CN108809650A - Certificateless anonymous multi-receiver signcryption method without a secure channel - Google Patents
- Publication number: CN108809650A (CN201810419999.1A)
- Authority: CN (China)
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
- H04L9/3066—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/0825—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
- H04L9/3252—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using DSA or related signature schemes, e.g. elliptic based signatures, ElGamal or Schnorr schemes
Abstract
The invention discloses a certificateless anonymous multi-receiver signcryption method without a secure channel, which addresses the technical problem that existing certificateless anonymous multi-receiver signcryption methods have poor security. In the technical solution, the key generation center KGC first sends a pseudo partial private key and a partial public key to the user over a public channel. After receiving them, the user verifies whether the received partial public key and pseudo partial private key are valid; if so, the user computes the user's public key, partial private key and private key, and otherwise stops. Next, the signcryption algorithm is designed on an elliptic curve, and the ciphertext information in the signcryption algorithm does not contain the identity information of the sender or the recipients. Finally, the ciphertext message is broadcast, and only an authorized recipient decrypts the ciphertext message and obtains the plaintext message, and only after verifying that the ciphertext message is legitimate. By sending the user's pseudo partial private key to the user over a public channel, the invention reduces cost; and because an authorized recipient decrypts the ciphertext message only once the ciphertext has been verified as legitimate, security is improved.
Description
Technical field
The present invention relates to a certificateless anonymous multi-receiver signcryption method, and more particularly to a certificateless anonymous multi-receiver signcryption method without a secure channel.
Background art
The document "Chinese invention patent with application number 201710332215.7" proposes a certificateless anonymous multi-receiver signcryption method. In that method, the key generation center KGC first generates the user's public key and partial private key and sends them to the user. After receiving the public key and partial private key, the user computes its own private key and verifies whether the received public key and partial private key are correct; if so, it continues with the subsequent operations, and otherwise it stops. Next, a signcryption algorithm is designed on an elliptic curve to obtain the signcryption ciphertext, which is broadcast to the recipients, but only authorized recipients can correctly decrypt the plaintext message. Finally, the authorized recipient verifies the legitimacy of the plaintext message; if it is legitimate, the authorized recipient accepts the plaintext message, and otherwise rejects it. The shortcomings of this method are as follows. First, KGC sends the user's partial private key over a secure channel, which means that when the user and KGC exchange the partial private key, security depends entirely on the secure channel; if the secure channel is compromised, anyone can obtain the user's partial private key, and the cost overhead of using a secure channel is large. Second, although the method includes a signature operation, the authorized recipient verifies the legitimacy of the plaintext message only after obtaining it by decryption, so the authorized recipient may decrypt useless, false or even virus-carrying plaintext messages, which brings a certain amount of harm to the authorized recipient.
In summary, the use of a secure channel in the above method not only makes the system cost overhead large, but also leaves the security of the user's partial private key low. In addition, the authorized recipient may decrypt useless, false or even virus-carrying plaintext messages, which means that the security of the above method is low.
Summary of the invention
To overcome the poor security of existing certificateless anonymous multi-receiver signcryption methods, the present invention provides a certificateless anonymous multi-receiver signcryption method without a secure channel. In this method, the key generation center KGC first sends a pseudo partial private key and a partial public key to the user over a public channel. After receiving them, the user verifies whether the received partial public key and pseudo partial private key are valid; if so, the user computes the user's public key, partial private key and private key, and otherwise stops. Next, the signcryption algorithm is designed on an elliptic curve, and the ciphertext information in the signcryption algorithm does not contain the identity information of the sender or the recipients. Finally, the ciphertext message is broadcast, and only an authorized recipient decrypts the ciphertext message and obtains the plaintext message, and only after verifying that the ciphertext message is legitimate. The expected technical effects are as follows. First, KGC sends the user's pseudo partial private key to the user over a public channel and the user computes the partial private key after receiving it, which both improves the security of the user's partial private key and reduces the system cost overhead. Second, the authorized recipient decrypts the ciphertext message only after verifying that the ciphertext is legitimate, which avoids decrypting useless, false or even virus-carrying plaintext messages and improves security.
The technical solution adopted by the present invention to solve its technical problem is a certificateless anonymous multi-receiver signcryption method without a secure channel, characterized in that it comprises the following steps:
Step 1: User U, which covers the sender S and the recipients $R_i$, obtains its own public key $PK_U$ and private key $SK_U$, where i = 1, 2, ..., n and n is a positive integer denoting the number of recipients chosen by sender S;
Step 2: User U randomly selects an integer $v_U \in Z_p^*$ as its secret value, and then computes its own secret value parameter $V_U$ according to the following formula:
$V_U = v_U P$
where $v_U$ denotes the secret value randomly selected by user U, ∈ denotes the set-membership symbol, $Z_p^*$ denotes the non-zero multiplicative group based on the large prime p, p denotes the large prime chosen by the key generation center KGC, $V_U$ denotes the secret value parameter of user U, P denotes a generator of the additive cyclic group $G_p$ chosen by KGC, $G_p$ denotes the additive cyclic group on the elliptic curve E chosen by KGC, E denotes the secure elliptic curve over the finite field $F_p$ chosen by KGC, and $F_p$ denotes the finite field, chosen by KGC, whose order is the large prime p;
Step 3: User U sends the secret value parameter $V_U$ and its own identity information $ID_U$ to the key generation center KGC over a public channel. After receiving the secret value parameter $V_U$ and identity information $ID_U$ of user U, KGC randomly selects an integer $d_U \in Z_p^*$ and computes the partial public key $D_U$ of user U according to the following formula:
$D_U = H_0(ID_U, V_U, d_U) P$
where $d_U$ denotes the integer randomly selected by KGC for user U, ∈ denotes the set-membership symbol, $Z_p^*$ denotes the non-zero multiplicative group based on the large prime p, p denotes the large prime chosen by KGC, $D_U$ denotes the partial public key of user U, $H_0$ denotes a collision-resistant hash function chosen by KGC, $ID_U$ denotes the identity information of user U, $V_U$ denotes the secret value parameter of user U, and P denotes a generator of the additive cyclic group $G_p$ chosen by KGC;
Step 4: The key generation center KGC computes the partial private key $y_U$ of user U according to the following formula:
$y_U = H_0(ID_U, V_U, d_U) + s \pmod p$
where $y_U$ denotes the partial private key of user U, $H_0$ denotes a collision-resistant hash function chosen by KGC, $ID_U$ denotes the identity information of user U, $V_U$ denotes the secret value parameter of user U, $d_U$ denotes the integer randomly selected by KGC for user U, s denotes the system master key chosen by KGC, mod denotes the modulo operation, and p denotes the large prime chosen by KGC;
Step 5: The key generation center KGC computes the pseudo partial private key $r_U$ of user U according to the following formula:
$r_U = y_U + H_1(ID_U, s V_U)$
where $r_U$ denotes the pseudo partial private key of user U, $y_U$ denotes the partial private key of user U, $H_1$ denotes a collision-resistant hash function chosen by KGC, $ID_U$ denotes the identity information of user U, s denotes the system master key chosen by KGC, and $V_U$ denotes the secret value parameter of user U;
Step 6: The key generation center KGC sends the partial public key $D_U$ and pseudo partial private key $r_U$ of user U to user U over a public channel.
Step 7: After receiving the partial public key $D_U$ and pseudo partial private key $r_U$ sent by the key generation center KGC, user U checks whether they satisfy the following equation. If so, step 8 is executed; otherwise, user U reports an error to KGC and exits the user registration process;
$r_U P = D_U + P_{pub} + H_1(ID_U, v_U P_{pub}) P$
where $r_U$ denotes the pseudo partial private key of user U, $D_U$ denotes the partial public key of user U, $P_{pub}$ denotes the system public key generated by KGC, $H_1$ denotes a collision-resistant hash function chosen by KGC, $ID_U$ denotes the identity information of user U, $v_U$ denotes the secret value randomly selected by user U, and P denotes a generator of the additive cyclic group $G_p$ chosen by KGC;
Step 8: User U computes the public key $PK_U$ according to the following formula:
$PK_U = D_U + H_1(ID_U, V_U) V_U$
where $PK_U$ denotes the public key of user U, $D_U$ denotes the partial public key of user U, $H_1$ denotes a collision-resistant hash function chosen by KGC, $ID_U$ denotes the identity information of user U, and $V_U$ denotes the secret value parameter of user U;
Step 9: User U computes its own partial private key $y_U$ according to the following formula:
$y_U = r_U - H_1(ID_U, v_U P_{pub})$
where $y_U$ denotes the partial private key of user U, $r_U$ denotes the pseudo partial private key of user U, $H_1$ denotes a collision-resistant hash function chosen by the key generation center KGC, $ID_U$ denotes the identity information of user U, $v_U$ denotes the secret value randomly selected by user U, and $P_{pub}$ denotes the system public key generated by KGC;
Step 10: User U computes the private key $SK_U$ according to the following formula:
$SK_U = H_1(ID_U, PK_U)(y_U + H_1(ID_U, V_U) v_U) \pmod p$
where $SK_U$ denotes the private key of user U, $H_1$ denotes a collision-resistant hash function chosen by KGC, $ID_U$ denotes the identity information of user U, $PK_U$ denotes the public key of user U, $y_U$ denotes the partial private key of user U, $V_U$ denotes the secret value parameter of user U, $v_U$ denotes the secret value randomly selected by user U, mod denotes the modulo operation, and p denotes the large prime chosen by KGC;
Step 11: User U sends its own public key $PK_U$ to the key generation center KGC over a public channel, and KGC publishes the public key $PK_U$ of user U. User U securely stores its own private key $SK_U$ and then exits the user registration process;
Step 12: Sender S determines whether it has already carried out the user registration process. If so, step 13 is executed; otherwise, sender S executes the user registration process to obtain its own public key $PK_S$ and private key $SK_S$, and then executes step 13;
Step 13: Sender S randomly selects registered recipients $R_i$, i = 1, 2, ..., n, where n is a positive integer denoting the number of recipients $R_i$ randomly selected by sender S;
Step 14: For each i = 1, 2, ..., n, sender S computes the pseudo public key $Q_i$ of the i-th recipient $R_i$ according to the following formula:
$Q_i = PK_i + P_{pub}$
where $Q_i$ denotes the pseudo public key of the i-th recipient $R_i$, $PK_i$ denotes the public key of the i-th recipient $R_i$, n denotes the number of recipients $R_i$ randomly selected by sender S, and $P_{pub}$ denotes the system public key generated by the key generation center KGC;
Step 15: Sender S randomly selects a signcryption integer $w \in Z_p^*$ and computes the signcryption verification share W of sender S according to the following formula:
$W = wP$
where w denotes the signcryption integer randomly selected by sender S, W denotes the signcryption verification share of sender S, ∈ denotes the set-membership symbol, $Z_p^*$ denotes the non-zero multiplicative group based on the large prime p, and P denotes a generator of the additive cyclic group $G_p$ chosen by the key generation center KGC;
Step 16: For each i = 1, 2, ..., n, sender S computes the signcryption verification share $F_i$ of the i-th recipient $R_i$ according to the following formula:
$F_i = w H_1(ID_i, PK_i) Q_i$
where $F_i$ denotes the signcryption verification share of the i-th recipient $R_i$, w denotes the signcryption integer randomly selected by sender S, $H_1$ denotes a collision-resistant hash function chosen by KGC, $ID_i$ denotes the identity information of the i-th recipient $R_i$, $PK_i$ denotes the public key of the i-th recipient $R_i$, $Q_i$ denotes the pseudo public key of the i-th recipient $R_i$, and n denotes the number of recipients $R_i$ randomly selected by sender S;
Step 17: For each i = 1, 2, ..., n, sender S computes the pseudo-identity value $\alpha_i$ of the i-th recipient $R_i$ according to the following formula:
$\alpha_i = H_2(W, F_i)$
where $\alpha_i$ denotes the pseudo-identity value of the i-th recipient $R_i$, $H_2$ denotes a collision-resistant hash function chosen by the key generation center KGC, W denotes the signcryption verification share of sender S, $F_i$ denotes the signcryption verification share of the i-th recipient $R_i$, and n denotes the number of recipients $R_i$ randomly selected by sender S;
Step 18: Sender S randomly selects an encryption integer $g \in Z_p^*$ and computes the encryption verification share G according to the following formula:
$G = gP$
where g denotes the encryption integer randomly selected by sender S, G denotes the encryption verification share, ∈ denotes the set-membership symbol, $Z_p^*$ denotes the non-zero multiplicative group based on the large prime p, and P denotes a generator of the additive cyclic group $G_p$ chosen by KGC;
Step 19: Sender S computes the ciphertext message M according to the following formula:
where M denotes the ciphertext message, m denotes the plaintext message, the operator symbol denotes the bitwise binary XOR operation, $H_3$ denotes a collision-resistant hash function chosen by the key generation center KGC, G denotes the encryption verification share, and $ID_S$ denotes the identity information of sender S;
Step 20: Sender S randomly selects an integer $\xi \in Z_p^*$ as the pseudo key and constructs the recipient identity-information mixing value f(x) according to the following formula:
where ξ denotes the pseudo key randomly selected by sender S, ∈ denotes the set-membership symbol, $Z_p^*$ denotes the non-zero multiplicative group based on the large prime p, f(x) denotes the recipient identity-information mixing value, x denotes the independent variable, ∏ denotes the product operation, $\alpha_i$ denotes the pseudo-identity value of the i-th recipient $R_i$, n denotes the number of recipients $R_i$ randomly selected by sender S, mod denotes the modulo operation, p denotes the large prime chosen by KGC, and $a_0, a_1, \ldots, a_{n-1}$ denote the coefficients of the recipient identity-information mixing value f(x);
Step 21: Sender S computes the validity parameter h of the ciphertext according to the following formula:
$h = H_4(M, ID_S, G, W, a_0, a_1, \ldots, a_{n-1})$
where h denotes the validity parameter of the ciphertext, $H_4$ denotes a collision-resistant hash function chosen by the key generation center KGC, M denotes the ciphertext message, $ID_S$ denotes the identity information of sender S, G denotes the encryption verification share, W denotes the signcryption verification share of sender S, and $a_0, a_1, \ldots, a_{n-1}$ denote the coefficients of the recipient identity-information mixing value f(x);
Step 22: Sender S computes the symmetric key k according to the following formula:
$k = H_5(\xi)$
where k denotes the symmetric key, $H_5$ denotes a collision-resistant hash function chosen by KGC, and ξ denotes the pseudo key randomly selected by sender S;
Step 23: Sender S computes the mixed ciphertext message J according to the following formula:
$J = E_k(M \| ID_S \| h)$
where J denotes the mixed ciphertext message, $E_k$ denotes the symmetric encryption algorithm, k denotes the symmetric key, M denotes the ciphertext message, $ID_S$ denotes the identity information of sender S, h denotes the validity parameter of the ciphertext, and || denotes the concatenation symbol;
Step 24: Sender S computes the pseudo parameter $h_0$ of the ciphertext according to the following formula:
$h_0 = H_6(h)$
where $h_0$ denotes the pseudo parameter of the ciphertext, $H_6$ denotes a collision-resistant hash function chosen by the key generation center KGC, and h denotes the validity parameter of the ciphertext;
Step 25: Sender S computes $g^{-1}$ such that it satisfies the equation $g g^{-1} \equiv 1 \pmod p$, and computes the signature parameter z:
$z = g^{-1}(SK_S + h_0) \pmod p$
where g denotes the encryption integer randomly selected by sender S, $g^{-1}$ denotes the inverse of the encryption integer g modulo the large prime p, z denotes the signature parameter, $SK_S$ denotes the private key of sender S, $h_0$ denotes the pseudo parameter of the ciphertext, mod denotes the modulo operation, and p denotes the large prime chosen by KGC;
Step 26: Sender S takes the mixed ciphertext message J, the signcryption verification share W of sender S, the coefficients $a_0, a_1, \ldots, a_{n-1}$ of the recipient identity-information mixing value f(x), and the signature parameter z as the signcryption ciphertext C, and broadcasts the signcryption ciphertext C to the recipients $R_i$, where i = 1, 2, ..., n;
Step 27: After receiving the signcryption ciphertext C, recipient $R_i$ executes the unsigncryption process, where i = 1, 2, ..., n and n denotes the number of recipients $R_i$ randomly selected by sender S;
Step 28: Recipient $R_i$ computes its own signcryption verification share $F_i$ according to the following formula:
$F_i = SK_i W$
where $F_i$ denotes the signcryption verification share of the i-th recipient $R_i$, $SK_i$ denotes the private key of the i-th recipient $R_i$, and W denotes the signcryption verification share of sender S;
Step 29: Recipient $R_i$ computes its own pseudo-identity value $\alpha_i$ according to the following formula:
$\alpha_i = H_2(W, F_i)$
where $\alpha_i$ denotes the pseudo-identity value of the i-th recipient $R_i$, $H_2$ denotes a collision-resistant hash function chosen by the key generation center KGC, W denotes the signcryption verification share of sender S, and $F_i$ denotes the signcryption verification share of the i-th recipient $R_i$;
Step 30: Recipient $R_i$ computes the recipient identity-information mixing value f(x) according to the following formula:
$f(x) = x^n + a_{n-1} x^{n-1} + \ldots + a_1 x + a_0$
where f(x) denotes the recipient identity-information mixing value, x denotes the independent variable, n denotes the number of recipients $R_i$ randomly selected by sender S, and $a_0, a_1, \ldots, a_{n-1}$ denote the coefficients of the recipient identity-information mixing value f(x);
Step 31: Recipient $R_i$ computes the pseudo key ξ randomly selected by sender S according to the following formula:
$\xi = f(\alpha_i)$
where ξ denotes the pseudo key randomly selected by sender S, f(x) denotes the recipient identity-information mixing value, x denotes the independent variable, and $\alpha_i$ denotes the pseudo-identity value of the i-th recipient $R_i$;
Step 32: Recipient $R_i$ computes the symmetric key k according to the following formula:
$k = H_5(\xi)$
where k denotes the symmetric key, $H_5$ denotes a collision-resistant hash function chosen by the key generation center KGC, and ξ denotes the pseudo key randomly selected by sender S;
Step 33: Recipient $R_i$ computes the ciphertext message M, the identity information $ID_S$ of sender S, and the validity parameter h of the ciphertext according to the following formula:
$M \| ID_S \| h = D_k(J)$
where M denotes the ciphertext message, $ID_S$ denotes the identity information of sender S, h denotes the validity parameter of the ciphertext, J denotes the mixed ciphertext message, $D_k$ denotes the symmetric decryption algorithm, k denotes the symmetric key, and || denotes the concatenation symbol;
Step 34: Recipient $R_i$ computes the pseudo parameter $h_0$ of the ciphertext according to the following formula:
$h_0 = H_6(h)$
where $h_0$ denotes the pseudo parameter of the ciphertext, $H_6$ denotes a collision-resistant hash function chosen by the key generation center KGC, and h denotes the validity parameter of the ciphertext;
Step 35: Recipient $R_i$ computes the encryption verification share G according to the following formula:
$G = z^{-1}(H_1(ID_S, PK_S)(PK_S + P_{pub}) + h_0 P)$
where G denotes the encryption verification share, z denotes the signature parameter, $z^{-1}$ denotes the inverse of the signature parameter z modulo the large prime p, $H_1$ denotes a collision-resistant hash function chosen by the key generation center KGC, $ID_S$ denotes the identity information of sender S, $PK_S$ denotes the public key of sender S, $P_{pub}$ denotes the system public key generated by KGC, $h_0$ denotes the pseudo parameter of the ciphertext, and P denotes a generator of the additive cyclic group $G_p$ chosen by KGC;
Step 36: Recipient $R_i$ computes the rights parameter h′ of the ciphertext according to the following formula:
$h' = H_4(M, ID_S, G, W, a_0, a_1, \ldots, a_{n-1})$
where h′ denotes the rights parameter of the ciphertext, $H_4$ denotes a collision-resistant hash function chosen by KGC, M denotes the ciphertext message, $ID_S$ denotes the identity information of sender S, G denotes the encryption verification share, W denotes the signcryption verification share of sender S, and $a_0, a_1, \ldots, a_{n-1}$ denote the coefficients of the recipient identity-information mixing value f(x);
Step 37: Recipient $R_i$ determines whether the rights parameter h′ of the ciphertext and the validity parameter h of the ciphertext are equal. If so, the identity of sender S has passed verification; recipient $R_i$ accepts the ciphertext message M sent by sender S and executes step 38. Otherwise, the identity verification of sender S has failed; recipient $R_i$ refuses to accept the ciphertext message M sent by sender S and exits the unsigncryption process.
Step 38: Recipient $R_i$ decrypts to obtain the plaintext message m:
where m denotes the plaintext message, M denotes the ciphertext message, the operator symbol denotes the bitwise binary XOR operation, $H_3$ denotes a collision-resistant hash function chosen by the key generation center KGC, G denotes the encryption verification share, and $ID_S$ denotes the identity information of sender S.
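The registration exchange of steps 2 to 10, and the agreement between the sender's values in steps 14 to 16, 18, 24 and 25 and the recipient's values in steps 28, 34 and 35, can be checked numerically. The Python below is an added example, not code from the patent; it assumes the secp256k1 curve, SHA-256 standing in for H0, H1 and H6, P_pub = sP (which the step 7 equation requires), and scalar arithmetic modulo the order Q of P where the text writes mod p.

```python
import hashlib
import secrets

# secp256k1 parameters (assumption: the patent does not name a curve).
FP = 2**256 - 2**32 - 977  # field prime
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order of P
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity


def add(a, b):
    """Elliptic-curve point addition on y^2 = x^3 + 7 over F_FP."""
    if a is INF:
        return b
    if b is INF:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % FP == 0:
        return INF
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, FP) % FP
    else:
        lam = (y2 - y1) * pow((x2 - x1) % FP, -1, FP) % FP
    x3 = (lam * lam - x1 - x2) % FP
    return (x3, (lam * (x1 - x3) - y1) % FP)


def mul(k, pt):
    """Scalar multiplication k*pt (double-and-add; not constant time)."""
    k %= Q
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def H(tag, *parts):
    """SHA-256 mapped to a non-zero scalar; the tag separates H0, H1, H6."""
    h = hashlib.sha256(tag.encode())
    for part in parts:
        data = repr(part).encode()
        h.update(len(data).to_bytes(4, "big") + data)
    return int.from_bytes(h.digest(), "big") % (Q - 1) + 1


def rand_scalar():
    return secrets.randbelow(Q - 1) + 1


def kgc_setup():
    s = rand_scalar()
    return s, mul(s, P)  # P_pub = sP is assumed; step 7 only holds if so


def kgc_issue(s, ident, V):
    """Steps 3-5: KGC derives (D_U, r_U); both travel over the public channel."""
    h0 = H("H0", ident, V, rand_scalar())
    y = (h0 + s) % Q
    return mul(h0, P), (y + H("H1", ident, mul(s, V))) % Q


def user_finish(ident, v, D, r, P_pub):
    """Steps 7-10: check (D_U, r_U), then derive (PK_U, SK_U); None if rejected."""
    mask = H("H1", ident, mul(v, P_pub))  # equals H1(ID, sV) since v*P_pub = s*V
    if mul(r, P) != add(add(D, P_pub), mul(mask, P)):
        return None
    V = mul(v, P)
    hv = H("H1", ident, V)
    PK = add(D, mul(hv, V))
    y = (r - mask) % Q
    return PK, H("H1", ident, PK) * (y + hv * v) % Q


def register(s, P_pub, ident, tamper=False):
    """Full registration; tamper=True models r_U altered in transit."""
    v = rand_scalar()  # step 2
    D, r = kgc_issue(s, ident, mul(v, P))
    if tamper:
        r = (r + 1) % Q
    return user_finish(ident, v, D, r, P_pub)


def shares_match(P_pub, ident, PK, SK):
    """Steps 14-16 (sender) against step 28 (recipient): same share F_i."""
    w = rand_scalar()
    W = mul(w, P)
    F_sender = mul(w * H("H1", ident, PK), add(PK, P_pub))
    return F_sender == mul(SK, W)


def recovers_G(P_pub, ident, PK, SK, h=b"constructed validity parameter h"):
    """Steps 18, 24, 25 (sender) against steps 34-35 (recipient)."""
    g = rand_scalar()
    G = mul(g, P)
    h0 = H("H6", h)
    z = pow(g, -1, Q) * (SK + h0) % Q
    rhs = add(mul(H("H1", ident, PK), add(PK, P_pub)), mul(h0, P))
    return mul(pow(z, -1, Q), rhs) == G
```

Both checks rest on the identity SK·P = H1(ID, PK)(PK + P_pub), which follows from steps 4, 8 and 10; recomputing G with a public key that does not belong to the signer fails, so h′ in step 36 would not match h.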
The beneficial effects of the invention are as follows. In this method, the key generation center KGC first sends a pseudo partial private key and a partial public key to the user over a public channel. After receiving them, the user verifies whether the received partial public key and pseudo partial private key are valid; if so, the user computes the user's public key, partial private key and private key, and otherwise stops. Next, the signcryption algorithm is designed on an elliptic curve, and the ciphertext information in the signcryption algorithm does not contain the identity information of the sender or the recipients. Finally, the ciphertext message is broadcast, and only an authorized recipient decrypts the ciphertext message and obtains the plaintext message, and only after verifying that the ciphertext message is legitimate. The expected technical effects are as follows. First, KGC sends the user's pseudo partial private key to the user over a public channel and the user computes the partial private key after receiving it, which both improves the security of the user's partial private key and reduces the system cost overhead. Second, the authorized recipient decrypts the ciphertext message only after verifying that the ciphertext is legitimate, which avoids decrypting useless, false or even virus-carrying plaintext messages and improves security.
First, in the prior art, the key generation center KGC sends the user's partial private key over a secure channel. This not only makes the system cost overhead large, but also means that the security of the user's partial private key depends entirely on the secure channel; if the secure channel is compromised, anyone can obtain the user's partial private key. From steps 4, 5, 6, 7, 8, 9 and 10 of the present invention it can be seen that KGC sends the pseudo partial private key to the user over a public channel, and after the user verifies that the pseudo partial private key is legitimate, the user can compute a partial private key known only to the user and KGC. This both improves the security of the user's partial private key and reduces the cost overhead of the system;
Second, in the prior art, the authorized recipient decrypts to obtain the plaintext message and only then verifies the legitimacy of the plaintext message, so the authorized recipient sometimes decrypts useless, false or even virus-carrying plaintext messages, which brings a certain amount of harm to the authorized recipient. From steps 35, 36, 37 and 38 of the present invention it can be seen that the authorized recipient decrypts the ciphertext message to obtain the plaintext message only after verifying that the ciphertext is legitimate, which effectively prevents the authorized recipient from decrypting useless, false or even virus-carrying plaintext messages; security is therefore good.
The present invention is described in detail below with reference to the accompanying drawings and specific embodiments.
Description of the drawings
Fig. 1 is a flow chart of the certificateless anonymous multi-receiver signcryption method without a secure channel of the present invention.
Specific embodiments
Explanation of terms
KGC (Key Generation Center): the key generation center, a trusted third party that assists user U in generating the private key $SK_U$ and public key $PK_U$;
η: the system security parameter chosen by the key generation center KGC;
p: the large prime chosen by the key generation center KGC;
$F_p$: the finite field, chosen by the key generation center KGC, whose order is the large prime p;
E: the secure elliptic curve over the finite field $F_p$ chosen by the key generation center KGC;
$G_p$: the additive cyclic group on the elliptic curve E chosen by the key generation center KGC;
P: a generator of the additive cyclic group $G_p$ chosen by the key generation center KGC;
s: the system master key chosen by the key generation center KGC;
$P_{pub}$: the system public key generated by the key generation center KGC;
∈: the set-membership symbol; for example, b ∈ B means that element b belongs to set B;
$Z_p^*$: the non-zero multiplicative group based on the large prime p;
$H_j$: the collision-resistant hash functions chosen by the key generation center KGC, where j = 0, 1, 2, 3, 4, 5, 6;
A→B: a mapping from domain A to codomain B;
×: the Cartesian product; for example, for set A = {a, b} and set B = {0, 1, 2}, the Cartesian product of the two sets is {(a,0), (a,1), (a,2), (b,0), (b,1), (b,2)};
$\{0,1\}^*$: strings of arbitrary length consisting of "0" or "1";
k: the symmetric key;
$E_k$: the symmetric encryption algorithm;
$D_k$: the symmetric decryption algorithm;
Params: the system parameters;
U: a user, including the sender S and the recipients $R_i$, i = 1, 2, ..., n;
S: the sender;
$R_i$: the i-th recipient, i = 1, 2, ..., n;
n: the number of recipients $R_i$ randomly selected by sender S;
$ID_U$: the identity information of user U;
$ID_S$: the identity information of sender S;
$ID_i$: the identity information of the i-th recipient $R_i$, i = 1, 2, ..., n;
$v_U$: the secret value randomly selected by user $U$;
$v_S$: the secret value randomly selected by sender $S$;
$v_i$: the secret value randomly selected by the $i$-th recipient $R_i$, $i = 1, 2, \dots, n$;
$V_U$: the secret value parameter of user $U$;
$V_S$: the secret value parameter of sender $S$;
$V_i$: the secret value parameter of the $i$-th recipient $R_i$, $i = 1, 2, \dots, n$;
$d_U$: the integer randomly selected by the KGC for user $U$;
$d_S$: the integer randomly selected by the KGC for sender $S$;
$d_i$: the integer randomly selected by the KGC for the $i$-th recipient $R_i$, $i = 1, 2, \dots, n$;
$D_U$: the partial public key of user $U$;
$D_S$: the partial public key of sender $S$;
$D_i$: the partial public key of the $i$-th recipient $R_i$, $i = 1, 2, \dots, n$;
$y_U$: the partial private key of user $U$;
$y_S$: the partial private key of sender $S$;
$y_i$: the partial private key of the $i$-th recipient $R_i$, $i = 1, 2, \dots, n$;
$r_U$: the pseudo partial private key of user $U$;
$r_S$: the pseudo partial private key of sender $S$;
$r_i$: the pseudo partial private key of the $i$-th recipient $R_i$, $i = 1, 2, \dots, n$;
$PK_U$: the public key of user $U$;
$PK_S$: the public key of sender $S$;
$PK_i$: the public key of the $i$-th recipient $R_i$, $i = 1, 2, \dots, n$;
$SK_U$: the private key of user $U$;
$SK_S$: the private key of sender $S$;
$SK_i$: the private key of the $i$-th recipient $R_i$, $i = 1, 2, \dots, n$;
$Q_i$: the pseudo public key of the $i$-th recipient $R_i$, $i = 1, 2, \dots, n$;
$w$: the signcryption integer randomly selected by sender $S$;
$W$: the signcryption verification share of sender $S$;
$F_i$: the signcryption verification share of the $i$-th recipient $R_i$, $i = 1, 2, \dots, n$;
$\alpha_i$: the pseudo identity value of the $i$-th recipient $R_i$, $i = 1, 2, \dots, n$;
$g$: the encryption integer randomly selected by sender $S$;
$g^{-1}$: the inverse of the encryption integer $g$ randomly selected by sender $S$, modulo the large prime $p$;
$G$: the encryption verification share;
$m$: the plaintext message;
$M$: the ciphertext message;
$\oplus$: the bitwise binary XOR operation, such as $x = 0101$, $y = 1011$, then
$\xi$: the pseudo key randomly selected by sender $S$;
$f(x)$: the recipient identity information mixed value, where $x$ denotes the independent variable;
$\prod$: the product operation, such as
mod: the modulo operation;
$a_i$: the coefficients of the recipient identity information mixed value $f(x)$, $i = 0, 1, \dots, n-1$;
$h$: the validity parameter of the ciphertext;
$h_0$: the pseudo parameter of the ciphertext;
$h'$: the authority parameter of the ciphertext;
$J$: the mixed ciphertext message;
$||$: the concatenation symbol; for example, $x = 0101$, $y = 1011$, then $x || y = 01011011$;
$\equiv$: the congruence symbol; for example, $1 \equiv 3 \pmod 2$, $2 \equiv 5 \pmod 3$;
$z$: the signature parameter;
$z^{-1}$: the inverse of the signature parameter $z$ modulo the large prime $p$;
$C$: the signcryption ciphertext.
Referring to Fig. 1, the specific steps of the certificateless anonymous multi-receiver signcryption method without a secure channel of the present invention are as follows:
Step 1, system parameter generation.
The key generation center KGC chooses a large prime $p$ according to the system security parameter $\eta$, chooses the finite field $F_p$ whose order is the large prime $p$, a secure elliptic curve $E$ over the finite field $F_p$ and the additive cyclic group $G_p$ on the elliptic curve $E$, and chooses a generator $P$ of the additive cyclic group $G_p$. The KGC randomly selects the system master key $s \in Z_p^*$ and keeps it secret, then computes the system public key $P_{pub} = sP$ and chooses 7 collision-resistant hash functions, denoted respectively: $H_0: \{0,1\}^* \times G_p \times Z_p^* \to Z_p^*$; $H_1: \{0,1\}^* \times G_p \to Z_p^*$; $H_2: G_p \times G_p \to Z_p^*$; $H_3: G_p \times \{0,1\}^* \to \{0,1\}^*$; $H_4: \{0,1\}^* \times \{0,1\}^* \times G_p \times G_p \times Z_p^* \times \dots \times Z_p^* \to \{0,1\}^*$; $H_5: Z_p^* \to Z_p^*$; $H_6: \{0,1\}^* \to Z_p^*$. The KGC then picks any one secure symmetric encryption algorithm $E_k$ from the existing symmetric encryption algorithms, together with the symmetric decryption algorithm $D_k$ corresponding to it. Finally, the KGC constructs the system parameters Params according to the following formula and publishes them:
$\text{Params} = \langle p, F_p, E, G_p, P, P_{pub}, E_k, D_k, H_0, H_1, H_2, H_3, H_4, H_5, H_6 \rangle$;
where $\eta$ denotes the system security parameter chosen by the KGC, $p$ denotes the large prime chosen by the KGC, $F_p$ denotes the finite field chosen by the KGC whose order is the large prime $p$, $E$ denotes the secure elliptic curve over the finite field $F_p$ chosen by the KGC, $G_p$ denotes the additive cyclic group on the elliptic curve $E$ chosen by the KGC, $P$ denotes the generator of the additive cyclic group $G_p$ chosen by the KGC, $s$ denotes the system master key chosen by the KGC, $H_0, H_1, H_2, H_3, H_4, H_5, H_6$ denote the collision-resistant hash functions chosen by the KGC, $A \to B$ denotes a mapping from domain $A$ to codomain $B$, $\{0,1\}^*$ denotes a string of arbitrary length composed of "0" and "1", $\times$ denotes the Cartesian product, $Z_p^*$ denotes the non-zero multiplicative group formed on the basis of the large prime $p$, $\in$ denotes the membership symbol, $P_{pub}$ denotes the system public key generated by the KGC, $E_k$ denotes the symmetric encryption algorithm, $D_k$ denotes the symmetric decryption algorithm, $k$ denotes the symmetric key, and Params denotes the system parameters;
Step 2, sender registration.
First step: sender $S$ randomly selects an integer $v_S \in Z_p^*$ as its secret value and computes its own secret value parameter $V_S$ according to the following formula:
$V_S = v_S P$
where $v_S$ denotes the secret value randomly selected by sender $S$, and $V_S$ denotes the secret value parameter of sender $S$;
Second step: sender $S$ sends its own secret value parameter $V_S$ and its own identity information $ID_S$ to the key generation center KGC over a public channel. After receiving the secret value parameter $V_S$ and identity information $ID_S$ of sender $S$, the KGC randomly selects an integer $d_S \in Z_p^*$ and computes the partial public key $D_S$ of sender $S$ according to the following formula:
$D_S = H_0(ID_S, V_S, d_S)P$
where $d_S$ denotes the integer randomly selected by the KGC for sender $S$, $D_S$ denotes the partial public key of sender $S$, and $ID_S$ denotes the identity information of sender $S$;
The KGC computes the partial private key $y_S$ of sender $S$ according to the following formula:
$y_S = H_0(ID_S, V_S, d_S) + s \pmod p$
where $y_S$ denotes the partial private key of sender $S$;
The KGC computes the pseudo partial private key $r_S$ of sender $S$ according to the following formula:
$r_S = y_S + H_1(ID_S, sV_S)$
where $r_S$ denotes the pseudo partial private key of sender $S$;
The KGC sends the partial public key $D_S$ and the pseudo partial private key $r_S$ of sender $S$ to sender $S$ over a public channel. Sender $S$ checks whether the received partial public key $D_S$ and pseudo partial private key $r_S$ satisfy the following equation:
$r_S P = D_S + P_{pub} + H_1(ID_S, v_S P_{pub})P$
If the equation holds, sender $S$ continues with the third step; otherwise, sender $S$ reports an error to the KGC and exits the sender registration process;
Third step: sender $S$ computes its public key $PK_S$ according to the following formula:
$PK_S = D_S + H_1(ID_S, V_S)V_S$
where $PK_S$ denotes the public key of sender $S$;
Sender $S$ computes its own partial private key $y_S$ according to the following formula:
$y_S = r_S - H_1(ID_S, v_S P_{pub})$
Sender $S$ computes its own private key $SK_S$ according to the following formula:
$SK_S = H_1(ID_S, PK_S)(y_S + H_1(ID_S, V_S)v_S) \pmod p$
where $SK_S$ denotes the private key of sender $S$;
Fourth step: sender $S$ sends the public key $PK_S$ to the KGC over a public channel, and the KGC publishes the public key $PK_S$ of sender $S$; sender $S$ securely keeps its own private key $SK_S$ and then exits the sender registration process;
Step 3, recipient registration.
First step: recipient $R_i$ randomly selects an integer $v_i \in Z_p^*$ as its secret value and computes its own secret value parameter $V_i$ according to the following formula:
$V_i = v_i P$
where $v_i$ denotes the secret value randomly selected by the $i$-th recipient $R_i$, and $V_i$ denotes the secret value parameter of the $i$-th recipient $R_i$;
Second step: recipient $R_i$ sends its own secret value parameter $V_i$ and its own identity information $ID_i$ to the key generation center KGC over a public channel. After receiving the secret value parameter $V_i$ and identity information $ID_i$ of recipient $R_i$, the KGC randomly selects an integer $d_i \in Z_p^*$ and computes the partial public key $D_i$ of recipient $R_i$ according to the following formula:
$D_i = H_0(ID_i, V_i, d_i)P$
where $d_i$ denotes the integer randomly selected by the KGC for the $i$-th recipient $R_i$, and $D_i$ denotes the partial public key of the $i$-th recipient $R_i$;
The KGC computes the partial private key $y_i$ of recipient $R_i$ according to the following formula:
$y_i = H_0(ID_i, V_i, d_i) + s \pmod p$
where $y_i$ denotes the partial private key of the $i$-th recipient $R_i$;
The KGC computes the pseudo partial private key $r_i$ of recipient $R_i$ according to the following formula:
$r_i = y_i + H_1(ID_i, sV_i)$
where $r_i$ denotes the pseudo partial private key of the $i$-th recipient $R_i$;
The KGC sends the partial public key $D_i$ and the pseudo partial private key $r_i$ of recipient $R_i$ to recipient $R_i$ over a public channel. Recipient $R_i$ checks whether the received partial public key $D_i$ and pseudo partial private key $r_i$ satisfy the following equation:
$r_i P = D_i + P_{pub} + H_1(ID_i, v_i P_{pub})P$
If the equation holds, recipient $R_i$ continues with the third step; otherwise, recipient $R_i$ reports an error to the KGC and exits the recipient registration process;
Third step: recipient $R_i$ computes its own public key $PK_i$ according to the following formula:
$PK_i = D_i + H_1(ID_i, V_i)V_i$
where $PK_i$ denotes the public key of the $i$-th recipient $R_i$;
Recipient $R_i$ computes its own partial private key $y_i$ according to the following formula:
$y_i = r_i - H_1(ID_i, v_i P_{pub})$
Recipient $R_i$ computes its private key $SK_i$ according to the following formula:
$SK_i = H_1(ID_i, PK_i)(y_i + H_1(ID_i, V_i)v_i) \pmod p$
where $SK_i$ denotes the private key of the $i$-th recipient $R_i$;
Fourth step: recipient $R_i$ sends its own public key $PK_i$ to the KGC over a public channel, and the KGC publishes the public key $PK_i$ of recipient $R_i$; recipient $R_i$ securely keeps its own private key $SK_i$ and then exits the recipient registration process;
Step 4, signcryption process.
First step: sender $S$ checks whether it has completed the sender registration process and obtained its own public key $PK_S$ and private key $SK_S$. If so, sender $S$ executes the second step; otherwise, sender $S$ executes the sender registration process, obtains its own public key $PK_S$ and private key $SK_S$, and then executes the second step;
Second step: sender $S$ randomly selects registered recipients $R_i$ and, for each $i = 1, 2, \dots, n$, computes the pseudo public key $Q_i$ of the $i$-th recipient $R_i$:
$Q_i = PK_i + P_{pub}$
where $Q_i$ denotes the pseudo public key of the $i$-th recipient $R_i$, $PK_i$ denotes the public key of the $i$-th recipient $R_i$, and $n$ denotes the number of recipients $R_i$ randomly selected by sender $S$;
Sender $S$ randomly selects a signcryption integer $w \in Z_p^*$ and computes the signcryption verification share $W$ of sender $S$ according to the following formula:
$W = wP$
where $w$ denotes the signcryption integer randomly selected by sender $S$, and $W$ denotes the signcryption verification share of sender $S$;
For each $i = 1, 2, \dots, n$, the signcryption verification share $F_i$ of the $i$-th recipient $R_i$ is computed according to the following formula:
$F_i = wH_1(ID_i, PK_i)Q_i$
where $F_i$ denotes the signcryption verification share of the $i$-th recipient $R_i$;
For each $i = 1, 2, \dots, n$, sender $S$ computes the pseudo identity value $\alpha_i$ of the $i$-th recipient $R_i$ according to the following formula:
$\alpha_i = H_2(W, F_i)$
where $\alpha_i$ denotes the pseudo identity value of the $i$-th recipient $R_i$;
Sender $S$ randomly selects an encryption integer $g \in Z_p^*$ and computes the encryption verification share $G$ according to the following formula:
$G = gP$
where $g$ denotes the encryption integer randomly selected by sender $S$, and $G$ denotes the encryption verification share;
Sender $S$ computes the ciphertext message $M$ according to the following formula:
$M = m \oplus H_3(G, ID_S)$
where $M$ denotes the ciphertext message, $m$ denotes the plaintext message, and $\oplus$ denotes the bitwise binary XOR operation;
Sender $S$ randomly selects an integer $\xi \in Z_p^*$ as the pseudo key and constructs the recipient identity information mixed value $f(x)$ according to the following formula:
where $\xi$ denotes the pseudo key randomly selected by sender $S$, $f(x)$ denotes the recipient identity information mixed value, $x$ denotes the independent variable, $\prod$ denotes the product operation, $\alpha_i$ denotes the pseudo identity value of the $i$-th recipient $R_i$, and $a_0, a_1, \dots, a_{n-1}$ denote the coefficients of the recipient identity information mixed value $f(x)$;
Sender $S$ computes the validity parameter $h$ of the ciphertext according to the following formula:
$h = H_4(M, ID_S, G, W, a_0, a_1, \dots, a_{n-1})$
where $h$ denotes the validity parameter of the ciphertext;
Sender $S$ computes the symmetric key $k$ according to the following formula:
$k = H_5(\xi)$
where $k$ denotes the symmetric key;
Sender $S$ computes the mixed ciphertext message $J$ according to the following formula:
$J = E_k(M || ID_S || h)$
where $J$ denotes the mixed ciphertext message, $E_k$ denotes the symmetric encryption algorithm, and $||$ denotes the concatenation symbol;
Sender $S$ computes the pseudo parameter $h_0$ of the ciphertext according to the following formula:
$h_0 = H_6(h)$
where $h_0$ denotes the pseudo parameter of the ciphertext;
Sender $S$ computes $g^{-1}$ such that it satisfies the equation $gg^{-1} \equiv 1 \pmod p$, and computes the signature parameter $z$:
$z = g^{-1}(SK_S + h_0) \pmod p$
where $g^{-1}$ denotes the inverse of the encryption integer $g$ randomly selected by sender $S$, modulo the large prime $p$, and $z$ denotes the signature parameter;
Third step: sender $S$ takes the mixed ciphertext message $J$, the signcryption verification share $W$ of sender $S$, the coefficients $a_0, a_1, \dots, a_{n-1}$ of the recipient identity information mixed value $f(x)$ and the signature parameter $z$ as the signcryption ciphertext $C$, and broadcasts the signcryption ciphertext $C$ to the recipients $R_i$, $i = 1, 2, \dots, n$;
Step 5, unsigncryption process.
First step: after receiving the signcryption ciphertext $C$, recipient $R_i$ first determines whether it is registered. If it is registered, it continues with the second step; otherwise, it discards the received signcryption ciphertext $C$ and exits the unsigncryption step, $i = 1, 2, \dots, n$, where $n$ denotes the number of recipients $R_i$ randomly selected by sender $S$;
Second step: recipient $R_i$ computes its own signcryption verification share $F_i$ according to the following formula:
$F_i = SK_i W$
Recipient $R_i$ computes its own pseudo identity value $\alpha_i$ according to the following formula:
$\alpha_i = H_2(W, F_i)$
Recipient $R_i$ computes the recipient identity information mixed value $f(x)$ according to the following formula:
$f(x) = x^n + a_{n-1}x^{n-1} + \dots + a_1 x + a_0$
Recipient $R_i$ computes the pseudo key $\xi$ randomly selected by sender $S$ according to the following formula:
$\xi = f(\alpha_i)$
Recipient $R_i$ computes the symmetric key $k$ according to the following formula:
$k = H_5(\xi)$
Recipient $R_i$ computes the ciphertext message $M$, the identity information $ID_S$ of sender $S$ and the validity parameter $h$ of the ciphertext according to the following formula:
$M || ID_S || h = D_k(J)$
Recipient $R_i$ computes the pseudo parameter $h_0$ of the ciphertext according to the following formula:
$h_0 = H_6(h)$
Recipient $R_i$ computes the encryption verification share $G$ according to the following formula:
$G = z^{-1}(H_1(ID_S, PK_S)(PK_S + P_{pub}) + h_0 P)$
where $z^{-1}$ denotes the inverse of the signature parameter $z$ modulo the large prime $p$;
Recipient $R_i$ computes the authority parameter $h'$ of the ciphertext according to the following formula:
$h' = H_4(M, ID_S, G, W, a_0, a_1, \dots, a_{n-1})$
where $h'$ denotes the authority parameter of the ciphertext;
Recipient $R_i$ checks whether the authority parameter $h'$ of the ciphertext and the validity parameter $h$ of the ciphertext are equal. If they are, the identity of sender $S$ has passed verification; recipient $R_i$ decides to accept the ciphertext message $M$ sent by sender $S$ and executes the third step. Otherwise, the identity verification of sender $S$ has failed; recipient $R_i$ refuses to accept the ciphertext message $M$ sent by sender $S$ and exits the unsigncryption process.
Third step: recipient $R_i$ decrypts to obtain the plaintext message $m$ according to the following formula:
where $m$ denotes the plaintext message, $M$ denotes the ciphertext message, $\oplus$ denotes the bitwise binary XOR operation, $H_3$ denotes the collision-resistant hash function chosen by the key generation center KGC, $G$ denotes the encryption verification share, and $ID_S$ denotes the identity information of sender $S$.
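The registration, signcryption and unsigncryption steps above, carried through end to end as an added example (not code from the patent). Assumptions: secp256k1 stands in for $E$ and $G_p$, SHA-256 for $H_0 \dots H_6$, a SHAKE-256 keystream for $E_k$/$D_k$, scalars are reduced modulo the group order, and $f(x) = \prod (x - \alpha_i) + \xi$ and $m = M \oplus H_3(G, ID_S)$ are taken as the forms consistent with the recipient-side equations; all function names are hypothetical.

```python
import hashlib, secrets

# Assumptions: secp256k1 stands in for E/G_p; scalars are taken mod the group order N.
FP = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):                       # affine point addition; None is the identity
    if A is None or B is None:
        return A or B
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % FP == 0:
        return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, FP) if A == B
           else (y2 - y1) * pow((x2 - x1) % FP, -1, FP))
    x3 = (lam * lam - x1 - x2) % FP
    return x3, (lam * (x1 - x3) - y1) % FP

def mul(k, A):                       # double-and-add scalar multiplication
    R, k = None, k % N
    while k:
        if k & 1:
            R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def rand():                          # uniform element of Z_N^*
    return secrets.randbelow(N - 1) + 1

def H(j, *parts):                    # H_j into Z_N^*: SHA-256, domain-separated by j
    d = hashlib.sha256(repr((j,) + parts).encode()).digest()
    return int.from_bytes(d, "big") % (N - 1) + 1

def xof_xor(data, *parts):           # SHAKE-256 keystream XOR: H_3 mask and E_k/D_k stand-in
    ks = hashlib.shake_256(repr(parts).encode()).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

def kgc_issue(s, ID, V):             # KGC: (D, r) go out over the public channel
    h0 = H(0, ID, V, rand())         # y = h0 + s is never sent in the clear
    return mul(h0, P), (h0 + s + H(1, ID, mul(s, V))) % N

def user_finish(ID, v, D, r, Ppub):  # user: check (D, r), then derive (PK, SK)
    V, blind = mul(v, P), H(1, ID, mul(v, Ppub))
    if mul(r, P) != add(add(D, Ppub), mul(blind, P)):
        raise ValueError("pseudo partial private key rejected")
    PK = add(D, mul(H(1, ID, V), V))
    return PK, H(1, ID, PK) * (r - blind + H(1, ID, V) * v) % N   # y = r - blind

def register(s, Ppub, ID):
    v = rand()
    D, r = kgc_issue(s, ID, mul(v, P))
    return user_finish(ID, v, D, r, Ppub)

def signcrypt(m, ID_S, SK_S, recipients, Ppub):   # recipients: [(ID_i, PK_i)]
    w, g, xi = rand(), rand(), rand()
    W, G = mul(w, P), mul(g, P)
    coeffs = [1]                     # f(x) = prod(x - alpha_i) + xi, low degree first
    for ID, PK in recipients:
        alpha = H(2, W, mul(w * H(1, ID, PK), add(PK, Ppub)))   # H_2(W, F_i)
        nxt = [0] * (len(coeffs) + 1)
        for i, c in enumerate(coeffs):
            nxt[i] = (nxt[i] - alpha * c) % N
            nxt[i + 1] = (nxt[i + 1] + c) % N
        coeffs = nxt
    coeffs[0] = (coeffs[0] + xi) % N
    a = coeffs[:-1]                  # a_0..a_{n-1}; the leading 1 is implied
    M = xof_xor(m, 3, G, ID_S)       # M = m XOR H_3(G, ID_S)
    h = H(4, M, ID_S, G, W, *a)
    body = bytes([len(ID_S)]) + ID_S + h.to_bytes(32, "big") + M  # framing is an assumption
    J = xof_xor(body, "E", H(5, xi)) # J = E_k(...) with k = H_5(xi)
    z = pow(g, -1, N) * (SK_S + H(6, h)) % N
    return J, W, a, z

def unsigncrypt(C, SK_i, directory, Ppub):        # directory: public {ID: PK}
    J, W, a, z = C
    alpha = H(2, W, mul(SK_i, W))    # F_i = SK_i * W
    xi = (pow(alpha, len(a), N) + sum(c * pow(alpha, i, N) for i, c in enumerate(a))) % N
    body = xof_xor(J, "E", H(5, xi))
    n = body[0]
    ID_S, h, M = body[1:1 + n], int.from_bytes(body[1 + n:33 + n], "big"), body[33 + n:]
    PK_S = directory.get(ID_S)
    if PK_S is None or z % N == 0:   # wrong key gives garbage; reject malformed z
        return None
    G = mul(pow(z, -1, N), add(mul(H(1, ID_S, PK_S), add(PK_S, Ppub)), mul(H(6, h), P)))
    if H(4, M, ID_S, G, W, *a) != h: # h' must equal h before anything is decrypted
        return None
    return xof_xor(M, 3, G, ID_S)

def demo():                          # constructed identities and message
    s = rand(); Ppub = mul(s, P)
    keys = {i: register(s, Ppub, i) for i in (b"sender", b"r1", b"r2", b"outsider")}
    pub = {i: k[0] for i, k in keys.items()}
    C = signcrypt(b"constructed message", b"sender", keys[b"sender"][1],
                  [(i, pub[i]) for i in (b"r1", b"r2")], Ppub)
    return [unsigncrypt(C, keys[i][1], pub, Ppub) for i in (b"r1", b"r2", b"outsider")]

if __name__ == "__main__":
    print(demo())
```

The keystream cipher here is unauthenticated and the affine point arithmetic is not constant-time; a vetted curve library and a standard symmetric cipher belong in their place outside of studying the equations.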
Claims (1)
1. A certificateless anonymous multi-receiver signcryption method without a secure channel, characterized by comprising the following steps:
Step 1: user $U$, which includes the sender $S$ and the recipients $R_i$, obtains its own public key $PK_U$ and private key $SK_U$, where $i = 1, 2, \dots, n$, and $n$ is a positive integer denoting the number of recipients chosen by sender $S$;
Step 2: user $U$ randomly selects an integer $v_U \in Z_p^*$ as its secret value and then computes its own secret value parameter $V_U$ according to the following formula:
$V_U = v_U P$
where $v_U$ denotes the secret value randomly selected by user $U$, $\in$ denotes the membership symbol, $Z_p^*$ denotes the non-zero multiplicative group formed on the basis of the large prime $p$, $p$ denotes the large prime chosen by the key generation center KGC, $V_U$ denotes the secret value parameter of user $U$, $P$ denotes the generator of the additive cyclic group $G_p$ chosen by the KGC, $G_p$ denotes the additive cyclic group on the elliptic curve $E$ chosen by the KGC, $E$ denotes the secure elliptic curve over the finite field $F_p$ chosen by the KGC, and $F_p$ denotes the finite field chosen by the KGC whose order is the large prime $p$;
Step 3: user $U$ sends the secret value parameter $V_U$ and its own identity information $ID_U$ to the key generation center KGC over a public channel. After receiving the secret value parameter $V_U$ and identity information $ID_U$ of user $U$, the KGC randomly selects an integer $d_U \in Z_p^*$ and computes the partial public key $D_U$ of user $U$ according to the following formula:
$D_U = H_0(ID_U, V_U, d_U)P$
where $d_U$ denotes the integer randomly selected by the KGC for user $U$, $\in$ denotes the membership symbol, $Z_p^*$ denotes the non-zero multiplicative group formed on the basis of the large prime $p$, $p$ denotes the large prime chosen by the KGC, $D_U$ denotes the partial public key of user $U$, $H_0$ denotes the collision-resistant hash function chosen by the KGC, $ID_U$ denotes the identity information of user $U$, $V_U$ denotes the secret value parameter of user $U$, and $P$ denotes the generator of the additive cyclic group $G_p$ chosen by the KGC;
Step 4: the KGC computes the partial private key $y_U$ of user $U$ according to the following formula:
$y_U = H_0(ID_U, V_U, d_U) + s \pmod p$
where $y_U$ denotes the partial private key of user $U$, $H_0$ denotes the collision-resistant hash function chosen by the KGC, $ID_U$ denotes the identity information of user $U$, $V_U$ denotes the secret value parameter of user $U$, $d_U$ denotes the integer randomly selected by the KGC for user $U$, $s$ denotes the system master key chosen by the KGC, mod denotes the modulo operation, and $p$ denotes the large prime chosen by the KGC;
Step 5: the KGC computes the pseudo partial private key $r_U$ of user $U$ according to the following formula:
$r_U = y_U + H_1(ID_U, sV_U)$
where $r_U$ denotes the pseudo partial private key of user $U$, $y_U$ denotes the partial private key of user $U$, $H_1$ denotes the collision-resistant hash function chosen by the KGC, $ID_U$ denotes the identity information of user $U$, $s$ denotes the system master key chosen by the KGC, and $V_U$ denotes the secret value parameter of user $U$;
Step 6: the KGC sends the partial public key $D_U$ and the pseudo partial private key $r_U$ of user $U$ to user $U$ over a public channel;
Step 7: after receiving the partial public key $D_U$ and the pseudo partial private key $r_U$ sent by the KGC, user $U$ checks whether they satisfy the following equation; if so, step 8 is executed; otherwise, user $U$ reports an error to the KGC and exits the user registration process;
$r_U P = D_U + P_{pub} + H_1(ID_U, v_U P_{pub})P$
where $r_U$ denotes the pseudo partial private key of user $U$, $D_U$ denotes the partial public key of user $U$, $P_{pub}$ denotes the system public key generated by the KGC, $H_1$ denotes the collision-resistant hash function chosen by the KGC, $ID_U$ denotes the identity information of user $U$, $v_U$ denotes the secret value randomly selected by user $U$, and $P$ denotes the generator of the additive cyclic group $G_p$ chosen by the KGC;
Step 8: user $U$ computes its public key $PK_U$ according to the following formula:
$PK_U = D_U + H_1(ID_U, V_U)V_U$
where $PK_U$ denotes the public key of user $U$, $D_U$ denotes the partial public key of user $U$, $H_1$ denotes the collision-resistant hash function chosen by the key generation center KGC, $ID_U$ denotes the identity information of user $U$, and $V_U$ denotes the secret value parameter of user $U$;
Step 9: user $U$ computes its own partial private key $y_U$ according to the following formula:
$y_U = r_U - H_1(ID_U, v_U P_{pub})$
where $y_U$ denotes the partial private key of user $U$, $r_U$ denotes the pseudo partial private key of user $U$, $H_1$ denotes the collision-resistant hash function chosen by the KGC, $ID_U$ denotes the identity information of user $U$, $v_U$ denotes the secret value randomly selected by user $U$, and $P_{pub}$ denotes the system public key generated by the KGC;
Step 10: user $U$ computes its private key $SK_U$ according to the following formula:
$SK_U = H_1(ID_U, PK_U)(y_U + H_1(ID_U, V_U)v_U) \pmod p$
where $SK_U$ denotes the private key of user $U$, $H_1$ denotes the collision-resistant hash function chosen by the KGC, $ID_U$ denotes the identity information of user $U$, $PK_U$ denotes the public key of user $U$, $y_U$ denotes the partial private key of user $U$, $V_U$ denotes the secret value parameter of user $U$, $v_U$ denotes the secret value randomly selected by user $U$, mod denotes the modulo operation, and $p$ denotes the large prime chosen by the KGC;
Step 11: user $U$ sends its own public key $PK_U$ to the KGC over a public channel, and the KGC publishes the public key $PK_U$ of user $U$; user $U$ securely keeps its own private key $SK_U$ and then exits the user registration process;
Step 12: sender $S$ checks whether it has already carried out the user registration process; if so, step 13 is executed; otherwise, sender $S$ executes the user registration process, obtains its own public key $PK_S$ and private key $SK_S$, and then executes step 13;
Step 13: sender $S$ randomly selects registered recipients $R_i$, $i = 1, 2, \dots, n$, where $n$ is a positive integer denoting the number of recipients $R_i$ randomly selected by sender $S$;
Step 14: for each $i = 1, 2, \dots, n$, sender $S$ computes the pseudo public key $Q_i$ of the $i$-th recipient $R_i$ according to the following formula:
$Q_i = PK_i + P_{pub}$
where $Q_i$ denotes the pseudo public key of the $i$-th recipient $R_i$, $PK_i$ denotes the public key of the $i$-th recipient $R_i$, $n$ denotes the number of recipients $R_i$ randomly selected by sender $S$, and $P_{pub}$ denotes the system public key generated by the key generation center KGC;
Step 15: sender $S$ randomly selects a signcryption integer $w \in Z_p^*$ and computes the signcryption verification share $W$ of sender $S$ according to the following formula:
$W = wP$
where $w$ denotes the signcryption integer randomly selected by sender $S$, $W$ denotes the signcryption verification share of sender $S$, $\in$ denotes the membership symbol, $Z_p^*$ denotes the non-zero multiplicative group formed on the basis of the large prime $p$, and $P$ denotes the generator of the additive cyclic group $G_p$ chosen by the KGC;
Step 16: for each $i = 1, 2, \dots, n$, sender $S$ computes the signcryption verification share $F_i$ of the $i$-th recipient $R_i$ according to the following formula:
$F_i = wH_1(ID_i, PK_i)Q_i$
where $F_i$ denotes the signcryption verification share of the $i$-th recipient $R_i$, $w$ denotes the signcryption integer randomly selected by sender $S$, $H_1$ denotes the collision-resistant hash function chosen by the KGC, $ID_i$ denotes the identity information of the $i$-th recipient $R_i$, $PK_i$ denotes the public key of the $i$-th recipient $R_i$, $Q_i$ denotes the pseudo public key of the $i$-th recipient $R_i$, and $n$ denotes the number of recipients $R_i$ randomly selected by sender $S$;
Step 17: for each $i = 1, 2, \dots, n$, sender $S$ computes the pseudo identity value $\alpha_i$ of the $i$-th recipient $R_i$ according to the following formula:
$\alpha_i = H_2(W, F_i)$
where $\alpha_i$ denotes the pseudo identity value of the $i$-th recipient $R_i$, $H_2$ denotes the collision-resistant hash function chosen by the KGC, $W$ denotes the signcryption verification share of sender $S$, $F_i$ denotes the signcryption verification share of the $i$-th recipient $R_i$, and $n$ denotes the number of recipients $R_i$ randomly selected by sender $S$;
Step 18: sender $S$ randomly selects an encryption integer $g \in Z_p^*$ and computes the encryption verification share $G$ according to the following formula:
$G = gP$
where $g$ denotes the encryption integer randomly selected by sender $S$, $G$ denotes the encryption verification share, $\in$ denotes the membership symbol, $Z_p^*$ denotes the non-zero multiplicative group formed on the basis of the large prime $p$, and $P$ denotes the generator of the additive cyclic group $G_p$ chosen by the KGC;
Step 19: sender $S$ computes the ciphertext message $M$ according to the following formula:
$M = m \oplus H_3(G, ID_S)$
where $M$ denotes the ciphertext message, $m$ denotes the plaintext message, $\oplus$ denotes the bitwise binary XOR operation, $H_3$ denotes the collision-resistant hash function chosen by the KGC, $G$ denotes the encryption verification share, and $ID_S$ denotes the identity information of sender $S$;
Step 20: sender $S$ randomly selects an integer $\xi \in Z_p^*$ as the pseudo key and constructs the recipient identity information mixed value $f(x)$ according to the following formula:
where $\xi$ denotes the pseudo key randomly selected by sender $S$, $\in$ denotes the membership symbol, $Z_p^*$ denotes the non-zero multiplicative group formed on the basis of the large prime $p$, $f(x)$ denotes the recipient identity information mixed value, $x$ denotes the independent variable, $\prod$ denotes the product operation, $\alpha_i$ denotes the pseudo identity value of the $i$-th recipient $R_i$, $n$ denotes the number of recipients $R_i$ randomly selected by sender $S$, mod denotes the modulo operation, $p$ denotes the large prime chosen by the KGC, and $a_0, a_1, \dots, a_{n-1}$ denote the coefficients of the recipient identity information mixed value $f(x)$;
Step 21: sender $S$ computes the validity parameter $h$ of the ciphertext according to the following formula:
$h = H_4(M, ID_S, G, W, a_0, a_1, \dots, a_{n-1})$
where $h$ denotes the validity parameter of the ciphertext, $H_4$ denotes the collision-resistant hash function chosen by the key generation center KGC, $M$ denotes the ciphertext message, $ID_S$ denotes the identity information of sender $S$, $G$ denotes the encryption verification share, $W$ denotes the signcryption verification share of sender $S$, and $a_0, a_1, \dots, a_{n-1}$ denote the coefficients of the recipient identity information mixed value $f(x)$;
Step 22: sender $S$ computes the symmetric key $k$ according to the following formula:
$k = H_5(\xi)$
where $k$ denotes the symmetric key, $H_5$ denotes the collision-resistant hash function chosen by the KGC, and $\xi$ denotes the pseudo key randomly selected by sender $S$;
Step 23: sender $S$ computes the mixed ciphertext message $J$ according to the following formula:
$J = E_k(M || ID_S || h)$
where $J$ denotes the mixed ciphertext message, $E_k$ denotes the symmetric encryption algorithm, $k$ denotes the symmetric key, $M$ denotes the ciphertext message, $ID_S$ denotes the identity information of sender $S$, $h$ denotes the validity parameter of the ciphertext, and $||$ denotes the concatenation symbol;
Step 24: sender $S$ computes the pseudo parameter $h_0$ of the ciphertext according to the following formula:
$h_0 = H_6(h)$
where $h_0$ denotes the pseudo parameter of the ciphertext, $H_6$ denotes the collision-resistant hash function chosen by the KGC, and $h$ denotes the validity parameter of the ciphertext;
Step 25: sender $S$ computes $g^{-1}$ such that it satisfies the equation $gg^{-1} \equiv 1 \pmod p$, and computes the signature parameter $z$:
$z = g^{-1}(SK_S + h_0) \pmod p$
where $g$ denotes the encryption integer randomly selected by sender $S$, $g^{-1}$ denotes the inverse of the encryption integer $g$ randomly selected by sender $S$, modulo the large prime $p$, $z$ denotes the signature parameter, $SK_S$ denotes the private key of sender $S$, $h_0$ denotes the pseudo parameter of the ciphertext, mod denotes the modulo operation, and $p$ denotes the large prime chosen by the KGC;
Step 26: sender $S$ takes the mixed ciphertext message $J$, the signcryption verification share $W$ of sender $S$, the coefficients $a_0, a_1, \dots, a_{n-1}$ of the recipient identity information mixed value $f(x)$ and the signature parameter $z$ as the signcryption ciphertext $C$, and broadcasts the signcryption ciphertext $C$ to the recipients $R_i$, where $i = 1, 2, \dots, n$;
Step 27: after receiving the signcryption ciphertext $C$, recipient $R_i$ executes the unsigncryption process, where $i = 1, 2, \dots, n$, and $n$ denotes the number of recipients $R_i$ randomly selected by sender $S$;
Step 2 18, according to the following formula, recipient RiCalculate the close verification share F of label of oneselfi:
Fi=SKiW
Wherein, FiIndicate i-th of recipient RiThe close verification share of label, SKiIndicate i-th of recipient RiPrivate key, W indicate send
The close verification share of label of person S;
Step 2 19, according to the following formula, recipient RiCalculate the false identity value α of oneselfi:
αi=H2(W,Fi)
Wherein, αiIndicate i-th of recipient RiFalse identity value, H2Indicate the impact resistant Hash letter that key generation centre KGC chooses
Number, W indicate the close verification share of label of sender S, FiIndicate i-th of recipient RiThe close verification share of label;
Step 3 ten, according to the following formula, recipient RiCalculate recipient identity information mixed number f (x):
F (x)=xn+an-1xn-1+...+a1x+a0
Wherein, f (x) indicates that recipient's identity information mixed number, x indicate that independent variable, n indicate the reception that sender S is randomly selected
Person RiNumber, a0,a1,...,an-1Indicate each term coefficient of recipient identity information mixed number f (x);
Step 3 11, according to the following formula, recipient RiCalculate the pseudo- key ξ that sender S is randomly selected:
ξ=f (αi)
Wherein, ξ indicates that the pseudo- key that sender S is randomly selected, f (x) indicate that recipient's identity information mixed number, x are indicated from change
Amount, αiIndicate i-th of recipient RiFalse identity value;
Step 32, recipient $R_i$ computes the symmetric key $k$ according to the following formula:
$k = H_5(\xi)$
Wherein, $k$ denotes the symmetric key, $H_5$ denotes a collision-resistant hash function chosen by the key generation center KGC, and $\xi$ denotes the pseudo-key randomly selected by the sender S;
Step 33, recipient $R_i$ computes the ciphertext message $M$, the identity information $ID_S$ of the sender S, and the validity parameter $h$ of the ciphertext according to the following formula:
$M \| ID_S \| h = D_k(J)$
Wherein, $M$ denotes the ciphertext message, $ID_S$ denotes the identity information of the sender S, $h$ denotes the validity parameter of the ciphertext, $J$ denotes the mixed ciphertext message, $D_k$ denotes the symmetric decryption algorithm, $k$ denotes the symmetric key, and $\|$ denotes the concatenation operator;
Step 34, recipient $R_i$ computes the pseudo-parameter $h_0$ of the ciphertext according to the following formula:
$h_0 = H_6(h)$
Wherein, $h_0$ denotes the pseudo-parameter of the ciphertext, $H_6$ denotes a collision-resistant hash function chosen by the key generation center KGC, and $h$ denotes the validity parameter of the ciphertext;
Step 35, recipient $R_i$ computes the encrypted authentication share $G$ according to the following formula:
$G = z^{-1}\left(H_1(ID_S, PK_S)(PK_S + P_{pub}) + h_0 P\right)$
Wherein, $G$ denotes the encrypted authentication share, $z$ denotes the signature parameter, $z^{-1}$ denotes the inverse of the signature parameter $z$ modulo the large prime $p$, $H_1$ denotes a collision-resistant hash function chosen by the key generation center KGC, $ID_S$ denotes the identity information of the sender S, $PK_S$ denotes the public key of the sender S, $P_{pub}$ denotes the system public key generated by the key generation center KGC, $h_0$ denotes the pseudo-parameter of the ciphertext, and $P$ denotes a generator of the additive cyclic group $G_p$ chosen by the key generation center KGC;
Step 36, recipient $R_i$ computes the rights parameter $h'$ of the ciphertext according to the following formula:
$h' = H_4(M, ID_S, G, W, a_0, a_1, \ldots, a_{n-1})$
Wherein, $h'$ denotes the rights parameter of the ciphertext, $H_4$ denotes a collision-resistant hash function chosen by the key generation center KGC, $M$ denotes the ciphertext message, $ID_S$ denotes the identity information of the sender S, $G$ denotes the encrypted authentication share, $W$ denotes the signcryption verification share of the sender S, and $a_0, a_1, \ldots, a_{n-1}$ denote the coefficients of the recipient identity information mixed value $f(x)$;
Step 37, recipient $R_i$ checks whether the rights parameter $h'$ of the ciphertext equals the validity parameter $h$ of the ciphertext; if so, the identity of the sender S has passed verification, and recipient $R_i$ accepts the ciphertext message $M$ sent by the sender S and executes Step 38; otherwise, authentication of the sender S has failed, and recipient $R_i$ rejects the ciphertext message $M$ sent by the sender S and exits the unsigncryption process;
Step 38, recipient $R_i$ decrypts to obtain the plaintext message $m$:
$m = M \oplus H_3(G, ID_S)$
Wherein, $m$ denotes the plaintext message, $M$ denotes the ciphertext message, $\oplus$ denotes the bitwise XOR operation, $H_3$ denotes a collision-resistant hash function chosen by the key generation center KGC, $G$ denotes the encrypted authentication share, and $ID_S$ denotes the identity information of the sender S.
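The recipient-side key recovery described above (pseudo-identity $\alpha_i$, evaluation of $f$, pseudo-key $\xi$, symmetric key $k$) is sketched below in Python as an added illustration, not code from the patent. It assumes SHA-256 stand-ins for $H_2$ and $H_5$, a toy prime in place of the large prime $p$, and constructed byte strings in place of the encoded points $W$ and $F_i$. The sender-side `build_coefficients` is inferred from the fact that a monic degree-$n$ polynomial with $f(\alpha_i) = \xi$ at $n$ distinct points must equal $\prod_i (x - \alpha_i) + \xi \bmod p$.

```python
import hashlib
import secrets

# Constructed toy modulus: a Mersenne prime standing in for the large prime p.
P = 2**127 - 1

def h2(w: bytes, f_i: bytes) -> int:
    """Stand-in for H2 (SHA-256 is an assumption): map (W, F_i) into Z_p."""
    return int.from_bytes(hashlib.sha256(b"H2" + w + f_i).digest(), "big") % P

def h5(xi: int) -> bytes:
    """Stand-in for H5: derive the symmetric key k from the pseudo-key xi."""
    return hashlib.sha256(b"H5" + xi.to_bytes(16, "big")).digest()

def build_coefficients(alphas, xi):
    """Sender side (inferred): expand prod(x - alpha_i) + xi mod p.
    Returns [a_0, ..., a_{n-1}]; the leading coefficient 1 is implicit."""
    coeffs = [1]  # low-order first
    for a in alphas:
        nxt = [0] * (len(coeffs) + 1)
        for j, c in enumerate(coeffs):
            nxt[j + 1] = (nxt[j + 1] + c) % P  # contribution of c * x
            nxt[j] = (nxt[j] - c * a) % P      # contribution of c * (-alpha)
        coeffs = nxt
    coeffs[0] = (coeffs[0] + xi) % P
    return coeffs[:-1]

def evaluate(coeffs, x):
    """Recipient side: Horner evaluation of x^n + a_{n-1}x^{n-1} + ... + a_0."""
    acc = 1
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def recover_key(w, f_i, coeffs):
    """alpha_i = H2(W, F_i); xi = f(alpha_i); k = H5(xi)."""
    return h5(evaluate(coeffs, h2(w, f_i)))

def demo():
    w = b"constructed-W"  # constructed sample values, not real curve points
    shares = [b"constructed-F1", b"constructed-F2", b"constructed-F3"]
    xi = secrets.randbelow(P)
    coeffs = build_coefficients([h2(w, f) for f in shares], xi)
    keys = [recover_key(w, f, coeffs) for f in shares]
    outsider = recover_key(w, b"constructed-F-outsider", coeffs)
    return h5(xi), keys, outsider, coeffs
```

A share that does not belong to any selected recipient hashes to a point where $\prod_i (x - \alpha_i)$ is nonzero, so the evaluation yields a value other than $\xi$ and the derived key differs.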
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810419999.1A CN108809650B (en) | 2018-05-04 | 2018-05-04 | Certificateless anonymous multi-receiver signcryption method without secure channel |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108809650A (en) | 2018-11-13 |
CN108809650B (en) | 2021-04-13 |
Family
ID=64093692
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810419999.1A Active CN108809650B (en) | 2018-05-04 | 2018-05-04 | Certificateless anonymous multi-receiver signcryption method without secure channel |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108809650B (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106936593A (en) * | 2017-05-12 | 2017-07-07 | 西安电子科技大学 | Efficient anonymous certificateless multi-receiver signcryption method based on elliptic curve |
CN107438006A (en) * | 2017-09-12 | 2017-12-05 | 西安电子科技大学 | Fully anonymous certificateless multi-receiver signcryption method |
CN107682145A (en) * | 2017-09-12 | 2018-02-09 | 西安电子科技大学 | Truly anonymous certificateless multi-message multi-receiver signcryption method |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109921896A (en) * | 2019-03-11 | 2019-06-21 | 郑州师范学院 | Signcryption method, system, device and computer-readable storage medium |
CN114128213A (en) * | 2019-05-29 | 2022-03-01 | 比特飞翔区块链株式会社 | Apparatus, method, and program for verifying authenticity of public key |
CN114128213B (en) * | 2019-05-29 | 2024-05-28 | 比特飞翔区块链株式会社 | Apparatus, method, and program for verifying the authenticity of a public key |
CN111262709A (en) * | 2020-01-17 | 2020-06-09 | 铜陵学院 | Trapdoor hash function-based unlicensed bookmark encryption system and method |
CN111262709B (en) * | 2020-01-17 | 2022-05-10 | 铜陵学院 | Trapdoor hash function-based unlicensed bookmark encryption system and method |
CN111934887A (en) * | 2020-08-10 | 2020-11-13 | 西安电子科技大学 | Multi-receiver signcryption method based on interpolation polynomial |
CN114189339A (en) * | 2021-12-07 | 2022-03-15 | 贵州亨达集团信息安全技术有限公司 | Certificateless aggregation signature method and certificateless aggregation signature system supporting parallel key isolation |
CN114189339B (en) * | 2021-12-07 | 2024-01-26 | 贵州亨达集团信息安全技术有限公司 | Certificate-free aggregation signature method and system supporting parallel key isolation |
Also Published As
Publication number | Publication date |
---|---|
CN108809650B (en) | 2021-04-13 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||