CN106130992A - The level identity base encipherment scheme of attack is opened in anti-selection - Google Patents

Abstract

The invention discloses a kind of anti-selection and open the level identity base encipherment scheme of attack, comprise the following steps: set up, by the game between definition opponent and challenger, the security model that the level identity based system of attack is opened in anti-selection；Have the 1 monolateral opening function of bit by proof, the undistinguishable model of level identity base has the safety of undistinguishable chosen-plain attact proves that the safety of the security model of the level identity based system of attack is opened in anti-selection.The program can overcome the deficiency of existing Semantic Security model, it is adaptable to the network environment of multi-party communication and the system of layering framework.

Description

The level identity base encipherment scheme of attack is opened in anti-selection

Technical field

The present invention relates to field of information security technology, open the level identity base encryption of attack particularly to a kind of anti-selection Scheme.

Background technology

Networked environment makes information system increasingly sophisticated, and the requirement of security performance is also not quite similar by different environment, The security strategy taked also has multiformity.Such as, in Secure computing environment, multiple senders can use public key encryption Send cipher-text information to same recipient, and the plaintext of the many correspondences of these ciphertexts is likely to be mutually related.Enemy may Penetration attack can be carried out, obtain all of information of some sender, including the random number in plain text and used by encryption.Traditional only The undistinguishable model (also can become Semantic Security model) relating to two square tube letters, it is difficult to ensure that its safety, needs new safety Model, to ensure the confidentiality of confidential information added by those communication entities not permeated by opponent.

In order to tackle the attack under these complex environments, researchers propose the security model selecting to open attack.Choosing Select and open opponent in security model there is higher attacking ability, show as penetration attack, it may be assumed that opponent can open with unrestricted choice Which ciphertext, and obtain plaintext and the random number being correlated with.In correlation technique, peace is opened in selection based on conventional public-key encryption system The research of full model is the most ripe, and such as Bellare in 2009 etc. propose the method damaging encryption to realize selecting peace in plain text Attack model is opened in complete anti-selection, and Fehr in 2010 etc. are based on denying AES and non-conformant encryption mechanism, utilization The ambiguity of ciphertext achieves and selects the anti-selection of ciphertext safety to open attack model.It is applied to the anti-choosing of identity based encryption system Select and open attack option the most day by day maturation.1 bit is monolateral public opens system by building for Waters, Bellare etc. in 2010 And then achieve and select the anti-selection of plaintext secure to open attack model, Liu Shengli in 2014 etc. are can extract monolateral public open Identity basic mode type based on, realize know clearly select ciphertext safety anti-selection open attack model.

But, for level identity based encryption system, correlation technique is not applied to anti-selection therein and opens and attack The security model hit, and level identity based system has a lot of application scenarios in routine work in life especially, such as typical case Medical system, campus system, large enterprise etc. there is the system of hierarchical organization structure.In these systems, senior staff is permissible Authorize junior staff and distribute key for them, thus forming tree.The corresponding work of each node on tree Make personnel.In such network environment, when certain several node (as sender) sends associated with each other to another node When adding confidential information, the penetration attack of opponent can be faced equally, open the security model of attack resist so needing also exist for anti-selection Opponent attacks.

Summary of the invention

It is contemplated that the technical problem solved the most to a certain extent in correlation technique.

To this end, it is an object of the invention to propose a kind of anti-selection to open the level identity base encipherment scheme of attack, the party Case can overcome the deficiency of existing Semantic Security model, simple easily realization.

For reaching above-mentioned purpose, the embodiment of the present invention proposes a kind of anti-selection and opens the level identity base encryption side of attack Case, comprises the following steps: sets up anti-selection by the game between definition opponent and challenger and opens the level identity base of attack The security model of system, described is defined including to the game between opponent and challenger: initial phase: described opponent's sound Bright challenge identity vector；System establishment stage: described challenger's call parameters generating algorithm generates common parameter, and by described public affairs Parameter sends to described opponent altogether；Private key puts question to inquiry: described opponent to private key corresponding to described challenger's inquiry identity vector, Wherein, described identity vector can not be the identity vector of statement in described initial phase；The challenge stage: described opponent output is wanted The identity vector of challenge, the message vector of efficiently sampling, PKI parameter and random number to described challenger, described challenger calls AES generates cyphertext vector and returns to described opponent；Opening stage: described opponent selects a set to send to described Challenger, in order to described challenger opens corresponding cyphertext component and obtains in plain text and random number, and described challenger selects at random Selecting a bit, wherein, if bit is 1, the information opened is sent to described opponent by the most described challenger, if bit is 0, the most described challenger samples to send to described opponent new plaintext component again；The conjecture stage: described opponent exports one Individual conjecture result, if described conjecture result is correct, the most described opponent wins in gaming；By proof, there is 1 bit monolateral The safety that opening function, the undistinguishable model of level identity base have undistinguishable chosen-plain attact is described anti-to prove Select to open the safety of the security model of the level identity based system of attack.

The level identity base encipherment scheme of attack is opened in the anti-selection of the embodiment of the present invention, and attack is opened in the anti-selection of selection Model can successfully manage many-to-one communication pattern in complex network environment, prevents because assailant has stolen the letter of a hop link Cease and then attacked all links, caused network paralysis, secondly, attack model being opened in anti-selection and effectively applies to level body In part based encryption system, extremely mate with real-life sight, can be applicable to large-scale there is sophistication levels structure be In system, simple easily realization.

It addition, the level identity base encipherment scheme that attack is opened in anti-selection according to the above embodiment of the present invention can also have There is a following additional technical characteristic:

Further, in one embodiment of the invention, there is described in structure the 1 monolateral opening function of bit, level body The undistinguishable model of part base, farther includes: system is set up: according to closing number rank Bilinear GroupsExponent number random with choose Number is set up algorithm by system and is generated main private key and PKI；Private key generates: according to the random number chosen by private key generating algorithm Generate the private key of the first level；Private key escrow: according to the private key of last layer node, the atom identity of current hierarchy node and choose The 3rd random number obtained the private key of current level by private key escrow algorithm；Encryption: by AES to adding in plain text Close, to obtain ciphertext, wherein, by the ciphertext of default structure, digital ratio is encrypted specially for the plaintext of 0 bit, and by choosing Take the random number ciphertext as single-bit 1；Deciphering: by decipherment algorithm, described ciphertext is decrypted, to recover described plaintext.

Further, in one embodiment of the invention, also include: decrypted result is carried out verification of correctness.

Further, in one embodiment of the invention, the current level generated by described private key escrow algorithm Private key form keeps consistent with the private key form of the first level generated by described private key generating algorithm.

Aspect and advantage that the present invention adds will part be given in the following description, and part will become from the following description Obtain substantially, or recognized by the practice of the present invention.

Accompanying drawing explanation

The present invention above-mentioned and/or that add aspect and advantage will become from the following description of the accompanying drawings of embodiments Substantially with easy to understand, wherein:

Fig. 1 is the flow chart that the level identity base encipherment scheme of attack is opened in the anti-selection according to the embodiment of the present invention；

Fig. 2 is, according to one embodiment of the invention, the game between opponent and challenger is defined flow chart；

Fig. 3 be according to one embodiment of the invention construct have the 1 monolateral opening function of bit, level identity base can not Distinguish the structure flow chart of model.

Detailed description of the invention

Embodiments of the invention are described below in detail, and the example of described embodiment is shown in the drawings, the most from start to finish Same or similar label represents same or similar element or has the element of same or like function.Below with reference to attached The embodiment that figure describes is exemplary, it is intended to is used for explaining the present invention, and is not considered as limiting the invention.

Describe the anti-selection proposed according to embodiments of the present invention with reference to the accompanying drawings and open the level identity base encryption of attack Scheme.

Fig. 1 is the flow chart that the level identity base encipherment scheme of attack is opened in the anti-selection of the embodiment of the present invention.

As it is shown in figure 1, the level identity base encipherment scheme that attack is opened in this anti-selection comprises the following steps:

In step S101, set up anti-selection by the game between definition opponent and challenger and open the level body of attack The security model of part based system.

It is understood that the embodiment of the present invention make use of based on the monolateral level identity based system opening attribute of 1 bit With based on 1 ratio in the safety of dual system level identity based system.Specifically, initially set up anti-selection and open the level body of attack The security model of part based system.Security model is generally defined by the game between opponent and challenger, wherein, as in figure 2 it is shown, It is defined including to the game between opponent and challenger:

Step S201, initial phase: opponent states challenge identity vector.I.e. saying, in initial phase, opponent states One its identity vector to be attackedCan referred to as challenge identity vector.

Step S202, system establishment stage: challenger's call parameters generating algorithm generates common parameter, and by common parameter Send to opponent.It is to say, in system establishment stage, challenger's call parameters generating algorithm generates common parameter and (includes PKI and main private key), and common parameter is sent to opponent.

Step S203, private key puts question to inquiry: opponent is to private key corresponding to challenger's inquiry identity vector, wherein, identity to Amount can not be the identity vector of statement in initial phase.Specifically, opponent's inquiry identityCorresponding private key, challenger can Obtain with operation private key generating algorithmCorresponding private key also sends it to opponent.It should be noted that hereNo It can be challenge identity vectorThe prefix of itself and it is (i.e.Can not be the superior node of challenge identity vector).

Step S204, challenges the stage: opponent's output identity vector to be challenged, the message vector of efficiently sampling, PKI are joined Number and random number are to challenger, and challenger calls AES and generates cyphertext vector and return to opponent.Specifically, opponent is to choosing War person exports the identity vector that it is to be challengedAnd can be with the message vector M=of efficiently sampling (M₁,M₂,...,M_n), PKI parameter and random number r=(r₁,r₂,...,r_n).Challenger calls AES and generates cyphertext vector C=(C₁,C₂,...,C_n), and it is returned to opponent.

Step S205, opening stage: opponent selects a set to send to challenger, in order to challenger opens the closeest Literary composition component obtains in plain text and random number, and challenger randomly chooses a bit, and wherein, if bit is 1, then challenger will The information opened sends to opponent, if bit is 0, then challenger samples to send to opponent new plaintext component again.

Such as, opponent selects a setIt is sent to challenger.Challenger opens corresponding ciphertext and divides Measure plaintext and random number (M_k,r_k)_k∈K.Challenger randomly chooses a bit b again.If b=1, challenger will open Information (M_k,r_k)_k∈KIt is sent to opponent.If b=0, challenger then samples again according to the probability distribution of M, obtains new plaintext Component (M'_k)_k∈KIt is sent to opponent.

Step S206, guesses the stage: opponent exports a conjecture result, if conjecture result is correct, then opponent is in game Middle triumph.Being equivalent to, opponent exports a conjecture b'.The b'=b if opponent hits it, announces that opponent wins in gaming.

Secondly, it was demonstrated that the safety of above-mentioned model.Above-mentioned model is that bit more than selects to open attack model, its peace Full property can reduction be finally the 1 monolateral public safety opening model of bit.So core point is by based on many bits, level body The anti-selection of part base is opened the safety reduction of model and is had the 1 monolateral opening function of bit, the undistinguishable mould of level identity base The safety of type.

Finally, construct one and there is the 1 monolateral opening function of bit, the undistinguishable model of level identity base, and prove to be somebody's turn to do Model has the safety of anti-undistinguishable chosen-plain attact.The embodiment of the present invention make use of dual system encipherment scheme to construct This model.Wherein, so-called dual system, refer to that ciphertext and key have two kinds of forms: common form and half functional form.Common shape The key of formula is for the decrypting process of the present invention；Half functional form key is then for proving the safety of model.Meanwhile, the present invention The dual system encipherment scheme that embodiment is utilized meets that 1 bit is monolateral opens the system requirement for ciphertext, i.e. for 0 ratio in plain text Special encrypted cipher text has a specific structure, this structure can be measured by key and inspecting identity but can not the person of being hacked detect Go out, be then a random number and can be by inverse sampling for the encrypted cipher text of in plain text 1 bit.Detailed process is carried out below in detail Thin description.

In step s 102, have the 1 monolateral opening function of bit by proof, the undistinguishable model of level identity base has There is the safety of undistinguishable chosen-plain attact to prove that the security model of the level identity based system of attack is opened in anti-selection Safety.

It should be noted that the safety of the scheme of the embodiment of the present invention can be divided into two levels to be illustrated.One be by There is anti-selection open attack model, many bits level identity base scheme safety reduction and monolateral public open merit for having Can, anti-undistinguishable chosen-plain attact model, the safety of 1 bit level identity base scheme；Two is to construct one Have and monolateral public open attribute, 1 bit level identity base scheme, the number that the safety reduction of this structure is assumed in general group Learn difficult problem, and proved.

Further, in one embodiment of the invention, as it is shown on figure 3, structure have the 1 monolateral opening function of bit, The undistinguishable model of level identity base, farther includes:

Step S301, system foundation: according to closing number rank Bilinear GroupsExponent number built by system with the random number chosen Vertical algorithm generates main private key and PKI.

Specifically, (PK, MSK) ← Setup (λ): system sets up algorithm.Close number rank Bilinear GroupsExponent number be N (N= p₁p₂p₃p₄),Choose random number u₁₁,u₁₂,...,u_1l,u₄,x₁,x₄, ω₄←Z_N, and calculateAnd U_1j,4←U_1jU₄、W_1,4← g₁W₄、X₁₄←X₁X₄.Ultimately generate main private key MSK={g₁,U₁₁,U₁₂,...,U_1l,X₁,g₃And PKI PK={N, U_11,4, U_12,4,...,U_1l,4,X₁₄,W₁₄,g₄}。

Step S302, private key generates: generated the private key of the first level by private key generating algorithm according to the random number chosen.

Alternatively, in one embodiment of the invention, private key generating algorithm can be KeyGen algorithm.

Specifically,Private key generating algorithm.Wherein This algorithms selection random number r, r₃,r′₃,r_j+1,...,r_l←Z_N, calculate private key

$K_1=g_1^r{g}_3^{r_3},K_2={\left(U_{11}^{{\mathrm{id}}_1}\mathrm{...}{U}_{1j}^{{\mathrm{id}}_j}{X}_1\right)}^r{g}_3^{r_3^{\′}},E_{j+1}=U_{1,j+1}^r{g}_3^{r_{j+1}},\mathrm{...},E_l=U_{1l}^r{g}_3^{r_{{}_l}}.$

Step S303, private key escrow: according to the private key of last layer node, the atom identity of current hierarchy node and choose 3rd random number obtains the private key of current level by private key escrow algorithm.

Further, in one embodiment of the invention, the private key of the current level generated by private key escrow algorithm Form keeps consistent with the private key form of the first level generated by private key generating algorithm.

Specifically,Private key escrow algorithm.WhereinFor last layer node Private key, ID is the atom identity of current hierarchy node.Choose random numberPrivate key escrow algorithm is such as Under:

$K_1=K_1^{\′}{g}_1^{r^{\′}}{g}_3^{{\tilde{r}}_3}=g_1^{r+r^{\′}}{g}_3^{r_3+{\tilde{r}}_3},$

$K_2=K_2^{\′}{\left(U_{11}^{{\mathrm{id}}_1}\mathrm{...}{U}_{1j}^{{\mathrm{id}}_j}{X}_1\right)}^{r^{\′}}{\left(E_{j+1}^{\′}\right)}^{{\mathrm{id}}_{j+1}}{U}_{1,j+1}^{r^{\′}{\mathrm{id}}_{j+1}}{g}_3^{{\tilde{r}}_3^{\′}}=={\left(U_{11}^{{\mathrm{id}}_1}\mathrm{...}{U}_{1,j+1}^{{\mathrm{id}}_{j+1}}{X}_1\right)}^{r+r^{\′}}{g}_3^{r_3^{\′}+{\tilde{r}}_3^{\′}+r_{j+1}{\mathrm{id}}_{j+1}},$

$E_{j+2}=E_{j+2}^{\′}{U}_{1,j+2}^{r^{\′}}{g}_3^{r_{j+2}^{\′}}=U_{1,j+2}^{r+r^{\′}}{g}_3^{r_{j+2}+r_{j+2}^{\′}},$

$E_l=E_l^{\′}{U}_{1,l}^{r^{\′}}{g}_3^{r_l^{\′}}=U_{1,l}^{r+r^{\′}}{g}_3^{r_l+r_l^{\′}}.$

Visible, private key escrow algorithm generating private key is a process the most randomized, the form of private key and use The private key that KeyGen algorithm generates keeps consistent in form.

Step S304, encryption: by AES to being encrypted, to obtain ciphertext, wherein, by default knot in plain text Digital ratio is encrypted by the ciphertext of structure specially for the plaintext of 0 bit, and by choosing the random number ciphertext as single-bit 1.

Specifically,AES.Encryption for single-bit 0 is to have one specifically The ciphertext of structure, the encryption for single-bit 1 bit is then a random number.

Work as M=0, choose random number s, t₄,t′₄, calculating ciphertext:

$C_1={(\underset{j}{\Π}{U}_{1j,4}^{{\mathrm{id}}_j}\·X_{14})}^s{g}_4^{t_4},C_2=W_{14}^s{g}_4^{t_4^{\′}};$

Working as M=1, ciphertext is then at Bilinear GroupsOn two elements randomly selecting, it may be assumed that (C₁,C₂)←Samp_G。

Step S305, deciphering: be decrypted ciphertext by decipherment algorithm, to recover in plain text.

Specifically,Decipherment algorithm.Owing to the encrypted cipher text of 0 bit in plain text is had one Individual specific structure and this structure can be measured with inspecting identity by key, and the encrypted cipher text to 1 bit in plain text is random.Institute It is also classified into two kinds of situations: as e (C with decrypted result₁,K₁)=e (C₂,K₂) time, decrypted result is 0 bit；As e (C₁,K₁)≠e (C₂,K₂) time, decrypted result is 1 bit.

Further, in one embodiment of the invention, also include: decrypted result is carried out verification of correctness.

For example, verification of correctness: need to verify when decrypted result is 0 bit, when inputting correct ciphertext and private Key, e (C₁,K₁)=e (C₂,K₂) itself it is to set up.Proof procedure is as follows:

$\begin{array}{c}e(C_1,K_1)=e\left({\left(U_{11}^{{\mathrm{id}}_1}\mathrm{...}{U}_{1j}^{{\mathrm{id}}_j}\·U_{41}^{{\mathrm{id}}_j}\mathrm{...}{U}_{4j}^{{\mathrm{id}}_j}\·X_1{X}_2\right)}^s\·g_4^{t_4},g_1^r{g}_3^{r_3}\right)\\ =e(g_1^{s\[\underset{i=1}{\overset{j}{\Σ}}\left(u_{1i}{\mathrm{id}}_i\right)+x_1\]},g_1^r)\·e(g_1^{s\[\underset{i=1}{\overset{j}{\Σ}}\left(u_{1i}{\mathrm{id}}_i\right)+x_1\]},g_3^r)\·e(g_4^{s\[\underset{i=1}{\overset{j}{\Σ}}\left(u_{4i}{\mathrm{id}}_i\right)+x_4\]+t_4},g_1^r)\·e(g_4^{s\[\underset{i=1}{\overset{j}{\Σ}}\left(u_{4i}{\mathrm{id}}_i\right)+x_4\]+t_4},g_3^r)\\ =e(g_1^{s\[\underset{i=1}{\overset{j}{\Σ}}\left(u_{1i}{\mathrm{id}}_i\right)+x_1\]},g_1^r)=e{(g_1,g_1)}^{sr\[\underset{i=1}{\overset{j}{\Σ}}\left(u_{1i}{\mathrm{id}}_i\right)+x_1\]}\end{array};$

$\begin{array}{c}e(C_2,K_2)=(g_1^s{g}_4^{{\mathrm{\ω}}_{4}s+t_4^{\′}},{\left(g_1^{u_{11}{\mathrm{id}}_1}\mathrm{...}{g}_1^{u_{1j}{\mathrm{id}}_j}\·g_1^{x_1}\right)}^r\·g_3^{r_3^{\′}})\\ =e(g_1^s,g_1^{r\[\underset{i=1}{\overset{j}{\Σ}}\left(u_{1i}{\mathrm{id}}_i\right)+x_1\]})\·e(g_1^s,g_3^r)\·e(g_4^{{\mathrm{\ω}}_{4}s+t_4^{\′}},g_1^{r\[\underset{i=1}{\overset{j}{\Σ}}\left(u_{1i}{\mathrm{id}}_i\right)+x_1\]})\·e(g_4^{{\mathrm{\ω}}_{4}s+t_4^{\′}},g_3^{r_3^{/}})\\ =e(g_1^s,g_1^{r\[\underset{i=1}{\overset{j}{\Σ}}\left(u_{1i}{\mathrm{id}}_i\right)+x_1\]})=e{(g_1,g_1)}^{sr\[\underset{i=1}{\overset{j}{\Σ}}\left(u_{1i}{\mathrm{id}}_i\right)+x_1\]}\end{array}.$

Visible, when ciphertext form is correct, decipherment algorithm can recover in plain text with correct private key.

The level identity base encipherment scheme of attack is opened in anti-selection according to embodiments of the present invention, and the anti-selection of selection is opened Attack model can successfully manage many-to-one communication pattern in complex network environment, prevents because assailant has stolen a hop link Information so that attacked all links, caused network paralysis, secondly, attack model is opened in anti-selection and effectively applies to layer In secondary identity based encryption system, extremely mate with real-life sight, can be applicable to large-scale there is sophistication levels structure System in, simple easily realize.

Claims (4)

1. the level identity base encipherment scheme of attack is opened in an anti-selection, it is characterised in that comprise the following steps:

The safe mould that the level identity based system of attack is opened in anti-selection is set up by the game between definition opponent and challenger Type, described is defined including to the game between opponent and challenger:

Initial phase: described opponent states challenge identity vector；

System establishment stage: described challenger's call parameters generating algorithm generates common parameter, and is sent by described common parameter To described opponent；

Private key puts question to inquiry: described opponent is to private key corresponding to described challenger's inquiry identity vector, wherein, and described identity vector It can not be the identity vector of statement in described initial phase；

The challenge stage: identity vector, the message vector of efficiently sampling, PKI parameter and the random number that described opponent output is to be challenged To described challenger, described challenger calls AES and generates cyphertext vector and return to described opponent；

Opening stage: described opponent selects a set to send to described challenger, in order to described challenger opens the closeest Literary composition component obtains in plain text and random number, and described challenger randomly chooses a bit, wherein, if bit is 1, then described The information opened is sent to described opponent by challenger, if bit is 0, the most described challenger samples again with by new plaintext Component sends to described opponent；

The conjecture stage: described opponent exports a conjecture result, if described conjecture result is correct, the most described opponent is in gaming Win；

Have the 1 monolateral opening function of bit by proof, the undistinguishable model of level identity base has undistinguishable and selects bright The safety that literary composition is attacked proves that the safety of the security model of the level identity based system of attack is opened in described anti-selection.

The level identity base encipherment scheme of attack is opened in anti-selection the most according to claim 1, it is characterised in that structure institute State and there is the 1 monolateral opening function of bit, the undistinguishable model of level identity base, farther include:

System is set up: according to closing number rank Bilinear GroupsExponent number and the random number chosen set up algorithm by system and generate main private Key and PKI；

Private key generates: generated the private key of the first level by private key generating algorithm according to the random number chosen；

Private key escrow: lead to the 3rd random number chosen according to the private key of last layer node, the atom identity of current hierarchy node Cross private key escrow algorithm and obtain the private key of current level；

Encryption: by AES to being encrypted, to obtain ciphertext, wherein, by the ciphertext of default structure to list in plain text Bit is that the plaintext of 0 bit is encrypted, and by choosing the random number ciphertext as single-bit 1；And

Deciphering: by decipherment algorithm, described ciphertext is decrypted, to recover described plaintext.

The level identity ciphering scheme of attack is opened in anti-selection the most according to claim 2, it is characterised in that also include: Decrypted result is carried out verification of correctness.

The level identity ciphering method of attack is opened in anti-selection the most according to claim 2, it is characterised in that by described The private key form of the current level that private key escrow algorithm generates and the private key of the first level with the generation of described private key generating algorithm Form keeps consistent.