)T_nAnd τ_i=J₁+x_iJ₂+...+(x_i ^n-1 mod q)J_n；

(2c) recipient ID_iUse the element U and intermediate parameters η signed in ciphertext C_iAnd τ_iEvaluation ω=e (τ_i,η_i)e (U,D_i)^-1, wherein D_iFor recipient ID_iPrivate key, then, computation key K=H₃(ω)；

(2d) recipient ID_iUtilize symmetrical decipherment algorithm D_k() message cipher text σ is decrypted and obtains clear-text message M=D_K(σ), Complete decrypting process.