CN103986574B - Hierarchical identity-based broadcast encryption method - Google Patents

Hierarchical identity-based broadcast encryption method

Info

Publication number: CN103986574B
Application number: CN201410209022.9A
Authority: CN (China)
Other versions: CN103986574A
Language: Chinese (zh)
Inventors: 刘建伟, 周云雅, 伍前红, 刘巍然
Original and current assignee: Beihang University
Legal status: Active

Abstract

A hierarchical identity-based broadcast encryption method with the following steps: 1. the PKG takes the system security parameter as input and outputs the initialisation parameters; 2. the PKG runs the random number generation algorithm to select random numbers; 3. the PKG runs the bilinear pairing operation, outputs the public key and retains the master key; 4. the encrypting party runs the random number generation algorithm, multiplication and exponentiation, and outputs a partial ciphertext; 5. the encrypting party runs a collision-resistant hash function; 6. the encrypting party runs multiplication and exponentiation and outputs the complete ciphertext; 7. the PKG or an upper-level user runs the random number generation algorithm to produce the random numbers needed for a private key; 8. the PKG or an upper-level user runs multiplication and exponentiation and outputs the user's private key; 9. the decrypting party runs the collision-resistant hash function to verify the validity of the ciphertext, proceeding to the next step if it is valid and outputting NULL otherwise; 10. a user who satisfies the decryption condition computes K from its private key; 11. from K, the decrypting user runs the bilinear pairing operation and multiplication and outputs the plaintext.

Description

Hierarchical identity-based broadcast encryption method
(1) Technical field:
The present invention relates to a hierarchical identity-based broadcast encryption method, usable for confidential communication between users in a hierarchically structured network, and belongs to the field of cryptography within information security.
(2) Technical background:
In the 21st century humanity has entered the information age: advanced communication, computer and network technologies have penetrated every aspect of our lives. The rapid development and spread of information technology has brought great convenience, and the globalisation and integration of information keep changing how we produce and live. At the same time, while information technology makes life and work easier, it also poses a serious threat to personal privacy. How to exchange information reliably and securely in an open network environment has therefore become an important topic in information security.
Under increasingly urgent network security requirements, robust technical methods that guarantee the secure transmission of data have become essential, and the standard Public Key Infrastructure (PKI) arose in response. PKI verifies users' identity certificates during network interaction and so assures both communicating parties of each other's credibility. In practice, however, PKI has many unsatisfactory aspects: its construction is complex, its cost is high and its practicality is limited, so verifying user identity efficiently became a new challenge.
In 1984 Shamir first proposed Identity-based Encryption (IBE). In an IBE system the public key used for encryption is the user's identity information rather than a key taken from a public key certificate; the identity can be the user's ID card number, network IP address or email address. Private keys are generated centrally by a Private Key Generator (PKG) and distributed to each user, and the encrypting party can encrypt data without obtaining the other party's public key certificate.
In traditional IBE the PKG generates private keys for all users and authenticates their identities; after computing a private key the PKG must also deliver it to the user over a secure channel. This lowers the efficiency of the system and can even make the PKG the bottleneck of the whole encryption system; and because the PKG holds the private keys of all users, it is an attractive target for an adversary. To address these problems, Hierarchical Identity-based Encryption (HIBE) was proposed. HIBE organises users in a tree structure, modelling the cross-cooperation of many social organisations and so coming closer to real life. On one hand, the PKG can authorise an upper-level user to compute private keys for the users directly beneath it, which relieves the PKG of generating and distributing private keys and reduces its exposure to attack. On the other hand, whereas the encrypting party in a traditional IBE system encrypts under a user's single identity ID, in HIBE it encrypts under the user's identity vector ID = (ID_1, ID_2, ..., ID_d), and only a legitimate user whose identity appears in the specified identity vector can decrypt. For example, in an electronic healthcare network, if patient Alice wants to share her medical record securely with doctor Bob at a certain hospital, Alice only needs to encrypt the record under the specified identity vector "hospital:XXX-department:XXX-doctor:XXX" and send the ciphertext to Bob. In scenarios like this the encrypting party may also want to communicate secretly with users at many levels of the structure at the same time. For example, a company wants to develop a piece of software jointly with several professors from different laboratories of the same university. In an IBE system the company must communicate secretly with each professor separately, specifying each user's encryption path one by one, which imposes a heavy encryption overhead on the encrypting party and a lengthy ciphertext storage burden. Likewise, in an IP-based multicast network an existing IBE system looks feasible, but once many child nodes from different IP paths join and the number of users rises sharply, the system loses its efficiency.
Driven by these application requirements, we have invented a new encryption method: Hierarchical Identity-based Broadcast Encryption (HIBBE). Broadcast encryption is a method of transmitting digital information to multiple authorised users simultaneously over an insecure channel, where only the users in the authorised subset can fully decrypt the ciphertext. By adding a broadcast function, the encrypting party can choose a set of receivers by their identity vectors and encrypt a message to all of them at once, communicating secretly with many users simultaneously and improving the efficiency with which the encrypting party encrypts data.
The hierarchical identity-based broadcast encryption method proposed here supports encryption to a user subset of arbitrary size; only the users in the subset and their upper-level users can decrypt. It also provides delegated private key generation, which substantially lightens the PKG's key generation burden when the system has many users. In addition, by adding a dynamic virtual user node at the first layer of the user hierarchy, the scheme achieves security against adaptively chosen identity vector set and chosen ciphertext attacks (IND-CIVS-CCA2).
(3) Content of the invention:
1. Purpose:
The object of the invention is to provide a hierarchical identity-based broadcast encryption method: a secure and efficient data encryption scheme for confidential network communication that combines the characteristics of existing hierarchical identity-based encryption and broadcast encryption, overcomes the functional gaps of the prior art, and offers high flexibility and provable security. The method encrypts information under user identity vectors, supports broadcasting a ciphertext to users on multiple paths, lets an upper-level user generate private keys for its subordinate users in place of the Private Key Generator (PKG), supports public verification of ciphertext validity, and optimises the lengths of private keys and ciphertexts.
2. Technical scheme:
The invention involves three entities. 1) The private key generation centre (Private Key Generator, PKG): the authority that verifies user identities and computes and distributes user private keys. 2) The encrypting party (Encrypting Party): an individual or organisation with the encryption function. 3) Users (User): individuals or organisations with the decryption function. Users fall into two classes, upper-level users and subordinate users, determined by their position in the hierarchy; an upper-level user can act for the PKG in generating and distributing private keys to the subordinate users directly beneath it.
First, for ease of understanding, we define the identity vector ID of a user in the hierarchy, which represents the user's identity in the system and is written ID = (ID_1, ID_2, ..., ID_d). As shown in Fig. 1, users of the hierarchical identity-based broadcast encryption scheme are organised in a layered tree; a user has an identity ID_i at each layer, and a user's identity vector ID is the concatenation of its per-layer identities ID_i.
Second, we define S_ID = {ID_1, ID_2, ..., ID_d} and V: S_ID is the set of all identities ID_i associated with the user's identity vector ID, and V is the set of the identity vectors of all receiving users when the encrypting party broadcasts a ciphertext.
Then we introduce the prefix operator Pref(), which extracts from a user's identity vector the identity vectors of all of that user's upper-level users:
Pref(ID) = {(ID_1, ID_2, ..., ID_d') : d' ≤ d}
This set contains the identity vectors of the user itself and of all its upper-level users. Accordingly, the set of all users included in the identity vector set V, together with their upper-level users, is written Pref(V), the union of Pref(ID) over all ID in V.
The invention is a hierarchical identity-based broadcast encryption method consisting of an initialisation module, a data encryption module, a private key generation module and a decryption module; the four modules, in 11 steps in total, realise the basic functions, as shown in Fig. 2. The modules execute in the order "initialisation module" → "data encryption module" → "private key generation module" → "decryption module", with the following steps:
Module one: initialisation module
In this module the PKG takes the system security parameter λ, the maximum depth D of the user hierarchy and the maximum number of users n+1 as input and outputs the master key MSK and the public key PK. The public key PK may be published; the master key MSK must be kept strictly secret by the PKG. The module is realised in three steps:
Step 1: The PKG takes the system security parameter λ as input and runs the group generation algorithm, which outputs two groups of composite order N and a bilinear map e between them, where N = p_1 p_2 p_3 and p_1, p_2, p_3 are three distinct large prime factors of N.
Step 2: The PKG runs the random number generation algorithm to select at random a generator g of the subgroup of order p_1, an element h of the group, an element X_3 of the subgroup of order p_3 and an element α of Z_N = {0, 1, ..., N-1} as the random exponent; it also assigns at random to each of the n+1 users, including the dynamic virtual user, a group element u_i, i ∈ [1, n+1].
Step 3: Finally the PKG performs one composite-order bilinear pairing operation to obtain the target-group element e(g,g)^α. The parameters obtained in the three steps,
(g, h, u_1, ..., u_{n+1}, X_3, e(g,g)^α)
may be published as the public key parameters, while g^α is kept by the PKG as the master key.
The "group generation algorithm" of step 1 proceeds as follows: according to the size of the input security parameter λ, the PKG chooses a suitable elliptic curve Y^2 = X^3 + aX + b (a and b are coefficients). The points on the chosen curve form the source group, and a mapping function e is chosen that sends elements of the source group into the target group. The larger the security parameter, the more points the chosen curve has and the larger the group. Note for implementers: the security of the composite-order construction also rests on N being hard to factor, since the subgroup structure becomes visible once N is factored, so N must be chosen with that in mind, which makes composite-order pairings considerably slower than prime-order ones.
The "random number generation algorithm" of step 2 proceeds as follows: on the curve y^2 = x^3 + ax + b chosen in step 1, choose a random value x_1 for the independent variable x and compute the corresponding value y_1 of the dependent variable y. If the point (x_1, y_1) lies in the group we intend to map into, a random element has been generated; if not, keep choosing x values until a point in the group is found. The random number generation algorithms referred to below work the same way. Note that a random point of the order-N group lies in the subgroup of order p_1 with probability only 1/(p_2 p_3), so an implementation obtains an element of a specific prime-order subgroup by multiplying a random point by the cofactor (N/p_1 for the order-p_1 subgroup) rather than by repeated trials.
The "composite-order bilinear pairing operation" of step 3 proceeds as follows: its input is the generator g of the source group, and its output is the target-group element e(g,g)^α.
Module two: data encryption module
In this module the encrypting party takes the public key PK, the message M to be encrypted and the identity vector set V of the ciphertext's receivers as input and outputs the ciphertext CT obtained by encrypting M. The module is realised in three steps:
Step 4: The encrypting party randomly chooses an element β of Z_N = {0, 1, ..., N-1} as the exponent and performs one multiplication and two exponentiations, obtaining
(C_0, C_2) ← (g^β, e(g,g)^{αβ} · M)
For the receivers' identity vector set V, we also define the corresponding set used in step 6.
Step 5: The encrypting party runs the collision-resistant hash function H{} and obtains the hash value. The computation is as follows: the input of the hash function is the ciphertext components C_0 and C_2, and the output is an element of Z_N = {0, 1, ..., N-1}. The hash function can be called from the library functions of the Pairing-Based Cryptosystems function library.
Step 6: The encrypting party performs a polynomial number of multiplications and exponentiations to obtain C_1.
The final ciphertext output is CT = (C_0, C_1, C_2); it is an encryption to the identity vector set V ∪ {(ID_{n+1})}, that is, to the receivers together with the dynamic virtual user.
Module three: private key generation module
Two parties take part in this module. One part is carried out by the PKG: given a user's identity vector ID and the master key MSK, it generates the corresponding private key SK_ID. The other part is carried out by an upper-level user of the user whose key is to be generated, which completes the generation and distribution of the user's private key on the PKG's behalf: given the upper-level user's private key SK_{ID'} and the subordinate user's identity ID, it outputs the private key SK_ID corresponding to ID.
The private key generation performed by the PKG is realised in two steps:
Step 7: The PKG randomly chooses an element r of Z_N = {0, 1, ..., N-1} as the exponent and runs the random selection algorithm to pick two group elements A_0, A_1. For the user's identity vector ID we define the set I = {i : ID_i ∈ S_ID}, and to every index not in I we assign at random a group element U_j, j ∈ [1, n+1] \ I.
Step 8: The PKG performs a polynomial number of multiplications and exponentiations to obtain the user's final private key.
The private key generation performed by an upper-level user is likewise realised in two steps:
Step 7*: The upper-level user first randomly chooses an element t of Z_N = {0, 1, ..., N-1} as the exponent, runs the random number generation algorithm to choose two group elements R_0, R_1, and assigns at random a group element T_j to every index not in I, j ∈ [1, n+1] \ I.
Step 8*: Starting from its own private key SK_{ID'}, the upper-level user obtains, through a polynomial number of multiplications and exponentiations, the private key SK_ID corresponding to the user identity vector ID = (ID', ID).
Module four: decryption module
In this module the decrypting user first runs the collision-resistant hash function to verify the validity of the ciphertext. If the ciphertext is valid, the module takes as input the receivers' identity vector set V ∪ {(ID_{n+1})}, the ciphertext CT obtained by encrypting the message M, and the user's private key SK_ID; if the condition ID ∈ Pref(V) holds, it outputs the correct plaintext message M. If the ciphertext is invalid, the system outputs NULL (decryption failure). The module is realised in three steps:
Step 9: The decrypting party first verifies the validity of the ciphertext by running the collision-resistant hash function H{} and checking whether the verification equation holds.
If the equation holds, steps 10 and 11 follow; otherwise the system outputs NULL.
The "collision-resistant hash function H{}" is run and computed exactly as described in step 5.
Step 10: A user satisfying the condition ID ∈ Pref(V) first computes the value K from its own private key SK_ID.
Step 11: From the K obtained in the previous step, the decrypting user performs two bilinear pairing operations and one multiplication to compute and output the plaintext message M.
In particular, the first step of the decryption module can be performed as a public verification: the inputs to the verification are the public key parameters and the ciphertext, both of which are public, so the HIBBE scheme of the invention can be used to construct higher-level security protocols.
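The access-structure rules stated above (identity vectors, S_ID, Pref(), the index set I = {i : ID_i ∈ S_ID}, the receiver set V ∪ {(ID_{n+1})}, the decryption condition ID ∈ Pref(V), and which b_j components a delegated key keeps) are purely combinatorial and can be exercised without any pairing arithmetic. The Python below is an added example written for this page, not code from the patent or its authors: it treats every node of the hierarchy as one user with a slot in [1, n], reserves slot n+1 for the dynamic virtual user, and uses a constructed six-node hospital/department/doctor hierarchy as sample input (the labels and the "virtual-user" name are made up). Group elements are not modelled; the functions return the index sets and element counts that the scheme's keys and ciphertexts depend on, so that an implementer can check the bookkeeping independently of the pairing library.

```python
"""Access-structure bookkeeping for the HIBBE scheme (added example, not patent code).

An identity vector is a tuple of per-layer identities, ID = (ID_1, ..., ID_d).
Every node of the user tree is one user and receives one slot i in [1, n];
slot n+1 is the dynamic virtual user that the encryptor always appends to V.
"""
from itertools import chain

VIRTUAL = ("virtual-user",)  # hypothetical label for the virtual user ID_{n+1}


def prefixes(id_vec):
    """Pref(ID): the vector itself and the vectors of all its upper-level users."""
    id_vec = tuple(id_vec)
    return {id_vec[:d] for d in range(1, len(id_vec) + 1)}


def pref_set(receivers):
    """Pref(V): union of Pref(ID) over every ID in the receiver set V."""
    return set(chain.from_iterable(prefixes(v) for v in receivers))


def can_decrypt(id_vec, receivers):
    """Decryption condition of step 10: ID lies in Pref(V)."""
    return tuple(id_vec) in pref_set(receivers)


def assign_slots(nodes):
    """Give every node (identity vector) a slot in [1, n]; the virtual user gets n+1.

    Sorting the vectors puts every prefix before its extensions, so slot numbers
    increase down each path, mirroring the public key elements u_1 .. u_{n+1}.
    """
    ordered = sorted({tuple(v) for v in nodes})
    slots = {v: i for i, v in enumerate(ordered, start=1)}
    slots[VIRTUAL] = len(ordered) + 1
    return slots


def index_set(id_vec, slots):
    """I = {i : ID_i in S_ID}: the slots of the user and of all its ancestors."""
    return {slots[p] for p in prefixes(id_vec)}


def key_slots(id_vec, slots):
    """Indices j in [1, n+1] minus I: the private key carries one b_j for each."""
    return set(range(1, len(slots) + 1)) - index_set(id_vec, slots)


def key_length(id_vec, slots):
    """Number of group elements in SK_ID = (a_0, a_1, {b_j}_{j not in I})."""
    return 2 + len(key_slots(id_vec, slots))


def delegate(parent_vec, target_vec, slots):
    """Step 8*: the user directly above derives the key of ID = (ID', ID_child).

    Only the node directly above may delegate, and the child's b_j set is the
    parent's set minus the child's own slot, which is why the parent never
    needs a b_j it does not hold.
    """
    parent_vec, target_vec = tuple(parent_vec), tuple(target_vec)
    if target_vec[:-1] != parent_vec:
        raise ValueError("only the user directly above can delegate a key")
    parent_b = key_slots(parent_vec, slots)
    target_b = key_slots(target_vec, slots)
    assert target_b == parent_b - {slots[target_vec]}
    return target_b


def broadcast_targets(receivers):
    """Step 6: the ciphertext is an encryption to V together with the virtual user."""
    return {tuple(v) for v in receivers} | {VIRTUAL}


# Constructed sample hierarchy (labels are made up for this example).
HOSPITAL_A = ("hospital:A",)
DEPT_A1 = HOSPITAL_A + ("dept:1",)
BOB = DEPT_A1 + ("doctor:bob",)
DEPT_A2 = HOSPITAL_A + ("dept:2",)
HOSPITAL_B = ("hospital:B",)
DEPT_B1 = HOSPITAL_B + ("dept:1",)
NODES = [HOSPITAL_A, DEPT_A1, BOB, DEPT_A2, HOSPITAL_B, DEPT_B1]
SLOTS = assign_slots(NODES)   # n = 6 real users, virtual user in slot 7
RECEIVERS = {BOB, DEPT_B1}    # the set V chosen by the encrypting party


if __name__ == "__main__":
    print("Pref(V) =", sorted(pref_set(RECEIVERS)))
    for node in NODES:
        print(node, "decrypts:", can_decrypt(node, RECEIVERS),
              "key elements:", key_length(node, SLOTS))
```

Running the block prints, for each node, whether it may decrypt a broadcast to V = {BOB, DEPT_B1} (hospital A, department A1 and hospital B can, because they are prefixes of receivers; department A2 and the virtual user cannot) and how many group elements its key holds (2 + (n+1) minus the depth of the node).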
Tree-shaped user identity hierarchy in the optimised mode: In the hierarchical identity-based broadcast encryption method of the invention, when the user hierarchy has depth d, each user's private key contains n-d+2 elements and the ciphertext contains three group elements. Considering that some receiving users have limited storage capacity, we trade off private key length against ciphertext length and propose the tree-shaped user identity hierarchy in the optimised mode shown in Fig. 5(b).
Fig. 5(a) is the original system: all users are organised in a single tree T with n nodes in total. On the right, we split the tree T into a number of subtrees, the i-th subtree containing n_i nodes, with the n_i summing to n. The splitting principles are: 1. the subtrees contain as nearly equal numbers of nodes as possible; 2. all subtrees share as few upper-level nodes as possible. Each subtree can be regarded as an independent HIBBE system in which every functional module of the scheme runs normally. When broadcast-encrypting, if the receiver set is drawn from different subtrees, the broadcast is made to every access-structure tree involved.
With this optimisation the private key length drops to the order of the subtree size, while the ciphertext length grows slightly, to the order of the number of subtrees addressed; if the number and size of the subtrees are chosen so that the two are balanced, the ciphertext and private key lengths become the same order of magnitude, greatly reducing the user's storage burden.
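To see the trade-off concretely, the following added example (not from the patent) evaluates the lengths stated above, n-d+2 key elements for a depth-d user and three group elements per ciphertext, when a tree of n nodes is cut into k subtrees of as-equal-as-possible size and a broadcast may have to address every subtree. The function best_split sweeps k and picks the split that minimises the larger of the two lengths; that criterion, and the worst-case assumption that all k subtrees are addressed, are choices made for this example rather than statements from the text.

```python
"""Key/ciphertext length trade-off for the subtree split (added example, not patent code)."""

KEY_OVERHEAD = 2          # a_0 and a_1 are present in every private key
CIPHERTEXT_ELEMENTS = 3   # one (C_0, C_1, C_2) triple per HIBBE system addressed


def split_sizes(n, k):
    """Split n nodes into k subtrees whose sizes differ by at most one (principle 1)."""
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    base, extra = divmod(n, k)
    return [base + 1] * extra + [base] * (k - extra)


def key_length(subtree_size, depth):
    """Private key elements for a depth-d user in a subtree of n_i nodes: n_i - d + 2."""
    return subtree_size - depth + KEY_OVERHEAD


def ciphertext_length(subtrees_addressed):
    """Three group elements for every subtree that contains at least one receiver."""
    return CIPHERTEXT_ELEMENTS * subtrees_addressed


def lengths_for_split(n, k, depth):
    """Worst case over users (largest subtree) and over receiver sets (all k subtrees)."""
    return key_length(max(split_sizes(n, k)), depth), ciphertext_length(k)


def best_split(n, depth):
    """Smallest k for which the larger of (key length, ciphertext length) is minimal."""
    best = None
    for k in range(1, n + 1):
        key_len, ct_len = lengths_for_split(n, k, depth)
        cost = max(key_len, ct_len)
        if best is None or cost < best[0]:
            best = (cost, k, key_len, ct_len)
    _, k, key_len, ct_len = best
    return k, key_len, ct_len


if __name__ == "__main__":
    n, d = 100, 2
    print("unsplit (key, ct):", lengths_for_split(n, 1, d))
    print("best split (k, key, ct):", best_split(n, d))
```

For n = 100 users at depth 2 the unsplit system stores 100 elements per key against a 3-element ciphertext, while six subtrees bring the worst-case key down to 17 elements for an 18-element ciphertext; increasing k further only moves the cost into the ciphertext.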
3. Advantages and effects:
The invention provides a hierarchical identity-based broadcast encryption method for confidential communication between users in complex hierarchical network environments. Its advantages and effects are:
1) The method is the first to extend the broadcast encryption function on the basis of a hierarchical identity-based encryption scheme. It can encrypt to an arbitrary set of user identity vectors, and only the users in the receiver set and their upper-level users can decrypt.
2) The scheme retains the advantage of the hierarchy: an upper-level user can generate and distribute subordinate users' private keys in place of the PKG, reducing the PKG's workload and improving system efficiency.
3) By introducing a dynamic virtual user node at the first layer of the hierarchy, the original scheme, secure against chosen identity vector set and chosen-plaintext attacks (IND-CIVS-CPA), is converted into one secure against adaptively chosen identity vector set and chosen-ciphertext attacks (IND-CIVS-CCA2); ciphertext validity can be verified publicly, the security level is higher, and the scheme can be used to construct higher-level protocols.
4) The tree-shaped user identity hierarchy in the optimised mode relieves the memory shortage users face when storing long keys, making the scheme more flexible and more practical.
(4) Description of the drawings:
Fig. 1 is a general tree-shaped user identity hierarchy.
Fig. 2 is the flow block diagram of the method of the invention.
Fig. 3 is a specific instance of the tree-shaped user identity hierarchy of the invention.
Fig. 4 shows, for the instance of Fig. 3, the specific composition of each user's private key in the tree.
Fig. 5(a) is the tree-shaped user identity hierarchy of the original system of the invention.
Fig. 5(b) is the tree-shaped user identity hierarchy in the optimised mode of the invention.
The symbols in the figures are as follows:
In Fig. 1, the grid-patterned node represents the PKG, diagonally hatched nodes represent users in the receiver set, and white nodes represent users not in the receiver set; ID_1, ID_2, ..., ID_11 denote the identities of the nodes.
In Fig. 3, the grid-patterned node represents the PKG, diagonally hatched nodes represent users in the receiver set V of the ciphertext, and white nodes represent users not in the receiver set; u_i denotes the random element assigned to each identity node, and ID_1, ID_2, ..., ID_8 denote the identities of the nodes.
In Fig. 4, ID_i denotes each identity vector, a_0, a_1, b_1, ..., b_8 denote the components of each user's private key, and an entry marked as empty means that the private key has no such component.
In Fig. 5(a) and (b), the grid-patterned node represents the PKG, diagonally hatched nodes represent users in the receiver set, and white nodes represent users not in the receiver set.
(5) Embodiments
See Figs. 1 to 5(b). The main mathematical symbols and algorithms are explained as follows:
(1) Composite-order bilinear map e: In the initialisation module of the scheme, inputting the security parameter λ and running the group generation algorithm yields two groups of composite order N and a bilinear map e between them, where N = p_1 p_2 p_3 and p_1, p_2, p_3 are three distinct large prime factors of N.
The composite-order bilinear map satisfies the following three properties:
1. Bilinearity: for all elements g, h of the group and all exponents a, b, e(g^a, h^b) = e(g, h)^{ab}.
2. Non-degeneracy: there exists an element g in the group such that e(g, g) is a generator of the target group.
3. Computability: there is an efficient algorithm that computes e(u, v) for all u, v in the group.
In particular, the source group contains three subgroups, of orders p_1, p_2 and p_3, and the bilinear map is orthogonal across these subgroups:
for all h_i in the subgroup of order p_i and all h_j in the subgroup of order p_j, if i ≠ j then e(h_i, h_j) = 1.
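Why the orthogonality property holds, as an added derivation that is not part of the patent text: write $\gamma$ for a generator of the whole source group of order $N$ (a symbol assumed here), so that the subgroup of order $p_i$ is generated by $\gamma^{N/p_i}$ and any $h_i$ in it and any $h_j$ in the subgroup of order $p_j$ can be written

$$
h_i = \gamma^{a N/p_i}, \qquad h_j = \gamma^{b N/p_j}, \qquad a, b \in \mathbb{Z}.
$$

Then, by bilinearity,

$$
e(h_i, h_j) = e(\gamma, \gamma)^{ab \cdot N^2/(p_i p_j)} = \bigl(e(\gamma, \gamma)^{N}\bigr)^{ab \, p_k} = 1, \qquad \{i, j, k\} = \{1, 2, 3\},
$$

since for $i \ne j$ the quotient $N^2/(p_i p_j) = N \cdot p_k$ is an integer multiple of $N$, and $e(\gamma, \gamma)^N = e(\gamma^N, \gamma) = e(1, \gamma) = 1$. This is the property the decryption module relies on: random blinding elements drawn from one prime-order subgroup pair to 1 with ciphertext components drawn from a different one, so they drop out of the pairing products without having to be known to the decryptor.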
(2) Collision-resistant hash algorithm: the collision-resistant hash function used in the invention has two basic properties, one-wayness and collision resistance. One-wayness means that the output can be derived from the input but the input cannot be computed from the hash output; collision resistance means that one cannot find two different inputs whose hash outputs are identical. In the invention the hash input is the ciphertext and the output is an element of the domain Z_N = {0, 1, ..., N-1}.
The invention is a hierarchical identity-based broadcast encryption method realised by four modules, the initialisation module, the data encryption module, the private key generation module and the decryption module, see Fig. 2. The concrete steps of the method are as follows:
Module one: the initialisation module is realised in three steps:
Step 1: The PKG takes the system security parameter λ as input and runs the group generation algorithm, which outputs two groups of composite order N and a bilinear map e, where N = p_1 p_2 p_3 and p_1, p_2, p_3 are three distinct large prime factors of N.
Step 2: The PKG runs the random number generation algorithm to select at random a generator g of the subgroup of order p_1, an element h of the group, an element X_3 of the subgroup of order p_3 and an element α of the domain Z_N as the random exponent; it assigns at random a group element u_i, i ∈ [1, n+1], to each of the n+1 users including the dynamic virtual user: the elements assigned to the real user nodes are u_i, i ∈ [1, n], and the element assigned to the dynamic virtual user node is u_{n+1}.
Step 3: The PKG performs one composite-order bilinear pairing operation to obtain the target-group element e(g,g)^α. The parameters obtained in the three steps,
(g, h, u_1, ..., u_{n+1}, X_3, e(g,g)^α)
may be published as the public key parameters, while g^α is kept by the PKG as the master key.
The group generation algorithm of step 1, the random number generation algorithm of step 2 and the composite-order bilinear pairing of step 3 are performed as described for module one in the technical scheme above.
Module two: the data encryption module is realised in three steps:
Step 4: The encrypting party randomly chooses an element β of Z_N = {0, 1, ..., N-1} as the exponent and performs one multiplication and two exponentiations to the power β, obtaining
(C_0, C_2) ← (g^β, e(g,g)^{αβ} · M)
Step 5: The encrypting party runs the collision-resistant hash function H{} and obtains the hash value.
Step 6: For the receivers' identity vector set V we define the corresponding index set; the encrypting party then performs a polynomial number of multiplications and exponentiations to obtain C_1.
The final ciphertext output is CT = (C_0, C_1, C_2), an encryption to the identity vector set V ∪ {(ID_{n+1})}.
The hash computation of step 5, "the encrypting party runs the collision-resistant hash function H{} and obtains the hash value", is as follows: the input of the hash function is the ciphertext components C_0 and C_2, and the output is an element of Z_N = {0, 1, ..., N-1}. The hash function can be called from the library functions of the Pairing-Based Cryptosystems function library.
Module three: two parties take part in the private key generation module:
(1) The private key generation performed by the PKG is realised in two steps:
Step 7: The PKG runs the random number generation algorithm to choose at random an element r of the domain Z_N as the exponent and two group elements A_0, A_1. For the user's identity vector ID we let I = {i : ID_i ∈ S_ID}, and assign at random a group element U_j to every index j ∈ [1, n+1] \ I.
Step 8: The PKG performs a polynomial number of multiplications and exponentiations to obtain the user's final private key.
The ID_i appearing in that computation is the element of the domain Z_N obtained by applying the collision-resistant hash function H{} to the user identity ID_i ∈ S_ID. For the user hierarchy model of Fig. 3, the composition of each user's private key is shown in Fig. 4.
(2) The private key generation performed by an upper-level user is likewise realised in two steps:
Step 7*: For the user's identity vector ID we let I = {i : ID_i ∈ S_ID}. The upper-level user first runs the random number generation algorithm to choose at random an element t of the domain Z_N as the exponent and two group elements R_0, R_1, and assigns at random a group element T_j to every index j ∈ [1, n+1] \ I.
Step 8*: Starting from its own private key SK_{ID'} = (a_0, a_1, {b_j}_{j ∈ [1, n+1] \ I'}), the upper-level user obtains, through a polynomial number of multiplications and exponentiations, the private key SK_ID corresponding to the user identity vector ID = (ID', ID).
By an implicit substitution of the fresh exponent and blinding elements, the private key generated by the delegating user has the same form as one generated by the PKG, namely
SK_ID = (a_0, a_1, {b_j}_{j ∈ [1, n+1] \ I})
The upper-level user has thereby completed, on the PKG's behalf, a private key generation task equivalent to the PKG's own.
In the instance of Fig. 3, with the layered user access structure and ID_1, ID_3, ID_4, ID_6, ID_7 in the set V, the composition of each part of their private keys is shown in Fig. 4.
Module four: the decryption module is realised in three steps:
Step 9: The decrypting party first verifies the validity of the ciphertext by running the collision-resistant hash function and checking whether the verification equation holds.
If the equation holds, steps 10 and 11 follow; otherwise the system outputs NULL.
Step 10: A user satisfying the condition ID ∈ Pref(V) first computes the value K from its own private key SK_ID = (a_0, a_1, {b_j}_{j ∈ [1, n+1] \ I}),
where I = {i : ID_i ∈ S_ID}.
Step 11: From the K obtained in the previous step, the decrypting user performs two bilinear pairing operations and one multiplication to compute and output the plaintext message M.
By the orthogonality property of the bilinear map, the random blinding elements in the private key, which lie in a different prime-order subgroup from the ciphertext components, vanish under the bilinear map, so the pairing products reduce to the plaintext.
The "collision-resistant hash function" of step 9 is run in the same way as in step 5.

Claims (4)

1. An identity-based hierarchical broadcast encryption method, characterised in that: the method realises its basic functions by four modules in 11 steps in total; the modules are executed in the order "initialisation module" → "data encryption module" → "private key generation module" → "decryption module", and the steps are as follows:
Module one: Initialisation module
In this module the private key generation centre PKG takes as input the system security parameter λ, the maximum depth D of the user hierarchy and the maximum number of users n+1, and outputs the master key MSK and the public key PK; the public key PK may be made public, whereas the master key MSK must be kept strictly secret by PKG; the module's function is realised in three steps:
Step 1: PKG first inputs the system security parameter λ and then runs the group generation algorithm, which outputs two groups of composite order N and a bilinear map, where N = p_1 p_2 p_3 and p_1, p_2, p_3 are three distinct large prime factors of N;
Step 2: PKG runs the random number generation algorithm and randomly selects a generator g of the subgroup of order p_1, an element h of the group, an element X_3 of the subgroup of order p_3, and an element α of the domain Z_N : {0, 1, ..., N-1} as a random exponent; it also assigns to each of the n+1 users, including the dynamic virtual user, a random element u_i of the group, i an integer in [1, n+1];
Step 3: Finally PKG performs one composite-order bilinear pairing computation and obtains an element e(g,g)^α of the target group; the parameters obtained in the three steps above,
(g,h,u1,...,un+1,X3,e(g,g)α)
serve as the public key and can be disclosed externally, while g^α is kept by PKG as the master key;
Module two:Data encryption module
In this module the encryption side takes as input the public key PK, the message M to be encrypted and the identity vector set V of the users receiving the ciphertext, and outputs the ciphertext CT obtained by encrypting the message M; the module's function is realised in three steps:
Step 4: The encryption side randomly selects an element β of the domain Z_N : {0, 1, ..., N-1} as the exponent and completes 1 multiplication and 2 exponentiations, obtaining:
(C0,C2)←(gβ,e(g,g)αβ·M)
For the identity vector set V of the receiving users, we define the set
Step 5: The encryption side runs the collision-resistant hash function H{·} and computes
The method of running the collision-resistant hash function H{·} is as follows: the input of the hash function is the ciphertext components C_0, C_2, and its output is an element of the domain Z_N : {0, 1, ..., N-1}; the hash function can be called from the built-in functions of the Pairing-Based Cryptosystems library;
Step 6: The encryption side completes polynomially many multiplications and exponentiations and obtains C_1,
The final ciphertext output is CT = (C_0, C_1, C_2),
which is the encryption for the user identity vector set V ∪ {(ID_{n+1})};
Module three:Private key generation module
This module is performed by two parties: one part is undertaken by PKG, which takes as input the identity vector ID of a given user and the master key MSK and generates the corresponding private key SK_ID; the other part is undertaken by an upper-level user of the user whose private key is to be generated, who acts on behalf of PKG to complete the generation and distribution of the user private key; in that case the module takes as input the private key SK_ID' of the upper-level user and the identity ID of the lower-level user, and outputs the private key SK_ID corresponding to ID;
The private key generation function undertaken by PKG is realised in two steps:
Step 7: PKG randomly selects an element r of the domain Z_N : {0, 1, ..., N-1} as the exponent and randomly selects two elements A_0, A_1 of the group; for the user's identity vector ID we define the set I = {i : ID_i ∈ S_ID} and assign to every user not in the set I a random element U_j of the group, j an integer in [1, n+1] \ I;
Step 8: PKG completes polynomially many multiplications and exponentiations and obtains the final user private key
$$SK_{ID} \leftarrow \left( g^{\alpha} \left( h \cdot \prod_{i \in I} u_i^{ID_i} \right)^{r} A_0,\; g^{r} A_1,\; \left\{ u_j^{r} U_j \right\}_{j \in [1, n+1] \setminus I} \right)$$
The private key generation function undertaken by a higher-level user is likewise realised in two steps:
Step 7*: The higher-level user first randomly selects an element t of the domain Z_N : {0, 1, ..., N-1} as the exponent, runs the random number generation algorithm to randomly select two elements R_0, R_1 of the group, and assigns to every user not in the set I a random element T_j of the group, j an integer in [1, n+1] \ I;
Step 8*: Starting from its own private key SK_ID', the higher-level user sets a_1 = g^{r'} A_1' together with the other implicit settings, and obtains by polynomially many multiplications and exponentiations the private key SK_ID corresponding to the user identity vector ID = (ID', ID):
$$SK_{ID} = \left( a_0 \left( b_i^{ID} \right)_{i \in I \setminus I'} \left( h \cdot \prod_{i \in I} u_i^{ID_i} \right)^{t} R_0,\; a_1 g^{t} R_1,\; \left\{ b_j u_j^{t} T_j \right\}_{j \in [1, n+1] \setminus I} \right)$$
Module four:Deciphering module
In this module the decrypting user first runs the collision-resistant hash function H{·} to verify the validity of the ciphertext; if the ciphertext is valid, it takes as input the identity vector set V ∪ {(ID_{n+1})} of the users receiving the ciphertext, the ciphertext CT obtained by encrypting the message M, and the user private key SK_ID; if the condition ID ∈ V is satisfied, the module outputs the correct plaintext message M; if the ciphertext is invalid, the system outputs NULL and does not decrypt; the module's function is realised in three steps:
Step 9: The decryption side first verifies the validity of the ciphertext by running the collision-resistant hash function H{·} and checking whether the following equality holds:
If the equality holds, Steps 10 and 11 below are carried out; otherwise the system outputs NULL;
Here the method of running and computing the said "collision-resistant hash function H{·}" is the same as that described in Step 5;
Step 10: A user satisfying the condition ID ∈ Pref(V) first computes, from its own private key SK_ID, the value
Step 11: Using the K obtained in the previous step, the decrypting user performs two bilinear pairing computations and one multiplication, computing and outputting the plaintext message M:
$$M = C_2 \cdot \frac{e(C_1, a_1)}{e(K, C_0)}$$
The first step of the decryption module in the above scheme can be verified publicly, because the inputs to the verification are the public key parameters and the ciphertext, both of which are publicly disclosed; hence the identity-based hierarchical broadcast encryption (HIBBE) method can be used to construct higher-level security protocols;
Tree-shaped user identity hierarchy in optimised mode: in the identity-based hierarchical broadcast encryption method concerned, when the depth of the user hierarchy is d, each user private key contains n-d+2 elements and the ciphertext contains three group elements; considering that the data storage capacity of some ciphertext-receiving users is limited, we make a trade-off between private key length and ciphertext length and propose the tree-shaped user identity hierarchy in optimised mode;
All users of the original system are organised according to the structure of a tree T with n nodes in total; we partition the tree T into subtrees, the i-th subtree containing n_i nodes; the partition principles are: 1. the numbers of nodes of the subtrees are as equal as possible; 2. all subtrees share as few upper-level nodes as possible; each subtree is regarded as an independent HIBBE system and runs every functional module of this technical scheme normally; when a broadcast ciphertext is produced, if the user set spans different subtrees, the broadcast is made to all access structure trees involved;
Through the above optimisation, the length of the private key is reduced to the stated order of magnitude while the length of the ciphertext grows correspondingly; if the number of subtrees is chosen as stated, the lengths of the ciphertext and of the private key both come to the same order of magnitude, greatly reducing the storage burden on users.
2. The identity-based hierarchical broadcast encryption method according to claim 1, characterised in that the "running the group generation algorithm" described in Step 1 is done as follows: according to the size of the input security parameter λ, PKG selects a predetermined elliptic curve Y^2 = X^3 + aX + b, a and b being coefficients; the points on the selected elliptic curve form a group; a function mapping e is selected that maps elements of that group into another group; the larger the value of the security parameter, the more points there are on the selected elliptic curve and the larger the group.
3. The identity-based hierarchical broadcast encryption method according to claim 2, characterised in that the "random number generation algorithm" described in Step 2 is done as follows: on the elliptic curve Y^2 = X^3 + aX + b selected in Step 1, a value x_1 of the independent variable x is randomly selected and the corresponding value y_1 of the dependent variable y is computed; if the point (x_1, y_1) lies in the group we want to map into, a random element has been generated successfully; if the point (x_1, y_1) is not in the group, further x values are selected until a point that lies in the group is found.
4. The identity-based hierarchical broadcast encryption method according to claim 1, characterised in that the "composite-order bilinear pairing computation" described in Step 3 is done as follows: the input independent variable is a generator g of the group, and the output is an element of the target group: e(g,g)^α.
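A toy exponent-level model of the private key generation (Step 8), delegation (Step 8*) and decryption (Steps 10 and 11) equations above, added as an illustration and not part of the patent: each element of G_{p1} × G_{p3} is written as its pair of exponents and the pairing multiplies the pairs componentwise, which reproduces the orthogonality that makes the G_{p3} blinding factors vanish in Step 11; it checks the algebra only and provides no security, since every exponent is in the clear. Assumed, because the page does not print them, are the forms C_1 = (h ∏_{i∈I_V} u_i^{ID_i})^β and K = a_0 ∏_{j∈I_V\I} b_j^{ID_j}, the toy primes, and the identity encoding {tree position: ID_i}; the hash-based virtual user of Steps 5 and 9 is left out.

```python
import secrets
# Constructed toy primes standing in for p1 and p3 (p2 only appears in the security proof).
P1, P3 = 1000003, 1000033
N_IDX = 5   # constructed: tree positions 1..5; the hash-based virtual user n+1 is left out

# A group element g^a * X3^x is the exponent pair (a, x); G_T elements use the same shape.
def gmul(x, y): return ((x[0] + y[0]) % P1, (x[1] + y[1]) % P3)
def gpow(x, k): return ((x[0] * k) % P1, (x[1] * k) % P3)
def ginv(x): return ((-x[0]) % P1, (-x[1]) % P3)
def pair(x, y): return ((x[0] * y[0]) % P1, (x[1] * y[1]) % P3)  # G_p1 and G_p3 parts never mix
def rand_exp(): return 1 + secrets.randbelow(P1 - 1)                  # non-zero exponent
def rand_p1(): return (rand_exp(), 0)                                  # random element of G_p1
def rand_p3(): return (0, 1 + secrets.randbelow(P3 - 1))               # random element of G_p3

def setup():
    """Steps 1-3: public key (g, h, u_1..u_n, e(g,g)^alpha) and master key g^alpha."""
    g, alpha = (1, 0), rand_exp()
    pk = {"g": g, "h": rand_p1(), "u": {i: rand_p1() for i in range(1, N_IDX + 1)},
          "e_gg_alpha": pair(g, gpow(g, alpha))}
    return pk, gpow(g, alpha)

def hash_term(pk, ident):
    """h * prod_{i in I} u_i^{ID_i} for an identity vector given as {position: ID_i}."""
    acc = pk["h"]
    for i, v in ident.items():
        acc = gmul(acc, gpow(pk["u"][i], v))
    return acc

def keygen(pk, msk, ident):
    """Step 8: SK_ID = (g^alpha (h prod u_i^{ID_i})^r A_0, g^r A_1, {u_j^r U_j}_{j not in I})."""
    r = rand_exp()
    a0 = gmul(gmul(msk, gpow(hash_term(pk, ident), r)), rand_p3())
    a1 = gmul(gpow(pk["g"], r), rand_p3())
    b = {j: gmul(gpow(pk["u"][j], r), rand_p3()) for j in range(1, N_IDX + 1) if j not in ident}
    return a0, a1, b

def delegate(pk, sk_parent, parent_ident, ident):
    """Step 8*: the parent (identity ID') derives the child's key and re-randomises it with t."""
    a0, a1, bp = sk_parent
    t = rand_exp()
    for i, v in ident.items():                  # fold in b_i^{ID_i} for the new positions I \ I'
        if i not in parent_ident:
            a0 = gmul(a0, gpow(bp[i], v))
    a0 = gmul(gmul(a0, gpow(hash_term(pk, ident), t)), rand_p3())
    a1 = gmul(gmul(a1, gpow(pk["g"], t)), rand_p3())
    b = {j: gmul(gmul(bp[j], gpow(pk["u"][j], t)), rand_p3()) for j in bp if j not in ident}
    return a0, a1, b

def encrypt(pk, receivers, m):
    """Steps 4 and 6 for receiver set V; assumed form C_1 = (h prod_{i in I_V} u_i^{ID_i})^beta."""
    beta, union = rand_exp(), {}
    for ident in receivers:                      # I_V: every position named by some vector in V
        union.update(ident)
    c0 = gpow(pk["g"], beta)
    c1 = gpow(hash_term(pk, union), beta)
    c2 = gmul(gpow(pk["e_gg_alpha"], beta), m)
    return c0, c1, c2, union

def decrypt(pk, sk, ident, ct):
    """Steps 10-11: K = a_0 prod_{j in I_V \\ I} b_j^{ID_j}, then M = C_2 e(C_1,a_1) / e(K,C_0)."""
    a0, a1, b = sk
    c0, c1, c2, union = ct
    k = a0
    for j, v in union.items():
        if j not in ident:
            k = gmul(k, gpow(b[j], v))
    # e(K,C_0) = e(g,g)^{alpha beta} e(h prod u, g)^{r beta}; the second factor equals e(C_1,a_1),
    # and the G_p3 blinding factors A_0, A_1, U_j vanish because C_0 and C_1 lie in G_p1 only.
    return gmul(c2, gmul(pair(c1, a1), ginv(pair(k, c0))))
```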
CN201410209022.9A 2014-05-16 2014-05-16 A kind of Tiered broadcast encryption method of identity-based Active CN103986574B (en)
Publications (2)

Publication Number Publication Date
CN103986574A CN103986574A (en) 2014-08-13
CN103986574B true CN103986574B (en) 2017-10-13