CN108551390A - A kind of band keyword search public key encryption method without safe lane - Google Patents
A kind of band keyword search public key encryption method without safe lane Download PDFInfo
- Publication number
- CN108551390A CN108551390A CN201810227500.7A CN201810227500A CN108551390A CN 108551390 A CN108551390 A CN 108551390A CN 201810227500 A CN201810227500 A CN 201810227500A CN 108551390 A CN108551390 A CN 108551390A
- Authority
- CN
- China
- Prior art keywords
- keyword
- parameter
- private key
- trapdoor
- encryption method
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/0825—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/0643—Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Power Engineering (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
Abstract
The present invention discloses a kind of band keyword search public key encryption method without safe lane, includes the following steps:Step 1, security parameter λ is obtained, according to the global common parameter GP of security parameter λ outputs;Step 2, the public private key pair (pk of server S is obtained according to global common parameter GPS,skS);Step 3, the public private key pair (pk of recipient is obtained according to global common parameter GPR,skR) and keyword ω;Step 4, it obtains PEKS ciphertexts C with keyword ω encryptions and returns to security parameter λ;Step 5, according to the private key sk of recipientRWith keyword ω, output trapdoor Tω;Step 6, according to the private key sk of server SS, PEKS ciphertexts C and trapdoor Tω, counter to push away keyword ω ';Step 7, judge whether ω=ω ' is true, if set up, export " Correct ", encrypt successfully, otherwise export " Incorrect ", encryption is unsuccessful.Such encryption method is capable of providing the better Encryption Model of more efficient and safety.
Description
Technical field
The present invention relates to a kind of public key cryptography with keyword search, more particularly to a kind of bands without safe lane
Keyword search public key encryption method.
Background technology
With internet, the development of cloud computing, user needs to store encrypted data beyond the clouds, is needed at this time to ciphertext
It scans for, then proposes band keyword search and encrypt.Typical application is as follows:Assuming that user A wants to send encrypted electronics
Mail gives user B, and in order to ensure anyone in addition to user B cannot decrypt Email, user A is sending Email
The public key encryption of the user B mail is used before, therefore only user B possesses the ability of decryption.However encrypted electronics postal
Part is completely random, and server's (mail server) will be unable to carry out Intelligent routing.For example, user B wants to be received with its mobile phone
Those include the mail of keyword " urgent ", and the mail of other keywords is wished to route in (download) to computer to read,
So user B needs to establish a kind of ciphertext matching mechanisms between mail service person, i.e., server is in non-decrypting mail ciphertext
Under the conditions of test (TEST) mail whether include keyword " urgent ".
Keyword often from small set, and ordinary user commonly using known keyword (as it is urgent,
Tourism etc.) it encrypts, the public key cryptography scheme with keyword search studied before only provides search plan, without providing
User decrypts the ability of encrypted information, and attacker can only obtain the relevant trapdoor of keyword and cannot obtain in security model
Test result between trapdoor and keyword.In reality, the recipient (attacker) of a malice oneself can generate selected close
The trapdoor of keyword, and by interacting to obtain the relationship between trapdoor and ciphertext with server to realize attack.The prior art
In existing enhance security model by increasing test query attacker obtained between non-challenge ciphertext and trapdoor
Relationship, and give the public key with keyword search without safe lane safe under enhancing model under random oracle
Encipherment scheme.Although the existing public key cryptography scheme with keyword search without safe lane is very ripe, he
Safety can only be in approved safe under random oracle model, and random oracle model is a Utopian model, at this
All participants can access the hash function of true random by black box under model, and under random oracle model
Proof is only capable of being taken as a didactic argument, and the insecurity of system can be caused in actual environment.
Invention content
The purpose of the present invention is to provide a kind of band keyword search public key encryption method without safe lane, can
There is provided more efficient and safety better Encryption Model.
In order to achieve the above objectives, solution of the invention is:
A kind of band keyword search public key encryption method without safe lane includes the following steps:
Step 1, security parameter λ is obtained, according to the global common parameter GP of security parameter λ outputs;
Step 2, the public private key pair (pk of server S is obtained according to global common parameter GPS,skS);
Step 3, the public private key pair (pk of recipient is obtained according to global common parameter GPR,skR) and keyword ω;
Step 4, it obtains PEKS ciphertexts C with keyword ω encryptions and returns to security parameter λ;
Step 5, according to the private key sk of recipientRWith keyword ω, output trapdoor Tω;
Step 6, according to the private key sk of server SS, PEKS ciphertexts C and trapdoor Tω, counter to push away keyword ω ';
Step 7, judge whether ω=ω ' is true, if set up, export " Correct ", encrypt successfully, otherwise export "
Incorrect ", encryption are unsuccessful.
In above-mentioned steps 1, the specific acquisition methods of global common parameter GP are:If (p, g, G1,G2, e) and it is Bilinear map
Parameter selects one-way Hash functionIf keyword domain isRandomly generate random parameter u, v ∈
G1Once signed Sig=(G, S, V) can not be forged by force;The global common parameter of output is GP=(p, g, G1,G2,e,u,v,Sig,
H,KSω)。
In above-mentioned steps 2, the public private key pair (pk of server SS,skS) specific acquisition methods be:Select random parameterEnable X=gx, select random parameterG1 *It is random parameter u, the intersection of v exports the public private key pair of server
(pkS,skS), wherein pkS=(GP, X, Q), skS=(pkS,x)。
In above-mentioned steps 3, the public private key pair (pk of recipientR,skR) specific acquisition methods be:Select random parameterEnable Y=gy, select random parameterExport the public private key pair (pk of recipientR,skR), pkR=(GP, Y, h),
skS=(pkR,y)。
In above-mentioned steps 5, trapdoor TωSpecific acquisition methods be:Select random parameterIt enablesTrapdoor is Tω=(sω,dω)。
In above-mentioned steps 6, the anti-specific method for pushing away keyword ω ' is:
Step 61, selection can not forge by force once signed key pair (ssk, svk) ← G (λ), and C is arranged0=svk;
Step 62, random parameter is selectedEnable C1=gs, t=H (e (X, Q)s), C2=(Yg-ω)r/t, C3=e (g,
g)r, C4=e (g, h)r, C5=(usvkv)s;
Step 63, to five-tuple (C1,C2,C3,C4,C5) generate one can not forge once signed σ=S (ssk, (C by force1,
C2,C3,C4,C5));
Step 64, PEKS ciphertexts are C=(C0,C1,C2,C3,C4,C5,σ)。
In above-mentioned steps 7, judge that the whether true specific methods of ω=ω ' are:
Step 71, the Formula V (C such as verification0,σ,(C1,C2,C3,C4,C5))=1 whether true, go to step 72 if setting up;
Step 72, equation is verifiedIt is whether true, go to step 73 if setting up;
Step 73, t=H (e (C are calculated1,Q)x);
Step 74, equation is verifiedIt is whether true, if set up, export " Correct ", encrypts
Otherwise success exports " Incorrect ", encryption is unsuccessful.
After adopting the above scheme, compared with prior art in various encipherment schemes, enhancing proposed by the present invention without peace
The safety of the public key cryptography scheme with keyword search of all channel, to improve the safety of one-to-one communication in internet
Property, it can effectively prevent third-party attack, and the front that safety and consistency of the invention avoids in proof procedure
The shortcomings that random oracle is used in case, has the characteristics that:
(1) present invention has stronger security model.The security model of the present invention allow attacker obtain non-challenge ciphertext with
Relationship namely attacker's ability between trapdoor is stronger, then the solution security of approved safe is more under this enhancing model
It is high.
(2) since be proved to be under random oracle model in the practical application that safe scheme interconnects beyond the clouds may be uneasy
Entirely, and the solution of the present invention does not depend on random oracle model and is individually present, and can bring better safety.
Specific implementation mode
Below with reference to specific embodiment, technical scheme of the present invention and advantageous effect are described in detail.
First to used in the present invention to concept illustrate:
1.1 negligible functions
Function of ε (n):N → R is referred to as insignificant, if for all n, 1/ ε (n) is nonpolynomial circle
Amount.
1.2 Bilinear map
If G1,G2It is the cyclic group that exponent number is prime number p, g is crowd G1Generation member (G is indicated respectively1\{1},Zp\
{0}).Claim e:G1×G1→G2It is a Bilinear map, is set up and if only if following condition:
1.Wherein a, b ∈ ZP,g1,g2∈G1;
2.e(g,g)≠1;
3. for all g1,g2∈G1, e (g1,g2) it is computable.
1.3 DBDH assume
If e:G1×G1→G2It is a Bilinear map, defines the attack dominance function of opponent BIt is as follows:
a,b,c,r∈ZpAnd it randomly selects.If for all probabilistic polynomial time opponent B,
It is insignificant, then the decisive Diffie-Hellman based on Bilinear map assumes to set up (reference can be made to Boneh D, Boyen
X..Efficient selective-ID Identity based encryption without random oracles
[C].In Proc.of EUROCRYPT 2004,Springer Berlin Heidelberg,2004:223-238 and
Gentry C..Practical identity-based encryption without random oracles[C].In
Proc.of EUROCRYPT 2006,Springer-Verlag,2006:457-464)。
1.4 Truncated (Decisional) q-ABDHE assumes
If e:G1×G1→G2It is a Bilinear map, defines the advantage function of opponent BIt is as follows:
Wherein x, z, r ∈ ZpIt randomly selects.If for all probabilistic polynomial time opponent B,It is insignificant, then decisive Truncated q-ABDHE assume to set up.
The last 1.5 can not forge once signed
It includes a triple algorithm Sig=(G, S, V) that once signed can not be forged by force.Input parameter λ, G generate a pair of
Key (ssk, svk).For any message M, the V (svk, σ)=1 as σ=S (ssk, M), otherwise V (svk, σ)=0.By force can not
Forgery once signed, which refers to no any probabilistic polynomial timing attack person A, can forge a new signature, even to once signing
Cross the message of name.
Sig=(G, S, V), which is one, can not forge by force once signed, multinomial for any probability and if only if the following time
The probability of formula time adulterator F is insignificant:
AdvOTS=Pr [(ssk, svk) ← G (λ);
(m,St)←F(svk);σ←S(ssk,m);
(m',σ')←F(m.,σ,svk,St):
∧ (m', σ ') ≠ (m, the σ) of V (svk, σ ', m')=1]
Wherein St indicates the status information that each stage F is obtained.
The 1.6 public key encryption definition with keyword search without safe lane
Define 1 (public key encryption with keyword search for being not necessarily to safe lane):Band keyword without safe lane is searched
The public key cryptography scheme of rope includes following several algorithms:
-GloSetup(λ):Security parameter λ is inputted, global common parameter GP is exported.
-KeyGenreceiver(GP):It is input, the public private key pair (pk of output recipient R with common parameter GPR,skR)。
-KeyGensever(GP):It is input, the public private key pair (pk of output server S with common parameter GPS,skS)。
-SCF-PEKS(GP,pkR,pkS,ω):Input common parameter GP, the public key pk of recipientR, the public key of server
pkS, keyword ω.One is returned with the encrypted PEKS ciphertexts C of keyword ω.
-Trapdoor(CP,skR,ω):Input common parameter GP, the private key sk of recipientRAnd keyword ω, output
Trapdoor Tω。
-Test(GP,skS,C,Tω):Input common parameter GP, the private key sk of serverS, trapdoor TωAnd PEKS ciphertexts
C, wherein C=SCF-PEKS (GP, pkR,pkS,ω').If ω=ω ', export " Correct ", otherwise export "
Incorrect"。
Similar document Abdalla M, Bellare M, Catalano D, et al.Advances in Cryptology-
CRYPTO 2005[C].Springer Berlin Heidelberg,2005:The conformance definition of 205-222, without safety letter
The conformance definition of the public key cryptography scheme with keyword search in road is as follows:
Define 2 (consistency):Assuming that there are an opponent A, want that the consistency to ruin a plan, formalization are defined as follows:
(pkR,skR)←KeyGenreceiver(GP);(pkS,skS)←KeyGensever(GP)
(ω,ω')←A(pkR,pkS)
C←SCF-PEKS(GP,pkR,pkS,ω);Tω'←Trapdoor(GP,skR,ω')
ifω≠ω'and Test(GP,skS,C,Tω')=" Correct "
Then return 1,
else return 0。
The wherein advantage of A is as follows:
If the probability for winning above-mentioned game for the opponent A of all probabilistic polynomial time is all insignificant,
Scheme is to calculate consistency.
Next the safety definition for providing the public key encryption with keyword search without safe lane, that is, be not necessarily to safety
The public key encryption with keyword search of channel resists the indistinguishability (IND-DT-CKA) of selection keyword attack.IND-
DT-CKA ensure that in the case where that can obtain any non-challenge keyword trapdoor, not have any server that can distinguish PEKS close
Text is by his selected keyword ω0, ω1Which of keyword encrypt.Also, it is any to there is no server
It is by his selected keyword ω that the external attacker (including recipient) of private key, which cannot distinguish between PEKS ciphertexts,0, ω1In which
What a keyword was encrypted, even if he can obtain the relationship between non-challenge ciphertext and trapdoor.It is defined as follows:
Define 3 (IND-DT-CKA game):λ is security parameter, and A is attacker.Consider following attacker A and mimic B
Two game:
Game 1:Assuming that A is server.
System is established:Common parameter generates algorithm GloSetup (λ) and two encryption key generating algorithms KeyGenreceiver
(GP), KeyGensever(GP) it is performed, generates common parameter GP, the public private key pair (pk of recipient and serverR,skR),
(pkS,skS), then mimic B is (pkS,skS) and pkRIt is sent to attacker A.
Inquiry phase one:Attacker A does following inquiry:
(3.1) trapdoor is inquired<ω>:A inquires that trapdoors of the B about keyword ω, B return to A trapdoors Tω=Trapdoor
(GP,skR,ω)。
(3.2) test query<C,ω>:A inquires test queries of the B about keyword ω and PEKS ciphertext.B does one first
A trapdoor inquiry<ω>To obtain trapdoor Tω, B returns to A algorithm Test (GP, Tω,skS, C) result.
(3.3) it challenges:Once A determines that 1 stage of inquiry terminates, he exports challenge keyword to (ω0,ω1) (note that ω0,
ω1Cannot be the keyword for any trapdoor inquiry that A is done in inquiry phase one).Challenge keyword is received to rear, B is randomly
B ∈ { 0,1 } are selected, and generate challenge ciphertext C*=SCF-PEKS (GP, pkR,pkS,ωb), it is sent to A.
Inquiry phase two:A do with one identical inquiry of stage, the only limitation is that A cannot be to ω0, ω1Trapdoor inquiry is done,
And if<C,ω>=<C*,ω0>Or<C,ω>=<C*,ω1>Then permit no.<C,ω>Test query.
(3.4) guess:Attacker exports his conjecture b'.If b=b', attacker wins.
The advantage of attacker A in definition game 1:
Game 2:Assuming that A is external attacker (including recipient).
System is established:Common parameter generates algorithm GloSetup (λ) and two encryption key generating algorithms KeyGenreceiver
(GP), KeyGensever(GP) it is performed, generates common parameter GP, the public private key pair (pk of recipient and serverR,skR),
(pkS,skS), then mimic B is (pkR,skR) and pkSIt is sent to attacker A.
Inquiry phase one:Attacker A does following inquiry:
(3.5) trapdoor is inquired<ω>:A inquires that trapdoors of the B about keyword ω, B return to A trapdoors Tω=Trapdoor
(GP,skR,ω)。
(3.6) test query<C,ω>:A inquires test queries of the B about keyword ω and PEKS ciphertext C.B does one first
A trapdoor inquiry<ω>To obtain trapdoor Tω, B returns to A tests Test (GP, Tω,skS, C) result.
(3.7) it challenges:Once A determines that 1 stage of inquiry terminates, output challenge keyword is to (ω0,ω1) (note that ω0,
ω1Cannot be that any trapdoor that A is done in inquiry phase one inquires relevant keyword).Receive challenge keyword to rear, B with
B ∈ { 0,1 } are selected to machine, and generate challenge ciphertext C*=SCF-PEKS (GP, pkR,pkS,ωb), it is sent to A.
Inquiry phase two:A do with one identical inquiry of stage, if limitation<C,ω>=<C*,ω0>Or<C,ω>=<
C*,ω1>Then permit no.<C,ω>Test query.With 1 different, ω of game0, ω1Here it is allowed to do trapdoor inquiry.
(3.8) guess:Attacker exports his conjecture b', if b=b', attacker wins.We define trip
The advantage of attacker A in play 1:IfI=1 or 2 be it is insignificant,
The public key cryptography scheme with keyword search for being so not necessarily to safe lane is IND-SCF-CKA safety.
Next the implementation and Security Proof of the present invention are specifically described.
The solution of the present invention includes following specific building method:
·GloSetup(λ):λ is security parameter, if (p, g, G1,G2, e) be Bilinear map parameter.Select one-way hash function
FunctionIf keyword domain isRandomly generate u, v ∈ G1Once signed Sig can not be forged by force
=(G, S, V).The global common parameter of output is GP=(p, g, G1,G2,e,u,v,Sig,H,KSω)。
·KeyGensever(GP):Random selectionCalculate X=gx, random selectionExport the public affairs of server
Private key is to (pkS,skS), wherein pkS=(GP, X, Q), skS=(pkS,x)。
·KeyGenreceiver(GP):Random selectionCalculate Y=gy, random selectionExport recipient's
Public private key pair, (pkR,skR), pkR=(GP, Y, h), skS=(pkR,y)。
·PEKS(GP,pkR,pkS,ω):
Selection can not forge by force once signed key pair (ssk, svk) ← G (λ), and C is arranged0=svk, is as follows:
(1) it randomly choosesCalculate C1=gs, t=H (e (X, Q)s), C2=(Yg-ω)r/t, C3=e (g, g)r, C4
=e (g, h)r, C5=(usvkv)s。
(2) to five-tuple (C1,C2,C3,C4,C5) generate one can not forge once signed σ=S (ssk, (C by force1,C2,C3,
C4,C5))
(3) PEKS ciphertexts are C=(C0,C1,C2,C3,C4,C5, σ), return to C.
·Trapdoor(GP,skR,ω):Random selectionIt calculatesTrapdoor is Tω=
(sω,dω), return to Tω。
·Test(GP,skS,C,Tω):Whether true verify following several equatioies:
V(C0,σ,(C1,C2,C3,C4,C5))=1
If set up, calculate:T=H (e (C1,Q)x), whether true then verify following formula:
If above equation is all set up, " Correct " is returned, otherwise returns to " Incorrect ".
The consistency checking of the present invention is as follows:
Assuming that 1:The public key cryptography scheme with keyword search without safe lane of above-mentioned construction is to calculate consistency
's.
It proves:Assuming that there are the consistency that a polynomial time attacker A can destroy scheme above.
Enable (ω0,ω1) it is the keyword pair that attacker A is returned in consistent sex play.Without loss of generality, it is assumed that ω ≠ ω '.
It enablesIt is to generate ciphertext SCF-PEKS (GP, pkR,pkS, ω) when it is randomly selected.(ssk, svk) be it is strong not
The key pair of once signed can be forged.H=gz, C1=gs, t=H (e (X, Q)s), C2=(Yg-ω)r/t, C3=e (g, g)r, C4=e
(g,h)r, Tω'=(sω',dω'), whereinIt is to be fallen into caused by keyword ω '
Door.
The condition that obvious A wins is ω ≠ ω ', and needs to meetThen have:
It is transparent to attacker because y, z are private keys, therefore, Pr [sω'=z]=1/ (p-1), and Pr [ω '=y]=
1/ (p-1), wherein p-1 isThe number of middle element.As described above, when ω ≠ ω ', Test (GP, skS,C,Tω')="
Correct"。
The security verification of the present invention is as follows:
Assuming that 2:Assuming that DBDH and q-ABDHE problems are difficult to resolve, then said program is the IND-DT- under master pattern
CKA safety.
In order to prove this it is assumed that two citations is divided to complete to prove.
Citation 1:If q >=qk+ 1, wherein qkIt is the total degree of the done trapdoor inquiry of attacker.Assuming that q-ABDHE problems are difficult
Solution, above-mentioned scheme is that anti-selection keyword attacks Semantic Security under master pattern in game 1.
It proves:Assuming that in game 1, there are a polynomial time attacker A, and above-mentioned side can be attacked under master pattern
Case.Q-ABDHE can be solved the problems, such as by establishing a mimic B.Physical simulation is as follows:First, group G is arranged in challenger1,G2And it is double
Linearly to e and group G1Generation member g.Mimic B is entered a q-ABDHE problem-instanceThe target of mimic B is to discriminate betweenOr T is crowd G2In one
Random number.
System is established:λ is security parameter, (p, g, G1,G2, e) and it is Bilinear map parameter, one-way Hash functionKeyword domainGenerate u, v ∈ G1Once signed Sig=(G, S, V) can not be forged by force.It is public
Parameter is GP=(p, g, G altogether1,G2,e,u,v,Sig,H,KSω).It randomly selectsCalculate X=ga, random selectionThe public and private key that server is arranged is respectively pkS=(GP, X, Q), skS=(GP, a).
Q rank multinomials f (X) is randomly selected, Y=g is definedx, h=gf(x).The public key of recipient is pkR=(pkS,Y,h)。
Send (pkR,pkS,skS) give attacker A.
Inquiry phase one:Attacker A does following inquiry:
Trapdoor is inquired<ω>:A inquires that s is arranged in trapdoors of the B about keyword ω, Bω=f (ω) calculates dω=g(f(x )-f(ω))/(x-ω), send trapdoor Tω=(sω,dω) give A.As q >=qkWhen+1, sω=f (ω) is a random number for A,
Because f (X) is a random q rank multinomial.
Test query<C,ω>:A inquires B about the test result between keyword ω and PEKS ciphertext.B does one first
Trapdoor is inquired<ω>To obtain trapdoor Tω, B returns to A tests Test (GP, Tω,skS, C) result.
Challenge:Once A determines that 1 stage of inquiry terminates, he exports challenge keyword to (ω0,ω1) (note that ω0, ω1No
Can be the keyword for any trapdoor inquiry that A is done in inquiry phase one).B is randomly chosen b ∈ { 0,1 }, and ω is arranged*=ωb,
Key pair (the ssk of once signed can not be forged by force by generating*,svk*C is arranged in) ← G (λ)0 *=svk*,It calculates
B is randomly choosedAnd it calculatesDefine q+1 rank multinomials
It calculates
Once signed σ can not be forged by force by generating one*=S (ssk*,(C1 *,C2 *,C3 *,C4 *,C5 *)).Send challenge ciphertext
C*=(C0 *,C1 *,C2 *,C3 *,C4 *,C5 *,σ*) give attacker A.
If r*=zF*(x), ifSo,
Inquiry phase two:A do with one identical inquiry of stage, limitation is that A cannot be to ω0, ω1Trapdoor inquiry is done, and such as
Fruit<C,ω>=<C*,ω0>Or<C,ω>=<C*,ω1>, then do not allow pair<C,ω>Do test query.
Conjecture:Attacker exports his conjecture b', if b=b', exports 1, indicatesOtherwise it exports
0, indicate T=e (g, g)r。
Probability analysis:IfSimulation is perfect, and the probability that A correctly guesss out b is 1/2+ ε.Otherwise T
It is a random number, (C2 *,C3 *) be completely random and independently of each other.Inequality in this case
The probability of establishment is 1-1/p.When inequality is set up, because of because private keyIt is random, soIt is random.And the angle of information, C are obtained from A4 *With it is close
Other elements are independent from each other (C in text3 *Except).Therefore C4 *It is random and mutually independent.Because of s*∈Zp *It is to select at random
It takes, thereforeBe it is random and with (C2 *,C3 *,C4 *) be independent from each other.Challenge ciphertext C*=(C0 *,C1 *,C2 *,C3 *,
C4 *,C5 *,σ*) without revealing any information about b.To the proof of this completion game 1.
Citation 2:Assuming that DBDH problems are difficult to resolve, the solution of the present invention is the anti-selection under master pattern in game 2
Keyword attacks Semantic Security.
It proves:Assuming that in game 2, there are a polynomial time attacker A, and this paper structures can be attacked under master pattern
The scheme made, we, which establish a mimic B, can solve the problems, such as DBDH.Physical simulation is as follows:
First, cyclic group G is arranged in challenger1,G2And Bilinear map e and group G1Generation member g.Mimic is entered
One DBDH problem-instances (g, ga,gb,gc, T), the target of mimic B is to discriminate between T=e (g, g)abcOr T is crowd G2In one
A random number.
Before describing B, event F is defined firstOTSAnd provide its probable range.Allow C*=(C0 *,C1 *,C2 *,C3 *,C4 *,
C5 *,σ*) indicate the challenge ciphertext that attacker A is sent in game.FOTSIndicate A to ciphertext C=(svk*,C1,C2,C3,C4,C5,
Inquiry, and V (svk σ) is decrypted*,σ,(C1,C2,C3,C4,C5))=1.In the stage one, A does not know about svk*It is any
Information, therefore event FOTSIt is no more than q in the probability that the stage one occurskθ.Wherein qkIt is the total degree of test query, θ indicates primary
The authentication secret svk of signature*The maximum probability (being no more than 1/p) of appearance.Obviously in stage two, FOTSGeneration equally forge
Strong once signed.Therefore Pr [FOTS]≤qk/p+AdvOTS, second part is the probability that can not be forged once signed by force and be destroyed,
Therefore it is also insignificant.
In simulation process, if event FOTSOccur, then mimic B stops playing and exporting a random number representative
The result of conjecture.Key pair (the ssk of once signed can not be forged by force by being generated in preparation stage B*,svk*) ← G (λ), and attacked
The person's of hitting A parametersWithWhereinIt is randomly selected.Entire simulation process is as follows:
System is established:λ is security parameter, (p, g, G1,G2, e) be Bilinear map parameter, one-way Hash functionCommon parameter is GP=(p, g, G1,G2,e,H,KSω)。KSωIndicate keyword domain.Enable X=ga, Q=gb,
The public key that server is arranged is pkS=(GP, X, Q).
Random selectionCalculate Y=gy.Random selectionExport the public private key pair (pk of recipientR,skR),
Wherein pkR=(GP, Y, h), skS=(pkR,y)。(pkR,skR) and pkSIt is sent to attacker A.
Inquiry phase one:Attacker A does following inquiry:
Trapdoor is inquired<ω>:B randomly chooses sω∈Zp *, calculateSend trapdoor Tω=(sω,dω)
To A.
Test query<C,ω>:A inquires B about keyword ω and PEKS ciphertext C=(C0,C1,C2,C3,C4,C5, σ) between
Test result.B does a trapdoor inquiry first<ω>To obtain trapdoor Tω, whether true then verify following formula:
V(C0,σ,(C1,C2,C3,C4,C5))=1,
If set up, it is divided into following two situation:
If C0=svk=svk*=C0 *, and,
(C1,C2,C3,C4,C5,σ)≠(C1 *,C2 *,C3 *,C4 *,C5 *,σ*)。
It is event F in this caseOTSOccur, stops game.
If C0=svk ≠ svk*=C0 *, the legitimacy of ciphertext makesAnd
Because of C1=gs, B can calculateThen B can be calculated
B checks whether following formula is true:
If all equatioies are all set up, returns correctly, otherwise return to mistake.
Challenge:A output challenge keywords pair.B is randomly chosen b ∈ { 0,1 }, enables challenge keyword ω*=ωb, C0 *=
svk*, C1 *=gc, t*=H (T) randomly selects r ∈ Zp *, calculateC3 *=e (g, g)r, C4 *=e (g, h)r,
Once signed σ can not be forged by force by generating one*=S (ssk*,(C1 *,C2 *,C3 *,C4 *,C5 *)),
Return to ciphertext C*=(C0 *,C1 *,C2 *,C3 *,C4 *,C5 *,σ*), send C*To A.
Inquiry phase two:A do with one identical inquiry of stage, limitation be if<C,ω>=<C*,ω0>Or<C,ω>
=<C*,ω1>Then permit no.<C,ω>Test query.With 1 different, ω of game0, ω1Here it is allowed to do trapdoor and look into
It askes.
Conjecture:Attacker exports his conjecture b', if b=b', output 1 indicates T=e (g, g)abc.Otherwise 0 is exported,
Indicate T=e (g, g)r。
Probability analysis:Assuming that the existing probability polynomial time attacker A in game 2, it can be under master pattern with excellent
Gesture ε wins game.The probability of mimic B is provided now:
As T=e (g, g)abcWhen, A meets | Pr [b=b'] -1/2 | >=ε.When T is G2 *In a random number when, then t*=H
(T) be it is random, equallyIt is random, then there is Pr [b=b']=1/2.A, b, c are Zp *In member
Element, T are G2 *In element, then have
It is that can not ignore.To the proof of this completion game 2.
Below by the solution of the present invention and a kind of scheme progress performance comparison in the prior art:
Because of security model (Rhee H.S., Park J.H., Susilo W., the et al.Improved of Rhee et al.
searchable public key encryption with designated tester[C].In Proc.of the 4th
international Symposium on information,Computer,and Communications Security
(ASIACCS’09),ACM,New York,NY,2009:376–379.)0Safety in the security model of the prior art compared with
Height, therefore be compared with above-mentioned security model (hereinafter referred to as Rhee schemes).
Wherein G1, G2Indicate cyclic group;teIndicate group G1, G2The cost of upper exponent arithmetic, tpIt is the flower of Bilinear map operation
Take, and the cost t of Bilinear map operationpAt least it is several times as much as the cost t of exponent arithmetice;ts, tvSignature and verification are indicated respectively
Calculating spend.The present invention will not consider two-wire linearly to e (Q, X), the calculating time of e (g, g) and e (g, Y), because they
It can be regarded as public key.The meter of Bilinear map e (g, h) in Rhee et al. schemes, e (g, u) and e (g, u~) are not considered equally
Evaluation time.Result of the comparison such as the following table 1." test query C*" expression pair<C*,ω>Test query, wherein ω ≠ ω0, ω ≠
ω1。
The result of table 1. present invention and Rhee project plan comparisons
Rhee et al. schemes refer to Rhee H.S., Park J.H., Susilo W., et al.Improved
searchable public key encryption with designated tester[C].In Proc.of the 4th
international Symposium on information,Computer,and Communications Security
(ASIACCS’09),ACM,New York,NY,2009:376–379。
Obtained from table 1, the solution of the present invention in terms of the public key size and PEKS encryptions of recipient and server more
Efficiently.But the solution of the present invention is in the security model approved safe of enhancing, you can with to challenging ciphertext C*Do about<C*,ω
>Test query, wherein ω ≠ ω0, ω ≠ ω1.And be approved safe under master pattern, avoid the dependence of Rhee schemes
This disadvantage of random oracle.
Above example is merely illustrative of the invention's technical idea, and protection scope of the present invention cannot be limited with this, every
According to technological thought proposed by the present invention, any change done on the basis of technical solution each falls within the scope of the present invention
Within.
Claims (7)
1. a kind of band keyword search public key encryption method without safe lane, it is characterised in that include the following steps:
Step 1, security parameter λ is obtained, according to the global common parameter GP of security parameter λ outputs;
Step 2, the public private key pair (pk of server S is obtained according to global common parameter GPS,skS);
Step 3, the public private key pair (pk of recipient is obtained according to global common parameter GPR,skR) and keyword ω;
Step 4, it obtains PEKS ciphertexts C with keyword ω encryptions and returns to security parameter λ;
Step 5, according to the private key sk of recipientRWith keyword ω, output trapdoor Tω;
Step 6, according to the private key sk of server SS, PEKS ciphertexts C and trapdoor Tω, counter to push away keyword ω ';
Step 7, judge whether ω=ω ' is true, if set up, export " Correct ", encrypt successfully, otherwise export "
Incorrect ", encryption are unsuccessful.
2. a kind of band keyword search public key encryption method without safe lane as described in claim 1, it is characterised in that:
In the step 1, the specific acquisition methods of global common parameter GP are:If (p, g, G1,G2, e) be Bilinear map parameter, choosing
Select one-way Hash function H:If keyword domain isRandomly generate random parameter u, v ∈ G1By force not
Once signed Sig=(G, S, V) can be forged;The global common parameter of output is GP=(p, g, G1,G2,e,u,v,Sig,H,KSω)。
3. a kind of band keyword search public key encryption method without safe lane as described in claim 1, it is characterised in that:
In the step 2, the public private key pair (pk of server SS,skS) specific acquisition methods be:Select random parameterEnable X
=gx, select random parameterG1 *It is random parameter u, the intersection of v exports the public private key pair (pk of serverS,skS),
Middle pkS=(GP, X, Q), skS=(pkS,x)。
4. a kind of band keyword search public key encryption method without safe lane as described in claim 1, it is characterised in that:
In the step 3, the public private key pair (pk of recipientR,skR) specific acquisition methods be:Select random parameterEnable Y=
gy, select random parameterExport the public private key pair (pk of recipientR,skR), pkR=(GP, Y, h), skS=(pkR,y)。
5. a kind of band keyword search public key encryption method without safe lane as claimed in claim 4, it is characterised in that:
In the step 5, trapdoor TωSpecific acquisition methods be:Select random parameterIt enablesTrapdoor
For Tω=(sω,dω)。
6. a kind of band keyword search public key encryption method without safe lane as described in claim 1, it is characterised in that:
In the step 6, the anti-specific method for pushing away keyword ω ' is:
Step 61, selection can not forge by force once signed key pair (ssk, svk) ← G (λ), and C is arranged0=svk;
Step 62, random parameter is selectedEnable C1=gs, t=H (e (X, Q)s), C2=(Yg-ω)r/t, C3=e (g, g)r,
C4=e (g, h)r, C5=(usvkv)s;
Step 63, to five-tuple (C1,C2,C3,C4,C5) generate one can not forge once signed σ=S (ssk, (C by force1,C2,C3,
C4,C5));
Step 64, PEKS ciphertexts are C=(C0,C1,C2,C3,C4,C5,σ)。
7. a kind of band keyword search public key encryption method without safe lane as described in claim 1, it is characterised in that:
In the step 7, judge that the whether true specific methods of ω=ω ' are:
Step 71, the Formula V (C such as verification0,σ,(C1,C2,C3,C4,C5))=1 whether true, go to step 72 if setting up;
Step 72, equation is verifiedIt is whether true, go to step 73 if setting up;
Step 73, t=H (e (C are calculated1,Q)x);
Step 74, equation is verifiedIt is whether true, if set up, " Correct " is exported, is encrypted successfully,
Otherwise " Incorrect " is exported, encryption is unsuccessful.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201810227500.7A CN108551390A (en) | 2018-03-20 | 2018-03-20 | A kind of band keyword search public key encryption method without safe lane |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201810227500.7A CN108551390A (en) | 2018-03-20 | 2018-03-20 | A kind of band keyword search public key encryption method without safe lane |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN108551390A true CN108551390A (en) | 2018-09-18 |
Family
ID=63516628
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201810227500.7A Pending CN108551390A (en) | 2018-03-20 | 2018-03-20 | A kind of band keyword search public key encryption method without safe lane |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN108551390A (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111159724A (en) * | 2019-11-18 | 2020-05-15 | 南京航空航天大学 | Conditional proxy reconfigurable encryption method for fine-grained strategy |
| CN112118104A (en) * | 2020-09-17 | 2020-12-22 | 中国人民解放军31008部队 | Security-enhanced connection keyword search method based on public key encryption |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102882687A (en) * | 2012-10-19 | 2013-01-16 | 杭州尚思科技有限公司 | Intelligent household safe access method and system based on searchable cipher text |
| JP5969681B1 (en) * | 2015-10-30 | 2016-08-17 | 株式会社第一コンピュータサービス | Confidential information management system |
| CN106407822A (en) * | 2016-09-14 | 2017-02-15 | 华南理工大学 | Keyword or multi-keyword based searchable encryption method and system |
-
2018
- 2018-03-20 CN CN201810227500.7A patent/CN108551390A/en active Pending
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102882687A (en) * | 2012-10-19 | 2013-01-16 | 杭州尚思科技有限公司 | Intelligent household safe access method and system based on searchable cipher text |
| JP5969681B1 (en) * | 2015-10-30 | 2016-08-17 | 株式会社第一コンピュータサービス | Confidential information management system |
| CN106407822A (en) * | 2016-09-14 | 2017-02-15 | 华南理工大学 | Keyword or multi-keyword based searchable encryption method and system |
Non-Patent Citations (1)
| Title |
|---|
| 方黎明: ""标准模型下增强的无需安全信道的带关键词搜索的公钥加密"", 《计算机科学》 * |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111159724A (en) * | 2019-11-18 | 2020-05-15 | 南京航空航天大学 | Conditional proxy reconfigurable encryption method for fine-grained strategy |
| CN111159724B (en) * | 2019-11-18 | 2022-04-01 | 南京航空航天大学 | Conditional proxy reconfigurable encryption method for fine-grained strategy |
| CN112118104A (en) * | 2020-09-17 | 2020-12-22 | 中国人民解放军31008部队 | Security-enhanced connection keyword search method based on public key encryption |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Lu et al. | Keyword guessing attacks on a public key encryption with keyword search scheme without random oracle and its improvement | |
| Bellare et al. | RKA security beyond the linear barrier: IBE, encryption and signatures | |
| Rhee et al. | Trapdoor security in a searchable public-key encryption scheme with a designated tester | |
| Rhee et al. | Secure searchable public key encryption scheme against keyword guessing attacks | |
| Hu et al. | An Enhanced Searchable Public Key Encryption Scheme with a Designated Tester and Its Extensions. | |
| Weng et al. | Cryptanalysis of a certificateless signcryption scheme in the standard model | |
| Hwang et al. | Certificateless public key encryption secure against malicious KGC attacks in the standard model | |
| Hwang et al. | Timed-release encryption with pre-open capability and its application to certified e-mail system | |
| Cheng et al. | An Improved Certificateless Signcryption in the Standard Model. | |
| Yang et al. | Analysis and improvement of a signcryption scheme with key privacy | |
| CN114124371A (en) | Certificateless public key searchable encryption method meeting MTP (Multi-time programmable) security | |
| Tian | A new strong multiple designated verifiers signature | |
| Park et al. | Fully secure hidden vector encryption under standard assumptions | |
| Ki et al. | Constructing Strong Identity‐Based Designated Verifier Signatures with Self‐Unverifiability | |
| Zhao et al. | Verifiable outsourced ciphertext-policy attribute-based encryption for mobile cloud computing | |
| Wu et al. | Security of authenticated multiple-key agreement protocols | |
| Li et al. | An efficient signcryption scheme with key privacy and its extension to ring signcryption | |
| Chen et al. | Certificateless signatures: structural extensions of security models and new provably secure schemes | |
| CN108551390A (en) | A kind of band keyword search public key encryption method without safe lane | |
| Wang et al. | Relations among privacy notions for signcryption and key invisible “sign-then-encrypt” | |
| Yang et al. | Leakage-resilient certificateless signcryption scheme | |
| Lu et al. | Related-key security for hybrid encryption | |
| Youn et al. | An efficient non-interactive deniable authentication scheme based on trapdoor commitment schemes | |
| Tian et al. | A systematic method to design strong designated verifier signature without random oracles | |
| Yang et al. | Efficient certificateless encryption withstanding attacks from malicious KGC without using random oracles |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20180918 |