Summary of the invention
To overcome the poor unsigncryption fairness of existing multi-receiver signcryption methods, the present invention provides a multi-receiver signcryption method based on multivariate cryptography with multiple security attributes. The method comprises the algorithm KeyGen, which generates the system parameters and each user's key pair, the signcryption algorithm Signcrypt and the unsigncryption algorithm Designcrypt. The signcryption algorithm is based on a finite field F of characteristic q. The system has N+τ participants in total, comprising N signcrypters and τ unsigncrypters (N ≥ t); the set of signcrypters and the set of unsigncrypters are disjoint. The method selects a leader L from among the actual signcrypters, and each actual signcrypter signcrypts the message with its own key. To hide the identities of the actual signcrypters, the leader L computes interference data: L computes these data for each non-actual signcrypter without knowing the keys of the non-actual signcrypters. The interference data are mixed with the real data of the actual signcrypters, so that a receiver cannot determine the identities of the actual signcrypters. The invention uses a threshold technique to guarantee sender anonymity; the list of receiver identities is no longer given directly in the communicated data, which guarantees receiver anonymity and the advance-judgment property; and the key information for unsigncryption is fused with the authorized receivers' information into one parameter list, which guarantees unsigncryption fairness.
The technical solution adopted by the present invention to solve the technical problem is a multi-receiver signcryption method based on multivariate cryptography with multiple security attributes, characterized by the following steps:
Step 1: The KeyGen algorithm produces user i's public key pk_i and private key sk_i, where i=1,…,N. The system selects a leader L from the group formed by the t actual signcrypters and divides the whole plaintext message M into t blocks. Select one Com function and five hash functions. Com: F^n||F^m → F^o, n>m, where || is the concatenation symbol; the Com function is statistically hiding and computationally binding, and o=128 is selected. H_0: {0,1}^* → {0,1}^l, H_1: {0,1}^* → {0,1,2,3}^k, H_2: {0,1}^{l+m} → Z_q^*, H_3: Z_q^* → Z_q^*, H_4: Z_q^* → {0,1}^{n+M/t}. The system parameters are params=(H_0,H_1,H_2,H_3,H_4,q,Com). The detailed procedure of the function is as follows.
The statistical hiding property of the Com function means that different input parameters give different outputs after the Com computation, and that the results are indistinguishable to the receiver. The computational binding property of the Com function means that once the output has been computed from the input data, the sender cannot deny the value of the input data.
The sender determines the length of the input of the Com function. The input of the Com function has length n+m and consists of two parameters: the first is an n-dimensional vector over the finite field F and the second is an m-dimensional vector over F. Denote the input by X. Let ω be the security parameter of the Com function and define φ = 2ω + 2(n+m) + 4. Select a collision-resistant hash function h_5: {0,1}^φ → {0,1}^ω, and let H_6: {0,1}^φ → {0,1}^{n+m} be a known family of collision-resistant functions. The output of Com has two parts, denoted c and d. The sender sends c and d to the receiver. h_5 is a public hash function.
a) The sender randomly selects r ∈ {0,1}^φ and computes y = h_5(r).
b) The sender selects from the hash function family H_6 an h_6 ∈ H_6 that satisfies h_6(r) = X.
c) The output of Com is c = (h_6, y), d = r.
The receiver verifies y = h_5(r) and h_6(r) = X. Because h_6 and h_5 are both collision-resistant functions, there is no r' that satisfies h_6(r') = X and y = h_5(r'). The sender cannot deny X.
User i selects a system of transformation equations F_i and, at the same time, two invertible affine transformations Γ_i ∈ F^n and △_i ∈ F^m. User i is required to select a random vector s_i ∈ F^n. User i's private key is  , which must satisfy  , and  must contain no constant term. The specific method is as follows.
To ensure  and that the equations contain no constant term (this algorithm assumes by default that the monomial coefficients in  are 1):
a) In user i's vector s_i=(s_{1i},s_{2i},…,s_{ni}), the system searches from right to left for the first component that is not 0 and assigns the index of that component to the variable x. The system randomly chooses for user i a system of polynomial equations  with n variables and m equations; the system of equations has no constant term. Compute  . At this point the value of  is not necessarily 0, so the coefficients of the equations in the system  must be changed according to process b) until every component of  equals 0.
b) Select the equations f_j, j=1,…,m, from the system of equations in turn. Select the j-th component  of  . If the value of  is not 0, modify f_j according to the following formula until the value of  is 0. In the following formula,  denotes the coefficient of the x-th single-variable term in equation f_j, and s_x is the component of s_i=(s_{1i},s_{2i},…,s_{ni}) with index x:
After the value of  has become 0, select the next equation and change its coefficients using the method of formula (4). Stop once all equations in the system meet the requirement.
In this way, s_i=0 is enough to satisfy  , which makes it convenient for the leader L to simulate the operations of the non-actual signcrypters. User i's public key has two parts. The first part is  , where ο is the composition symbol for mappings; the second part is z_i=P_i(s_i). User i's public key is (P_i,z_i).
Step 2: The signcryption process Signcrypt, divided into six steps.
step1: Compute the commitment values of the signcrypters.
The actual signcrypter i selects k parameter tuples (r_i,t_j,e_m), where i=0,1, j=0,1, m=0,1. The tuples all take different values and satisfy s_i=r_0^{(j)}+r_1^{(j)}, r_0^{(j)}=t_1^{(j)}+t_0^{(j)},  , as follows.
Each actual signcrypter computes commitment values using the k parameter tuples; the commitment values obtained with the i-th parameter tuple are  and  , computed as follows:
Signcrypter i selects γ_i={0,1}^n and then computes on the message block M_i, obtaining  . Finally signcrypter i sends  to L.
step2: Leader L computes the master commitment and the challenge.
Leader L receives the commitment values of the other t−1 signcrypters. Leader L computes its own commitment values and, on the principle of  , simulates commitment values for the N−t non-actual signcrypters. After collecting the commitments of every signcrypting user, leader L computes the master commitment. Because all signcrypting users share the same challenge, leader L must, for each challenge component, gather together the commitment values at the corresponding position from all signcrypting users. Likewise, the responses  are gathered together according to the components of the challenge. Φ_j, Ψ_j and Λ_j are obtained by grouping together the j-th group of commitment values of all signcrypting users. That is, the  in all signcrypting users'  are gathered together to give Φ_1, the  are gathered together to give Φ_2, and so on, until the  of all signcrypting users are gathered together to give Λ_k. γ is the result of gathering the message blocks  of all signcrypting users. θ_{i,j} is the j-th component of signcrypting user i's θ_i, i.e. signcrypting user i's  ;  is the j-th component of signcrypting user i's  , i.e. signcrypting user i's  ; π_{i,j} is the j-th component of signcrypting user i's π_i, i.e. signcrypting user i's  , where j=1,…,k and i=1,…,N.
Φ_j=H_0(θ_{1,j}||...||θ_{N,j})
Λ_j=H_0(π_{1,j}||...||π_{N,j})
The master commitment of all senders
Leader L uses H_1 to hash the received commitment  and γ, obtaining the challenge vector  , i.e.  is a vector in a k-dimensional space.
Leader L sends  to the remaining t−1 signcrypters.
step3: The signcrypters compute their responses.
The response of signcrypter i is ζ_i. The j-th component ζ_{i,j} of ζ_i, 1≤j≤k, is computed from the j-th component  of the challenge  . According to the value of  , when the j-th component  of  is 0, 1 or 2, signcrypting user i uses its own j-th parameter tuple to construct the response component  . The computation is as follows:
If  , ζ_{i,j}=(r_0^{(j)},t_1^{(j)},e_1^{(j)})
If  , ζ_{i,j}=(r_1^{(j)},t_1^{(j)},e_1^{(j)})
If  , ζ_{i,j}=(r_1^{(j)},t_0^{(j)},e_0^{(j)})
When  is 3, the computation of that group's response is skipped. Finally signcrypter i sends ζ_i=(ζ_{i,1},ζ_{i,2},…,ζ_{i,k}) to leader L. Here ζ_i has k components, which is the case when the challenge contains no element equal to 3, because when  equals 3 the computation of that response component must be skipped. If  contains x components with value 3, then ζ_i has k−x components. In the present invention ζ_i is assumed by default to have k components.
step4: L computes the master response and designates the receivers.
Leader L computes its own response and collects the responses sent by the other t−1 signers. It simulates the responses of the N−t non-actual signcrypting users. Leader L computes the master response  .  is the j-th component of  and is computed from the j-th component  of the challenge.
If
If
If
If  , the corresponding response is not computed.
Suppose there are τ receivers. For receiver i, L randomly selects Q_i∈F^m, 1≤i≤τ, and computes as follows:
R_i=H_3(S_i)
Here S_i and R_i are computed for each authorized receiver; only by means of S_i and R_i can a receiver determine whether it is authorized. Leader L gathers together the identity information of the senders and receivers, denoted U.
step5: The actual signcrypters compute the ciphertext and the receivers' identity information.
Each actual signcrypter i, i=1,…,t, selects a secret parameter u_i∈Z_q^*, which is used to encrypt the message; only authorized receivers can obtain this secret parameter. Actual signcrypter i encrypts the message with u_i as follows:
W_i=H_4(u_i)⊕(γ_i||M_i)
So that only authorized receivers can obtain the secret parameter, actual signcrypter i hides the information of all authorized unsigncrypting users together with the secret parameter in the following way.
Actual signcrypter i obtains the parameter list η_i=(ι_1^{(i)},…,ι_τ^{(i)}) and sends (W_i,η_i) to leader L.
step6: Leader L gathers the signcryption information of all signcrypting users and sends it to the verifier.
Leader L merges all the signcrypted messages it has collected and finally obtains the message ciphertext C, where:
W=(W_1,…,W_t)
R=(R_1,…,R_τ)
C=(R,U,η_1,…,η_t,W)
Step 3: The unsigncryption process using the Designcrypt algorithm, divided into two steps.
step1: Verify the legitimacy of the receiver.
After receiving the ciphertext C, receiver V obtains, according to the challenge components  , j=1,…,k, N groups of commitment values  and  , i=1,…,N. The computation falls into three cases:
When the j-th component  of the challenge has the value 0, V can obtain from the j-th component  of the master response  only the N groups of parameters r_0^{(i)}, t_1^{(i)}, e_1^{(i)}. The master response  contains k components, and each component  contains the responses of the N senders. Receiver V uses the i-th group of data r_0^{(i)}, t_1^{(i)}, e_1^{(i)} to compute signcrypting user i's commitment values  and  as follows:
V collates the responses of all signcrypting users. Ψ'_j is the result computed from all  according to  . Λ'_j is the result computed from all  according to  .
When  has the value 1, V can obtain from  only the N groups of parameters r_1^{(i)}, t_1^{(i)}, e_1^{(i)}. V uses signcrypting user i's data r_1^{(i)}, t_1^{(i)}, e_1^{(i)} to compute signcrypting user i's commitment values  and  as follows:
V collates the responses of all signcrypting users. Φ'_j is the result computed from all  according to  . Λ'_j is the result computed from all  according to  .
When  has the value 2, V can obtain from  only the N groups of parameters r_1^{(i)}, t_0^{(i)}, e_0^{(i)}. V uses signcrypting user i's data r_1^{(i)}, t_0^{(i)}, e_0^{(i)} to compute signcrypting user i's commitment values  and  . The computation is as follows:
V collates the responses of all signcrypting users. Φ'_j is the result computed from all  according to  . Ψ'_j is the result computed from all  according to  .
When  has the value 3, the receiver stops verifying  and examines the value of the next component  , continuing to verify only when it finds a  whose value is not 3. It obtains the master commitment
V verifies whether it is an authorized receiver; below, i denotes a sender and j denotes a receiver:
V checks whether the equation R_j=H_3(S'_j) holds. If it holds, V is one of the authorized receivers; otherwise V gives up unsigncryption.
step2: Verify the correctness of the message and obtain the message.
For actual signcrypter i, 1≤i≤t, the authorized receiver V uses the following equation:
f(x)=ι_1^{(i)}+ι_2^{(i)}x+…+ι_τ^{(i)}x^{τ-1}+x^τ
to obtain actual signcrypter i's secret parameter f(S'_j)=u'_i, whereas an unauthorized receiver cannot obtain the correct S'_j and therefore cannot obtain the secret parameter for decryption. V computes:
(γ'_i||M'_i)=H_4(u'_i)⊕W_i
and obtains the plaintext M'_i signcrypted by signcrypting user i, but at this point cannot yet verify whether the message is correct. V computes  and verifies whether  holds. If it holds, V accepts the ciphertext message, and the plaintext message is M=M'_1||M'_2||…||M'_t. Otherwise V rejects the ciphertext.
The beneficial effects of the present invention are as follows. The method comprises the algorithm KeyGen, which generates the system parameters and each user's key pair, the signcryption algorithm Signcrypt and the unsigncryption algorithm Designcrypt. The signcryption algorithm is based on a finite field F of characteristic q. The system has N+τ participants in total, comprising N signcrypters and τ unsigncrypters (N ≥ t); the set of signcrypters and the set of unsigncrypters are disjoint. The method selects a leader L from among the actual signcrypters, and each actual signcrypter signcrypts the message with its own key. To hide the identities of the actual signcrypters, the leader L computes interference data: L computes these data for each non-actual signcrypter without knowing the keys of the non-actual signcrypters. The interference data are mixed with the real data of the actual signcrypters, so that a receiver cannot determine the identities of the actual signcrypters. The invention uses a threshold technique to guarantee sender anonymity; the list of receiver identities is no longer given directly in the communicated data, which guarantees receiver anonymity and the advance-judgment property; and the key information for unsigncryption is fused with the authorized receivers' information into one parameter list, which guarantees unsigncryption fairness.
The present invention is described in detail below with reference to the accompanying drawings and the specific embodiment.
Embodiment
Referring to Figs. 1-2, the specific steps of the multi-receiver signcryption method of the present invention, based on multivariate cryptography with multiple security attributes, are as follows:
Definitions of terms:
pk_i: user i's public key, where i is a positive integer;
sk_i: user i's private key;
l: a positive integer;
F: the finite field of order 2;
G: the polar form of the multivariate equation P;
F^n: the n-dimensional vector space over the finite field F;
F^m: the m-dimensional vector space over the finite field F;
u: an n-dimensional vector over the finite field F;
v: an n-dimensional vector over the finite field F;
w: an n-dimensional vector over the finite field F;
L: the leader selected from among the actual signcrypters;
V: the receiver;
Params: the public system parameters;
*: denotes arbitrary length;
ο: the composition operator between mappings;
mod: the modulo operator;
||: the concatenation operator;
⊕: the bitwise exclusive-or (XOR) operator;
Z_q^*: vectors of arbitrary length over the finite field of order q;
q: a positive integer, the order of the finite field, meaning that the finite field contains only q elements;
t: a positive integer, the number of actual signcrypters;
N: the number of signcrypters, including the actual signcrypters and the non-actual signcrypters;
τ: a positive integer, the number of authorized receivers;
M: the plaintext message;
M_i: the message block signcrypted by the i-th signcrypter;
Com: the commitment function;
ω: the security parameter of the Com function;
φ: the length of the input of the Com function;
X: the input of the Com function;
r: a binary vector of length φ;
y: a binary vector of length ω;
h_5: a collision-resistant hash function that maps a binary string of length φ to a binary string of length ω;
H_6: a family of collision-resistant hash functions that map a binary string of length φ to a binary string of length m+n;
h_6: one hash function in H_6;
c: one part of the output of the Com function, c=(h_6,y);
d: one part of the output of the Com function, d=r;
r': a binary vector of length φ;
Γ_i: the invertible affine transformation F^n→F^n selected by user i, used to hide the structure of the central map;
△_i: the invertible affine transformation F^m→F^m selected by user i, used to hide the structure of the central map;
The central map F^n→F^m selected by user i;
P_i: one part of user i's public key;
z_i: the result of user i applying its own public key to s_i, i.e. z_i=P_i(s_i);
H_0: a one-way hash function that maps a binary string of arbitrary length to a binary string of length l;
H_1: a one-way hash function that maps a binary string of arbitrary length to a string of length k whose elements are 0, 1, 2, 3;
H_2: a one-way hash function that maps a binary string of length l+m to a hash value of arbitrary length over the finite field of order q;
H_3: a one-way hash function that maps a string of arbitrary length over the finite field of order q to a hash value of arbitrary length over the finite field of order q;
H_4: a one-way hash function that maps a string of arbitrary length over the finite field of order q to a binary string of length |n+M/t|;
s_i: one part of user i's private key, an n-dimensional vector over the finite field F;
x: the index of the first nonzero component of s_i=(s_{1i},s_{2i},…,s_{ni}), counting from right to left;
f_j: the j-th equation in user i's system of equations  , where j is a positive integer;
Denotes the coefficient of the x-th single-variable term in equation f_j;
s_x: the component of s_i=(s_{1i},s_{2i},…,s_{ni}) with index x;
The j-th component of user i's  ;
k: the number of parameter tuples of each signcrypter; it must satisfy
An n-dimensional vector in the i-th parameter tuple; the vector is over the finite field F;
An n-dimensional vector in the i-th parameter tuple; the vector is over the finite field F;
An m-dimensional vector in the i-th parameter tuple; the vector is over the finite field F;
An n-dimensional vector in the i-th parameter tuple; the vector is over the finite field F;
An n-dimensional vector in the i-th parameter tuple; the vector is over the finite field F;
An m-dimensional vector in the i-th parameter tuple; the vector is over the finite field F;
γ_i: the binary string of length n selected by signcrypting user i;
The commitment value obtained when using  in the i-th parameter tuple;
The commitment value obtained when using  in the i-th parameter tuple;
The commitment value obtained when using  in the i-th parameter tuple;
The binary vector of length l that actual signcrypter i computes from the parameter γ_i and the message block M_i;
θ_i: the set of the components  in each group of commitments of signcrypting user i;
The set of the components  in each group of commitments of signcrypting user i;
π_i: the set of the components  in each group of commitments of signcrypting user i;
θ_{i,j}: the j-th component of signcrypting user i's θ_i, i.e. i's
The j-th component of signcrypting user i's  , i.e. i's
π_{i,j}: the j-th component of signcrypting user i's π_i, i.e. i's
Φ_i: the value obtained by using H_0 to hash the i-th  of all signcrypting users;
Ψ_i: the value obtained by using H_0 to hash the i-th  of all signcrypting users;
Λ_i: the value obtained by using H_0 to hash the i-th  of all signcrypting users;
γ: the value obtained by using H_0 to hash the  of all actual signcrypters;
The master commitment value obtained after computing with H_0; a binary vector of length l;
The challenge obtained after computing with H_1; a k-dimensional vector whose elements are 0, 1, 2, 3;
The value of the i-th element of the challenge vector  ;
ζ_i: the response of signcrypting user i;
ζ_{i,j}: the j-th component of signcrypting user i's response;
The set of the j-th group of responses of all signcrypting users;
The master response, the set of the k  ;
Q_i: an m-dimensional vector over the finite field F randomly selected for receiver i;
The value obtained after encrypting Q_i;
S_i: the value computed with H_2 from the master commitment  and the parameter Q_i;
R_i: the value computed with H_3 from S_i;
U: the set combining the parameters;
u_i: the secret parameter selected by actual signcrypter i, a string of arbitrary length over the finite field F;
W_i: the message block obtained after actual signcrypter i encrypts message M_i;
W: the set of all W_i;
f(x): a polynomial function in the variable x;
ι_j^{(i)}: a parameter of f(x) computed by actual signcrypter i; it contains the authorized receivers' identity information, and a receiver can use this parameter to obtain the secret parameter for decryption;
η_i: the set of actual signcrypter i's ι_j^{(i)};
C: the message ciphertext;
The master commitment value computed by the receiver;
Γ^{-1}: the inverse of the map Γ;
△^{-1}: the inverse of the map △;
Q'_j: the vector of size m that the verifier obtains after decrypting  ;
S'_j: the value containing receiver information that the verifier obtains;
γ'_i: a binary string of length n;
The commitment value obtained when the receiver uses  ;
The commitment value obtained when the receiver uses  ;
The commitment value obtained when the receiver uses  ;
A binary vector of length l;
Φ'_i: the value the receiver obtains by using H_0 to hash the i-th  of all signcrypting users;
Ψ'_i: the value the receiver obtains by using H_0 to hash the i-th  of all signcrypting users;
Λ'_i: the value the receiver obtains by using H_0 to hash the i-th  of all signcrypting users;
γ': the value the receiver obtains by using H_0 to hash the  of all actual signcrypters;
u'_i: the secret parameter of actual signcrypter i that the receiver obtains;
M'_i: the plaintext block computed by the receiver; this plaintext block was encrypted by actual signcrypter i.
This embodiment proposes a multi-receiver signcryption method, based on a multivariate cryptosystem, that is suitable for low-end devices, in order to address the privacy and security problems of existing multi-receiver signcryption schemes. The embodiment provides sender anonymity, receiver anonymity, the advance-judgment property and unsigncryption fairness. The main techniques used are the polar form of multivariate equations, zero-knowledge proofs and a threshold technique.
After receiving a ciphertext, a receiver first determines whether the message source is legitimate and whether it is itself an authorized receiver; only an authorized receiver can decrypt the message with its own private key. As shown in Fig. 2,  is used to verify the legitimacy of the message source, and R+Q is used to determine whether the receiver is legitimate. ι_1,…,ι_τ is key information that only an authorized receiver can decrypt; after obtaining the key information, the receiver can unsigncrypt the message and verify its correctness by means of W+γ. This shows the main information that a ciphertext contains in this signcryption scheme. Once any part of the ciphertext is wrong, the whole ciphertext is destroyed.
To determine the legitimacy of the message source, this embodiment uses a zero-knowledge proof technique. The zero-knowledge proof process has three parts: commitment, challenge and response. A zero-knowledge proof involves two parties, a sender and a receiver. The sender first gives the receiver a commitment value; the receiver then gives the sender a challenge; the sender sends the receiver a response according to the challenge; and finally the receiver verifies the relation between this response and the commitment value. If a certain specific relation holds, the receiver has verified that the message comes from the sender; otherwise the message source is considered unreliable.
The computations in this embodiment use the polar form of a multivariate equation, and the polar form is bilinear. The relation between a multivariate equation P: F^n→F^m (where m and n are positive integers, F^n is the n-dimensional vector space over the finite field F, F^m is the m-dimensional vector space over the finite field F, and m<n) and its polar form G is given by formula (1). The bilinearity of G is given by formula (2), where u, v and w are vectors over the finite field F of dimension n, i.e. u, v, w ∈ F^n. The outputs of G and P are m-dimensional vectors over the finite field F.
G(u,v)=P(u+v)-P(u)-P(v) (1)
G(u+v,w)=G(u,w)+G(v,w) (2)
This embodiment comprises three algorithms: KeyGen, Signcrypt and Designcrypt. KeyGen is the algorithm that generates the system parameters and each user's key pair, Signcrypt is the signcryption algorithm, and Designcrypt is the unsigncryption algorithm. The signcryption system is based on a finite field F of characteristic q (where q=2). The system has N+τ participants in total, comprising N signcrypters (made up of t actual signcrypters and N−t non-actual signcrypters) and τ unsigncrypters (N ≥ t); the set of signcrypters and the set of unsigncrypters are disjoint. The scheme selects a leader L from among the actual signcrypters, and each actual signcrypter signcrypts the message with its own key. To hide the identities of the actual signcrypters, L computes interference data: L computes these data for each non-actual signcrypter without knowing the keys of the non-actual signcrypters. The interference data are mixed with the real data of the actual signcrypters, so that a receiver cannot determine the identities of the actual signcrypters. We call the process in which L computes the interference data "L simulating data for the non-actual signcrypters". A threshold technique is used here.
In this embodiment, suppose that a user's public key contains a multivariate equation P and the private key contains a vector s ∈ F^n. Split s into two parts r_0 ∈ F^n and r_1 ∈ F^n, i.e. s=r_0+r_1. By formula (1), P(r_0+r_1)=P(r_0)+P(r_1)+G(r_0,r_1). To prevent s from becoming known to other users, the user must not reveal r_0 and r_1 at the same time. Split r_0 into two parts t_0 ∈ F^n and t_1 ∈ F^n; by the bilinearity of the polar form, G(r_0,r_1)=G(t_0,r_1)+G(t_1,r_1). Define e_1 ∈ F^m and e_0=P(r_0)-e_1 (e_0 ∈ F^m), so that P(s)=G(t_0,r_1)+e_0+P(r_1)+G(t_1,r_1)+e_1. This equation can be viewed as two parts, G(t_0,r_1)+e_0 and P(r_1)+G(t_1,r_1)+e_1. The parameters thus fall into two groups, (t_0,r_1,e_0) and (t_1,r_1,e_1), and the complete s cannot be obtained from either group.
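The split described above, together with the three response triples listed in step3 of Signcrypt, can be checked numerically. The following Python sketch is an added example, not code from the patent: it builds a random constant-free quadratic system over GF(2), verifies formulas (1) and (2) and the two-part decomposition of P(s), and shows what a verifier can recompute from each response triple. The sizes n=8 and m=6, the seed and all function names are assumptions.

```python
import random

def vadd(u, v):
    """Add two vectors over GF(2); subtraction is the same operation."""
    return [a ^ b for a, b in zip(u, v)]

def rand_vec(k, rng):
    return [rng.randrange(2) for _ in range(k)]

def random_system(n, m, rng, constant=0):
    """m quadratic polynomials in n variables over GF(2), each stored as
    (A, b, c): upper-triangular quadratic part, linear part, constant term.
    The scheme requires c = 0; constant=1 is only used to show why."""
    return [([[rng.randrange(2) if j >= i else 0 for j in range(n)]
              for i in range(n)], rand_vec(n, rng), constant)
            for _ in range(m)]

def P(system, x):
    """Evaluate the multivariate map P: F^n -> F^m."""
    out = []
    for A, b, c in system:
        acc = c
        for i, xi in enumerate(x):
            if xi:
                acc ^= b[i]
                for j in range(i, len(x)):
                    acc ^= A[i][j] & x[j]
        out.append(acc)
    return out

def G(system, u, v):
    """Polar form, formula (1): G(u, v) = P(u+v) - P(u) - P(v)."""
    return vadd(vadd(P(system, vadd(u, v)), P(system, u)), P(system, v))

def split_secret(system, s, rng):
    """One parameter tuple: s = r0 + r1, r0 = t0 + t1, e0 = P(r0) - e1."""
    r0 = rand_vec(len(s), rng)
    t0 = rand_vec(len(s), rng)
    e1 = rand_vec(len(system), rng)
    return {"r0": r0, "r1": vadd(s, r0), "t0": t0, "t1": vadd(r0, t0),
            "e0": vadd(P(system, r0), e1), "e1": e1}

def response(ch, p):
    """Response triple for challenge component ch (3 means 'skip')."""
    table = {0: ("r0", "t1", "e1"), 1: ("r1", "t1", "e1"), 2: ("r1", "t0", "e0")}
    return tuple(p[k] for k in table[ch]) if ch in table else None

def masked_half(system, z, ch, resp):
    """Recompute G(t0, r1) + e0 from a ch=1 or ch=2 triple and public z = P(s)."""
    r1, t, e = resp
    if ch == 1:   # (r1, t1, e1): z - P(r1) - G(t1, r1) - e1
        return vadd(z, vadd(vadd(P(system, r1), G(system, t, r1)), e))
    if ch == 2:   # (r1, t0, e0): computed directly
        return vadd(G(system, t, r1), e)
    raise ValueError("only defined for challenge values 1 and 2")

def other_share(system, resp0):
    """From a ch=0 triple (r0, t1, e1) recover (t0, e0); r1 stays hidden."""
    r0, t1, e1 = resp0
    return vadd(r0, t1), vadd(P(system, r0), e1)

def run_checks(seed=2024, n=8, m=6):
    """Constructed sample data: random system, secret s and one parameter tuple."""
    rng = random.Random(seed)
    system = random_system(n, m, rng)
    s = rand_vec(n, rng)
    z = P(system, s)                       # public value z = P(s)
    p = split_secret(system, s, rng)
    u, v, w = (rand_vec(n, rng) for _ in range(3))
    bad = random_system(n, m, rng, constant=1)
    return {
        "zero_maps_to_zero": P(system, [0] * n) == [0] * m,
        "bilinear": G(system, vadd(u, v), w)
                    == vadd(G(system, u, w), G(system, v, w)),
        "decomposition": z == vadd(
            vadd(G(system, p["t0"], p["r1"]), p["e0"]),
            vadd(vadd(P(system, p["r1"]), G(system, p["t1"], p["r1"])), p["e1"])),
        "ch1_equals_ch2": masked_half(system, z, 1, response(1, p))
                          == masked_half(system, z, 2, response(2, p)),
        "ch0_recovers_t0_e0": other_share(system, response(0, p))
                              == (p["t0"], p["e0"]),
        "constant_breaks_bilinearity":
            G(bad, vadd(u, v), w) != vadd(G(bad, u, w), G(bad, v, w)),
    }

if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{name}: {ok}")
```

No single triple contains both r_0 and r_1, so none of them reveals s; the last check shows that a nonzero constant term makes G fail formula (2), which is why the key-generation step removes constant terms.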
KeyGen: Produce the public key pk_i and private key sk_i of user i (i=1,…,N). The system selects a leader L from the group formed by the t actual signcrypters and divides the whole plaintext message M into t blocks. Select one Com function and five hash functions: Com: F^n||F^m → F^o (n>m; || is the concatenation symbol; the Com function is statistically hiding and computationally binding; the computation of the function is given in Algorithm 1; o=128 is typically chosen), H_0: {0,1}^* → {0,1}^l, H_1: {0,1}^* → {0,1,2,3}^k, H_2: {0,1}^{l+m} → Z_q^*, H_3: Z_q^* → Z_q^*, H_4: Z_q^* → {0,1}^{n+M/t}. The system parameters are params=(H_0,H_1,H_2,H_3,H_4,q,Com).
This embodiment uses the multivariate central-map structure of the multivariate public-key cryptosystem HFE (Hidden Field Equations). Its central map F is a system of multivariate polynomials F^n→F^m (m<n), with the structure shown in formula (3). User i selects a system of transformation equations  and, at the same time, two invertible affine transformations Γ_i ∈ F^n and △_i ∈ F^m. In the scheme of this embodiment, user i is required to select a random vector s_i ∈ F^n. User i's private key is  , which must satisfy  , and  must contain no constant term (Algorithm 2 gives a method for meeting this requirement). In this way, s_i=0 is enough to satisfy  , which makes it convenient for the leader L to simulate the operations of the non-actual signcrypters. User i's public key has two parts. The first part is  (where ο is the composition symbol for mappings); the second part is z_i=P_i(s_i). User i's public key is (P_i,z_i).
Algorithm 1 (how the Com function achieves statistical hiding and computational binding):
The statistical hiding property of the Com function means that different input parameters give different outputs after the Com computation, and that the results are indistinguishable to the receiver. The computational binding property of the Com function means that once the output has been computed from the input data, the sender cannot deny the value of the input data.
The sender determines the length of the input of the Com function. In this embodiment the input of the Com function has length n+m and consists of two parameters: the first is an n-dimensional vector over the finite field F and the second is an m-dimensional vector over F. Denote the input by X. Let ω be the security parameter of the Com function and define φ = 2ω + 2(n+m) + 4. Select a collision-resistant hash function h_5: {0,1}^φ → {0,1}^ω, and let H_6: {0,1}^φ → {0,1}^{n+m} be a known family of collision-resistant functions. The output of Com has two parts, denoted c and d. The sender sends c and d to the receiver. h_5 is a public hash function.
a) The sender randomly selects r ∈ {0,1}^φ and computes y = h_5(r).
b) The sender selects from the hash function family H_6 an h_6 ∈ H_6 that satisfies h_6(r) = X.
c) The output of Com is c = (h_6, y), d = r.
The receiver verifies y = h_5(r) and h_6(r) = X. Because h_6 and h_5 are both collision-resistant functions, there is no r' that satisfies h_6(r') = X and y = h_5(r'). The sender cannot deny X.
Algorithm 2 (ensures and that no constant term is included; by default this algorithm takes the coefficients of the monomials in the equations to be 1):
C) In the vector s_i = (s_1i, s_2i, …, s_ni) (i = 1, …, N) of user i, the system searches from right to left for the first component that is 0 and assigns the subscript value of that component to the variable x. The system randomly chooses for user i a system of polynomial equations with n variables and m equations; the system of equations has no constant term. Compute . Note that at this point the value of is not necessarily 0, so the coefficients of the equations in the system must be changed according to process b) until every component of equals 0.
D) Select the equations f_j (j = 1, …, m) from the system one after another. Take the j-th component of . If the value of is not 0, modify f_j according to formula (4) until the value of is 0. In formula (4), denotes the coefficient of the x-th single-variable term in equation f_j, and s_x is the component with subscript x in s_i = (s_1i, s_2i, …, s_ni) (i = 1, …, N):
Once the value of has become 0, select the next equation and change its coefficients using the method of formula (4). Stop when all equations in the system meet the requirement.
Signcrypt: the signcryption process, divided into six steps.
step1: Compute the signcrypters' commitment values.
The actual signcrypter i selects k parameter tuples (r_i, t_j, e_m) (where i = 0, 1, j = 0, 1, m = 0, 1). The tuples all have different values and satisfy s_i = r_0^(j) + r_1^(j), r_0^(j) = t_1^(j) + t_0^(j), where j = 1, …, k, as follows.
Each actual signcrypter computes commitment values using the k parameter tuples. The commitment values obtained from the i-th parameter tuple are and ; they are computed as follows:
Signcrypter i selects γ_i ∈ {0,1}^n and then performs a computation on the message block M_i, giving . Finally, signcrypter i sends to L.
step2: L computes the main commitment and the challenge value.
L receives the commitment values of the other t−1 signcrypters. L computes its own commitment values and, following the principle , simulates commitment values for the N−t non-signcrypters. After collecting the commitments of every signcrypting user, L computes the main commitment . Because all signcrypting users share the same challenge value , L must, for each component of the challenge value, arrange together the commitment values at the corresponding position of all signcrypting users. Likewise, the response is also organized according to the components of the challenge value. Φ_j, Ψ_j and Λ_j are obtained by grouping together the j-th group of commitment values of all signcrypting users. That is, the in of all signcrypting users are organized together to obtain Φ_1, the are organized together to obtain Φ_2, and so on, until the of all signcrypting users are organized together to obtain Λ_k. γ is the result of arranging the message blocks of all signcrypting users. θ_{i,j} is the j-th component of θ_i of signcrypting user i (actual or non-actual), that is, signcrypting user i's ; is the j-th component of of signcrypting user i (actual or non-actual), that is, signcrypting user i's ; π_{i,j} is the j-th component of π_i of signcrypting user i (actual or non-actual), that is, signcrypting user i's , where j = 1, …, k and i = 1, …, N.
Φ_j = H0(θ_{1,j} || ... || θ_{N,j})
Λ_j = H0(π_{1,j} || ... || π_{N,j})
The main commitment of all senders
L uses H1 to hash the received commitments and , obtaining the challenge vector (that is, is a vector in a k-dimensional vector space).
L sends to the remaining t−1 signcrypters.
step3: The signcrypters compute their responses.
The response of signcrypter i is ζ_i. The j-th component ζ_{i,j} (1 ≤ j ≤ k) of ζ_i is computed from the j-th component of the challenge value . Depending on the value of , when its j-th component is 0, 1 or 2, the actual signcrypting user i uses his own j-th parameter tuple to construct the response component ζ_{i,j}. The computation is as follows:
If , ζ_{i,j} = (r_0^(j), t_1^(j), e_1^(j))
If , ζ_{i,j} = (r_1^(j), t_1^(j), e_1^(j))
If , ζ_{i,j} = (r_1^(j), t_0^(j), e_0^(j))
When is 3, the computation of that group's response is skipped. Finally, signcrypter i sends ζ_i = (ζ_{i,1}, ζ_{i,2}, …, ζ_{i,k}) to L (here ζ_i has k components, which is the case when no element of the challenge value is 3, because when equals 3 the computation of that response component must be skipped. If contains x components whose value is 3, then ζ_i has k−x components. This embodiment assumes by default that ζ_i has k components).
step4: L computes the main response and designates the recipients.
L computes its own response and collects the responses sent by the other t−1 signcrypters. L simulates the responses of the N−t non-actual signcrypting users. L computes the main response . is the j-th component of ; it is computed from the j-th component of the challenge value, where 1 ≤ j ≤ k.
If
If
If
If , the corresponding response is not computed.
Assume there are τ recipients. For recipient i, L randomly selects Q_i ∈ F^m (1 ≤ i ≤ τ) and computes as follows:
R_i = H3(S_i)
Here S_i and R_i are computed for each authorized recipient; a recipient can judge whether he is authorized only by means of S_i and R_i. L arranges the identity information of the senders and recipients together, denoted U.
step5: The actual signcrypters compute the ciphertext and the recipients' identity information.
The actual signcrypter i (i = 1, …, t) selects a secret parameter u_i ∈ Z_q*. The secret parameter is used to encrypt the message, and only authorized recipients can obtain it. The actual signcrypter i encrypts the message with u_i as follows:
W_i = H4(u_i) ⊕ (γ_i || M_i)
To ensure that only authorized recipients can obtain the secret parameter, the actual signcrypter i uses the information of all authorized recipients to hide the secret parameter in the following way.
The actual signcrypter i obtains the parameter list . The actual signcrypter i sends (W_i, η_i) to L.
step6: L assembles the signcryption information of all signcrypting users and sends it to the verifier.
L merges all the collected signcryption messages and finally obtains the message ciphertext C, where:
W = (W_1, …, W_t)
R = (R_1, …, R_τ)
C = (R, U, η_1, …, η_t, W)
Designcrypt: the designcryption process, divided into two steps.
step1: Verify the legitimacy of the recipient.
After receiving the ciphertext C, recipient V obtains N groups of commitment values and (i = 1, …, N) according to the challenge value component . The computation falls into the following three cases:
When the value of the j-th component of the challenge value is 0, V can obtain only the N groups of parameters r_0^(i), t_1^(i), e_1^(i) from the j-th component of the main response (where i = 1, …, N; the main response contains k components, and each component contains the responses of the N senders). Recipient V uses the i-th group of data r_0^(i), t_1^(i), e_1^(i) (i = 1, …, N) to compute, as follows, the commitment values and of signcrypting user i.
V assembles the responses of all signcrypting users. Ψ′_j is the hash result computed over all according to , and Λ′_j is the hash result computed over all according to , as shown below.
When the value of is 1, V can obtain only the N groups of parameters r_1^(i), t_1^(i), e_1^(i) (i = 1, …, N) from . V uses the data r_1^(i), t_1^(i), e_1^(i) of signcrypting user i to compute, as follows, the commitment values and of signcrypting user i.
V assembles the responses of all signcrypting users. Φ′_j is the hash result computed over all (i = 1, …, N) according to . Λ′_j is the hash result computed over all (i = 1, …, N) according to .
When the value of is 2, V can obtain only the N groups of parameters r_1^(i), t_0^(i), e_0^(i) (where i = 1, …, N) from . V uses the data r_1^(i), t_0^(i), e_0^(i) of signcrypting user i to compute the commitment values and of signcrypting user i, as follows:
V assembles the responses of all signcrypting users. Φ′_j is the hash result computed over all (i = 1, …, N) according to . Ψ′_j is the hash result computed over all according to .
When the value of is 3, the recipient stops checking and examines the value of the next component , continuing verification of only once a whose value is not 3 is found. The main commitment is obtained.
V verifies whether he is an authorized recipient; below, i denotes a sender and j denotes a recipient:
V checks whether the equation R_j = H3(S′_j) holds. If it holds, V is one of the authorized recipients; otherwise V abandons designcryption.
step2: Verify the correctness of the message and obtain the message.
For each actual signcrypter i (1 ≤ i ≤ t), the authorized recipient V uses the following equation:
f(x) = ι_1^(i) + ι_2^(i) x + … + ι_τ^(i) x^(τ−1) + x^τ
to obtain the secret parameter f(S′_j) = u′_i of the actual signcrypter i, whereas an unauthorized recipient cannot obtain the correct S′_j and therefore cannot obtain the secret parameter needed for decryption. V then computes:
(γ′_i || M′_i) = H4(u′_i) ⊕ W_i
This yields the plaintext M′_i signcrypted by signcrypting user i, but at this point it is not yet possible to verify whether the message is correct. V computes and verifies whether holds. If it holds, V accepts the ciphertext, and the plaintext message is M = M′_1 || M′_2 || … || M′_t. Otherwise V rejects the ciphertext.