CN104038341B - An identity-based cross-system proxy re-encryption method - Google Patents


Publication number
CN104038341B
Authority
CN
China
Prior art keywords
encryption
ibe
identity
ibbe
module
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201410280293.3A
Other languages
Chinese (zh)
Other versions
CN104038341A (en)
Inventor
伍前红
邓桦
秦波
刘建伟
周云雅
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beihang University
Original Assignee
Beihang University
Application filed by Beihang University filed Critical Beihang University
Priority to CN201410280293.3A priority Critical patent/CN104038341B/en
Publication of CN104038341A publication Critical patent/CN104038341A/en
Publication of CN104038341B publication Critical patent/CN104038341B/en

Landscapes

  • Storage Device Security (AREA)

Abstract

An identity-based cross-system proxy re-encryption method. Steps run by the PKG: 1. input the parameter λ and output the system parameters; 2. run the random number generation algorithm; 3. compute a bilinear pairing, exponentiations and multiplications; 4. select a collision-resistant hash function and output the public key; 5. run the collision-resistant hash function; 6. compute an addition, an inversion and an exponentiation, and output the private key. Steps run by the delegator: 7. run the collision-resistant hash function; 8. run the random number generation algorithm, multiplications and exponentiations, and output the ciphertext; 9. select a blinding factor k; 10. run the collision-resistant hash function; 11. run the random number generation algorithm, multiplications and exponentiations, and output the re-encryption key. Step run by the proxy: 12. compute a bilinear pairing and a division, and output the re-encrypted ciphertext. Steps run by the delegatee: 13. run the collision-resistant hash function; 14. compute bilinear pairings, additions, products and a division, and output k; 15. compute a bilinear pairing and a multiplication, and output the plaintext.

Description

An identity-based cross-system proxy re-encryption method
(1) Technical field:
The present invention relates to an identity-based cross-system proxy re-encryption method that enables proxy conversion of ciphertexts between different encryption systems, and belongs to the field of cryptography within information security.
(2) Technical background:
As demands on communication security rise, various cryptosystems have been proposed to encrypt data in transit and keep communication between users private; identity-based encryption is one that is widely used. Depending on whether the two communicating parties use the same key, data encryption systems fall into two kinds: single-key encryption and public-key encryption. Both emphasize that the encryption algorithm can be public while the decryption key must be kept strictly secret; once the key is leaked, all data encrypted under it is no longer safe. The difference is that in single-key encryption the encryption key and the decryption key are identical, whereas in public-key encryption they differ. In a public-key cryptosystem, the public key encrypts the information to be protected (here called the plaintext), and the private key decrypts the encrypted information (here called the ciphertext).
Identity-Based Encryption (IBE) was first proposed by Shamir and belongs to public-key encryption. The participants are usually the encrypting party, the decrypting party and the private key generation center. In an IBE system, the identity ID of the decrypting party serves as the public key for encryption; the ID can be the decrypting party's ID card number, email address, phone number and so on. The encrypting party encrypts the plaintext under this public key, and the Private Key Generator (PKG) is responsible for issuing private keys to users according to their identities in the system; decryption succeeds only when the decrypting party's identity matches the public key. The advantage of this method is that it removes the step in which a Public Key Infrastructure (PKI) issues authentication certificates to users, which reduces system overhead and makes the method more practical.
Building on the efficient IBE algorithm, many multi-functional identity-based encryption methods have been derived, among them Identity-Based Broadcast Encryption (IBBE). IBBE addresses the need for an encrypting user to broadcast-encrypt to many decrypting users at once: the public key used for encryption is the set of identities of all decrypting users, and only users in that identity set can decrypt the ciphertext. Consider the following scenario: attending doctor A at a hospital wants to discuss and analyze a patient's medical record with n doctors at other major hospitals. Given the sensitivity of patient information and the need to protect patient privacy, doctor A encrypts the record before sending it. With IBE, A must encrypt the record separately under the identity of each of the n doctors, producing n ciphertexts. With IBBE, A encrypts the record only once under the identity set formed by the n doctors' identities, producing a single ciphertext that every doctor in the set can decrypt. This greatly saves the encrypting user's time and effort, reduces ciphertext storage overhead, and is more efficient.
Consider another scenario: mailbox user Alice wants to share a private encrypted mail with another user, Bob, but the mail was encrypted under an IBE system with Alice's identity as the public key, and Bob, not knowing Alice's private key, cannot decrypt it. If Alice does not want to reveal her private key, the traditional approach is: Alice decrypts the mail with her own private key, re-encrypts the resulting plaintext under Bob's identity, and sends the ciphertext to Bob; Bob decrypts the received ciphertext with his own private key, which completes the sharing of the mail contents. This approach is clearly cumbersome and time-consuming, which led to a solution called proxy re-encryption (PRE). The concept of proxy re-encryption was first proposed by the three scientists Blaze, Bleumer and Strauss at the European cryptology annual conference in 1998. In a PRE scheme, the participants are the private key generation center (PKG), the decryption delegator (Delegator), the re-encryption proxy (Proxy) and the delegatee (Delegatee). In the scenario above, with proxy re-encryption Alice, as the Delegator, only needs to compute a re-encryption key (RK) from her own private key and Bob's identity, and send the ciphertext and the re-encryption key together to the proxy. Using the re-encryption key, and without knowing anything about the plaintext or Alice's private key, the proxy re-encrypts the ciphertext that only Alice's private key can decrypt into a ciphertext that Bob's private key can decrypt. Bob then only needs to download the re-encrypted ciphertext from the proxy and decrypt it with his own private key. Proxy re-encryption removes the step in which the Delegator first decrypts and then re-encrypts the original ciphertext, which saves cost for the user and the system. In addition, the proxy learns nothing about the plaintext or the users' private keys during re-encryption, and the data exists only in ciphertext form for the whole time it is stored externally, which protects data security in a complex distributed network environment.
Depending on the direction of re-encryption, proxy re-encryption is divided into unidirectional and bidirectional proxy re-encryption. Unidirectional proxy re-encryption can only convert a ciphertext encrypted under the Delegator's public key into a ciphertext encrypted under the Delegatee's public key, not the reverse; bidirectional proxy re-encryption can also perform the reverse conversion.
Since proxy re-encryption was proposed, more and more encryption methods have been combined with the idea, defining proxy re-encryption schemes under different encryption systems. In the existing proxy re-encryption schemes, the encryption system is the same before and after ciphertext conversion; that is, a ciphertext encrypted under an IBE encryption system is still a ciphertext under the IBE encryption system after proxy re-encryption, which limits the scope of application in some scenarios. Take encrypted storage of user information in a cloud environment as an example: constrained by their own limited storage capacity, users choose to upload data to a cloud server. To protect the data and save storage overhead, the users who hold the distributed data are organized under an IBE encryption system, and each data holder is assigned a unique public/private key pair by the PKG. Before uploading data to the cloud server, a data holder first encrypts it under the public key assigned to them and then sends it to the cloud for storage. Only that user can decrypt the encrypted data, which avoids the danger of a malicious server leaking it.
However, when a data holder wants to share data with multiple users, the existing proxy re-encryption methods impose two restrictions: first, the authorized users must also hold legitimate identities within the same IBE encryption system; second, the delegator must generate a re-encryption key for the identity of each authorized user and send it to the proxy. When the delegatees are organized under a different encryption system, existing proxy re-encryption cannot be carried out. We therefore invent a proxy re-encryption method "across encryption systems" with a wider scope of application and more comprehensive function, which easily converts ciphertexts from an IBE encryption system to an IBBE encryption system through a proxy. In this method the IBE encryption system and the IBBE encryption system exist independently of each other, each with its own system parameters, and the proxy acts as a bridge that connects the two during conversion. Through the re-encryption key, a ciphertext encrypted under a public key in the IBE system is converted into a ciphertext encrypted under a public key in the IBBE system, which realizes cross-system decryption for users.
The IBE and IBBE encryption systems use different public keys; moreover, an IBE ciphertext is encrypted under a single identity, while an IBBE ciphertext is encrypted under an identity set composed of multiple identities, so the two ciphertext formats necessarily differ greatly. How to convert between them successfully is the main problem this invention solves. Based on an existing efficient and compact IBBE encryption scheme, we construct a new IBE encryption system. First, the delegator encrypts the original message under their own public key with the IBE encryption system we designed, so that only the delegator's own private key can decrypt it. The delegator then selects a random number, blinds their own private key with it, and encrypts the random number to the identity set of the authorized users using the system parameters of the IBBE system. A user whose identity is in the authorized user set can decrypt and obtain the random value, and finally recover the plaintext. In addition, the invention is a unidirectional proxy re-encryption method: the delegator cannot collude with the proxy to decrypt the delegatee's ciphertexts, which protects the delegatee's data to the greatest extent.
(3) Summary of the invention:
1. Purpose: an identity-based cross-system proxy re-encryption method
The purpose of the invention is to propose an identity-based cross-system proxy re-encryption method, that is, an identity-based proxy re-encryption method across different encryption systems. The method combines the advantages of existing identity-based encryption and proxy re-encryption, easily converts ciphertexts from the delegator to the delegatees, and protects the plaintext from being maliciously revealed by the proxy during the whole re-encryption process. We also redesign a novel identity-based encryption (IBE) system on the basis of an existing identity-based broadcast encryption (IBBE) scheme; it retains the fast decryption and short ciphertexts of the existing IBBE encryption system while making ciphertext conversion from the IBE system to the IBBE system possible.
2. Technical scheme:
The invention involves five entities: 1) Private Key Generator (PKG): an organization that verifies user identities and computes, generates and distributes user private keys; 2) decryption delegator (Delegator): an individual or organization that encrypts and generates re-encryption keys; 3) re-encryption proxy (Proxy): an individual or organization that converts ciphertexts according to the Re-encryption Key (RK); 4) decryption delegatee (Delegatee): an individual or organization that decrypts; 5) file manager (File Manager): an organization that stores data.
First, we define the user identity ID, which represents a user's identity in the system and is expressed as an arbitrary character string. Second, we define the user identity set S in the IBBE system, the set of user identities that a broadcast encryption addresses; its elements are the identities of users in the IBBE system. Because the algorithms designed in this invention use bilinear maps and collision-resistant hash functions, the definitions and properties of both are explained here.
2.1 Bilinear map
We define a function mapping e(·,·) that maps elements of one group to elements of another group, i.e.:
A bilinear map satisfies the following properties:
1. Bilinearity: $e(g^a, h^b) = e(g, h)^{ab}$ holds;
2. Non-degeneracy: there is at least one element g in the group such that the computed e(g, g) is a generator of the group;
3. Computability: there is an efficient algorithm such that the value of e(u, v) can be computed efficiently for all u and v;
where $Z_p$ denotes the set {0, 1, 2, ..., p-1}.
2.2 Collision-resistant hash function
The hash function used in the invention has two basic properties: one-wayness and collision resistance. One-wayness means that the output can be derived from the input of the hash function, but the input cannot be computed from the output. Collision resistance means that two different inputs that hash to the same result cannot be found. The input of the hash function here is a user identity ID, represented as an arbitrary string; the output is an element mapped into the domain $Z_p$.
2.3 Scheme content
The invention is an identity-based cross-system proxy re-encryption method implemented by six modules in 15 steps in total: the initialization module, data encryption module, private key generation module, re-encryption key generation module, proxy re-encryption module and decryption module. The system architecture of the proxy re-encryption method is shown in Fig. 1; with reference to Fig. 1, the method and the function of each module are described below.
The method proceeds as follows:
Module one: Initialization module
In this module the PKG takes as input the system security parameter λ and the maximum number of users (m-1) that an authorized user set in the IBBE system can contain, and outputs the master keys $MSK_{IBE}$, $MSK_{IBBE}$ and the public keys $PK_{IBE}$, $PK_{IBBE}$. The public keys can be published, while the master key must be kept strictly secret by the PKG and must not be leaked. The module is implemented in the following four steps:
Step 1: The PKG first inputs the system security parameter λ and then runs the algorithm $g(1^{\lambda})$, which outputs two groups of prime order p and a bilinear map operation.
Step 2: Next, the PKG runs the random number generation algorithm and randomly selects a generator g of the group, an element h of the group, and an element α of the domain as a random value;
Step 3: The PKG performs one bilinear pairing operation, two exponentiations and (m-1) multiplications, obtaining the element e(g, h) of the group and (m+1) elements of the group
Step 4: Finally, the PKG selects a collision-resistant hash function H(·) that satisfies all the properties of a collision-resistant hash function; its input can be an arbitrary character string and its output is an element mapped into the domain. The parameters obtained through the above four steps:
can be published as the public key of the IBBE encryption system; the public key of the IBE encryption system differs from the above public key and is:
The master keys of the IBE and IBBE encryption systems are identical:
$MSK_{IBE} = MSK_{IBBE} = (g, \alpha)$
and are kept by the PKG;
The "algorithm $g(1^{\lambda})$" in step 1 runs as follows: the private key generation center (PKG) inputs the system security parameter λ; according to the size of λ, the system selects a corresponding elliptic curve $Y^2 = X^3 + aX + b$ (a and b are coefficients), whose points form two groups of prime order p. A function mapping e is selected that maps elements of one group into the other. The larger the security parameter, the more points on the selected elliptic curve and the larger the groups.
The "random number generation algorithm" in step 2 works as follows: on the elliptic curve $Y^2 = X^3 + aX + b$ selected in step 1, randomly choose a value $x_1$ of the independent variable X and compute the corresponding value $y_1$ of the dependent variable Y; if the point $(x_1, y_1)$ is in the group we want to map into, a random element has been generated. If the point $(x_1, y_1)$ is not in the group, continue choosing values of X until a point in the group is found. In addition, the domain denotes the set {1, 2, ..., p-1}; the random number generation function that selects random elements of the domain can be run by calling a library function from the Pairing-Based Cryptosystems function package. The random number generation algorithms mentioned below all run as described above.
The "bilinear pairing operation" in step 3 works as follows: the inputs are the elements g, h of the group, and the output is the element e(g, h) of the group.
The "collision-resistant hash function H(·)" in step 4 can likewise be run by calling a library function from the Pairing-Based Cryptosystems function package.
Module two: Private key generation module
In this module the PKG distributes private keys to users in the IBE system and the IBBE system respectively. The module takes a user's identity ID in the system and the master key $MSK_{IBE}$ or $MSK_{IBBE}$ as input, generates the corresponding private key $SK_{IBE}$ or $SK_{IBBE}$, and sends the private key to the user for safekeeping. The module is implemented in the following two steps:
Step 5: The PKG runs the collision-resistant hash function H(·) and computes
where $ID_{IBE}$ denotes the identity of a user in the IBE encryption system and $ID_{IBBE}$ denotes the identity of a user in the IBBE encryption system, each represented as an arbitrary character string;
Step 6: The PKG performs one addition, one inversion and one exponentiation, computing the private key of a user in the IBE encryption system according to the following formula:
and the private key of a user in the IBBE encryption system:
Module three: Data encryption module
In this module the delegator (Delegator) in the IBE encryption system takes the public key $PK_{IBE}$, their own identity $ID_{IBE}$ and the message M to be encrypted as input, outputs the ciphertext $CT_{IBE}$, and uploads the ciphertext to the file manager for outsourced storage. The module is implemented in the following two steps:
Step 7: The Delegator runs the collision-resistant hash function H(·) and computes
Step 8: The Delegator runs the random number generation algorithm, randomly selects an element s of the domain as the exponent, and performs two multiplications and three exponentiations according to the following formulas, obtaining:
$C_0 = M \cdot e(g, h)^s$,
The final ciphertext output is $CT_{IBE} = (C_0, C_1)$. It is encrypted under the Delegator's identity $ID_{IBE}$, so only the Delegator's own private key $SK_{IBE}$ can decrypt it;
Module four: Re-encryption key generation module
In this module the delegator (Delegator) in the IBE encryption system computes the re-encryption key $RK_{IBE \to IBBE}$ from the private key $SK_{IBE}$ obtained from the PKG, the identity set S of the authorized users (Delegatees) in the IBBE encryption system and the public key $PK_{IBBE}$ of the IBBE encryption system, and sends the generated re-encryption key to the proxy for use during re-encryption. The module is implemented in the following three steps:
Step 9: The Delegator first runs the random number generation algorithm and randomly selects an element of the group as the blinding factor;
Step 10: For each identity in the identity set S of the authorized users (Delegatees), the Delegator runs the collision-resistant hash function H(·), n times in total, obtaining:
$H(ID_{1IBBE}), H(ID_{2IBBE}), \dots, H(ID_{nIBBE})$
where n denotes the number of identities in the user set;
Step 11: The Delegator runs the random number generation algorithm and randomly selects an element v of the domain as the exponent; a polynomial number of exponentiations and multiplications are performed according to the following formulas, obtaining:
$C_0' = k \cdot e(g, h)^v$,
We denote the result by:
$R = (C_0', C_1')$
With one final multiplication $SK_{IBE} \cdot k$, the delegator generates the re-encryption key:
$RK_{IBE \to IBBE} = (SK_{IBE} \cdot k, R)$
Here the identity set S of the authorized users (Delegatees) is by default known to all users in the set.
Module five: Proxy re-encryption module
After obtaining the re-encryption key generated by the Delegator, the proxy (Proxy) downloads the encrypted data $CT_{IBE}$ uploaded by the delegator from the file manager and, from the re-encryption key $RK_{IBE \to IBBE}$ and the ciphertext $CT_{IBE}$ to be converted, computes the converted ciphertext. The module is implemented by the following step:
Step 12: The Proxy performs one bilinear pairing and one division according to the following formula, obtaining:
The ciphertext after proxy re-encryption is:
$CT_{IBE \to IBBE} = (D_0, C_1, R)$;
Module six: Decryption module
Assume that a delegatee (Delegatee) has identity $ID_{iIBBE}$ in the identity set S of authorized users, with corresponding private key $SK_{iIBBE}$ in the IBBE encryption system. After receiving the private key generated by the PKG and downloading the re-encrypted ciphertext $CT_{IBE \to IBBE}$ from the proxy (Proxy), the Delegatee can use their own private key $SK_{IBBE}$ and the identity set S of authorized users to decrypt and obtain the blinding factor k; one more simple computation then yields the plaintext message M. The module is implemented in the following 3 steps:
Step 13: The Delegatee first runs the collision-resistant hash function H(·) on each identity in the identity set S of authorized users, obtaining:
$H(ID_{1IBBE}), H(ID_{2IBBE}), \dots, H(ID_{nIBBE})$
where n denotes the number of identities in the user set;
Step 14: The Delegatee performs two bilinear pairing operations and a polynomial number of additions and products according to the following formula, obtaining:
A further division yields the blinding factor k:
Step 15: Finally, the Delegatee performs one bilinear pairing and one multiplication according to the following formula, obtaining the final plaintext message M:
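The blinding algebra behind steps 6, 8, 9, 12 and 15, as an added example that is not code from the patent. Group elements are modelled by their exponents (a toy pairing with no security), and the forms of SK_IBE, C1 and D0 are assumptions chosen to match the operation counts the text gives, since the patent's own formulas are not reproduced on this page. The IBBE encapsulation R of k (steps 10, 11, 13 and 14) is not modelled; k is handed to the delegatee directly.

```python
"""Blinding algebra of IBE -> IBBE proxy re-encryption in a toy pairing model.

Every group element is stored as its discrete log mod Q, so pair() is just a
product of exponents. This has no security; it only checks the algebra.
"""
import hashlib
import secrets
from dataclasses import dataclass

Q = 2**127 - 1  # prime order of both toy groups (constructed value)


@dataclass(frozen=True)
class G:  # source-group element g^x
    x: int
    def __mul__(self, o): return G((self.x + o.x) % Q)
    def __pow__(self, n): return G(self.x * n % Q)


@dataclass(frozen=True)
class GT:  # target-group element e(g, g)^x
    x: int
    def __mul__(self, o): return GT((self.x + o.x) % Q)
    def __truediv__(self, o): return GT((self.x - o.x) % Q)
    def __pow__(self, n): return GT(self.x * n % Q)


def pair(a: G, b: G) -> GT:
    """Bilinear map: e(g^a, g^b) = e(g, g)^(ab)."""
    return GT(a.x * b.x % Q)


def rand_exp() -> int:
    return secrets.randbelow(Q - 1) + 1  # uniform in {1, ..., Q-1}


def H(identity: str) -> int:
    """Hash an identity string into Z_Q (SHA-256 is an assumption)."""
    return int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big") % Q


def setup():
    g, h, alpha = G(1), G(rand_exp()), rand_exp()
    pk = {"g": g, "h": h, "g_alpha": g ** alpha, "e_gh": pair(g, h)}
    return pk, alpha  # alpha stays with the PKG


def keygen_ibe(pk, alpha, identity):
    # Assumed form SK = h^(1/(alpha + H(ID))): one addition, one inversion,
    # one exponentiation, as step 6 counts them.
    return pk["h"] ** pow((alpha + H(identity)) % Q, -1, Q)


def encrypt_ibe(pk, identity, m: GT):
    # C0 = M * e(g,h)^s is on the page; C1 = (g^alpha * g^H(ID))^s is assumed.
    s = rand_exp()
    c0 = m * pk["e_gh"] ** s
    c1 = (pk["g_alpha"] * pk["g"] ** H(identity)) ** s
    return c0, c1


def decrypt_ibe(sk: G, ct):
    c0, c1 = ct
    return c0 / pair(c1, sk)  # e(C1, SK) = e(g,h)^s


def rekey_first_component(sk: G):
    # Step 9 and the final multiplication of step 11: pick k, output SK * k.
    # Whoever holds both SK*k and k can divide k out, so k may only travel
    # inside R, the IBBE encryption to the set S (not modelled here).
    k = G(rand_exp())
    return sk * k, k


def proxy_reencrypt(rk1: G, ct):
    # Step 12: one pairing, one division. Assumed D0 = C0 / e(C1, SK*k),
    # which equals M / e(C1, k): the plaintext is still blinded.
    c0, c1 = ct
    return c0 / pair(c1, rk1), c1


def delegatee_decrypt(k: G, ct2):
    # Step 15: one pairing, one multiplication, after k was recovered from R.
    d0, c1 = ct2
    return d0 * pair(c1, k)


def demo():
    pk, alpha = setup()
    sk = keygen_ibe(pk, alpha, "alice@example.org")  # constructed identity
    m = GT(rand_exp())                               # constructed message
    ct = encrypt_ibe(pk, "alice@example.org", m)
    rk1, k = rekey_first_component(sk)
    ct2 = proxy_reencrypt(rk1, ct)
    return {
        "delegator_ok": decrypt_ibe(sk, ct) == m,
        "proxy_sees_plaintext": ct2[0] == m,
        "delegatee_ok": delegatee_decrypt(k, ct2) == m,
        "wrong_k_ok": delegatee_decrypt(G(rand_exp()), ct2) == m,
    }


if __name__ == "__main__":
    print(demo())
```
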
3. Advantages and effects:
The invention provides an identity-based cross-system proxy re-encryption method that can convert ciphertexts when the delegator and the delegatee are under different encryption systems. Its advantages and effects are:
1) Building on an existing identity-based broadcast encryption (IBBE) scheme, the method first constructs an identity-based encryption (IBE) scheme that has small keys and short ciphertexts.
2) The method introduces a re-encryption proxy that converts a ciphertext encrypted under the delegator's public key into a ciphertext encrypted under the delegatee's public key, so that a ciphertext that could only be decrypted with the delegator's private key before re-encryption is converted into one that the delegatee's private key can also decrypt. Sharing encrypted information thus avoids the tedious decrypt-then-re-encrypt steps while preserving the security of the shared information.
3) The biggest advantage and innovation of the method over conventional proxy re-encryption methods is that it connects users under different encryption systems through the idea of proxy re-encryption, making it easy to share encrypted information. Existing proxy re-encryption methods apply only when the delegator and the delegatee are under the same encryption system, which greatly limits the scope of application. The method combines the identity-based encryption and identity-based broadcast encryption methods that are widely used today, and makes cross-system sharing of encrypted files possible through the participation of a proxy.
4) Before proxy re-encryption, the delegator only needs their own private key and the user identity set S under the IBBE encryption system to generate the re-encryption key from the public key information of the IBBE system. The delegator first blinds their own private key and then encrypts the blinding information with the IBBE system, which ensures that only users whose identities are in S can decrypt the blinding information and thereby recover the final plaintext.
5) When the proxy re-encrypts a ciphertext after obtaining the ciphertext under the IBE system and the re-encryption key, it learns nothing about the users' private keys or the plaintext; the method is particularly suitable for environments in which the proxy is not fully trusted.
(4) Description of the drawings:
Fig. 1 is the system architecture diagram of the method.
Fig. 2 is the flow chart of the method.
(5) Specific embodiment
The invention is an identity-based cross-system proxy re-encryption method. As shown in Figs. 1 and 2, the method is implemented by six modules: the initialization module, private key generation module, data encryption module, re-encryption key generation module, proxy re-encryption module and decryption module. The overall flow of the proxy re-encryption method is shown in Fig. 2; with reference to the flow chart, the implementation steps of the method are described below:
Module one: Initialization module
The module is implemented in four steps:
Step 1: The PKG first inputs the system security parameter λ and runs the algorithm $g(1^{\lambda})$, which outputs two groups of prime order p and a bilinear map operation.
Step 2: Next, the PKG runs the random number generation algorithm and randomly selects a generator g of the group, an element h of the group, and an element α of the domain as a random value.
Step 3: The PKG performs one bilinear pairing operation, two exponentiations and (m-1) multiplications, obtaining the element e(g, h) of the group and (m+1) elements of the group
Step 4: Finally, the PKG selects a collision-resistant hash function H(·) that satisfies all the properties of a collision-resistant hash function; its input can be a character string of arbitrary length and its output is an element mapped into the domain.
Through the parameter that aforementioned four step is obtained:
Can be with external disclosure as the public key of IBBE encryption systems;The public key of IBE encryption systems is different from above-mentioned public key, For:
The master key of IBE with IBBE encryption systems is identical, is:
MSKIBE=MSKIBBE=(g, α)
Taken care of by PKG.
Wherein, " algorithm g (1 described in step 1λ) ", its operation method is as follows:Private key generates center (PKG) input System security parameter λ, according to the size of λ, the corresponding elliptic curve of Systematic selection:Y2=X3+ aX+b (a and b are coefficients), then by Point on elliptic curve constitutes the group of two prime number p ranksA kind of Function Mapping e is selected, by groupIn element mapping To groupIn;Security parameter numerical value is bigger, and the point on selected elliptic curve is also more, and group is also bigger.
Wherein, " Generating Random Number " described in step 2, its way are as follows:It is bent according to ellipse selected in step 1 Line:Y2=X3+ aX+b, randomly chooses value x of independent variable X1, calculate value y of correspondence dependent variable Y1;If point (x1,y1) at me Want map group in, then be successfully generated random element.If point (x1,y1) not in group, then continue to select the value of X, until Find the point occurred in group.Additionally, domainSet { 1,2 ..., p-1 } is represented, domain is randomly choosedThe random number of middle element Generating function can call built-in function to run from Pairing-Based Cryptosystems function bags.Hereinafter mention Generating Random Number is all run as stated above.
Wherein, " the operation Bilinear map computing " described in step 3, its way is as follows:The input of independent variable is groupIn Element g, h, are output as groupIn element:e(g,h).
Wherein, impact resistant hash function H () described in step 4 equally can be from Pairing-Based Built-in function is called to run in Cryptosystems function bags.
Module two: Private key generation module
The function of this module is realized in two steps:
Step 5: The PKG runs the collision-resistant hash function H(·) and computes:
where $ID_{IBE}$ denotes the identity of a user in the IBE encryption system and $ID_{IBBE}$ denotes the identity of a user in the IBBE encryption system, each represented by an arbitrary character string.
Step 6: The PKG runs one addition, one inversion and one exponentiation, and computes the private key of a user in the IBE encryption system according to the following formula:
and the private key of a user in the IBBE encryption system:
Module three: Data encryption module
The function of this module is realized in three steps:
Step 7: The Delegator runs the collision-resistant hash function H(·) and computes
Step 8: The Delegator runs the random number generation algorithm, randomly selects an element s of the field as an exponent, and runs two multiplications and three exponentiations according to the following formula, obtaining:
The final ciphertext output is $CT_{IBE} = (C_0, C_1)$. The ciphertext is encrypted under the Delegator's identity $ID_{IBE}$, so only the Delegator's own private key $SK_{IBE}$ can decrypt it.
Module four: Transition key generation module
The function of this module is realized in three steps:
Step 9: The Delegator first runs the random number generation algorithm and randomly selects an element of the group as the blinding factor.
Step 10: For each identity in the identity set S of the authorized users (Delegatees), the Delegator runs the collision-resistant hash function H(·) n times, obtaining:
$H(ID_1^{IBBE}), H(ID_2^{IBBE}), \ldots, H(ID_n^{IBBE})$
where n denotes the number of identities in the user set.
Step 11: The Delegator runs the random number generation algorithm and randomly selects an element v of the field as an exponent; it runs a polynomial number of exponentiations and multiplications according to the following formulas, obtaining:
$C_0' = k \cdot e(g, h)^v$,
We denote the result obtained as:
$R = (C_0', C_1')$
Through a final multiplication $SK_{IBE} \cdot k$, the Delegator then generates the transition key:
$RK_{IBE \to IBBE} = (SK_{IBE} \cdot k, R)$
Here, the identity set S of the authorized users (Delegatees) is by default known to all users in the set.
Module five: Proxy re-encryption module
The function of this module is realized by a one-step computation:
Step 12: The Proxy runs one bilinear pairing and one division according to the following formula, obtaining:
The ciphertext after proxy re-encryption is:
$CT_{IBE \to IBBE} = (D_0, C_1, R)$
Module six: Decryption module
The function of this module is realized in 3 steps:
Step 13: The Delegatee first runs the collision-resistant hash function H(·) once for each identity in the identity set S of the authorized users, obtaining:
$H(ID_1^{IBBE}), H(ID_2^{IBBE}), \ldots, H(ID_n^{IBBE})$
where n denotes the number of identities in the user set.
Step 14: The Delegatee runs two bilinear pairing operations and a polynomial number of additions and product operations according to the following formula, obtaining:
One further division then yields the blinding factor k:
Step 15: Finally, the Delegatee obtains the final plaintext message M through one bilinear pairing and one multiplication according to the following formula:
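The algebra of Steps 5 to 8, 12 and 15 can be checked with a toy model that stores every group element as its discrete logarithm, so that a pairing becomes a multiplication of exponents. The Python sketch below is an added example, not code from the patent, and it is insecure by construction: it only verifies correctness. It assumes g, h and k lie in one symmetric group, assumes Step 12 computes D0 = C0 / e(SK_IBE·k, C1) (the form implied by M = D0·e(k, C1) in Step 15), and skips the IBBE encapsulation of k in Steps 10, 11, 13 and 14.

```python
import hashlib
import secrets
from dataclasses import dataclass

P = 2**127 - 1  # prime group order p (constructed toy parameter)

@dataclass(frozen=True)
class Elem:
    """Group element kept as its discrete log: 'G' to base g, 'GT' to base e(g,g)."""
    grp: str
    x: int
    def __mul__(self, o):
        assert self.grp == o.grp
        return Elem(self.grp, (self.x + o.x) % P)
    def __truediv__(self, o):
        assert self.grp == o.grp
        return Elem(self.grp, (self.x - o.x) % P)
    def __pow__(self, n):
        return Elem(self.grp, self.x * n % P)

def pair(a, b):
    """Bilinear map e: G x G -> GT, e(g^a, g^b) = e(g,g)^(ab)."""
    assert a.grp == b.grp == "G"
    return Elem("GT", a.x * b.x % P)

def rand_exp():
    return secrets.randbelow(P - 1) + 1          # uniform in {1, ..., p-1}

def H(identity):
    """Hash an identity string into {1, ..., p-1} (SHA-256 is an assumption)."""
    digest = hashlib.sha256(identity.encode()).digest()
    return int.from_bytes(digest, "big") % (P - 1) + 1

def setup():
    """Steps 1-4, restricted to the parts of PK_IBE that encryption uses."""
    g, h, alpha = Elem("G", 1), Elem("G", rand_exp()), rand_exp()
    pk = {"e_gh": pair(g, h), "h": h, "h_alpha": h ** alpha}
    return pk, (g, alpha)

def keygen(msk, identity):
    """Steps 5-6: SK = g^(1/(alpha + H(ID)))."""
    g, alpha = msk
    return g ** pow((alpha + H(identity)) % P, -1, P)

def encrypt(pk, identity, M):
    """Steps 7-8: C0 = M*e(g,h)^s, C1 = h^(alpha*s) * h^(H(ID)*s)."""
    s = rand_exp()
    return M * pk["e_gh"] ** s, (pk["h_alpha"] ** s) * (pk["h"] ** (H(identity) * s))

def reencrypt(rk1, ct):
    """Step 12 (assumed form): D0 = C0 / e(SK_IBE*k, C1)."""
    C0, C1 = ct
    return C0 / pair(rk1, C1), C1

def recover(D0, C1, k):
    """Step 15: M = D0 * e(k, C1)."""
    return D0 * pair(k, C1)

def demo():
    pk, msk = setup()
    sk = keygen(msk, "alice@ibe.example")        # constructed identity
    M = Elem("GT", rand_exp())                   # message encoded as a GT element
    C0, C1 = encrypt(pk, "alice@ibe.example", M)
    k = Elem("G", rand_exp())                    # Step 9 blinding factor
    D0, _ = reencrypt(sk * k, (C0, C1))          # the proxy holds only SK_IBE*k
    return {
        "delegator_decrypts": C0 / pair(sk, C1) == M,
        "proxy_output_is_not_M": D0 != M,
        "right_k_recovers_M": recover(D0, C1, k) == M,
        "wrong_k_fails": recover(D0, C1, k * Elem("G", 1)) != M,
    }

if __name__ == "__main__":
    print(demo())
```

Because the proxy's pairing with the blinded key leaves the factor e(k, C1) in D0, the re-encrypted value only opens for a party that has recovered k through the IBBE part of the scheme.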

Claims (5)

1. An identity-based cross-system proxy re-encryption method, the implementation of which is based on the following modules:
Module one: Initialization module
In this module, the private key generation center (PKG) takes as input the system security parameter λ and the upper limit m-1 on the number of users that an authorized user set can contain in the identity-based broadcast encryption (IBBE) system, and outputs the master keys $MSK_{IBE}$, $MSK_{IBBE}$ and the public keys $PK_{IBE}$, $PK_{IBBE}$; the public keys can be made public, whereas the master keys must be kept strictly secret by the PKG and must not be disclosed;
Module two: Private key generation module
In this module, the PKG distributes private keys to the users of the IBE system and of the IBBE system respectively; the module takes as input the identity ID of a user in the system and the master key $MSK_{IBE}$ or $MSK_{IBBE}$, generates the corresponding private key $SK_{IBE}$ or $SK_{IBBE}$, and sends the output private key to the respective system user for safekeeping;
Module three: Data encryption module
In this module, the authorizing party (Delegator) in the IBE encryption system takes as input the public key $PK_{IBE}$, its own identity $ID_{IBE}$ and the message M to be encrypted, outputs the encrypted ciphertext $CT_{IBE}$, and uploads the ciphertext data to the file management party for outsourced storage;
Module four: Transition key generation module
In this module, the authorizing party (Delegator) in the IBE encryption system computes and generates the transition key $RK_{IBE \to IBBE}$ from its own private key $SK_{IBE}$ obtained from the PKG, the identity set S of the authorized users (Delegatees) in the IBBE encryption system, and the public key $PK_{IBBE}$ of the IBBE encryption system, and sends the generated transition key to the proxy re-encryption party for use during re-encryption;
Module five: Proxy re-encryption module
After obtaining the transition key generated by the Delegator, the proxy re-encryption party (Proxy) downloads from the file management party the encrypted data $CT_{IBE}$ uploaded by the authorizing party and, from the transition key $RK_{IBE \to IBBE}$ and the ciphertext $CT_{IBE}$ to be converted, computes the converted ciphertext;
Module six: Decryption module
Suppose the identity of a certain authorized party (Delegatee) in the identity set S of all authorized parties is $ID_i^{IBBE}$, and its corresponding private key in the IBBE encryption system is $SK_i^{IBBE}$; after receiving the private key generated by the PKG and downloading the re-encrypted ciphertext $CT_{IBE \to IBBE}$ from the proxy re-encryption party (Proxy), the Delegatee can, from its own private key information $SK_{IBBE}$ and the identity set S of all authorized parties, decrypt to obtain the blinding factor k, and after one further simple computation obtain the plaintext message M;
characterized in that the steps of the encryption method are as follows:
Step 1: The PKG first inputs the system security parameter λ and then runs the algorithm, which outputs two groups of prime order p and a bilinear map operation
Step 2: The PKG next runs the random number generation algorithm and randomly selects a generator g of the group, an element h of the group, and an element α of the field as a random exponent;
Step 3: The PKG runs one bilinear pairing operation, two exponentiations and (m-1) multiplications, obtaining an element e(g, h) of the group and (m+1) elements of the group
Step 4: The PKG selects a collision-resistant hash function H(·); the function satisfies all the properties of a collision-resistant hash function, its input is an arbitrary character string, and its output is mapped to an element of the field;
The parameters obtained through the above four steps:
$$PK_{IBBE} = \left(g^{\alpha},\ e(g,h),\ h,\ h^{\alpha},\ \ldots,\ h^{\alpha^{m}},\ H(\cdot)\right)$$
can be made public as the public key of the IBBE encryption system; the public key of the IBE encryption system differs from the above public key and is:
$$PK_{IBE} = \left(g^{\alpha},\ e(g,h),\ h,\ h^{\alpha},\ h^{\alpha^{2}},\ H(\cdot)\right)$$
The master keys of the IBE and IBBE encryption systems are identical:
$$MSK_{IBE} = MSK_{IBBE} = (g, \alpha)$$
and are kept by the PKG;
Step 5: The PKG runs the collision-resistant hash function H(·) and computes
$$H(ID_{IBE}),\ H(ID_{IBBE}) \in \mathbb{Z}_p^{*}$$
where $ID_{IBE}$ denotes the identity of a user in the IBE encryption system and $ID_{IBBE}$ denotes the identity of a user in the IBBE encryption system, each represented by an arbitrary character string;
Step 6: The PKG runs one addition, one inversion and one exponentiation, and computes the private key of a user in the IBE encryption system according to the following formula:
$$SK_{IBE} = g^{\frac{1}{\alpha + H(ID_{IBE})}}$$
and the private key of a user in the IBBE encryption system:
$$SK_{IBBE} = g^{\frac{1}{\alpha + H(ID_{IBBE})}}$$
Step 7: The authorizing party (Delegator) runs the collision-resistant hash function H(·) and computes
Step 8: The authorizing party (Delegator) runs the random number generation algorithm, randomly selects an element s of the field as an exponent, and runs two multiplications and three exponentiations according to the following formula, obtaining:
$$C_0 = M \cdot e(g,h)^{s}, \qquad C_1 = h^{\alpha s}\, h^{H(ID)\,s} = h^{s(\alpha + H(ID_{IBE}))}$$
The final ciphertext output is $CT_{IBE} = (C_0, C_1)$; the ciphertext is encrypted under the Delegator's identity $ID_{IBE}$, so only the private key $SK_{IBE}$ of the authorizing party (Delegator) itself can decrypt it;
Step 9: The authorizing party (Delegator) first runs the random number generation algorithm and randomly selects an element of the group as the blinding factor;
Step 10: For each identity in the identity set S of the authorized parties (Delegatees), the authorizing party (Delegator) runs the collision-resistant hash function H(·) n times, obtaining:
$H(ID_1^{IBBE}), H(ID_2^{IBBE}), \ldots, H(ID_n^{IBBE})$
where n denotes the number of identities in the user set;
Step 11: The authorizing party (Delegator) runs the random number generation algorithm and randomly selects an element v of the field as an exponent; it runs a polynomial number of exponentiations and multiplications according to the following formulas, obtaining:
$C_0' = k \cdot e(g, h)^v$,
The result obtained is denoted as:
$R = (C_0', C_1')$
Through a final multiplication $SK_{IBE} \cdot k$, the authorizing party (Delegator) then generates the transition key:
$RK_{IBE \to IBBE} = (SK_{IBE} \cdot k, R)$
Here, the identity set S of the authorized parties (Delegatees) is by default known to all users in the set;
Step 12: The proxy re-encryption party (Proxy) runs one bilinear pairing and one division according to the following formula,
obtaining:
The ciphertext after proxy re-encryption is:
$CT_{IBE \to IBBE} = (D_0, C_1, R)$;
Step 13: The authorized party (Delegatee) first runs the collision-resistant hash function H(·) once for each identity in the identity set S of the authorized users, obtaining:
$H(ID_1^{IBBE}), H(ID_2^{IBBE}), \ldots, H(ID_n^{IBBE})$
where n denotes the number of identities in the user set;
Step 14: The authorized party (Delegatee) runs two bilinear pairing operations and a polynomial number of additions and product operations according to the following formula, obtaining:
$$A = \left( e\!\left(g^{-\alpha v},\ h^{\frac{1}{\alpha}\left(\prod_{j=1,\, j\neq i}^{n}\left(\alpha + H(ID_j^{IBBE})\right) - \prod_{j=1,\, j\neq i}^{n} H(ID_j^{IBBE})\right)}\right) \cdot e\!\left(SK_i^{IBBE},\ C_1'\right) \right)^{\frac{1}{\prod_{j=1,\, j\neq i}^{n} H(ID_j^{IBBE})}}$$
$$= \left( e(g,h)^{-v\left(\prod_{j=1,\, j\neq i}^{n}\left(\alpha + H(ID_j^{IBBE})\right) - \prod_{j=1,\, j\neq i}^{n} H(ID_j^{IBBE})\right)} \cdot e\!\left(g^{\frac{1}{\alpha + H(ID_i^{IBBE})}},\ h^{v \prod_{j=1}^{n}\left(\alpha + H(ID_j^{IBBE})\right)}\right) \right)^{\frac{1}{\prod_{j=1,\, j\neq i}^{n} H(ID_j^{IBBE})}} = e(g,h)^{v}$$
One further division then yields the blinding factor k:
$$k = \frac{C_0'}{A} = \frac{k \cdot e(g,h)^{v}}{e(g,h)^{v}};$$
Step 15: Finally, the authorized party (Delegatee) obtains the final plaintext message M through one bilinear pairing and one multiplication according to the following formula:
$$M = D_0 \cdot e(k, C_1) = \frac{M}{e\!\left(k,\ h^{s(\alpha + H(ID_{IBE}))}\right)} \cdot e\!\left(k,\ h^{s(\alpha + H(ID_{IBE}))}\right).$$
2. The identity-based cross-system proxy re-encryption method according to claim 1, characterized in that: the "algorithm" described in step 1 operates as follows: the private key generation center (PKG) inputs the system security parameter λ; according to the size of λ, the system selects a corresponding elliptic curve $Y^2 = X^3 + aX + b$, where a and b are coefficients, and the points on the elliptic curve form two groups of prime order p. A function mapping e is selected that maps elements of the group to the group; the larger the value of the security parameter, the more points there are on the selected elliptic curve and the larger the group.
3. The identity-based cross-system proxy re-encryption method according to claim 2, characterized in that: for the elliptic curve $Y^2 = X^3 + aX + b$ selected in step 1, a value $x_1$ of the independent variable X is chosen at random and the corresponding value $y_1$ of the dependent variable Y is computed; if the point $(x_1, y_1)$ lies in the group to be mapped to, a random element has been generated successfully; if the point $(x_1, y_1)$ is not in the group, values of X continue to be chosen until a point in the group is found. In addition, the field denotes the set {1, 2, ..., p-1}, and the random number generation function that randomly selects an element of the field can be run by calling a library function from the Pairing-Based Cryptosystems function package.
4. The identity-based cross-system proxy re-encryption method according to claim 1, characterized in that: "running the bilinear pairing operation" described in step 3 works as follows: the inputs are the elements g, h of the group, and the output is the element e(g, h) of the group.
5. The identity-based cross-system proxy re-encryption method according to claim 1, characterized in that: the "collision-resistant hash function H(·)" described in step 4 can likewise be run by calling a library function from the Pairing-Based Cryptosystems function package.
CN201410280293.3A 2014-06-20 2014-06-20 A kind of cross-system of identity-based acts on behalf of re-encryption method Active CN104038341B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410280293.3A CN104038341B (en) 2014-06-20 2014-06-20 A kind of cross-system of identity-based acts on behalf of re-encryption method

Publications (2)

Publication Number Publication Date
CN104038341A CN104038341A (en) 2014-09-10
CN104038341B true CN104038341B (en) 2017-04-05

Family

ID=51468938

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant