CN105915333A

CN105915333A - High-efficiency secret key distribution method based on attribute encryption

Info

Publication number: CN105915333A
Application number: CN201610146573.4A
Authority: CN
Inventors: 孙知信; 洪汉舒; 徐睿; 李冬军; 宫婧
Original assignee: Nanjing Post and Telecommunication University
Current assignee: Nanjing Post and Telecommunication University; Nanjing University of Posts and Telecommunications
Priority date: 2016-03-15
Filing date: 2016-03-15
Publication date: 2016-08-31
Anticipated expiration: 2036-03-15
Also published as: CN105915333B

Abstract

The invention discloses a high-efficiency secret key distribution method based on attribute encryption. An attribute encryption system is widely applied, yet a strategy is needed in an objective sense for mitigating the burden of an attribute authentication center and also ensuring system security in the process of attribute cancellation and secret key updating. A system related to by the method comprises six modules including the attribute authentication center, a secret key aid, a data sender, a data receiver, a base station, a data server and the like. The attribute authentication center is in charge of managing attributes of users and distributes initial private keys to the users. The secret key aid is in charge of updating private keys of the users when each time fragment of the system begins. According to the invention, the life cycle of the system is divided into a plurality of time fragments, and in case of attribute cancelation or secret key leakage, forward and backward security of the system can be ensured through updating the private keys of valid users. The secret key aid can help the users to update the secret keys and thus the burden of the authentication center is effectively mitigated.

Description

A kind of efficient key distribution method based on encryption attribute

Technical field

The present invention relates to secrecy or the safety communication technology of digital information transmission, be specifically related to a kind of based on encryption attribute Efficient key update method

Background technology:

The system of encryption attribute has attracted in recent years and has been widely applied.In traditional encryption attribute mechanism, attribute authenticates Center carries important task, should manage intrasystem all properties, generate key, operand mistake for each user again Greatly, easily cause the single point failure of node thus affect the performance of system.Additionally, be usually associated with during attribute is cancelled The renewal of common parameter, owing to the common parameter in encryption attribute mechanism is relatively big, the substantial amounts of calculating that renewal can cause frequently And communication resource consumption.On the other hand, in properties secret system, it is frequently accompanied by the situation generation that private key for user is revealed.As Really key can not get updating timely, and substantial amounts of private data can be exposed to disabled user, and whole system also can be faced with huge Security threat.Therefore, encryption system based on attribute needs a kind of strategy, can alleviate the burden of attribute AUC, again Can cancel at attribute and ensure security of system during key updating.Additionally, the expense of key updating should be preferably minimized, keep away Exempt from a large amount of common parameter and update the huge communication load brought.

Application No. CN201510407611.2, entitled " revocable fraction prestige key strategy based on multilinear pairing Encryption attribute method " patent propose the encryption attribute of a kind of revocable fraction prestige key strategy based on multilinear pairing Method, constructs and meets the key strategy of user for the single attribute cancelling user, the only property set of ciphertext, and user could be complete Become decrypting process.Scheme is taked by the strategy of authority's central configuration fraction prestige, and each fraction prestige is grasped respective master key and participates in Common parameter set up process, utilize linear privacy share algorithm that access strategy transfers to access structure, generate and access knot accordingly Private key for user under structure, according to property set and known revocation list, is encrypted message, it is judged that whether user is cancelling row In table, complete decrypting process, in conjunction with known private key and user, set up tracing algorithm, it is determined that user and the relatedness of private key, and Solve and cancel the single attribute of user and the problem of all attributes of non-user, demonstrate the relatedness of user and confidence, improve Operation efficiency and overall security.But, due to the problem that many authority centers exist the time and parameter synchronization is shared, work as user Attribute when needing to cancel, in system, common parameter renewal can take the biggest calculating resource so that it is whole that system key updates Body efficiency is on the low side, is not suitable for being applied to the scene such as radio communication, Sensor Network.Additionally, key updatings whole in scheme works all By attribute, AUC completes, and over-burden for node, easily causes the problems such as single point failure.

Summary of the invention

The technical problem to be solved in the present invention is to seek a kind of encryption policy to alleviate the burden of attribute AUC, again can Cancel at attribute and ensure security of system during key updating, reduce the expense of key updating, it is to avoid a large amount of common parameters Update the huge communication load brought.

For solving the problems referred to above, the technical scheme that the present invention proposes is a kind of efficient key distributor based on encryption attribute Method, comprises the steps of

Step one: system initialization

1. definition G₁,G₂Being two cyclic groups, it is G that its exponent number is p. definition g₁On one generation unit.

2. definitionIt is a bilinear map, and defines a hash function H₁:{0,1}^*→G₁, The function of this function is that the character string of random length is projected G₁On.

3. attribute AUC is at finite fieldInterior is one random number of each Attributions selectionAdditionally chooseThen the main private key of system is { t_i,g^y, s}, aid key is h, and system common parameter is

Step 2: initial key is distributed

At starting stage TP₀, without loss of generality, it is assumed that the unique identifier of a user is u₁, the community set being had is { A_i}, Then this user is at TP₀The initial key in moment is defined as

Step 3: key updating

1. when the time slice of system is from TP_n-1Evolve to TP_nTime, key aid is calculated as each property calculation key More fresh information

2. user obtainsAfter, by the key updating before oneself to latest edition, calculation procedure method is as follows:

Step 4: data encryption

1. data sender choosesAnd define the matrix of l row n rowAs access control matrix.

2. assumeThe i-th row value beMatrix data sender chooses a column vector And make

3., according to the common parameter of system, data sender calculates following information:

C₁=g^x,

4. data sender is by { C₀,C₁,C_2,i,C_3,i,C_4,iPacking is uploaded to data server as ciphertext.

Step 5: data deciphering

1. Data receiver downloads corresponding ciphertext at data server.

2. Data receiver utilizes current private keyCarry out acquisition calculated as below in plain text, wherein ω_iIt is that a constant makes Obtain ∑_i∈lλ_iω_i=x.

M = \frac{C_{0} \cdot Π_{i &Element; l} (\hat{e} ({TD}_{r, {TP}_{n}}, C_{3, i}) \cdot \hat{e} (C_{2, i}, D_{2}) \cdot \hat{e} {(C_{4, i}, g^{h})}^{ω_{i}})}{\hat{e} (C_{1}, D_{1})}

Above-mentioned formula correctness specification is as follows:

\begin{matrix} M = \frac{C_{0} \cdot Π_{i &Element; l} (\hat{e} ({TD}_{i, {TP}_{n}}, C_{3, i}) \cdot \hat{e} (C_{2, i}, D_{2}) \cdot \hat{e} {(C_{4, i}, g^{h})}^{ω_{i}})}{\hat{e} (C_{1}, D_{1})} \\ = \frac{C_{0} \cdot Π_{i &Element; l} (\hat{e} {(g^{u_{2} t_{i}} H_{1} {(T_{i}, {TP}_{n})}^{h}, g^{r_{i}})}^{ω_{i}})}{\hat{e} (g^{x}, g^{y + u_{2} s})} . \end{matrix}

\begin{matrix} \frac{Π_{i &Element; l} (\hat{e} {(g^{- t_{i} r_{i}} \cdot g^{{sλ}_{i}}, g^{u_{2}})}^{ω_{i}} \cdot \hat{e} {(H_{1} {(T_{i}, {TP}_{n})}^{- r_{i}}, g^{h})}^{ω_{i}})}{\hat{e} (g^{x}, g^{y + u_{2} s})} \\ = \frac{C_{0} \cdot Π_{i &Element; l} {(\hat{e} (g^{u_{2} t_{i}}, g^{r_{i}}) \cdot \hat{e} (H_{1} {(T_{i}, {TP}_{n})}^{h}, g^{r_{i}}))}^{ω_{i}}}{\hat{e} {(g, g)}^{y x} \cdot \hat{e} {(g, g)}^{u_{2} s x}} . \end{matrix}

\frac{Π_{i &Element; l} (\hat{e} (g^{- t_{i} r_{i}}, g^{u_{2}}) \cdot \hat{e} (g^{{sλ}_{i}}, g^{u_{2}}) \cdot \hat{e} {(g^{- {hr}_{i}}, H_{1} (T_{i}, {TP}_{n}))}^{ω_{i}})}{\hat{e} {(g, g)}^{y x} \cdot \hat{e} {(g, g)}^{u_{2} s x}}

\begin{matrix} = \frac{C_{0} \cdot Π_{i &Element; l} (\hat{e} {(g^{{sλ}_{i}}, g^{u})}^{ω_{i}})}{\hat{e} {(g, g)}^{y x} \cdot \hat{e} {(g, g)}^{u_{2} s x}} \\ = \frac{M \hat{e} {(g, g)}^{y x} \cdot \hat{e} {(g, g)}^{u s Σ_{i &Element; l} λ_{i} ω_{i}}}{\hat{e} {(g, g)}^{y x} \cdot \hat{e} {(g, g)}^{u_{2} s x}} \\ = M \end{matrix}

Further, present invention also offers the system that can realize efficient key distribution method based on encryption attribute, comprise Attribute AUC, key aid, data sender, Data receiver, base station and data server.Wherein, attribute authentication The attribute of user, and the initial private key of dispatch user are responsible in center.Key aid is responsible at each time slice of system The private key of user is updated during beginning.The communication that base station is each inter-entity provides the channel of safety.Data sender formulates in plain text Encryption policy, afterwards ciphertext is uploaded to data server.The physical node that data server is made up of computer cluster, It is responsible for the storage data of safety.Data receiver downloads corresponding ciphertext, and is obtained in plain text by the deciphering of owned private key.

Beneficial effect:

1, in the cryptographic key distribution method that the present invention provides, the life cycle of system is divided into some time fragment, surely belongs to Property cancel or Key Exposure occur time, can by update validated user private key guarantee the forward direction of system and consequent safety. The private key of fragment user reveals the safety not affecting system other times fragment the most sometime.

2, for existing encryption attribute mechanism AUC over-burden feature, in system, introduce a key assist Device, helps user to update private key, alleviates the burden of AUC, it is to avoid cause node to delay the situation of machine.And in key updating During, system common parameter will not occur any change, only need to update the part private key of user, greatly reduce key more New cost.

3, have employed efficient attribute key update method, only have updated the part private key of user, and the public ginseng of system Number need not change, and greatly improves the efficiency of system.Data sender can formulate control extension strategy, thus realizes certainly Main data access controls.

Accompanying drawing explanation

Fig. 1 is the system schematic of the present invention.

Detailed description of the invention

It is embodied as being further described in detail to the present invention below in conjunction with the accompanying drawings.

Fig. 1 is the system schematic of the present invention.It can be seen that efficient key dissemination system based on encryption attribute, bag Containing six functional entitys, i.e. attribute AUC, key aid, data sender, Data receiver, base station and data, services Device.Wherein, attribute AUC is responsible for the attribute of user, and the initial private key of dispatch user.In order to alleviate attribute authentication The calculated load at center, introduces another device keys aid in system.Key aid is responsible for generating private key for user more Fresh information；In order to before and after guarantee system to safety, system is divided into some discrete time slices；When the private key of user is sent out When life leaks or needs attribute to redirect, system enters future time fragment, and is responsible in system every by key aid The private key of user is updated when individual time slice starts；Key aid is responsible for when each time slice of system starts updating user Private key.The communication that base station is each inter-entity provides the channel of safety.Data sender formulates encryption of plaintext strategy, afterwards Ciphertext is uploaded to data server.The physical node that data server is made up of computer cluster, is responsible for the storage of safety Data.Data receiver downloads corresponding ciphertext, and is obtained in plain text by the deciphering of owned private key.

Now efficient key based on encryption attribute is updated and the process of data sharing illustrates, comprise the steps of

Step one: system initialization

Step 2: initial key is distributed

Step 3: key updating

Step 4: data encryption

C₁=g^x,

Step 5: data deciphering

1. Data receiver downloads corresponding ciphertext at data server.

M = \frac{C_{0} \cdot Π_{i &Element; l} (\hat{e} ({TD}_{r, {TP}_{n}}, C_{3, i}) \cdot \hat{e} (C_{2, i}, D_{2}) \cdot \hat{e} {(C_{4, i}, g^{h})}^{ω_{i}})}{\hat{e} (C_{1}, D_{1})}

The correctness specification of above formula is as follows:

\begin{matrix} M = \frac{C_{0} \cdot Π_{i &Element; l} (\hat{e} ({TD}_{i, {TP}_{n}}, C_{3, i}) \cdot \hat{e} (C_{2, i}, D_{2}) \cdot \hat{e} {(C_{4, i}, g^{h})}^{ω_{i}})}{\hat{e} (C_{1}, D_{1})} \\ = \frac{C_{0} \cdot Π_{i &Element; l} (\hat{e} {(g^{u_{2} t_{i}} H_{1} {(T_{i}, {TP}_{n})}^{h}, g^{r_{i}})}^{ω_{i}})}{\hat{e} (g^{x}, g^{y + u_{2} s})} . \end{matrix}

\begin{matrix} \frac{Π_{i &Element; l} (\hat{e} {(g^{- t_{i} r_{i}} \cdot g^{{sλ}_{i}}, g^{u_{2}})}^{ω_{i}} \cdot \hat{e} {(H_{1} {(T_{i}, {TP}_{n})}^{- r_{i}}, g^{h})}^{ω_{i}})}{\hat{e} (g^{x}, g^{y + u_{2} s})} \\ = \frac{C_{0} \cdot Π_{i &Element; l} {(\hat{e} (g^{u_{2} t_{i}}, g^{r_{i}}) \cdot \hat{e} (H_{1} {(T_{i}, {TP}_{n})}^{h}, g^{r_{i}}))}^{ω_{i}}}{\hat{e} {(g, g)}^{y x} \cdot \hat{e} {(g, g)}^{u_{2} s x}} . \end{matrix}

\begin{matrix} \frac{Π_{i &Element; l} (\hat{e} (g^{- t_{i} r_{i}}, g^{u_{2}}) \cdot \hat{e} (g^{{sλ}_{i}}, g^{u_{2}}) \cdot \hat{e} {(g^{- {hr}_{i}}, H_{1} (T_{i}, {TP}_{n}))}^{ω_{i}})}{\hat{e} {(g, g)}^{y x} \cdot \hat{e} {(g, g)}^{u_{2} s x}} \\ = \frac{C_{0} \cdot Π_{i &Element; l} (\hat{e} {(g^{{sλ}_{i}}, g^{u})}^{ω_{i}})}{\hat{e} {(g, g)}^{y x} \cdot \hat{e} {(g, g)}^{u_{2} s x}} \\ = \frac{M \hat{e} {(g, g)}^{y x} \cdot \hat{e} {(g, g)}^{u s Σ_{i &Element; l} λ_{i} ω_{i}}}{\hat{e} {(g, g)}^{y x} \cdot \hat{e} {(g, g)}^{u_{2} s x}} \\ = M \end{matrix}

In order to before and after guarantee system to safety and solve the problem that attribute key is revoked, the present invention is by the life of whole system The life cycle is divided into the time slice that several are discrete, and the information of each time slice can be embedded in the private key that user is current In.When occurring user property to cancel in system, update or during the situation such as private key for user leakage, by updating the private of validated user Key guarantees intrasystem front backward security.

Especially, it should be noted that, in order to alleviate the computation burden of attribute AUC, in system, introduce a key Aid, helps user to update private key when new time slice arrives.In the life cycle of whole system, system public There is not any change in parameter, therefore attribute cancels the renewal that need not involve parameter, in addition to User Part private key needs to update Without synchronizing systematic parameter, therefore the efficiency of key updating is greatly improved.

The foregoing is only a specific embodiment of the present invention, not in order to limit the present invention, used in the present embodiment Data set and attack mode are only limitted to the present embodiment, all within the spirit and principles in the present invention, any amendment of being made, equivalent Replacement, improvement etc., should be included within the scope of the present invention.

Claims

1. an efficient key distribution method based on encryption attribute, it is characterised in that comprise the steps of

Step one: system initialization

1) definition G₁,G₂Being two cyclic groups, it is G that its exponent number is p., definition g₁On one generation unit；

2) definitionIt is a bilinear map, and defines a hash function H₁: { 0,1}^*→G₁, this letter The function of number is that the character string of random length is projected G₁On；

3) attribute AUC is at finite fieldInterior is one random number of each Attributions selectionAdditionally chooseThen the main private key of system is { t_i,^y, s}, aid key is h, and system common parameter is

Step 2: initial key is distributed

At starting stage TP₀, without loss of generality, it is assumed that the unique identifier of a user is u₁, the community set being had is { A_i, then should User is at TP₀The initial key in moment is defined as

Step 3: key updating

1) when the time slice of system is from TP_n-1Evolve to TP_nTime, key aid is calculated as the renewal of each property calculation key Information

2) user obtainsAfter, by the key updating before oneself to latest edition, calculation procedure method is as follows:

{SK}_{{TP}_{n + 1}} = {D_{1}, D_{2}, {TD}_{i, {TP}_{n}} \cdot {UP}_{i, T_{n + 1}}} = {g^{y + u_{1} s}, g^{u_{1}}, g^{u_{1} t_{i}} H_{1} {(T_{i}, {TP}_{n + 1})}^{h}};

Step 4: data encryption

1) data sender choosesAnd define the matrix of l row n rowAs access control matrix；

2) assumeThe i-th row value beMatrix data sender chooses a column vectorAnd And order

3) according to the common parameter of system, data sender calculates following information:

4) data sender is by { C₀,C₁,C_2,i,C_3,i,C_4,iPacking is uploaded to data server as ciphertext；

Step 5: data deciphering

1) Data receiver downloads corresponding ciphertext at data server；

2) Data receiver utilizes current private keyCarry out acquisition calculated as below in plain text, wherein ω_iIt is that a constant makes

2. the system of the efficient key distribution method based on encryption attribute realized described in claim 1, it is characterised in that Comprise attribute AUC, key aid, data sender, Data receiver, base station and data server, wherein, described Attribute AUC is responsible for the attribute of user, and the initial private key of dispatch user；Described key aid is responsible in system The private key of user is updated when each time slice starts；The communication that described base station is each inter-entity provides the channel of safety；Institute State data sender and formulate encryption of plaintext strategy, afterwards ciphertext is uploaded to data server；Described data server be by The physical node of computer cluster composition, is responsible for the storage data of safety；Described Data receiver downloads corresponding ciphertext, and passes through The deciphering of owned private key obtains in plain text.