Summary of the invention
The object of this invention is to provide a revocable identity-based encryption method on lattices, solving the problems of prior-art encryption methods that the user's private key can be leaked and that quantum attacks are difficult to resist.
The technical solution adopted by the present invention is a revocable identity-based encryption method on lattices, implemented according to the following steps:
Step 1, system setup;
Step 2, private key generation;
Step 3, update key generation;
Step 4, decryption key generation;
Step 5, encryption;
Step 6, decryption;
Step 7, revocation.
The present invention is further characterized as follows.
Step 1 is specifically implemented according to the following steps:
Step (1.1), input the security parameter λ and the maximum number N of users; set the parameters m = 2n log q,
Make user identity
Time period
define φ as a one-to-one mapping: φ(id) = d, d ∈ {1, ..., N};
Step (1.2), use the lattice trapdoor generation algorithm TrapGen(q, n) to generate a uniformly random n × m matrix
together with a short basis
satisfying
Step (1.3), select l_1 + l_2 + 2 uniformly random n × m matrices
Step (1.4), select a uniformly random vector
Step (1.5), the revocation list RL is initially set to
the state ST stores the user information of the current system; let
which contains the user identity, the identity index, and the random vectors corresponding to the identity and to the time, initially set to
Step (1.6), output the public parameters PP and the master key MK:
Step 2 is specifically implemented according to the following steps:
Step (2.1), input the public parameters PP, the master key MK, the identity of a user
and the state ST;
Step (2.2), if identity id is not in the state ST, compute φ(id) = d to obtain the index d, uniformly at random select
let
and add
to the state ST; if identity id is in the state ST, retrieve from the state ST
then let
Step (2.3), sample e_{id,d}, whose distribution is statistically close to
where F_id = A_0 || A_id, and
the symbol || denotes the concatenation operation;
Step (2.4), output the initial private key of identity id
together with the updated state ST.
Step 3 is specifically implemented according to the following steps:
Step (3.1), input the public parameters PP, the master key MK, the time period
the revocation list RL and the state ST;
Step (3.2), define the set of user identities revoked in time period t
namely, for any t' ≤ t, if there exists (id', t') with (id', t') ∈ RL, add (id', t') to the revoked user identity set R;
Step (3.3), let
Step (3.4), for all
retrieve the four-tuple from ST
sample e_{t,d}, whose distribution is statistically close to
where F_t = A_0 || C_t, and
the symbol || denotes the concatenation operation;
Step (3.5), output the update key for time period t
and publish it.
Step 4 is specifically implemented according to the following steps:
Step (4.1), input the private key SK_id and the update key UK_t;
Step (4.2), if
and
correspond to the same index d, output the decryption key DK_{id,t} := (SK_id, KU_t); otherwise, abort.
Step 5 is specifically implemented according to the following steps:
Step (5.1), input the public parameters PP, the identity
the time
and a message m ∈ {0,1};
Step (5.2), let
where the symbol || denotes the concatenation operation;
Step (5.3), select a uniformly random vector
Step (5.4), select l_1 + l_2 uniformly random matrices R_i ← {-1,1}^{m×m}, for i = 1, ..., l_1 + l_2, and define
Step (5.5), select a noise vector
let
let
Step (5.6), output the ciphertext
Step 6 is specifically implemented according to the following steps:
Step (6.1), input the public parameters PP, the decryption key DK_{id,t} and the ciphertext CT = (c_0, c_1);
Step (6.2), if the ciphertext CT_{id,t} and the decryption key DK_{id,t} correspond to different identities or times, abort; otherwise, carry out the following steps:
Step (6.2.1), parse c_1 as
Step (6.2.2), compute
Step (6.2.3), compare the integer w with
in size; if
then output 1; otherwise output 0.
Step 7 is specifically:
input the identity
the time
the revocation list RL and the state ST, then add (id, t) to the revocation list RL.
The beneficial effects of the invention are as follows: the revocable identity-based encryption method on lattices is lattice-based and can therefore resist quantum attacks while offering high computational efficiency; it achieves adaptive-identity security, which is stronger than that of previous schemes; and because a user identity revocation mechanism is added, it effectively realizes identity management of users and ensures the security of the whole encryption system.
Embodiment
The present invention is described in detail below in conjunction with an embodiment.
The revocable identity-based encryption method on lattices of the present invention is specifically implemented according to the following steps:
Step 1, system setup:
Specifically implemented according to the following steps:
Step (1.1), input the security parameter λ and the maximum number N of users; set the parameters m = 2n log q,
Make user identity
Time period
define φ as a one-to-one mapping: φ(id) = d, d ∈ {1, ..., N};
Step (1.2), use the lattice trapdoor generation algorithm TrapGen(q, n) to generate a uniformly random n × m matrix
together with a short basis
satisfying
Step (1.3), select l_1 + l_2 + 2 uniformly random n × m matrices
Step (1.4), select a uniformly random vector
Step (1.5), the revocation list RL is initially set to
the state ST stores the user information of the current system; let
which contains the user identity, the identity index, and the random vectors corresponding to the identity and to the time, initially set to
Step (1.6), output the public parameters PP and the master key MK:
Step 2, private key generation:
Specifically implemented according to the following steps:
Step (2.1), input the public parameters PP, the master key MK, the identity of a user
and the state ST;
Step (2.2), if identity id is not in the state ST, compute φ(id) = d to obtain the index d, uniformly at random select
let
and add
to the state ST; if identity id is in the state ST, retrieve from the state ST
then let
Step (2.3), sample e_{id,d}, whose distribution is statistically close to
where F_id = A_0 || A_id, and
the symbol || denotes the concatenation operation;
Step (2.4), output the initial private key of identity id
together with the updated state ST;
Step 3, update key generation:
Specifically implemented according to the following steps:
Step (3.1), input the public parameters PP, the master key MK, the time period
the revocation list RL and the state ST;
Step (3.2), define the set of user identities revoked in time period t
namely, for any t' ≤ t, if there exists (id', t') with (id', t') ∈ RL, add (id', t') to the revoked user identity set R;
Step (3.3), let
Step (3.4), for all
retrieve the four-tuple from ST
sample e_{t,d}, whose distribution is statistically close to
where F_t = A_0 || C_t, and the symbol || denotes the concatenation operation;
Step (3.5), output the update key for time period t
and publish it.
Step 4, decryption key generation:
Specifically implemented according to the following steps:
Step (4.1), input the private key SK_id and the update key UK_t;
Step (4.2), if
and
correspond to the same index d, output the decryption key DK_{id,t} := (SK_id, KU_t); otherwise, abort;
Step 5, encryption:
Specifically implemented according to the following steps:
Step (5.1), input the public parameters PP, the identity
the time
and a message m ∈ {0,1};
Step (5.2), let
where the symbol || denotes the concatenation operation;
Step (5.3), select a uniformly random vector
Step (5.4), select l_1 + l_2 uniformly random matrices R_i ← {-1,1}^{m×m}, for i = 1, ..., l_1 + l_2, and define
Step (5.5), select a noise vector
let
let
Step (5.6), output the ciphertext
Step 6, decryption:
Specifically implemented according to the following steps:
Step (6.1), input the public parameters PP, the decryption key DK_{id,t} and the ciphertext CT = (c_0, c_1);
Step (6.2), if the ciphertext CT_{id,t} and the decryption key DK_{id,t} correspond to different identities or times, abort; otherwise, carry out the following steps:
Step (6.2.1), parse c_1 as
Step (6.2.2), compute
Step (6.2.3), compare the integer w with
in size; if
then output 1; otherwise output 0;
Step 7, revocation, specifically:
input the identity
the time
the revocation list RL and the state ST, then add (id, t) to the revocation list RL.
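The following Python model is an added example and not part of the patent. It simulates only the bookkeeping of Steps 2, 3, 4 and 7 (as listed in both the summary and the embodiment above): the state ST, the revocation list RL, the revoked set R of Step (3.2) for a time period t, and the rule of Step (4.2) that a decryption key exists only when SK_id and the update key share the same index d. The lattice key material e_{id,d}, e_{t,d} is replaced by placeholder strings, the one-to-one map φ is realised as first-come index assignment, and time periods are small integers; all three are assumptions of this example.

```python
from dataclasses import dataclass, field


@dataclass
class RIBEState:
    """Constructed stand-in for the scheme's public bookkeeping (no lattice math)."""
    N: int                                      # maximum number of users
    RL: set = field(default_factory=set)        # revocation list: pairs (id, t)
    ST: dict = field(default_factory=dict)      # state: id -> index d
    _phi: dict = field(default_factory=dict)    # assumed realisation of φ

    def phi(self, user_id):
        """One-to-one mapping φ(id) = d ∈ {1, ..., N}; first-come assignment is assumed."""
        if user_id not in self._phi:
            if len(self._phi) >= self.N:
                raise ValueError("user capacity N exhausted")
            self._phi[user_id] = len(self._phi) + 1
        return self._phi[user_id]

    # Step 2: private key generation (adds the identity to ST on first use)
    def private_key_gen(self, user_id):
        if user_id not in self.ST:
            self.ST[user_id] = self.phi(user_id)
        d = self.ST[user_id]
        return {"id": user_id, "d": d, "e_id": f"e_id,{d}"}   # placeholder material

    # Step (3.2): identities revoked in period t are those with (id', t') in RL, t' <= t
    def revoked_set(self, t):
        return {rid for (rid, rt) in self.RL if rt <= t}

    # Step 3: the update key for period t carries one entry per non-revoked index d
    def key_update(self, t):
        R = self.revoked_set(t)
        entries = {d: f"e_t,{d}" for uid, d in self.ST.items() if uid not in R}
        return {"t": t, "entries": entries}

    # Step 4: DK_{id,t} := (SK_id, KU_t) only when both carry the same index d
    @staticmethod
    def dec_key_gen(sk, uk):
        if sk["d"] in uk["entries"]:
            return {"id": sk["id"], "t": uk["t"], "SK": sk, "KU": uk["entries"][sk["d"]]}
        return None   # ⊥: the identity is revoked for period t

    # Step 7: revocation appends (id, t) to RL
    def revoke(self, user_id, t):
        self.RL.add((user_id, t))


def demo():
    """Two users; bob is revoked from period 2 on. Returns (alice_ok, bob_ok) per period."""
    system = RIBEState(N=4)
    sk_a = system.private_key_gen("alice")
    sk_b = system.private_key_gen("bob")
    system.revoke("bob", 2)
    results = {}
    for t in (1, 2, 3):
        uk = system.key_update(t)
        results[t] = (system.dec_key_gen(sk_a, uk) is not None,
                      system.dec_key_gen(sk_b, uk) is not None)
    return results   # {1: (True, True), 2: (True, False), 3: (True, False)}


if __name__ == "__main__":
    print(demo())
```

Because the revoked set uses t' ≤ t, a revocation at period 2 also removes the user from every later update key, which is what prevents a revoked user from ever assembling a new decryption key while its old SK_id remains unchanged.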
The security of the revocable identity-based encryption method on lattices of the present invention is analysed below:
(1) Correctness verification:
The correctness derivation of the scheme is as follows:
Theorem: the error term in the above correctness proof
is bounded by
Proof: to bound the error term, write for brevity e_id = e_{id,d}, e_t = e_{t,d}, and let e_id = (e_{id,1} | e_{id,2}), e_t = (e_{t,1} | e_{t,2}), where
are obtained by the left sampling algorithm:
Then
Because
by Lemma 4, which is stated as follows:
Lemma 4: let R be an m × m matrix chosen uniformly at random from {-1,1}^{m×m}; then there exists a large constant C such that
Then
Similarly
Then
Using Lemma 5, which is stated as follows:
Lemma 5: let e be a vector in
then the value of |e^T y| is an integer in [0, q-1], and with non-negligible probability satisfies
The error term is defined as
The bound on the above error term is
To ensure correctness of the scheme, the parameters q, n, m, σ, α are set so that the error term is less than q/5; the parameter estimation procedure of the scheme is as follows:
(1.1) the error term must be less than q/5, that is
(1.2) the trapdoor generation algorithm requires m > 2n log q,
(1.3) for the left sampling algorithm and the right sampling algorithm, σ must be large enough, namely
(1.4) using Regev's reduction, it is required that
To meet the above requirements, the parameters are set as follows:
(a) m = 2n log q,
(b)
(c) the noise parameter
(d) the modulus q is a prime number satisfying:
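The following Python toy is an added example and not the patent's scheme. It illustrates the ciphertext shape CT = (c_0, c_1) of Step 5, the comparison of the integer w against ⌊q/2⌋ in Step (6.2.3), and why the parameter estimation above keeps the error term below q/5. In place of the patent's F_id, F_t matrices and trapdoor sampling it uses a plain Dual-Regev style public key (A, u = A·e mod q) with a short secret e; the constructed parameters n = 8, m = 32, q = 4093 and noise in [-3, 3] are chosen only so it runs instantly, and the decoder threshold ⌊q/4⌋ is an assumption of this example, since the page does not state the quantity compared with w.

```python
import random

# Constructed toy parameters (not the patent's parameter estimation).
N_DIM = 8        # n: LWE dimension
M_DIM = 32       # m: number of columns of A
Q = 4093         # a prime modulus
B_NOISE = 3      # noise coordinates are drawn from [-B_NOISE, B_NOISE]


def keygen(rng):
    """Dual-Regev style key pair: public (A, u = A·e mod q), secret short vector e."""
    A = [[rng.randrange(Q) for _ in range(M_DIM)] for _ in range(N_DIM)]
    e = [rng.choice((-1, 0, 1)) for _ in range(M_DIM)]
    u = [sum(A[i][j] * e[j] for j in range(M_DIM)) % Q for i in range(N_DIM)]
    return (A, u), e


def encrypt(pk, bit, rng):
    """CT = (c_0, c_1): c_1 = A^T s + y, c_0 = u^T s + x + bit * floor(q/2)."""
    A, u = pk
    s = [rng.randrange(Q) for _ in range(N_DIM)]
    x = rng.randint(-B_NOISE, B_NOISE)
    y = [rng.randint(-B_NOISE, B_NOISE) for _ in range(M_DIM)]
    c1 = [(sum(A[i][j] * s[i] for i in range(N_DIM)) + y[j]) % Q for j in range(M_DIM)]
    c0 = (sum(u[i] * s[i] for i in range(N_DIM)) + x + bit * (Q // 2)) % Q
    return c0, c1


def decode_bit(w):
    """Step (6.2.3)-style rounding: 1 if w is within floor(q/4) of floor(q/2), else 0
    (the floor(q/4) threshold is this example's assumption)."""
    return 1 if abs(w - Q // 2) < Q // 4 else 0


def decrypt(e, ct):
    """w = c_0 - e^T c_1 = x - e^T y + bit * floor(q/2)  (mod q); then round."""
    c0, c1 = ct
    w = (c0 - sum(e[j] * c1[j] for j in range(M_DIM))) % Q
    return decode_bit(w)


def error_term_bound():
    """Worst-case |x - e^T y| for this toy: one x term plus m products bounded by B_NOISE."""
    return (1 + M_DIM) * B_NOISE


def decoding_is_safe():
    """The patent's target is error < q/5, which is stricter than the decoder's q/4 margin."""
    return error_term_bound() < Q // 5


def roundtrip_ok(trials=50, seed=7):
    """Encrypt and decrypt both message bits repeatedly with a fixed seed."""
    rng = random.Random(seed)
    pk, e = keygen(rng)
    return all(decrypt(e, encrypt(pk, b, rng)) == b for _ in range(trials) for b in (0, 1))


if __name__ == "__main__":
    print("error bound", error_term_bound(), "q/5 =", Q // 5, "safe:", decoding_is_safe())
    print("round trips correct:", roundtrip_ok())
```

Once |x - e^T y| reaches ⌊q/4⌋ the rounding decoder starts flipping bits, which is exactly the failure the bound of condition (1.1) is chosen to exclude; the toy makes this visible because decode_bit(⌊q/2⌋ + ⌊q/4⌋ - 1) still returns 1 while decode_bit(⌊q/2⌋ + ⌊q/4⌋) returns 0.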
(2) Security verification:
Theorem: if there exists a probabilistic polynomial-time algorithm A that breaks the RIBE scheme under INDr-ID-CPA with advantage ε > 0, then there exists a probabilistic polynomial-time algorithm B that, with
advantage, decides the
problem.
Proof: if the adversary A breaks the scheme with non-negligible advantage, then the challenger B can use A to decide the
problem. The proof proceeds through a sequence of games. The first game is identical to the INDr-ID-CPA game of the security model, and in the last game the adversary's advantage is 0; it therefore suffices to show that a probabilistic polynomial-time adversary A cannot distinguish any two consecutive games, which proves that the adversary wins the original INDr-ID-CPA game with only negligible advantage. In the i-th game, let W_i denote the event that the adversary correctly guesses the challenge bit in that game, i = 1, 2, 3, 4.
Game 0: the challenger B selects l_1 + l_2 + 2 random matrices
and generates the public parameters PP and the master key MK. In the challenge phase, the challenger generates the challenge ciphertext CT*. Let
for i = 1, ..., l_1 + l_2, denote the l_1 + l_2 ephemeral random matrices used in creating the challenge ciphertext CT*.
Game 1: in game 1, the challenger changes the way the public parameter matrices A_i, C_j are generated, for i ∈ {1, ..., l_1}, j ∈ {1, ..., l_2}. In the setup phase the challenger selects random matrices
and selects l_1 + l_2 random scalars
where i = 1, ..., l_1 + l_2. Next, it generates the matrices A_0, B_1, B_2 as in game 0, and for i = 1, ..., l_1, j = 1, ..., l_2 constructs the matrices A_i, C_j as follows:
The remaining parameters of the game are unchanged. Note that
are selected in advance in the setup phase, and no knowledge of the challenge identity id* is needed.
Lemma 3: suppose m > (n+1) log q + ω(log n) and q is prime. Let
be uniform, and let R be an m × m matrix chosen uniformly from {-1,1}^{m×m} mod q. Then, for all vectors
the distribution (A, AR, R^T w) is statistically close to the distribution (A, B, R^T w).
By Lemma 3, games 0 and 1 are shown to be indistinguishable. Observe that in game 1 the matrices
are only used to construct the matrices A_i, C_j and the error vector used in constructing the challenge ciphertext CT*
Now let
by Lemma 3, the distributions (A_0, A_0 R*, (R*)^T y) and
are statistically close, where A_i', C_j' are uniformly random matrices over
i ∈ [l_1], j ∈ [l_2]. Then let z = (z_1 | z_2); the distributions
and
are statistically close. Therefore, from the adversary's point of view, the matrix A_0 R_i* is close to uniform and independent of z, so the A_i, C_j defined in formula (1) are close to uniform, which means that from the adversary's point of view they are independent uniformly random matrices, just as in game 0. This proves
Pr[W_0] = Pr[W_1]
Game 2: game 2 is similar to game 1, except that an abort event is added, which is independent of the adversary's view. Let Q_id be the maximum number of private key queries and |T| the size of the time space, where the time space is polynomial in λ, and let q 32(|T| + Q_id). Without loss of generality, since the time space T is polynomial in λ, assume that the adversary queries the update key for every time t ∈ T and that the challenger gives identical answers to repeated queries. Therefore assume (t_1, ..., t_{|T|}) is the tuple of time queries, with its elements in descending order.
In game 2, the challenger behaves as follows:
1. The setup phase is the same as in game 1, except that the challenger also selects two random hash functions H_1, H_2 ∈ H_wat and retains them.
2. The challenger answers private key queries and key update queries, and outputs the challenge ciphertext, exactly as in game 1.
3. The challenger randomly guesses i* ∈ [|T|] such that the adversary's i*-th update key query is about t*; the probability that the challenger guesses correctly is therefore 1/|T|.
4. The challenger guesses which of the following types the adversary belongs to:
Type 1: the adversary queries the challenge identity id*, but this identity is revoked in or before time period t*.
Type 2: the adversary never queries the target identity id* at any time.
The challenger guesses the adversary's type correctly with probability 1/2. If the guess is Type 1, the challenger in game 2 randomly guesses j' ∈ [Q_id] such that the adversary's j'-th private key query is about id*, so the probability that the challenger guesses correctly is 1/Q_id. Let j* = |T| + j'.
Let Q = Q_id + |T|. In the final guess phase, the adversary outputs its guess r' ∈ {0,1}. The challenger performs the following steps:
1) Let e_1 = (t_1, ..., t_{|T|}),
where (t_1, ..., t_{|T|}) and
are the time queries and the identity queries respectively. Let
2) Abort check: on input e_1, e_2, for the identity queries the challenger checks whether H_1 satisfies E_j(H_1), and for the time queries whether H_2 satisfies E_j(H_2). If at least one is not satisfied, the challenger overwrites r' with a fresh bit from {0,1} and aborts the game. Note that the adversary never sees H_1, H_2, so if the abort event occurs the adversary cannot learn any information.
3) Artificial abort: the challenger samples a bit Γ ∈ {0,1} such that Pr[Γ = 1] = γ(e), where the function γ() is defined in document [1]. If Γ = 1, the challenger overwrites r' with a fresh bit from {0,1} and aborts the game due to the artificial abort.
This completes the description of game 2. Note that the abort conditions are determined by the two hash functions H_1, H_2, which are independent of the adversary's view. For a query tuple e, let ε(e) be the probability that an abort event (real or artificial) does not occur, and let
be a scalar such that
where b denotes which type of adversary is faced. ε(e) is the probability that no abort event (real or artificial) occurs in game 2. Set
The above expression is the probability that the challenger correctly guesses the adversary's type.
Without artificial aborts, we have
from which we can derive
The above probability is non-negligible, but
has no good lower bound. Waters' method of adding artificial aborts is therefore applied. Using this strategy, we have
Therefore
Then
From the above formula, games 1 and 2 can be distinguished only with negligible advantage.
Game 3: now the challenger changes the way A_0, B_1, B_2 are selected in game 2. In game 3, the matrix A_0 is generated as a random matrix over
and the matrices B_1, B_2 are generated using the TrapGen algorithm, so that B_1, B_2 are random matrices over
and the challenger holds the
trapdoor
and the
trapdoor
For i = 1, ..., l_1, j = 1, ..., l_2, the matrices A_i, C_j are constructed as in game 2, namely
The challenger answers private key queries as follows:
Private key queries: in game 3, for an identity
the challenger uses the trapdoor
to answer the private key query:
(1) if identity id is not in the state ST, compute φ(id) = d to obtain the index d, uniformly at random select
let
and add
to the state ST; if identity id is in the state ST, retrieve from the state ST
(2) construct as in formula (1)
then
note that h_id = H_ID(id), where H_ID is a hash function in the family H_wat, defined by using
(3) if h_id = 0, the challenger aborts the game and outputs a random bit r' ∈ {0,1} as its guess, as in game 2. Otherwise, perform the next step.
(4) sample e_{id,d}, whose distribution is statistically close to
where F_id = A_0 || A_id.
(5) output the private key
Update key queries: in game 3, for a time period
the challenger uses the trapdoor
to answer the update key query:
(1) define the set of user identities revoked in time period t
that is, for any t' ≤ t, if there exists (id', t') with (id', t') ∈ RL, add (id', t') to R.
(2) construct as in formula (1)
then
note that h_t = H_t(t), where H_t is a hash function in the family H_wat, defined by using
(3) if h_t = 0, the challenger aborts the game and outputs a random bit r' ∈ {0,1} as its guess, as in game 2. Otherwise, perform the next step.
(4) for all
retrieve the four-tuple from ST
sample e_{t,d}, whose distribution is statistically close to
where F_t = A_0 || C_t.
(5) output the update key
and publish it.
For the other phases of the security game, game 3 and game 2 are identical. In the challenge phase the challenger checks which type the adversary is.
1) If the adversary is of Type 2, the challenger checks whether the challenge time
satisfies
if not, the challenger aborts the game as in game 2.
2) If the adversary is of Type 1, the challenger checks whether the challenge time
satisfies
and the challenge identity
satisfies
if not, the challenger aborts the game as in game 2.
It is then shown that the results obtained with the SampleRight algorithm in game 3 and with the SampleLeft algorithm in game 2 are indistinguishable. Consider first the answers to private key queries: since h_id is non-zero in the third step of private key generation, the matrix
is also a trapdoor for h_id B_1. Moreover, B_1 has rank n, so h_id B_1 also has rank n with very high probability. As described in Theorem 3, when
the distribution of the generated short vector e is close to
as in game 2. Recalling from Theorem 1 that
σ is chosen large enough in the parameter estimation to meet the sampling requirement. The process for update key queries is similar.
Since games 2 and 3 are identical from the adversary's point of view, the adversary's advantage in game 3 is the same as in game 2, namely
Pr[W_2] = Pr[W_3]
Game 4: game 4 is the same as game 3, except that the challenge ciphertext (c_0*, c_1*) consists of elements chosen at random from
Since the challenge ciphertext is always a fresh random element of the ciphertext space, the adversary's advantage in this game is 0.
The remaining task is to prove that games 3 and 4 are computationally indistinguishable, by a reduction from the LWE problem. If an abort event occurs the games are obviously indistinguishable, so the argument concentrates on a sequence of queries that does not cause an abort.
Reduction from LWE: suppose the adversary has a non-negligible advantage in distinguishing game 3 from game 4; using this adversary, an LWE algorithm, denoted B, is constructed.
Recall that an instance of the LWE problem is given by a sampling oracle O, which is either the truly random oracle O_$ or the noisy pseudorandom oracle O_s. The challenger B uses the adversary to distinguish the two games as follows:
Instance: B queries the oracle O and is answered. For i = 0, ..., m, a fresh pair
Setup: B constructs the public parameters PP of the system as follows:
1. Using the m LWE instances provided, let the i-th row of A_0 be the n-dimensional vector u_i of the LWE instance, for i = 1, ..., m.
2. The 0-th sample of the LWE instance is assigned to become the random n-dimensional vector
3. Construct the remaining public parameters, namely A_i, C_j, B_1, B_2, as in game 3, using the random scalars h_i, s_i and the random matrices R_i*.
4. Send the public parameters PP = (A_0, A_1, ..., A_l, C_1, ..., C_l, B_1, B_2) to the adversary.
Queries: the challenger answers private key queries and update key queries as in game 3, including aborting the game if necessary.
Challenge: when the adversary provides a message bit b* ∈ {0,1} and a challenge identity-time pair
let id* = (b_1*, ..., b_l*), t* = (t_1*, ..., t_l*). Construct a challenge ciphertext corresponding to the target (id*, t*) as follows:
1. Let v_0, ..., v_m be the components of the LWE instance, and set
2. Blind the message bit by letting
3. Let
where R_i*, i > 0, were generated in the setup phase. 4. Let
5. Send the ciphertext CT* = (c_0*, c_1*) to the adversary.
It is now argued that when the LWE oracle is the pseudorandom oracle, i.e. O = O_s, the distribution of CT* is consistent with that of game 3, which holds only when the abort event does not occur. First, because
we have
Second, by the definition of O_s, we know
for some random noise vector
distributed over
therefore, the
defined in step 3 satisfies
and the right-hand side of the equation is the c_1 part of a valid challenge ciphertext in game 3. We also note that
which is exactly the c_0 part of the challenge ciphertext in game 3.
When O = O_$, v_0 is uniformly distributed over
and v* is uniformly distributed over
Therefore, the
defined in step 3 above is uniformly and independently distributed over
so the challenge ciphertext is always uniformly distributed over
just as in game 4.
Guess: after further queries are allowed, the adversary outputs its guess. If the adversary wins the game, the challenger uses the adversary to solve the LWE problem.
As discussed, when O = O_$ the adversary's view is the same as in game 4, and when O = O_s the adversary's view is the same as in game 3. Therefore the challenger's advantage in solving the LWE problem equals the adversary's advantage in distinguishing game 3 from game 4. This completes the description of algorithm B, and completes our proof.
The correctness of the revocable identity-based encryption (RIBE) method is defined as follows: for all PP, RL, ST, MK generated by the Setup(1^k, n) algorithm, for any id and the SK_id generated by the PriKeyGen(PP, MK, id, ST) algorithm, for any t and RL and the KU_t generated by the KeyUpd(PP, MK, t, RL, ST) algorithm, and for any id_c, t_c and m and the CT_{id,t} generated by the Enc(PP, id_c, t_c, m) algorithm, the following must hold:
(1) if
then DecKeyGen(SK_id, KU_t) → DK_{id,t}.
(2) if id ∈ RL, then with non-negligible advantage DecKeyGen(SK_id, KU_t) → ⊥.
(3) if
then Dec(PP, DK_{id,t}, CT_{id,t}) → m.
(4) if
then with non-negligible advantage the decryption algorithm outputs the abort symbol, i.e. Dec(PP, DK_{id,t}, CT_{id,t}) → ⊥.