CN105024821A - Identity-based encryption method allowing revocation at lattice - Google Patents

Abstract

The invention discloses an identity-based encryption method allowing revocation at the lattice, and specifically includes the steps of: 1. establishing an algorithm; 2. establishing a private key generation algorithm; 3. updating a secret key generation algorithm; 4. decrypting the secret key generation algorithm; 5. encrypting an algorithm; 6. decrypting the algorithm; and 7. revoking the algorithm. The identity-based encryption method allowing revocation at the lattice adds a user identity revocation mechanism, and thus identity management of user can be effectively realized; and the method is based on the problem of LWE difficulty at the lattice, can resist quantum attack, has relatively high computational efficiency, proves that the scheme is adaptively safe, security of the scheme is stipulated to the problem of LWE difficulty, and the problem existing in the prior art that an encryption method causes disclosure of a user private key and difficulty in resisting quantum attack.

Description

Voidable Identity based encryption method on lattice

Technical field

The invention belongs to field of information security technology, be specifically related to a kind of voidable Identity based encryption method on lattice.

Background technology

Identity-based cryptosystems overcome public key certificate in traditional public-key cryptosystem maintenance, upgrade and the problem such as to cancel.Identity-based cryptography fundamentally changes management and the running of certificate in traditional public key system framework.Identity based cryptography difference compared with common public key cryptosyst is, in Identity-based cryptography system, the open identity information of entity is the unique identification of entity, and the PKI of user can be derived by identity information.These schemes have good application prospect in some enterprises and institutions, as between individual and individual, between individual and businessman, businessman and businessman, business exchange between enterprise and enterprise, or the E-Government dealing etc. between government department.

In order to ensure the fail safe of the encryption system having a large number of users, identity revocation mechanism is very necessary.System user PKI has been cancelled many reasons: the first, and the private key of user is revealed; The second, this user is no longer a legal user, in this case needs to cancel this user.Such as in an enterprise management system, certain employee resigns from this enterprise, then need to cancel this user from this system, or certain employee's altered data or reveal enterprise privacy, violate the rules and regulations of this enterprise, also need to cancel this user from this system.

In view of above-mentioned practical problem, voidable Identity based encryption technique study is very practical.In actual life, such a example is a lot, such as secret office, all kinds of enterprise, business, communication etc. field.In these cases, revoked public key-private key to and replace being very important with new key.Voidable Identity-based encryption provides effective cancelling method in Identity-based encryption scheme, and trusted authority issues the non-more new key cancelling user termly, and only has user to have up-to-date more new key, the decrypting ciphertext that he just can be correct.Therefore, along with internet product fast development and widely use, studying voidable Identity-based encryption has good development prospect.

Summary of the invention

The object of this invention is to provide a kind of voidable Identity based encryption method on lattice, solve the encryption method existed in prior art and cause private key for user to be revealed and the problem being difficult to resist quantum attack.

The technical solution adopted in the present invention is, voidable Identity based encryption method on lattice, specifically implements according to following steps:

Step 1, system are set up;

Step 2, private key generate;

Step 3, renewal secret generating;

Step 4, decruption key generate;

Step 5, encryption;

Step 6, deciphering;

Step 7, to cancel.

Feature of the present invention is also,

Step 1 is specifically implemented according to following steps:

Step (1.1), input security parameter λ, and the maximum number N of user, parameters m=2n log q, $\mathrm{\&sigma;}=max(l_1,l_2)m\mathrm{\&omega;}\left(\sqrt{\log m}\right),\mathrm{\&alpha;}<\frac{1}{5}\left(1+\mathrm{\&omega;}\left(\sqrt{\log m}\right)\right){\left(O\left(\left(l_1+l_2\right)\mathrm{\&sigma;}m\right)+1\right)}^{-1},$ $q>10\sqrt{m}(1+\mathrm{\&omega;}(\sqrt{\log m}\left)\right)\left(O\right(\left(l_1+l_2\right)\mathrm{\&sigma;}m)+1),$ Make user identity $id=\{b_1,...,b_{l_1}\}\&Element;{\{-1,1\}}^{l_1},$ Time period definition φ be man-to-man mapping: φ (id)=d, d ∈ 1 ..., N};

Step (1.2), use trapdoor generating algorithm TrapGen (q, n) based on lattice, generate the matrix of even random n × m dimension to pass short base and meet $\left|\right|{\tilde{T}}_{A_0}\left|\right|\&le;O\left(\sqrt{n\log q}\right);$

Step (1.3), selection l ₁+ l ₂the matrix of+2 even random n × m dimensions

Step (1.4), select even random vector

Step (1.5), revocation list RL are initially set to state ST stores the user profile in current system, order wherein comprise random vector corresponding to random vector corresponding to user identity, identity index, identity, time, initial setting up

Step (1.6), output common parameter PP and master key MK:

$PP=\{A_0,A_1,...,A_{l_1},C_1,...C_{l_2},B_1,B_2,u\},MK=\left\{T_{A_0}\right\}.$

Step 2 is specifically implemented according to following steps:

The identity of step (2.1), input common parameter PP, a master key MK and user $id=\{b_1,...,b_{l_1}\}\&Element;{\{-1,1\}}^{l_1},$ State ST;

Step (2.2), if identity id is not at state in ST, by calculating φ (id)=d, obtains index d, even Stochastic choice order and add to in state ST; If identity id is in state ST, retrieve from state ST then, make

Step (2.3), sampling $e_{id,d}\&LeftArrow;SampleLeft(A_0,A_{id},T_{A_0},u_{d_1},\mathrm{\&sigma;}),$ E _{id, d}distribution statistics close to wherein F _id=A ₀|| A _id, and here mark || represent cascaded operational;

The initial private key of step (2.4), output identity id with the state ST upgraded.

Step 3 is specifically implemented according to following steps:

Step (3.1), input common parameter PP, master key MK and time period revocation list RL, state ST;

Step (3.2), be defined in time period t and cancel user identity collection namely for arbitrary t '≤t, if exist (id ', t ') meet (id ', t ') ∈ RL, then add (id ', t ') to cancelling in user identity collection R;

Step (3.3), order

Step (3.4), for all four-tuple is retrieved from ST sampling e _t,ddistribution statistics close to wherein F _t=A ₀|| C _t, and here mark || represent cascaded operational;

More new key in step (3.5), output time section t and they are disclosed.

Step 4 is specifically implemented according to following steps:

Step (4.1), input private key SK _id, more new key UK _t;

Step (4.2) if with corresponding identical index d, exports decruption key DK _{id, t}:=(SK _id, KU _t), otherwise, stop.

Step 5 is specifically implemented according to following steps:

Step (5.1), input common parameter PP, identity time $t=\{t_1,...,t_{l_2}\}\&Element;{\{-1,1\}}^{l_2},$ And message m ∈ { 0,1};

Step (5.2), order here mark || represent cascaded operational;

Step (5.3), select even random vector

Step (5.4), selection l ₁+ l ₂individual even random matrix R _i← {-1,1} ^{m × m}, for i=1 ..., l ₁+ l ₂, definition $R_{id}={\mathrm{\&Sigma;}}_{i=1}^{l_1}{b}_i{R}_i\&Element;{\{-l_1,...,l_1\}}^{m\&times;m},R_t={\mathrm{\&Sigma;}}_{i=1}^{l_2}{t}_i{R}_{l_1+i}\&Element;{\{-l_2,\mathrm{...},l{2}_{}\}}^{m\&times;m};$

Step (5.5), selection noisy vector order order

Step (5.6), output ciphertext

Step 6 is specifically implemented according to following steps:

Step (6.1), input common parameter PP, decruption key DK _{id, t}, and ciphertext CT=(c ₀, c ₁);

Step (6.2) is if ciphertext CT _{id, t}with decruption key DK _{id, t}corresponding different identity and time, then stop, otherwise carry out following step:

Step (6.2.1), c ₁resolve to

Step (6.2.2), calculating

Step (6.2.3), compare integer w and size, if then export 1, otherwise, export 0.

Step 7 is specially:

Input identity $id=\{b_1,...,b_{l_1}\}\&Element;{\{-1,1\}}^{l_1},$ Time $t=\{t_1,...,t_{l_2}\}\&Element;{\{-1,1\}}^{l_2},$ Revocation list RL, state ST, then add to (id, t) in revocation list RL.

The invention has the beneficial effects as follows, voidable Identity based encryption method on lattice, based on lattice, quantum can be resisted and attack, and there is higher computational efficiency, adaptability identity security of the present invention, more previous scheme is compared, and its fail safe is more advanced, owing to the addition of user identity revocation mechanism, effectively can realize the Identity Management of user, ensure the fail safe of whole encryption system.

Embodiment

Below in conjunction with embodiment, the present invention is described in detail.

Voidable Identity based encryption method on lattice of the present invention, specifically implement according to following steps:

Step 1, system are set up:

Specifically implement according to following steps:

Step (1.1), input security parameter λ, and the maximum number N of user, parameters m=2n log q, $\mathrm{\&sigma;}=max(l_1,l_2)m\mathrm{\&omega;}\left(\sqrt{\log m}\right),\mathrm{\&alpha;}<\frac{1}{5}(1+\mathrm{\&omega;}(\sqrt{\log m}\left)\right){\left(O\right(\left(l_1+l_2\right)\mathrm{\&sigma;}m)+1)}^{-1},$ $q>10\sqrt{m}(1+\mathrm{\&omega;}(\sqrt{\log m}\left)\right)\left(O\right(\left(l_1+l_2\right)\mathrm{\&sigma;}m)+1).$ Make user identity $id=\{b_1,...,b_{l_1}\}\&Element;{\{-1,1\}}^{l_1},$ Time period definition φ be man-to-man mapping: φ (id)=d, d ∈ 1 ..., N};

Step (1.2), use trapdoor generating algorithm TrapGen (q, n) based on lattice, generate the matrix of even random n × m dimension to pass short base and meet $\left|\right|{\tilde{T}}_{A_0}\left|\right|\&le;O\left(\sqrt{n\log q}\right);$

Step (1.3), selection l ₁+ l ₂the matrix of+2 even random n × m dimensions

Step (1.4), select even random vector

Step (1.5), revocation list RL are initially set to state ST stores the user profile in current system, order wherein comprise random vector corresponding to random vector corresponding to user identity, identity index, identity, time, initial setting up

Step (1.6), output common parameter PP and master key MK:

$PP=\{A_0,A_1,...,A_{l_1},C_1,...C_{l_2},B_1,B_2,u\},MK=\left\{T_{A_0}\right\};$

Step 2, private key generate:

Specifically implement according to following steps:

The identity of step (2.1), input common parameter PP, a master key MK and user $id=\{b_1,...,b_{l_1}\}\&Element;{\{-1,1\}}^{l_1},$ State ST;

Step (2.2), if identity id is not at state in ST, by calculating φ (id)=d, obtains index d, even Stochastic choice order and add to in state ST; If identity id is in state ST, retrieve from state ST then, make

Step (2.3), sampling e _{id, d}distribution statistics close to wherein F _id=A ₀|| A _id, and here mark || represent cascaded operational;

The initial private key of step (2.4), output identity id with the state ST upgraded;

Step 3, renewal secret generating:

Specifically implement according to following steps:

Step (3.1), input common parameter PP, master key MK and time period revocation list RL, state ST;

Step (3.2), be defined in time period t and cancel user identity collection namely for arbitrary t '≤t, if exist (id ', t ') meet (id ', t ') ∈ RL, then add (id ', t ') to cancelling in user identity collection R;

Step (3.3), order

Step (3.4), for all four-tuple is retrieved from ST sampling e _t,ddistribution statistics close to wherein F _t=A ₀| C _t, and

More new key in step (3.5), output time section t and they are disclosed.

Step 4, decruption key generate:

Specifically implement according to following steps:

Step (4.1), input private key SK _id, more new key UK _t;

Step (4.2) if with corresponding identical index d, exports decruption key DK _{id, t}:=(SK _id, KU _t), otherwise, stop;

Step 5, encryption:

Specifically implement according to following steps:

Step (5.1), input common parameter PP, identity time $t=\{t_1,...,t_{l_2}\}\&Element;{\{-1,1\}}^{l_2},$ And message m ∈ { 0,1};

Step (5.2), order here mark || represent cascaded operational;

Step (5.3), select even random vector

Step (5.4), selection l ₁+ l ₂individual even random matrix R _i← {-1,1} ^{m × m}, for i=1 ..., l ₁+ l ₂, definition $R_{id}={\mathrm{\&Sigma;}}_{i=1}^{l_1}{b}_i{R}_i\&Element;{\{-l_1,...,l_1\}}^{m\&times;m},R_t={\mathrm{\&Sigma;}}_{i=1}^{l_2}{t}_i{R}_{l_1+i}\&Element;{\{-l_2,...,l_2\}}^{m\&times;m};$

Step (5.5), selection noisy vector order order

Step (5.6), output ciphertext

Step 6, deciphering:

Specifically implement according to following steps:

Step (6.1), input common parameter PP, decruption key DK _{id, t}, and ciphertext CT=(c ₀, c ₁);

Step (6.2) is if ciphertext CT _{id, t}with decruption key DK _{id, t}corresponding different identity and time, then stop, otherwise carry out following step:

Step (6.2.1), c ₁resolve to

Step (6.2.2), calculating

Step (6.2.3), compare integer w and size, if then export 1, otherwise, export 0;

Step 7, to cancel, be specially:

Input identity $id=\{b_1,...,b_{l_1}\}\&Element;{\{-1,1\}}^{l_1},$ Time $t=\{t_1,...,t_{l_2}\}\&Element;{\{-1,1\}}^{l_2},$ Revocation list RL, state ST, then add to (id, t) in revocation list RL.

The fail safe of voidable Identity based encryption method on lower surface analysis lattice of the present invention:

(1) verification of correctness:

The correctness derivation of scheme is as follows:

Theorem: the error term in above-mentioned correctness proof $x-e_{id,d}^T\left[\begin{array}{c}y\\ z_1\end{array}\right]-e_{t,d}^T\left[\begin{array}{c}y\\ z_2\end{array}\right]$ Boundary be $\mathrm{\&alpha;}q(1+w(\sqrt{\log m}\left)\right)\left(O\right(\left(l_1+l_2\right)\mathrm{\&sigma;}m)+1).$

Prove: in order to prove the boundary of error term, brief note e _id=e _{id, d}, e _t=e _t,d, make e _id=(e _{id, 1}| e _{id, 2}), e _t=(e _{t, 1}| e _{t, 2}), wherein obtained by left sampling algorithm: $\left|\right|e_{id}\left|\right|\&le;\mathrm{\&sigma;}\sqrt{2m},\left|\right|e_t\left|\right|\&le;\mathrm{\&sigma;}\sqrt{2m},$ Then have $e_{id,1},e_{id,2},e_{t,1},e_{t,2}\&le;\mathrm{\&sigma;}\sqrt{m},$ Because $R_{id}=\underset{i=1}{\overset{l_1}{\&Sigma;}}{b}_i{R}_i,$ Obtained by lemma 4, lemma 4 describes as follows:

Lemma 4: make R be that m × m ties up matrix, element is wherein from {-1,1} ^{m × m}middle random selecting, then the constant C that existence one is large, meets

$\mathrm{Pr}\&lsqb;s_R=\left|\right|R|{|}_R>C\sqrt{m}\&rsqb;\&le;e^{-2m}$

Then have $\left|\right|R_{id}\left|\right|\&le;\underset{i=1}{\overset{l_1}{\&Sigma;}}\left|\right|b_i{R}_i\left|\right|\&le;l_{1}O\left(\sqrt{m}\right),$ In like manner $\left|\right|R_t\left|\right|\&le;l_{2}O\left(\sqrt{m}\right),$ Then have

$\left|\right|e_{id,1}+R_{id}{e}_{id,2}\left|\right|\&le;\left|\right|e_{id,1}\left|\right|+\left|\right|R_{id}{e}_{id,2}\left|\right|\&le;\mathrm{\&sigma;}\sqrt{m}(1+O(l_1\sqrt{m}\left)\right)\&le;O\left(l_1\mathrm{\&sigma;}m\right),$

$\left|\right|e_{t,1}+R_t{e}_{t,2}\left|\right|\&le;\left|\right|e_{t,1}\left|\right|+\left|\right|R_t{e}_{t,2}\left|\right|\&le;\mathrm{\&sigma;}\sqrt{m}(1+O(l_2\sqrt{m}\left)\right)\&le;O\left(l_2\mathrm{\&sigma;}m\right),$

Utilize lemma 5, lemma 5 is described below:

Lemma 5: make e be in vector, then | e ^tthe value of y| is the integer in [0, q-1], and meets with the probability of can not ignore

$\left|e^{T}y\right|\&le;\left|\right|e\left|\right|q\mathrm{\&alpha;}w\left(\sqrt{\log m}\right)+\left|\right|e\left|\right|\sqrt{m/2}$

Error term is defined as

$\begin{array}{c}\left|x-{e_{id}}^T\left[\begin{array}{c}y\\ z_1\end{array}\right]-{e_t}^T\left[\begin{array}{c}y\\ z_2\end{array}\right]\right|\&le;\left|x\right|+\left|{(e_{id,1}+R_{id}{e}_{id,2})}^{T}y\right|+\left|{(e_{t,1}+R_t{e}_{t,2})}^{T}y\right|\\ \&le;\frac{1}{2}+q\mathrm{\&alpha;}\mathrm{\&omega;}\left(\sqrt{\log m}\right)+\left|\right|(e_{id,1}-R_{id}{e}_{id,2})\left|\right|\&CenterDot;(\frac{\sqrt{m}}{2}+q\mathrm{\&alpha;}\mathrm{\&omega;}(\sqrt{\log m}\left)\right)+\left|\right|(e_{t,1}-R_t{e}_{t,2})\left|\right|\&CenterDot;(\frac{\sqrt{m}}{2}+q\mathrm{\&alpha;}\mathrm{\&omega;}(\sqrt{\log m}\left)\right)\\ =\frac{1}{2}+q\mathrm{\&alpha;}\mathrm{\&omega;}\left(\sqrt{\log m}\right)+\left(\right|\left|\right(e_{id,1}-R_{id}{e}_{id,2}\left)\right||+|\left|\right(e_{t,1}-R_t{e}_{t,2}\left)\right|\left|\right)(\frac{\sqrt{m}}{2}+q\mathrm{\&alpha;}\mathrm{\&omega;}(\sqrt{\log m}\left)\right)\\ \&le;(1+|\left|\right(e_{id,1}-R_{id}{e}_{id,2}\left)\right||+|\left|\right(e_{t,1}-R_t{e}_{t,2}\left)\right|\left|\right)(\frac{\sqrt{m}}{2}+q\mathrm{\&alpha;}\mathrm{\&omega;}(\sqrt{\log m}\left)\right)\\ \&le;\left(O\right(\left(l_1+l_2\right)\mathrm{\&sigma;}m)+1)(\frac{\mathrm{\&alpha;}q}{4}+q\mathrm{\&alpha;}\mathrm{\&omega;}(\sqrt{\log m}\left)\right)\\ <\left(O\right(\left(l_1+l_2\right)\mathrm{\&sigma;}m)+1)\left(\mathrm{\&alpha;}q\right(1+\mathrm{\&omega;}\left(\sqrt{\log m}\right)\left)\right)\end{array}$

The boundary of above-mentioned error term is

In order to the correctness of assured plan, by parameters q, n, m, σ, α, guarantee that error term is less than q/5, the parameter estimation procedure in scheme is as follows:

(1.1) error term need be less than q/5, that is $\mathrm{\&alpha;}<\frac{1}{5}(1+(\mathrm{\&omega;}\sqrt{\log m}\left)\right){\left(O\right(\left(l_1+l_2\right)\mathrm{\&sigma;}m)+1)}^{-1},$

(1.2) trapdoor generating algorithm need meet m>2n log q,

(1.3) for left sampling algorithm and right sampling algorithm, σ will ensure it is enough large, namely $\mathrm{\&sigma;}>\left|\right|{\tilde{T}}_A\left|\right|max(l_1,l_2)\sqrt{m}w\left(\sqrt{\log m}\right)=max(l_1,l_2)m\mathrm{\&omega;}\left(\sqrt{\log m}\right),$

(1.4) use that scholar Regev's about subtract process, need meet

In order to meet above-mentioned requirement, parameters is as follows:

(a)、m＝2n log q，

(b)、 $\mathrm{\&sigma;}=max(l_1,l_2)m\mathrm{\&omega;}\left(\sqrt{\log m}\right),$

(c), noise parameter $\mathrm{\&alpha;}<\frac{1}{5}(1+\mathrm{\&omega;}(\sqrt{\log m}\left)\right){\left(O\right(\left(l_1+l_2\right)\mathrm{\&sigma;}m)+1)}^{-1},$

D (), modulus q are a prime number and meet:

$q>10\sqrt{m}(1+\mathrm{\&omega;}(\sqrt{\log m}\left)\right)\left(O\right(\left(l_1+l_2\right)\mathrm{\&sigma;}m)+1).$

(2) security verification:

Theorem: if exist a probabilistic polynomial time algorithm A under INDr-ID-CPA, break through RIBE scheme with advantage ε >0, then exist probabilistic polynomial time algorithm B so that mainly with advantage judge problem.

Prove: if opponent A breaks through scheme with the advantage of can not ignore, then challenger B can judge by opponent A problem.Proof procedure carries out between a series of game, first game is identical with the INDr-ID-CPA game in security model, in the end in a game, the advantage A of opponent is 0, as long as prove that a probabilistic polynomial time opponent A can not distinguish any two game, namely demonstrate opponent and win original INDr-ID-CPA game with insignificant advantage.In i-th game, make W _irepresent opponent's correct conjecture challenge bit in this game, i=1,2,3,4.

L is selected in game 0: challenger B ₁+ l ₂+ 2 random matrixes generate common parameter PP and master key MK.In the challenge stage, challenger generates challenge ciphertext CT ^*.Order for i=1 ... l ₁+ l ₂, represent and create ciphertext CT ^*time use l ₁+ l ₂individual of short duration random matrix.

Game 1: in game 1, challenger changes generation common parameter matrix A _i, C _jmode, to i ∈ 1 ..., l ₁, j ∈ 1 ..., l ₂.Challenger selects random matrix at establishment stage and select l ₁+ l ₂individual random scalar wherein i=1 ..., l ₁+ l ₂.Next, generator matrix A as game 0 ₀, B ₁, B ₂, for i=1 ... l ₁, j=1 ..., l ₂, structural matrix A _i, C _jas follows:

Remaining parameter constant in game.Notice select in advance at establishment stage, and about challenge identity id ^*knowledge be unwanted.

Lemma 3: suppose m> (n+1) logq+w (logn), q is prime number.Order be uniform design, make R be the matrix that m × m ties up, {-1,1} ^{m × m}the upper uniform design of modq.Then, for all vectors distribution (A, AR, R ^tw) be that statistics is close to distribution (A, B, R ^tw).

By using lemma 3, prove that game 0 and game 1 are undistinguishables.Observe in game 1, matrix only be used to structural matrix A _i, C _jand structure challenge ciphertext CT ^*in the error vector used $z_1\&LeftArrow;{\left(R_{id}^{*}\right)}^{T}y,z_2\&LeftArrow;{\left(R_t^{*}\right)}^{T}y,{R_{id}}^{*}={\mathrm{\&Sigma;}}_{i=1}^{l_1}{b}_i{R_i}^{*},{R_t}^{*}={\mathrm{\&Sigma;}}_{i=1}^{l_2}{t}_i{R_{l_1+i}}^{*}.$ Following order by using lemma 3, there is distribution (A ₀, A ₀r ^*, (R ^*) ^ty) and that statistics is close, wherein A _i', C _j' be on even random matrix, i ∈ [l ₁], j ∈ [l ₂].Then z=(z is made ₁| z ₂), then there is distribution with that statistics is close.Therefore, from the angle of opponent, matrix A ₀r _i ^*close to uniformly, and independent of z, so the A defined in (1) formula _i, C _jbe close to uniformly, this just means the angle from opponent, and they are random independent homogeneous matrix, just as in game 0.This just demonstrates

Pr[W ₀]＝Pr[W ₁]

Game 2: game 2 is be similar to game 1, except adding a termination event, this event is the angle independent of opponent.Make Q ^idbe private key inquiry maximum times, | T| is spatio-temporal size, and time and space is the multinomial about λ, make q32 (| T|+Q ^id).Without loss of generality, because time and space T is the multinomial about λ, suppose that the more new key of opponent to all time t ∈ T is all inquired, and challenger can make identical answer to the inquiry repeated.Therefore (t is supposed ₁..., t _{| T|}) be time inquiry tuple, element is wherein by descending order.

In game 2, challenger's behavior is as follows:

1, establishment stage is equal to game 1, except challenger also will select 2 random hash function H ₁, H ₂∈ H _wat, and retain it.

2, challenger answers private key inquiry and key updating inquiry, and directly to going out to challenge ciphertext as in game 1.

3, challenger's random guess i ^*∈ [| T|], meet opponent's i-th ^*secondary renewal key challenge is about t ^*, therefore, the probability that challenger correctly guesses is 1/|T|.

4, challenger guesses opponent is from which kind of following type:

Class1: opponent inquires challenge identity id ^*but this identity is at t ^*time period or cancel before.

Type 2: opponent does not inquire target identities id at any time ^*.

Challenger correctly guesses that the probability of the type of opponent is 1/2.If conjecture result is Class1, the challenger's random guess j ' ∈ [Q in game 2 ^id], the jth ' secondary private key inquiry meeting opponent is about id ^*, the probability that therefore challenger correctly guesses is 1/Q ^id.Make j ^*=| T|+j '.

1, Q=Q is made ^id+ | T|.In the final conjecture stage, opponent exports conjecture result r ' ∈ { 0,1}.Challenger carries out following steps:

1) e is made ₁=(t ₁..., t _{| T|}), wherein (t ₁..., t _{| T|}) and corresponding time inquiry and identity inquiry respectively.Order

2) termination detection: once input e ₁, e ₂, for identity inquiry, challenger detects H ₁whether meet E _j(H ₁), for time inquiry, H ₂whether meet E _j(H ₂).If at least one ungratified word, new { bit in 0,1} rewrites r ' to challenger, and stops game with one.Notice, opponent have never been seen H ₁, H ₂if the event that stops occurs, and opponent can not acquire any information.

3) manual termination: challenger samples, and { 0,1}, meets Pr [Γ=1]=γ (e) to a bit Γ ∈, and wherein function gamma () provides definition in document [1].If Γ=1, new { bit in 0,1} rewrites r ' to challenger, and due to manual termination, challenger stops game with one.

This completes the description of game 2.Notice, end condition is by two hash function H ₁, H ₂determine, and they are the angles independent of opponent.For inquiry tuple e, ε (e) is made to be the probability that termination event (or real or artificial) does not occur, order be scalar, meet what wherein b represented is in the face of the opponent of which kind of type.ε (e) is the probability that termination event in game 2 (or real or artificial) does not occur.Arrange

$\mathrm{\&Delta;}b=\left\{\begin{array}{c}\frac{1}{2\left|T\right|},b=2\\ \frac{1}{2\left|T\right|\&CenterDot;Q^{id}},b=1\end{array}\right.$

Above-mentioned expression be the probability that challenger correctly guesses the type of opponent.

If there is no manual intervention, have can push away

${\mathrm{\&epsiv;}}_{max}^{\left(b\right)}-{\mathrm{\&epsiv;}}_{\min }^{\left(b\right)}=\left\{\begin{array}{c}{\mathrm{\&Delta;}}_1\&CenterDot;(2Q/q^3-Q^2/q^4),b=1\\ {\mathrm{\&Delta;}}_2\&CenterDot;Q/q^2,b=2\end{array}\right.$

Above-mentioned probability be can not ignore, and causes the lower bound that neither one is good.Therefore the method for waters is applied to add manual termination.By using this strategy, then have ${\mathrm{\&epsiv;}}_{max}^{\left(b\right)}-{\mathrm{\&epsiv;}}_{\min }^{\left(b\right)}<{\mathrm{\&epsiv;}}_{\min }^{\left(b\right)}.\left|\mathrm{Pr}\&lsqb;W_1\&rsqb;-\frac{1}{2}\right|,$ Therefore

$\mathrm{Pr}\&lsqb;W_2\&rsqb;-\frac{1}{2}\&GreaterEqual;{\mathrm{\&epsiv;}}_{min}\left|\mathrm{Pr}\&lsqb;W_1\&rsqb;-\frac{1}{2}\right|-\frac{1}{2}({\mathrm{\&epsiv;}}_{max}-{\mathrm{\&epsiv;}}_{min})\&GreaterEqual;\frac{1}{2}{\mathrm{\&epsiv;}}_{min}\left|\mathrm{Pr}\&lsqb;W_1\&rsqb;-\frac{1}{2}\right|$

Then have

$\mathrm{Pr}\&lsqb;W_2\&rsqb;-\frac{1}{2}\&GreaterEqual;\left\{\begin{array}{c}\frac{\left|\mathrm{Pr}\&lsqb;W_1\&rsqb;-\frac{1}{2}\right|}{8q^2\left|T\right|Q^{id}},b=1\\ \frac{\left|\mathrm{Pr}\&lsqb;W_1\&rsqb;-\frac{1}{2}\right|}{8q\left|T\right|},b=2\end{array}\right.$

Known by above formula, game 1 and game 2 can be distinguished with insignificant advantage.

Game 3: now, challenger changes the A in game 2 ₀, B ₁, B ₂selection mode, in game 3, generator matrix A ₀it is one on random matrix, and generator matrix B ₁, B ₂be use TrapGen algorithm, meet B ₁, B ₂be on random matrix, and challenger has trapdoor with trapdoor for i=1 ..., l ₁, j=1 ..., l ₂, A _i, C _jstructure with game 2 in the same, namely

It is as follows that challenger answers private key inquiry:

Private key is inquired: in game 3, for identity challenger uses trapdoor answer private key is inquired:

(1) if identity id is not at state in ST, by calculating φ (id)=d, index d is obtained, even Stochastic choice order and add in state ST; If identity id is in state ST, then retrieve from state ST

(2) construct in (1) formula then have notice h _id=H _iD(id), wherein H _iDbe defined in H _watin hash function race, by use

(3) if h _id=0, challenger stops game, and { 0,1}, as played 2 to pretend output random bit r ' ∈.Otherwise, then perform lower step.

(4) sample e _{id, d}distribution statistics close to wherein F _id=A ₀| A _id.

(5) private key is exported

Upgrade key challenge: in game 3, for the time period challenger uses trapdoor answer upgrades key challenge:

(1) be defined in time period t and cancel user identity collection that is, for arbitrary t '≤t, if exist (id ', t ') meet (id ', t ') ∈ RL, then add (id ', t ') in R.

(2) construct in (1) formula then have notice h _t=H _t(t), wherein H _tbe defined in H _watin hash function race, by use

(3) if h _t=0, challenger stops game, and { 0,1}, as played 2 to pretend output random bit r ' ∈.Otherwise, then perform lower step.

(4) for all four-tuple is retrieved from ST sampling e _t,ddistribution statistics close to wherein F _t=A ₀| C _t.

(5) more new key is exported and they are disclosed.

For other stages of safety game, game 3 and game 2 are equivalent.In the challenge stage, challenger's detection is the opponent of which kind of type.

1) if opponent belongs to type 2, challenger detects whether challenge the time meet if do not met, challenger stops game as played in the of 2.

2) if opponent belongs to Class1, challenger detects whether challenge the time meet $h_{t^{*}}=1+\underset{i=1}{\overset{l_2}{\&Sigma;}}{t}_i^{*}{h}_{l_1+i}=0,$ And challenge identity $id=\{b_1,...,b_{l_1}\}\&Element;{\{-1,1\}}^{l_1}$ Meet if do not met, challenger stops game as played in the of 2.

Then the result using SampleLeft algorithm to obtain in the result proving to use SampleRight algorithm to obtain in game 3 and game 2 is undistinguishable.First the answer of private key inquiry is considered, because in the 3rd step of private key generation, h _idnon-zero, matrix also be h _idb ₁trapdoor.In addition, B ₁order be n, then h _idb ₁order with very high probability also for n.Describe in theorem 3, when $\mathrm{\&sigma;}>\left|\right|{\tilde{T}}_{B_1}\left|\right|\&CenterDot;s_{R_{id}^{*}}\&CenterDot;w\left(\sqrt{\log m}\right),s_{R_{id}^{*}}=\left|\right|R_{id}^{*}|{|}_R\&le;\underset{i=1}{\overset{l_1}{\&Sigma;}}|\left|R_i^{*}\right|{|}_R=O\left(l_1\sqrt{m}\right),$ The distribution of short vector e generated be close to as in game 2.Look back in theorem 1 and have therefore, in parameter Estimation, select enough large σ to meet sampling demand.The process upgrading key challenge is also similar.

Because game 2 and game 3 are consistent from the angle of opponent, in game 3, the advantage of opponent is the same with playing in 2, namely

Pr[W ₂]＝Pr[W ₃]

Game 4: game 4 is equal to game 3, except challenge ciphertext (c ₀ ^*, c ₁ ^*) be the element of upper random selecting.Because the new random element of challenge ciphertext always in the cryptogram space, therefore in this game, the advantage of opponent is 0.

Staying of task proves that game 3 and game 4 are computationally indistinguishable, by using the stipulations of a LWE problem.If the event of termination occurs, game is obviously undistinguishable.Therefore, it mainly concentrates on and does not cause in a series of inquiries of termination.

The stipulations of LWE problem: supposing that opponent has the advantage of can not ignore to distinguish game 3 and game 4, by using opponent to construct a LWE algorithm, being designated as B.

The example looking back LWE problem is provided by a sampling prophesy machine O, and this prophesy is confidential is the prophesy machine O of completely random _$, or be the pseudorandom oracle machine O of band noise _s.Challenger B uses opponent to distinguish two game, and its process is as follows:

Instantiation: B inquires prophesy machine O, is answered.For i=0 ..., m, one new right

Set up: the common parameter PP of B tectonic system is as follows:

1, utilize m example of the LWE problem previously provided, make A ₀the i-th row are n-dimensional vector u in LWE problem-instance _i, for i=1 ..., m.

2, the 0th sampling of LWE example is specified to become random n-dimensional vector

3, constructing the residual term of common parameter, is namely exactly A _i, C _j, B ₁, B ₂structure as game 3 in, by using random scalar h _i, s _iwith random matrix R _i ^*.

4, common parameter PP=(A is sent ₀, A ₁... A _l, C ₁..., C _l, B ₁, B ₂) to opponent.

Inquiry: challenger answers private key inquiry and upgrades key challenge as in game 3, if necessary, comprises and stops game.

Challenge: when opponent provides a message bit b ^*∈ { 0,1}, and a challenge identity-time pair make id ^*=(b ₁ ^*..., b _l ^*), t ^*=(t ₁ ^*..., t _l ^*).Construct one and correspond to target (id ^*, t ^*) challenge ciphertext, as follows:

1, v is made ₀..., v _mbe the component from LWE example, arrange

2, message bit is blinded, by order

3, make wherein R _i ^*, i>0 generates at establishment stage.4, make

5, ciphertext CT is sent ^*=(c ₀ ^*, c ₁ ^*) to opponent.

Following discussion, when LWE foretells that machine is pseudorandom oracle machine time, i.e. O=O _s, then CT is had ^*distribution with game 3 in distribution be consistent, only have when termination event does not occur time meet.First, because $h_{{\mathrm{id}}^{*}}=0,s_{t^{*}}=0,$

Then have

$\begin{array}{c}{F}_{{\mathrm{id}}^{*},t^{*}}=\left(A_0\right|B_1+\underset{i=1}{\overset{l_1}{\&Sigma;}}{b_i}^{*}{A}_i|B_2+\underset{i=1}{\overset{l_2}{\&Sigma;}}{t_i}^{*}{C}_i)=\left(A_0\right|A_0{R_{{\mathrm{id}}^{*}}}^{*}+h_{{\mathrm{id}}^{*}}{B}_1|A_0{R_{t^{*}}}^{*}+s_{t^{*}}{B}_2)\\ =\left(A_0\right|A_0{R_{{\mathrm{id}}^{*}}}^{*}\left|A_0{R_{t^{*}}}^{*}\right)\end{array}$

Secondly, O is passed through _sdefinition, know for some random noise vector be distributed in therefore, define in the 3rd step meet

$\begin{array}{c}{c_1}^{*}=\left[\begin{array}{c}{v}^{*}\\ {\left({R_{{\mathrm{id}}^{*}}}^{*}\right)}^T{v}^{*}\\ {\left({R_{t^{*}}}^{*}\right)}^T{v}^{*}\end{array}\right]=\left[\begin{array}{c}{A}_0^{T}s+y\\ {\left({R_{{\mathrm{id}}^{*}}}^{*}\right)}^T{A}_0^{T}s+{\left({R_{{\mathrm{id}}^{*}}}^{*}\right)}^{T}y\\ {\left({R_{t^{*}}}^{*}\right)}^T{A}_0^{T}s+{\left({R_{t^{*}}}^{*}\right)}^{T}y\end{array}\right]=\left[\begin{array}{c}{A}_0^{T}s+y\\ {\left(A_0{R_{{\mathrm{id}}^{*}}}^{*}\right)}^{T}s+{\left({R_{{\mathrm{id}}^{*}}}^{*}\right)}^{T}y\\ {\left(A_0{R_{t^{*}}}^{*}\right)}^{T}s+{\left({R_{t^{*}}}^{*}\right)}^{T}y\end{array}\right]\\ ={\left(F_{{\mathrm{id}}^{*},t^{*}}\right)}^{T}s+\left[\begin{array}{c}y\\ {\left({R_{{\mathrm{id}}^{*}}}^{*}\right)}^{T}y\\ {\left({R_{t^{*}}}^{*}\right)}^{T}y\end{array}\right]\end{array}$

And the right of equation is the c of effective challenge ciphertext in game 3 ₁part.We also notice, this is the c challenging ciphertext in game 3 just ₀part.

Work as O=O _$, v ₀be evenly distributed on on, v ^*be evenly distributed on on.Therefore, define in above-mentioned steps 3 even and independent distribution exists therefore, challenge ciphertext to be always evenly distributed on on, the same with in game 4.

Conjecture: allow afterwards to carry out extra inquiry, opponent guesses.If opponent wins game, then challenger solves LWE by opponent and to raise difficult questions for discussion problem.

We discussed, and worked as O=O _$, the angle of opponent is the same with game 4, works as O=O _s, the angle of opponent is the same with game 3.Therefore, the advantage of the challenger of solution LWE problem distinguishes game 3 with the advantage of game 4 with opponent is the same.This completes the description of algorithm B, and complete our proof.

The correctness of voidable Identity-based encryption (RIBE) method is defined as follows: to all by Setup (1 ^k, the n) PP of algorithm generation, RL, ST, MK, to arbitrary id, the SK generated by PriKeyGen (PP, MK, id, ST) algorithm _id, to arbitrary t and RL, the KU generated by KeyUpd (PP, MK, t, RL, ST) algorithm _t, to arbitrary id _c, t _cand m, by Enc (PP, id _c, t _c, the m) CT of algorithm generation _{id, t}, demand fulfillment:

(1) if then DecKeyGen (SK _id, KU _t) → DK _{id, t}.

(2) if id ∈ is RL, then with the advantage DecKeyGen (SK that can not ignore _id, KU _t) → ⊥.

(3) if then Dec (PP, DK _{id, t}, CT _{id, t}) → m.

(4) if then with the advantage decipherment algorithm output termination of can not ignore symbol, i.e. Dec (PP, DK _{id, t}, CT _{id, t}) → ⊥.

Claims (8)

1. voidable Identity based encryption method on lattice, is characterized in that, specifically implement according to following steps:

Step 1, system are set up;

Step 2, private key generate;

Step 3, renewal secret generating;

Step 4, decruption key generate;

Step 5, encryption;

Step 6, deciphering;

Step 7, to cancel.

2. voidable Identity based encryption method on lattice according to claim 1, it is characterized in that, described step 1 is specifically implemented according to following steps:

Step (1.1), input security parameter λ, and the maximum number N of user, parameters m=2nlogq, $\mathrm{\&sigma;}=\max (l_1,l_2)m\mathrm{\&omega;}\left(\sqrt{\log m}\right),\mathrm{\&alpha;}<\frac{1}{5}(1+\mathrm{\&omega;}(\sqrt{\log m}\left)\right){\left(O\right(\left(l_1+l_2\right)\mathrm{\&sigma;}m)+1)}^{-1},$ $q>10\sqrt{m}(1+\mathrm{\&omega;}(\sqrt{\log m}\left)\right)\left(O\right(\left(l_1+l_2\right)\mathrm{\&sigma;}m)+1).$ Make user identity $id=\{b_1,...,b_{l_1}\}\&Element;{\{-1,1\}}^{l_1},$ Time period definition φ be man-to-man mapping: φ (id)=d, d ∈ 1 ..., N};

Step (1.2), use trapdoor generating algorithm TrapGen (q, n) based on lattice, generate the matrix of even random n × m dimension to pass short base and meet $\left|\right|{\tilde{T}}_{A_0}\left|\right|\&le;O\left(\sqrt{n\log q}\right);$

Step (1.3), selection l ₁+ l ₂the matrix of+2 even random n × m dimensions

Step (1.4), select even random vector

Step (1.5), revocation list RL are initially set to state ST stores the user profile in current system, order wherein comprise random vector corresponding to random vector corresponding to user identity, identity index, identity, time, initial setting up

Step (1.6), output common parameter PP and master key MK:

$PP=\{A_0,A_1,\mathrm{...},A_{l_1,}{C}_1,\mathrm{...},C_{l_2},B_1,B_2,u\},MK=\left\{T_{A_0}\right\}.$

3. voidable Identity based encryption method on lattice according to claim 1, it is characterized in that, described step 2 is specifically implemented according to following steps:

The identity of step (2.1), input common parameter PP, a master key MK and user $id=\{b_1,\mathrm{...},b_{l_1}\}\&Element;{\{-1,1\}}^{l_1},$ State ST;

Step (2.2), if identity id is not at state in ST, by calculating φ (id)=d, obtains index d, even Stochastic choice order and add to in state ST; If identity id is in state ST, retrieve from state ST then, make

Step (2.3), sampling $e_{id,d}\&LeftArrow;SampleLeft(A_0,A_{id},T_{A_0},u_{d_1},\mathrm{\&sigma;}),$ E _{id, d}distribution statistics close to wherein F _id=A ₀|| A _id, and here mark || represent cascaded operational;

The initial private key of step (2.4), output identity id with the state ST upgraded.

4. voidable Identity based encryption method on lattice according to claim 1, it is characterized in that, described step 3 is specifically implemented according to following steps:

Step (3.1), input common parameter PP, master key MK and time period revocation list RL, state ST;

Step (3.2), be defined in time period t and cancel user identity collection namely for arbitrary t '≤t, if exist (id ', t ') meet (id ', t ') ∈ RL, then add (id ', t ') to cancelling in user identity collection R;

Step (3.3), order

Step (3.4), for all four-tuple is retrieved from ST sampling e _t,ddistribution statistics close to wherein F _t=A ₀| C _t, and

More new key in step (3.5), output time section t and they are disclosed.

5. voidable Identity based encryption method on lattice according to claim 1, it is characterized in that, described step 4 is specifically implemented according to following steps:

Step (4.1), input private key SK _id, more new key UK _t;

Step (4.2) if with corresponding identical index d, exports decruption key DK _{id, t}:=(SK _id, KU _t), otherwise, stop.

6. voidable Identity based encryption method on lattice according to claim 1, it is characterized in that, described step 5 is specifically implemented according to following steps:

Step (5.1), input common parameter PP, identity time $t=\{t_1,\mathrm{...},t_{l_2}\}\&Element;{\{-1,1\}}^{l_2},$ And message m ∈ { 0,1};

Step (5.2), order here mark || represent cascaded operational;

Step (5.3), select even random vector

Step (5.4), selection l ₁+ l ₂individual even random matrix R _i← {-1,1} ^{m × m}, for i=1 ..., l ₁+ l ₂, definition $R_{id}={\&Sigma;}_{i=1}^{l_1}{b}_i{R}_i\&Element;{\{-l_1,\mathrm{...},l_1\}}^{m\&times;m},R_t={\&Sigma;}_{i=1}^{l_2}{t}_i{R}_{l_1+i}\&Element;{\{-l_2,\mathrm{...},l_2\}}^{m\&times;m};$

Step (5.5), selection noisy vector order order

Step (5.6), output ciphertext

7. voidable Identity based encryption method on lattice according to claim 1, it is characterized in that, described step 6 is specifically implemented according to following steps:

Step (6.1), input common parameter PP, decruption key DK _{id, t}, and ciphertext CT=(c ₀, c ₁);

Step (6.2) is if ciphertext CT _{id, t}with decruption key DK _{id, t}corresponding different identity and time, then stop, otherwise carry out following step:

Step (6.2.1), c ₁resolve to

Step (6.2.2), calculating

Step (6.2.3), compare integer w and size, if then export 1, otherwise, export 0.

8. voidable Identity based encryption method on lattice according to claim 1, it is characterized in that, described step 7 is specially:

Input identity $id=\{b_1,\mathrm{...},b_{l_1}\}\&Element;{\{-1,1\}}^{l_1},$ Time $t=\{t_1,\mathrm{...},t_{l_2}\}\&Element;{\{-1,1\}}^{l_2},$ Revocation list RL, state ST, then add to (id, t) in revocation list RL.