CN104639322A - Identity-based encryption method with certificates and attributes - Google Patents

Identity-based encryption method with certificates and attributes

Publication number: CN104639322A
Authority: CN (China)
Application number: CN201310564404.9A
Legal status: Granted (active)
Other languages: Chinese (zh)
Other versions: CN104639322B (en)
Inventors: 王国文, 罗世新, 何丽, 尹刚, 亓延峰
Current assignee: Aisino Corp
Original assignee: Aisino Corp
Classification: Information Transfer Between Computers; Storage Device Security
Abstract

An embodiment of the invention provides an identity-based encryption method with certificates and attributes. The method comprises: a certificate authority CA chooses an elliptic curve and the set of all attributes, chooses a master key and a security parameter, and generates and publishes the system parameters; a user provides information to the CA, obtains a certificate, verifies it, generates the user's private key from the certificate and the system parameters, and publishes the user's public key; a sender uses the identity and public key of the recipient, selects a linear secret sharing scheme, encrypts the plaintext message to obtain a ciphertext message and sends it to the recipient; the recipient checks whether the recipient's attribute set satisfies the access structure carried in the ciphertext message and, if it does, decrypts the ciphertext with the recipient's private key to obtain the plaintext. The identity-based encryption scheme is constructed from an asymmetric bilinear pairing on an elliptic curve, which solves the key escrow problem.

Description

Identity-based encryption method with certificates and attributes
Technical field
The present invention relates to the field of electronic information security, and in particular to an identity-based encryption method with certificates and attributes.
Background technology
With the development of science, technology and information, information security has received wide attention and plays an irreplaceable role in daily life, business and national defence. Cryptography, the discipline that guarantees information security, has matured gradually, but the rapid growth of informatization places new demands on it that traditional cryptography cannot meet. Public key cryptography was introduced by Diffie and Hellman in 1976, followed by the RSA, ElGamal and elliptic curve cryptosystems. These public-key cryptosystems were applied quickly and have been studied in depth.
Shamir proposed identity-based cryptography in 1984: a user's key is tied to the user's identity, which makes encryption and decryption easier, since the certificates of conventional public-key cryptography are not needed and a sender encrypts using only the recipient's identity information. In identity-based cryptography, however, user keys are produced by a private key generator (PKG). The PKG can use the master key to decrypt every message encrypted for a user and to sign messages in the user's name, which gives rise to the key escrow problem.
In the prior art there are mainly three methods for solving the key escrow problem of identity-based cryptography: the first uses multiple PKGs, and a user's private key can be obtained only when a certain number of PKGs cooperate; the second uses double encryption, combining a public-key cryptosystem with an identity-based encryption system; the third is an identity-based encryption scheme with certificates.
The drawbacks of these prior-art methods are that the certificate cannot be published and must be transmitted over a secure channel, the schemes are complicated to implement, and the security against key escrow is not high.
Summary of the invention
Embodiments of the invention provide an identity-based encryption method with certificates and attributes that solves the key escrow problem of identity-based cryptography; the certificate can be published and need not be transmitted over a secure channel.
An identity-based encryption method with certificates and attributes, characterised in that the method comprises the following steps:
a certificate authority CA chooses an elliptic curve and the set of all attributes, chooses a master key and a security parameter, and generates and publishes the system parameters;
a user provides information to the CA, obtains the certificate issued to the user by the CA, verifies the certificate, uses the certificate and the system parameters to generate the user's private key, and publishes the user's public key, where users include senders and recipients;
a sender uses the identity and the public key of the recipient, selects a linear secret sharing scheme, encrypts a plaintext message under an access structure to obtain a ciphertext message, and sends the ciphertext message to the recipient;
the recipient receives the ciphertext message and, after verifying that the recipient's attribute set satisfies the access structure in the ciphertext message, decrypts the ciphertext message with the recipient's private key to obtain the plaintext message.
The CA choosing the elliptic curve and the set of all attributes, choosing the master key and the security parameter, and generating and publishing the system parameters comprises:
based on the security parameter $k$, the CA chooses an ordinary elliptic curve over a finite field and constructs on it an asymmetric bilinear pairing $e: G_1 \times G_2 \to G_T$, where $G_1$ and $G_2$ are additive groups of prime order $p$ on the elliptic curve and $G_T$ is a multiplicative group of order $p$ in the finite field;
take generators $P_1$, $Q_1$ of $G_1$ and $P_2$, $Q_2$ of $G_2$; let $U$ denote the set of all attributes;
choose a random non-zero element $\alpha \in Z_p$ as the master key, where $Z_p = \{0, 1, \ldots, p-1\}$, publish $\alpha Q$ as a public parameter, and choose random points $P_0, P_1, \ldots, P_{|U|}$ in $G_1$, where $|U|$ is the number of attributes in the set of all attributes;
choose a secure hash function $H: \{0,1\}^* \to Z_p$;
the public system parameters are $params = (e, G_1, G_2, G_T, P, Q, \alpha Q, P_0, P_1, \ldots, P_{|U|})$, the message space is $G_T$, and the master key is $\alpha$.
The user providing information to the CA, obtaining the certificate the CA issues to the user, verifying the certificate, generating the user's private key from the certificate and the system parameters, and publishing the user's public key (users including senders and recipients) comprises:
the user, who holds an attribute set $S$, chooses a secret parameter $t \in Z_p$, computes $e(tP, \alpha Q) = e(P, Q)^{t\alpha}$, takes $e(P, Q)^{t\alpha}$ as the corresponding public key, and sends the information InfoUser to the CA, where InfoUser comprises the user's identity information, the attribute information $S$ and the public key $e(P, Q)^{t\alpha}$;
the CA verifies the user's information, chooses a random $s \in Z_p$, computes the user's certificate $Cert = (\alpha P + h\alpha sP_0,\ sQ,\ \alpha sQ,\ \{sP_i\}_{i \in S})$, where $h = H(\text{InfoUser}, time, \alpha Q)$ and $time$ is the validity period, and passes the certificate $Cert$ to the user;
the user receives the certificate $Cert$ from the CA and verifies it, that is, checks whether $e(\alpha P + h\alpha sP_0, Q)$ equals $e(P, \alpha Q)\, e(hP_0, \alpha sQ)$ and whether $e(sP_i, Q)$ equals $e(P_i, sQ)$ for each $i \in S$;
after the certificate $Cert$ passes the user's verification, the user computes the private key $(K, L, \{K_i\}_{i \in S})$, where $K = t\alpha P + ht\alpha sP_0$, $L = t\alpha sQ$ and $K_i = tsP_i$.
The sender using the identity and the public key of the recipient, selecting a linear secret sharing scheme, encrypting the plaintext message under an access structure to obtain the ciphertext message, and sending the ciphertext message to the recipient comprises:
to send a plaintext message $m$, the sender selects, according to the public parameters, a linear secret sharing scheme with access structure $(M, \rho)$, where $M$ is an $l \times n$ matrix and $\rho: \{1, \ldots, l\} \to U$ is a mapping;
the sender chooses a random vector $v$ in which $r$ is the secret to be shared, and computes $\lambda_i = \langle v, M_i \rangle$, where $\langle \cdot, \cdot \rangle$ denotes the inner product of vectors and $M_i$ is the $i$-th row of $M$;
the sender chooses random parameters $r_1, \ldots, r_l \in Z_p$;
the ciphertext message is $CT = (C, C', \{C_i, D_i\}_{i = 1, \ldots, l})$, where $C = m \cdot e(P, Q)^{t\alpha r}$, $C' = rQ$, $C_i = \lambda_i P_0 - r_i P_{\rho(i)}$ and $D_i = r_i \alpha Q$.
The recipient receiving the ciphertext message and, after verifying that the recipient's attribute set satisfies the access structure in the ciphertext message, decrypting it with the recipient's private key to obtain the plaintext message comprises:
after receiving the ciphertext message, the recipient obtains the access structure $(M, \rho)$ from it and checks whether the recipient's attribute set $S$ satisfies $(M, \rho)$; if so, let $I = \{i \mid \rho(i) \in S\}$, compute parameters $\{w_i\}_{i \in I}$ satisfying $\sum_{i \in I} w_i \lambda_i = r$, and compute the plaintext message $m = C \cdot \big[\prod_{i \in I} \big(e(C_i, L)\, e(K_{\rho(i)}, D_i)\big)^{w_i}\big]^{h} / e(K, C')$; otherwise, decryption of the ciphertext message is stopped.
An identity-based encryption device with certificates and attributes, characterised in that it comprises:
a system parameter generation module, for the certificate authority CA to choose an elliptic curve and the set of all attributes, choose a master key and a security parameter, and generate and publish the system parameters;
a user certificate and key generation module, for a user to provide information to the CA, obtain the certificate issued to the user by the CA, verify the certificate, generate the user's private key from the certificate and the system parameters, and publish the user's public key, where users include senders and recipients;
a plaintext message encryption module, for a sender to use the identity and the public key of the recipient, select a linear secret sharing scheme, encrypt a plaintext message under an access structure to obtain a ciphertext message, and send the ciphertext message to the recipient;
a ciphertext message decryption module, for the recipient to receive the ciphertext message and, after verifying that the recipient's attribute set satisfies the access structure in the ciphertext message, decrypt it with the recipient's private key to obtain the plaintext message.
The system parameter generation module is specifically for: the CA, based on the security parameter $k$, choosing an ordinary elliptic curve over a finite field and constructing on it an asymmetric bilinear pairing $e: G_1 \times G_2 \to G_T$, where $G_1$ and $G_2$ are additive groups of prime order $p$ on the elliptic curve and $G_T$ is a multiplicative group of order $p$ in the finite field;
taking generators $P$ and $Q$ of $G_1$ and $G_2$ respectively, and letting $U$ denote the set of all attributes;
choosing a random non-zero element $\alpha \in Z_p$ as the master key, where $Z_p = \{0, 1, \ldots, p-1\}$, publishing $\alpha Q$ as a public parameter, and choosing random points $P_0, P_1, \ldots, P_{|U|}$ in $G_1$, where $|U|$ is the number of attributes in the set of all attributes;
choosing a secure hash function $H: \{0,1\}^* \to Z_p$;
the public system parameters being $params = (e, G_1, G_2, G_T, P, Q, \alpha Q, P_0, P_1, \ldots, P_{|U|})$, the message space $G_T$, and the master key $\alpha$.
The user certificate and key generation module is specifically for: the user, who holds an attribute set $S$, choosing a secret parameter $t \in Z_p$, computing $e(tP, \alpha Q) = e(P, Q)^{t\alpha}$, taking $e(P, Q)^{t\alpha}$ as the corresponding public key, and sending the information InfoUser to the CA, where InfoUser comprises the user's identity information, the attribute information $S$ and the public key $e(P, Q)^{t\alpha}$;
the CA verifying the user's information, choosing a random $s \in Z_p$, computing the user's certificate $Cert = (\alpha P + h\alpha sP_0,\ sQ,\ \alpha sQ,\ \{sP_i\}_{i \in S})$, where $h = H(\text{InfoUser}, time, \alpha Q)$ and $time$ is the validity period, and passing the certificate $Cert$ to the user;
the user receiving the certificate $Cert$ from the CA and verifying it, that is, checking whether $e(\alpha P + h\alpha sP_0, Q)$ equals $e(P, \alpha Q)\, e(hP_0, \alpha sQ)$ and whether $e(sP_i, Q)$ equals $e(P_i, sQ)$ for each $i \in S$;
after the certificate $Cert$ passes the user's verification, the user computing the private key $(K, L, \{K_i\}_{i \in S})$, where $K = t\alpha P + ht\alpha sP_0$, $L = t\alpha sQ$ and $K_i = tsP_i$.
The plaintext message encryption module is specifically for: the sender, to send a plaintext message $m$, selecting according to the public parameters a linear secret sharing scheme with access structure $(M, \rho)$, where $M$ is an $l \times n$ matrix and $\rho: \{1, \ldots, l\} \to U$ is a mapping;
choosing a random vector $v$ in which $r$ is the secret to be shared, and computing $\lambda_i = \langle v, M_i \rangle$, where $\langle \cdot, \cdot \rangle$ denotes the inner product of vectors and $M_i$ is the $i$-th row of $M$;
choosing random parameters $r_1, \ldots, r_l \in Z_p$;
the ciphertext message being $CT = (C, C', \{C_i, D_i\}_{i = 1, \ldots, l})$, where $C = m \cdot e(P, Q)^{t\alpha r}$, $C' = rQ$, $C_i = \lambda_i P_0 - r_i P_{\rho(i)}$ and $D_i = r_i \alpha Q$.
The ciphertext message decryption module is specifically for: the recipient, after receiving the ciphertext message, obtaining the access structure $(M, \rho)$ from it and checking whether the recipient's attribute set $S$ satisfies $(M, \rho)$; if so, letting $I = \{i \mid \rho(i) \in S\}$, computing parameters $\{w_i\}_{i \in I}$ satisfying $\sum_{i \in I} w_i \lambda_i = r$, and computing the plaintext message $m = C \cdot \big[\prod_{i \in I} \big(e(C_i, L)\, e(K_{\rho(i)}, D_i)\big)^{w_i}\big]^{h} / e(K, C')$; otherwise, stopping decryption of the ciphertext message.
As can be seen from the technical solution described above, the embodiment combines a public-key cryptosystem with identity-based cryptography so as to combine their advantages: the certificate can be published and need not be transmitted over a secure channel, which solves the key escrow problem of identity-based cryptography. Attribute properties are added: each user is assigned an attribute set, the user's private key is tied to that attribute set, and the sender encrypts the plaintext message under the access structure of a linear secret sharing scheme to obtain the ciphertext message, so that only a recipient whose attribute set satisfies the access structure can decrypt it. An asymmetric bilinear pairing is used, which requires an ordinary elliptic curve; ordinary elliptic curves offer more choices of asymmetric bilinear pairings and are more secure.
Description of the drawings
To explain the technical solution of the embodiments more clearly, the drawings needed to describe the embodiments are briefly introduced below. The drawings described below show only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of the identity-based encryption method with certificates and attributes provided by embodiment one;
Fig. 2 is a schematic diagram of the identity-based encryption device with certificates and attributes provided by embodiment two.
Detailed description
To ease understanding of the embodiments, two specific embodiments are explained further below with reference to the drawings; neither embodiment limits the invention.
With the broad demand from applications, attribute-based cryptography was introduced. In attribute-based cryptography, a user's private key and the ciphertext message are associated with an attribute set or an access policy. Attribute-based encryption is divided, according to where the association lies, into key-policy attribute-based encryption and ciphertext-policy attribute-based encryption. In key-policy attribute-based encryption the user's private key is associated with an access policy and the ciphertext message with an attribute set; in ciphertext-policy attribute-based encryption the user's private key is associated with an attribute set and the ciphertext message carries the access policy.
The embodiment combines a public-key cryptosystem with identity-based cryptography so as to combine their advantages: the certificate can be published and need not be transmitted over a secure channel, which solves the key escrow problem of identity-based cryptography.
Embodiment one
This embodiment provides an identity-based encryption method with certificates and attributes; its flow chart is shown in Fig. 1 and it comprises the following processing steps:
Step 11: the certificate authority CA chooses an elliptic curve and the set of all attributes, chooses a master key and a security parameter, and generates and publishes the system parameters.
Based on the security parameter $k$, the CA chooses a finite field and an ordinary elliptic curve over it, then chooses an efficient asymmetric bilinear pairing $e: G_1 \times G_2 \to G_T$ on the elliptic curve and the generators of the pairing groups, where $G_1$ and $G_2$ are additive groups of prime order $p$ on the elliptic curve and $G_T$ is a multiplicative group of order $p$ in the finite field;
$P$ and $Q$ are generators of $G_1$ and $G_2$ respectively; let $U$ denote the set of all attributes;
choose a random non-zero element $\alpha \in Z_p$ as the master key, where $Z_p = \{0, 1, \ldots, p-1\}$, publish $\alpha Q$ as a public parameter, and choose random points $P_0, P_1, \ldots, P_{|U|}$ in $G_1$, where $|U|$ is the number of attributes in the set of all attributes;
choose a secure hash function $H: \{0,1\}^* \to Z_p$;
the public system parameters $params = (e, G_1, G_2, G_T, P, Q, \alpha Q, P_0, P_1, \ldots, P_{|U|})$ and the message space $G_T$ are published; the master key is $\alpha$, which the CA keeps private.
Step 12: a user provides information to the CA, obtains the certificate issued to the user by the CA, verifies the certificate, uses the certificate and the system parameters to generate the user's private key, and publishes the user's public key, where users include senders and recipients.
The user, who holds an attribute set $S$, chooses a secret parameter $t \in Z_p$, computes $e(tP, \alpha Q) = e(P, Q)^{t\alpha}$, takes $e(P, Q)^{t\alpha}$ as the corresponding public key, and sends the information InfoUser to the CA, where InfoUser comprises the user's identity information, the attribute information $S$ and the public key $e(P, Q)^{t\alpha}$;
the CA verifies the user's information, chooses a random $s \in Z_p$, computes the user's certificate $Cert = (\alpha P + h\alpha sP_0,\ sQ,\ \alpha sQ,\ \{sP_i\}_{i \in S})$, where $h = H(\text{InfoUser}, time, \alpha Q)$ and $time$ is the validity period, and passes the certificate $Cert$ to the user;
the user receives the certificate $Cert$ from the CA and verifies it, that is, checks whether $e(\alpha P + h\alpha sP_0, Q)$ equals $e(P, \alpha Q)\, e(hP_0, \alpha sQ)$ and whether $e(sP_i, Q)$ equals $e(P_i, sQ)$ for each $i \in S$;
after the certificate $Cert$ passes the user's verification, the user computes the private key used for decryption, $(K, L, \{K_i\}_{i \in S})$, where $K = t\alpha P + ht\alpha sP_0$, $L = t\alpha sQ$ and $K_i = tsP_i$.
Step 13: the sender uses the identity and the public key of the recipient, selects a linear secret sharing scheme, encrypts the plaintext message under an access structure to obtain the ciphertext message, and sends the ciphertext message to the recipient.
To send a plaintext message $m$, the sender selects, according to the public parameters, a linear secret sharing scheme with access structure $(M, \rho)$, where $M$ is an $l \times n$ matrix and $\rho: \{1, \ldots, l\} \to U$ is a mapping;
the sender chooses a random vector $v$ in which $r$ is the secret to be shared, and computes $\lambda_i = \langle v, M_i \rangle$, where $\langle \cdot, \cdot \rangle$ denotes the inner product of vectors and $M_i$ is the $i$-th row of $M$;
the sender chooses random parameters $r_1, \ldots, r_l \in Z_p$;
the sender generates the ciphertext message $CT = (C, C', \{C_i, D_i\}_{i = 1, \ldots, l})$, where $C = m \cdot e(P, Q)^{t\alpha r}$, $C' = rQ$, $C_i = \lambda_i P_0 - r_i P_{\rho(i)}$ and $D_i = r_i \alpha Q$, and sends the ciphertext message to the recipient.
Step 14: the recipient receives the ciphertext message and, after verifying that the recipient's attribute set satisfies the access structure in the ciphertext message, decrypts the ciphertext message with the recipient's private key to obtain the plaintext message.
After receiving the ciphertext message, the recipient obtains the access structure $(M, \rho)$ from it and checks whether the recipient's attribute set $S$ satisfies $(M, \rho)$; if so, let $I = \{i \mid \rho(i) \in S\}$, compute parameters $\{w_i\}_{i \in I}$ satisfying $\sum_{i \in I} w_i \lambda_i = r$, and compute the plaintext message $m = C \cdot \big[\prod_{i \in I} \big(e(C_i, L)\, e(K_{\rho(i)}, D_i)\big)^{w_i}\big]^{h} / e(K, C')$, thereby recovering the plaintext from the ciphertext; otherwise, decryption of the ciphertext message is stopped.
CA (Certificate Authority): the CA selects the security parameter, generates the system parameters and the system private and public keys for the users, publishes the system parameters and keeps the private key; it receives information such as a user's identity, authenticates the user's identity, signs the user's information and attribute set with its private key to obtain the user's certificate, and sends the certificate to the user.
Sender: uses the identity and the public key of the recipient, selects a secret sharing scheme, constructs an access policy, encrypts the plaintext message under the access structure, and sends the ciphertext message to the recipient.
Recipient: sends user information to the CA, obtains the certificate from the CA, verifies the certificate and generates its own private key from it; receives the ciphertext message and decrypts it with its own private key to obtain the plaintext message.
Pairings on elliptic curves play an irreplaceable role in identity-based and attribute-based cryptography; because of their good properties, pairings can be used to construct many different cryptographic schemes. The invention uses an asymmetric bilinear pairing on an elliptic curve to construct an identity-based encryption scheme, adds attribute properties, and uses certificates to solve the key escrow problem.
Those skilled in the art will understand that the method given above, in which the recipient decides whether to decrypt the ciphertext message by verifying that its attribute set satisfies the access structure, is only an example used to describe the embodiment more clearly and does not limit the embodiment. Any method that decides whether to decrypt the ciphertext message according to a verification of the recipient's information falls within the scope of the embodiment.
Embodiment two
This embodiment provides an identity-based encryption device with certificates and attributes; its structure is shown in Fig. 2 and it may comprise the following modules:
a system parameter generation module 20, for the certificate authority CA to choose an elliptic curve and the set of all attributes, choose a master key and a security parameter, and generate and publish the system parameters;
a user certificate and key generation module 30, for a user to provide information to the CA, obtain the certificate issued to the user by the CA, verify the certificate, generate the user's private key from the certificate and the system parameters, and publish the user's public key, where users include senders and recipients;
a plaintext message encryption module 40, for a sender to use the identity and the public key of the recipient, select a linear secret sharing scheme, encrypt a plaintext message under an access structure to obtain a ciphertext message, and send the ciphertext message to the recipient;
a ciphertext message decryption module 50, for the recipient to receive the ciphertext message and, after verifying that the recipient's attribute set satisfies the access structure in the ciphertext message, decrypt it with the recipient's private key to obtain the plaintext message.
Further, the system parameter generation module 20 is specifically for: the CA, based on the security parameter $k$, choosing an ordinary elliptic curve over a finite field and constructing on it an asymmetric bilinear pairing $e: G_1 \times G_2 \to G_T$, where $G_1$ and $G_2$ are additive groups of prime order $p$ on the elliptic curve and $G_T$ is a multiplicative group of order $p$ in the finite field;
taking generators $P$ and $Q$ of $G_1$ and $G_2$ respectively, and letting $U$ denote the set of all attributes;
choosing a random non-zero element $\alpha \in Z_p$ as the master key, where $Z_p = \{0, 1, \ldots, p-1\}$, publishing $\alpha Q$ as a public parameter, and choosing random points $P_0, P_1, \ldots, P_{|U|}$ in $G_1$, where $|U|$ is the number of attributes in the set of all attributes;
choosing a secure hash function $H: \{0,1\}^* \to Z_p$;
the public system parameters being $params = (e, G_1, G_2, G_T, P, Q, \alpha Q, P_0, P_1, \ldots, P_{|U|})$, the message space $G_T$, and the master key $\alpha$.
Further, the user certificate and key generation module 30 is specifically for: the user, who holds an attribute set $S$, choosing a secret parameter $t \in Z_p$, computing $e(tP, \alpha Q) = e(P, Q)^{t\alpha}$, taking $e(P, Q)^{t\alpha}$ as the corresponding public key, and sending the information InfoUser to the CA, where InfoUser comprises the user's identity information, the attribute information $S$ and the public key $e(P, Q)^{t\alpha}$;
the CA verifying the user's information, choosing a random $s \in Z_p$, computing the user's certificate $Cert = (\alpha P + h\alpha sP_0,\ sQ,\ \alpha sQ,\ \{sP_i\}_{i \in S})$, where $h = H(\text{InfoUser}, time, \alpha Q)$ and $time$ is the validity period, and passing the certificate $Cert$ to the user;
the user receiving the certificate $Cert$ from the CA and verifying it, that is, checking whether $e(\alpha P + h\alpha sP_0, Q)$ equals $e(P, \alpha Q)\, e(hP_0, \alpha sQ)$ and whether $e(sP_i, Q)$ equals $e(P_i, sQ)$ for each $i \in S$;
after the certificate $Cert$ passes the user's verification, the user computing the private key $(K, L, \{K_i\}_{i \in S})$, where $K = t\alpha P + ht\alpha sP_0$, $L = t\alpha sQ$ and $K_i = tsP_i$.
Further, the plaintext message encryption module 40 is specifically for: the sender, to send a plaintext message $m$, selecting according to the public parameters a linear secret sharing scheme with access structure $(M, \rho)$, where $M$ is an $l \times n$ matrix and $\rho: \{1, \ldots, l\} \to U$ is a mapping;
choosing a random vector $v$ in which $r$ is the secret to be shared, and computing $\lambda_i = \langle v, M_i \rangle$, where $\langle \cdot, \cdot \rangle$ denotes the inner product of vectors and $M_i$ is the $i$-th row of $M$;
choosing random parameters $r_1, \ldots, r_l \in Z_p$;
the ciphertext message being $CT = (C, C', \{C_i, D_i\}_{i = 1, \ldots, l})$, where $C = m \cdot e(P, Q)^{t\alpha r}$, $C' = rQ$, $C_i = \lambda_i P_0 - r_i P_{\rho(i)}$ and $D_i = r_i \alpha Q$.
Further, the ciphertext message decryption module 50 is specifically for: the recipient, after receiving the ciphertext message, obtaining the access structure $(M, \rho)$ from it and checking whether the recipient's attribute set $S$ satisfies $(M, \rho)$; if so, letting $I = \{i \mid \rho(i) \in S\}$, computing parameters $\{w_i\}_{i \in I}$ satisfying $\sum_{i \in I} w_i \lambda_i = r$, and computing the plaintext message $m = C \cdot \big[\prod_{i \in I} \big(e(C_i, L)\, e(K_{\rho(i)}, D_i)\big)^{w_i}\big]^{h} / e(K, C')$; otherwise, stopping decryption of the ciphertext message.
The detailed process by which the device of this embodiment performs identity-based encryption is similar to that of the method embodiment above and is not repeated here.
In summary, the embodiments of the invention combine a public-key cryptosystem with identity-based cryptography to provide an identity-based encryption method with certificates and attributes; by constructing the identity-based encryption scheme from an asymmetric bilinear pairing on an elliptic curve, the key escrow problem is solved. Because ordinary elliptic curves offer more choices of asymmetric bilinear pairings, the solution is more secure. The embodiments also combine the advantages of public-key cryptosystems and identity-based cryptography by using certificates, which solves the key escrow problem of identity-based cryptography: the certificate can be published, need not be transmitted over a secure channel, and the scheme is simple to implement.
The embodiments add attribute properties to users: each user is assigned an attribute set and the user's private key is tied to that attribute set; when the sender encrypts a message it uses the access control of a linear secret sharing scheme to encrypt the plaintext message, so that only a recipient whose attribute set satisfies the access control can decrypt, which further guarantees security against escrow.
Those of ordinary skill in the art will appreciate that the drawings are schematic diagrams of one embodiment, and that the modules or flows in the drawings are not necessarily required to implement the invention.
From the above description of the embodiments, those skilled in the art can clearly understand that the invention can be implemented by software together with a necessary general-purpose hardware platform. On this understanding, the technical solution of the invention, or the part of it that contributes to the prior art, can be embodied as a software product. The software product can be stored in a storage medium such as ROM/RAM, a magnetic disk or an optical disk and comprises instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform the method described in the embodiments or in parts of the embodiments of the invention.
The embodiments in this specification are described progressively; each embodiment focuses on its differences from the others, and the same or similar parts can be found by cross-reference. In particular, the device and system embodiments are described more briefly because they are substantially similar to the method embodiment; for the relevant parts, refer to the description of the method embodiment. The device and system embodiments described above are only schematic: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed over several network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the embodiment, and those of ordinary skill in the art can understand and implement this without creative effort.
The above is only a preferred embodiment of the invention, but the scope of protection of the invention is not limited to it; any change or replacement that a person skilled in the art can readily conceive within the technical scope disclosed by the invention falls within the scope of protection of the invention. Therefore, the scope of protection of the invention is defined by the scope of the claims.

Claims (10)

1. A method of identity-based encryption with certificate and attributes, characterized in that the method comprises the steps of:
A certificate authorization center CA chooses an elliptic curve and the set of all attributes, chooses a master key and a security parameter, and generates and publishes system parameters;
A user provides information to the CA, obtains the certificate the CA issues to the user, verifies the certificate, uses the certificate and the system parameters to generate the user's private key, and publishes the user's public key, the users comprising a sender and a recipient;
The sender uses the identity and the public key of the recipient, selects a linear secret sharing scheme, encrypts a plaintext message using an access structure to obtain a ciphertext message, and sends the ciphertext message to the recipient;
The recipient receives the ciphertext message and, after verifying that the recipient's attribute set satisfies the access structure in the ciphertext message, decrypts the ciphertext message with the recipient's private key to obtain the plaintext message.
2. The method of identity-based encryption with certificate and attributes according to claim 1, characterized in that the step in which the certificate authorization center CA chooses an elliptic curve and the set of all attributes, chooses a master key and a security parameter, and generates and publishes system parameters comprises:
The CA, based on the security parameter $k$, chooses an ordinary elliptic curve over a finite field and produces on it an asymmetric bilinear pairing $e: G_1 \times G_2 \to G_T$, where $G_1$ and $G_2$ are additive groups of prime order $p$ on the elliptic curve and $G_T$ is the multiplicative group of order $p$ in the finite field;
Take generators $P_1$ and $Q_1$ of $G_1$ and generators $P_2$ and $Q_2$ of $G_2$; let $U$ denote the set of all attributes;
Take at random a non-zero element $\alpha \in Z_p$ as the master key, where $Z_p = \{0, 1, \ldots, p-1\}$, and use $\alpha Q$ as a public parameter; randomly select points $P_0, P_1, \ldots, P_{|U|}$ in $G_1$, where $|U|$ is the number of attributes in the set;
Choose a secure hash function $H: \{0,1\}^* \to Z_p$;
The public system parameters are $\mathrm{params} = (e, G_1, G_2, G_T, P, Q, \alpha Q, P_0, P_1, \ldots, P_{|U|})$, the message space is $G_T$, and the master key is $\alpha$.
3. The method of identity-based encryption with certificate and attributes according to claim 1, characterized in that the step in which the user provides information to the CA, obtains the certificate the CA issues to the user, verifies the certificate, uses the certificate and the system parameters to generate the user's private key, and publishes the user's public key, the users comprising a sender and a recipient, comprises:
The user, having attribute set $S$, chooses a secret parameter $t \in Z_p$, computes $e(tP, \alpha Q) = e(P, Q)^{t\alpha}$, takes $e(P, Q)^{t\alpha}$ as the corresponding public key, and sends the related information InfoUser to the CA, where InfoUser comprises the user's identity information, the attribute set $S$ and the public key $e(P, Q)^{t\alpha}$;
The CA verifies the user's information, randomly selects $s \in Z_p$, computes the user's certificate $\mathrm{Cert} = (\alpha P + h\alpha s P_0,\ sQ,\ \alpha s Q,\ \{sP_i\}_{i \in S})$, where $h = H(\mathrm{InfoUser}, \mathrm{time}, \alpha Q)$ and time is the time period, and passes the certificate Cert to the user;
The user receives the certificate Cert from the CA and verifies it, that is, checks whether $e(\alpha P + h\alpha s P_0, Q)$ equals $e(P, \alpha Q)\, e(hP_0, \alpha s Q)$ and whether $e(sP_i, Q)$ equals $e(P_i, sQ)$;
After the user's verification of the certificate Cert passes, the private key is computed as $(K, L, \{K_i\}_{i \in S})$, where $L = t\alpha s Q$ and $K_i = tsP_i$.
4. The method of identity-based encryption with certificate and attributes according to claim 1, characterized in that the step in which the sender uses the identity and the public key of the recipient, selects a linear secret sharing scheme, encrypts a plaintext message using an access structure to obtain a ciphertext message, and sends the ciphertext message to the recipient comprises:
The sender, to send a plaintext message $m$, selects according to the public parameters a linear secret sharing scheme whose access structure is $(M, \rho)$, where $M$ is an $l \times n$ matrix and $\rho: \{1, \ldots, l\} \to U$ is a mapping;
Randomly select a vector $v$ in which $r$ is the secret, and compute $\lambda_i = v \cdot M_i$, where $\cdot$ denotes the inner product of vectors and $M_i$ is the $i$-th row vector of the matrix $M$;
Randomly select parameters $r_1, \ldots, r_l \in Z_p$;
The ciphertext message is $\mathrm{CT} = (C, C', \{C_i, D_i\}_{i = 1, \ldots, l})$, where $C = m\, e(P, Q)^{t\alpha r}$, $C' = rQ$, $C_i = \lambda_i P_0 - r_i P_{\rho(i)}$ and $D_i = r_i \alpha Q$.
5. The method of identity-based encryption with certificate and attributes according to claim 1, characterized in that the step in which the recipient receives the ciphertext message and, after verifying that the recipient's attribute set satisfies the access structure in the ciphertext message, decrypts the ciphertext message with the recipient's private key to obtain the plaintext message comprises:
After receiving the ciphertext message, the recipient obtains the access structure $(M, \rho)$ from it; verifies whether the recipient's attribute set $S$ satisfies the access structure $(M, \rho)$; if so, lets $I = \{i \mid \rho(i) \in S\}$, computes parameters $\{w_i\}_{i \in I}$ satisfying $\sum_{i \in I} w_i \lambda_i = r$, and computes the plaintext message $m = C \left[\prod_{i \in I} \big(e(C_i, L)\, e(K_{\rho(i)}, D_i)\big)^{w_i}\right]^{h} / e(K, C')$; otherwise, stops decrypting the ciphertext message.
6. A device for identity-based encryption with certificate and attributes, characterized in that it comprises:
A system parameter generation module, for a certificate authorization center CA to choose an elliptic curve and the set of all attributes, choose a master key and a security parameter, and generate and publish system parameters;
A user certificate and key generation module, for a user to provide information to the CA, obtain the certificate the CA issues to the user, verify the certificate, use the certificate and the system parameters to generate the user's private key, and publish the user's public key, the users comprising a sender and a recipient;
A plaintext message encryption module, for the sender to use the identity and the public key of the recipient, select a linear secret sharing scheme, encrypt a plaintext message using an access structure to obtain a ciphertext message, and send the ciphertext message to the recipient;
A ciphertext message decryption module, for the recipient to receive the ciphertext message and, after verifying that the recipient's attribute set satisfies the access structure in the ciphertext message, decrypt the ciphertext message with the recipient's private key to obtain the plaintext message.
7. The device for identity-based encryption with certificate and attributes according to claim 6, characterized in that
The system parameter generation module is specifically configured so that the CA, based on the security parameter $k$, chooses an ordinary elliptic curve over a finite field and produces on it an asymmetric bilinear pairing $e: G_1 \times G_2 \to G_T$, where $G_1$ and $G_2$ are additive groups of prime order $p$ on the elliptic curve and $G_T$ is the multiplicative group of order $p$ in the finite field;
Takes generators $P_1$ and $Q_1$ of $G_1$ and generators $P_2$ and $Q_2$ of $G_2$; lets $U$ denote the set of all attributes;
Takes at random a non-zero element $\alpha \in Z_p$ as the master key, where $Z_p = \{0, 1, \ldots, p-1\}$, and uses $\alpha Q$ as a public parameter; randomly selects points $P_0, P_1, \ldots, P_{|U|}$ in $G_1$, where $|U|$ is the number of attributes in the set;
Chooses a secure hash function $H: \{0,1\}^* \to Z_p$;
The public system parameters are $\mathrm{params} = (e, G_1, G_2, G_T, P, Q, \alpha Q, P_0, P_1, \ldots, P_{|U|})$, the message space is $G_T$, and the master key is $\alpha$.
8. The device for identity-based encryption with certificate and attributes according to claim 6, characterized in that
The user certificate and key generation module is specifically configured so that the user, having attribute set $S$, chooses a secret parameter $t \in Z_p$, computes $e(tP, \alpha Q) = e(P, Q)^{t\alpha}$, takes $e(P, Q)^{t\alpha}$ as the corresponding public key, and sends the related information InfoUser to the CA, where InfoUser comprises the user's identity information, the attribute information $S$ and the public key $e(P, Q)^{t\alpha}$;
The CA verifies the user's information, randomly selects $s \in Z_p$, computes the user's certificate $\mathrm{Cert} = (\alpha P + h\alpha s P_0,\ sQ,\ \alpha s Q,\ \{sP_i\}_{i \in S})$, where $h = H(\mathrm{InfoUser}, \mathrm{time}, \alpha Q)$ and time is the time period, and passes the certificate Cert to the user;
The user receives the certificate Cert from the CA and verifies it, that is, checks whether $e(\alpha P + h\alpha s P_0, Q)$ equals $e(P, \alpha Q)\, e(hP_0, \alpha s Q)$ and whether $e(sP_i, Q)$ equals $e(P_i, sQ)$;
After the user's verification of the certificate Cert passes, the private key is computed as $(K, L, \{K_i\}_{i \in S})$, where $L = t\alpha s Q$ and $K_i = tsP_i$.
9. The device for identity-based encryption with certificate and attributes according to claim 6, characterized in that
The plaintext message encryption module is specifically configured so that the sender, to send a plaintext message $m$, selects according to the public parameters a linear secret sharing scheme whose access structure is $(M, \rho)$, where $M$ is an $l \times n$ matrix and $\rho: \{1, \ldots, l\} \to U$ is a mapping;
Randomly selects a vector $v$ in which $r$ is the secret, and computes $\lambda_i = v \cdot M_i$, where $\cdot$ denotes the inner product of vectors and $M_i$ is the $i$-th row vector of the matrix $M$;
Randomly selects parameters $r_1, \ldots, r_l \in Z_p$;
The ciphertext message is $\mathrm{CT} = (C, C', \{C_i, D_i\}_{i = 1, \ldots, l})$, where $C = m\, e(P, Q)^{t\alpha r}$, $C' = rQ$, $C_i = \lambda_i P_0 - r_i P_{\rho(i)}$ and $D_i = r_i \alpha Q$.
10. The device for identity-based encryption with certificate and attributes according to claim 6, characterized in that
The ciphertext message decryption module is specifically configured so that, after receiving the ciphertext message, the recipient obtains the access structure $(M, \rho)$ from it; verifies whether the recipient's attribute set $S$ satisfies the access structure $(M, \rho)$; if so, lets $I = \{i \mid \rho(i) \in S\}$, computes parameters $\{w_i\}_{i \in I}$ satisfying $\sum_{i \in I} w_i \lambda_i = r$, and computes the plaintext message $m = C \left[\prod_{i \in I} \big(e(C_i, L)\, e(K_{\rho(i)}, D_i)\big)^{w_i}\right]^{h} / e(K, C')$; otherwise, stops decrypting the ciphertext message.
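The four stages claimed above (system setup in claims 2 and 7, certificate issuance and private-key derivation in claims 3 and 8, encryption under a linear secret sharing access structure in claims 4 and 9, and the attribute check plus decryption of claims 5 and 10 and of decryption module 50 in the description) can be exercised end to end with the following added Python example. It is not code from the patent or from its assignee, and every function and variable name in it is assumed. Three simplifications are deliberate and labelled in the code: the elliptic-curve pairing is replaced by a toy bilinear map in which every group element is a scalar modulo $p$ and $e(a, b) = g^{ab}$ in a subgroup of $Z_q^*$ (discrete logarithms are trivial there, so the construction has no security value and only checks that the claimed equations cancel); the access structure is a general $k$-of-$n$ threshold matrix with the weights $w_i$ found by Gauss-Jordan elimination rather than the single matrix of one policy; and, because the claims do not write out the private-key component $K$, the example assumes $K = t(\alpha P + h\alpha s P_0)$, the value under which the stated decryption formula reduces to $m$.

```python
"""Toy walk-through of the certificate-and-attribute IBE scheme in the claims (assumed names,
not the patent's code).  The pairing is a toy: a "point" is a scalar in Z_p, so aP is a*P mod p,
and e(a, b) = g^(a*b) in the order-p subgroup of Z_q^*.  It is bilinear, so each equation in the
claims can be exercised, but discrete logs are trivial, so it only demonstrates the algebra."""
import hashlib
import secrets

p, q, g = 1019, 2039, 4        # q = 2p+1 is prime and g = 2^2 is a square, so g has order p

def rand_zp():                 # random non-zero element of Z_p
    return secrets.randbelow(p - 1) + 1

def e(a, b):                   # toy asymmetric pairing G1 x G2 -> GT
    return pow(g, a * b % p, q)

def H(*parts):                 # stand-in for the hash H: {0,1}* -> Z_p
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big") % p

def ca_setup(U, alpha):
    P, Q = rand_zp(), rand_zp()    # CA: generators P of G1, Q of G2; public alpha*Q, P0, P_i
    return {"P": P, "Q": Q, "aQ": alpha * Q % p, "P0": rand_zp(), "Pi": {i: rand_zp() for i in U}}

def user_request(uid, S, params):
    """User: secret t, public key e(tP, alpha*Q) = e(P,Q)^(t*alpha), InfoUser for the CA."""
    t = rand_zp()
    return t, (uid, tuple(sorted(S)), e(t * params["P"] % p, params["aQ"]))

def ca_issue(info, alpha, params, period):
    """CA: Cert = (alpha*P + h*alpha*s*P0, sQ, alpha*s*Q, {s*P_i}), h = H(InfoUser, time, alpha*Q)."""
    s, h = rand_zp(), H(info, period, params["aQ"])
    return {"A": (alpha * params["P"] + h * alpha * s * params["P0"]) % p,
            "sQ": s * params["Q"] % p, "asQ": alpha * s * params["Q"] % p,
            "sPi": {i: s * params["Pi"][i] % p for i in info[1]}}, h

def verify_cert(cert, h, params):
    """User: the two pairing equalities stated in the claims."""
    rhs = e(params["P"], params["aQ"]) * e(h * params["P0"] % p, cert["asQ"]) % q
    return e(cert["A"], params["Q"]) == rhs and all(
        e(v, params["Q"]) == e(params["Pi"][i], cert["sQ"]) for i, v in cert["sPi"].items())

def derive_sk(cert, t):
    """User: (K, L, {K_i}) with L = t*alpha*s*Q, K_i = t*s*P_i.  The claims leave K unstated;
    t times the first certificate component makes the decryption formula cancel (assumption)."""
    return {"K": t * cert["A"] % p, "L": t * cert["asQ"] % p,
            "Ki": {i: t * v % p for i, v in cert["sPi"].items()}}

def encrypt(m, pk, M, rho, params):
    """Sender: CT = (C, C', {C_i, D_i}); the secret r is shared over the rows of M."""
    v = [rand_zp() for _ in M[0]]              # v[0] = r is the shared secret (LSSS convention)
    r, lam = v[0], [sum(a * b for a, b in zip(v, row)) % p for row in M]
    ri = [rand_zp() for _ in M]
    return {"M": M, "rho": rho, "C": m * pow(pk, r, q) % q, "C'": r * params["Q"] % p,
            "Ci": [(lam[i] * params["P0"] - ri[i] * params["Pi"][rho[i]]) % p for i in range(len(M))],
            "Di": [ri[i] * params["aQ"] % p for i in range(len(M))]}

def reconstruct(M, I):
    """Gauss-Jordan over Z_p: {w_i} with sum_i w_i*M[i] = (1,0,...,0), hence
    sum_i w_i*lambda_i = r; None when the rows indexed by I cannot span it."""
    k, n = len(I), len(M[0])
    A = [[M[i][j] % p for i in I] + [int(j == 0)] for j in range(n)]
    pivots, row = [], 0
    for col in range(k):
        piv = next((x for x in range(row, n) if A[x][col]), None)
        if piv is None:
            continue
        A[row], A[piv] = A[piv], A[row]
        inv = pow(A[row][col], -1, p)
        A[row] = [y * inv % p for y in A[row]]
        for x in range(n):
            if x != row and A[x][col]:
                A[x] = [(a - A[x][col] * b) % p for a, b in zip(A[x], A[row])]
        pivots.append((row, col))
        row += 1
    if any(A[x][k] for x in range(row, n)):   # a leftover equation 0 = 1: unsatisfiable
        return None
    return {I[col]: A[x][k] for x, col in pivots}   # free variables stay 0

def decrypt(ct, sk, S, h):
    """Recipient: I = {i | rho(i) in S}; stop unless S satisfies (M, rho)."""
    w = reconstruct(ct["M"], [i for i, a in enumerate(ct["rho"]) if a in S])
    if w is None:
        return None
    prod = 1
    for i, wi in w.items():
        term = e(ct["Ci"][i], sk["L"]) * e(sk["Ki"][ct["rho"][i]], ct["Di"][i]) % q
        prod = prod * pow(term, wi, q) % q
    return ct["C"] * pow(prod, h, q) * pow(e(sk["K"], ct["C'"]), -1, q) % q

def demo(recipient_attrs, policy=("A", "B", "C"), k=2):
    """Full run under a k-of-len(policy) threshold LSSS (row i = (1, i, ..., i^(k-1)),
    rho(i) = policy[i-1]); returns (certificate verified?, recovered m, original m)."""
    alpha = rand_zp()
    params = ca_setup({"A", "B", "C", "D"}, alpha)
    t, info = user_request("alice", recipient_attrs, params)
    cert, h = ca_issue(info, alpha, params, "2013-11")
    M = [[pow(i, j, p) for j in range(k)] for i in range(1, len(policy) + 1)]
    m = pow(g, 321, q)                          # constructed sample message, an element of GT
    ct = encrypt(m, info[2], M, list(policy), params)
    return verify_cert(cert, h, params), decrypt(ct, derive_sk(cert, t), set(recipient_attrs), h), m
```

`demo({"A", "C"})` runs the whole protocol for a recipient whose attributes satisfy the default 2-of-3 policy and returns the recovered message equal to the original, while `demo({"A", "D"})` returns `None` from `decrypt`, which is the "otherwise, stop decrypting" branch of claims 5 and 10. Two points worth noticing when reading the run: the recipient needs $h$ to decrypt, so it must recompute $H(\mathrm{InfoUser}, \mathrm{time}, \alpha Q)$ for the time period in which its certificate was issued; and correctness rests on $e(K_{\rho(i)}, D_i)$ cancelling the $r_i P_{\rho(i)}$ blinding term of $C_i$ exactly, which only works because $K_i$ is bound to the same $s$ as the rest of the certificate.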
Application CN201310564404.9A, priority date 2013-11-13, filing date 2013-11-13, title "The method of the Identity-based encryption containing attribute with certificate", status Active, granted as CN104639322B (en).

Publications (2)

CN104639322A (en), published 2015-05-20
CN104639322B (en), published 2018-08-24

Legal Events

C06 / PB01: Publication
C10: Entry into substantive examination
SE01: Entry into force of request for substantive examination
GR01: Patent grant