CN108809650A - Without safe lane without certificate anonymity multi-receiver label decryption method - Google Patents

Without safe lane without certificate anonymity multi-receiver label decryption method Download PDF

Info

Publication number
CN108809650A
CN108809650A CN201810419999.1A CN201810419999A CN108809650A CN 108809650 A CN108809650 A CN 108809650A CN 201810419999 A CN201810419999 A CN 201810419999A CN 108809650 A CN108809650 A CN 108809650A
Authority
CN
China
Prior art keywords
indicate
sender
key
recipient
user
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201810419999.1A
Other languages
Chinese (zh)
Other versions
CN108809650B (en
Inventor
庞辽军
贾生盼
叩曼
李慧贤
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Xidian University
Original Assignee
Xidian University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Xidian University filed Critical Xidian University
Priority to CN201810419999.1A priority Critical patent/CN108809650B/en
Publication of CN108809650A publication Critical patent/CN108809650A/en
Application granted granted Critical
Publication of CN108809650B publication Critical patent/CN108809650B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3066Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3252Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using DSA or related signature schemes, e.g. elliptic based signatures, ElGamal or Schnorr schemes

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Theoretical Computer Science (AREA)
  • Mathematical Physics (AREA)
  • Physics & Mathematics (AREA)
  • Pure & Applied Mathematics (AREA)
  • Mathematical Optimization (AREA)
  • Computing Systems (AREA)
  • Mathematical Analysis (AREA)
  • General Physics & Mathematics (AREA)
  • Algebra (AREA)
  • Storage Device Security (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a kind of no safe lanes without certificate anonymity multi-receiver label decryption method, the technical problem for solving existing no certificate anonymity multi-receiver label decryption method safety difference.Technical solution is that pseudo- part private key and part public key are sent to user by overt channel by key generation centre KGC first, after user receives, it verifies the part public key received and whether pseudo- part private key is true, if, the public key, part private key and private key for then calculating user, otherwise stop operation;Next close algorithm design will be signed on elliptic curve, sign the identity information that the cipher-text information in close algorithm does not include sender and recipients, Last call cipher-text message, only authorized receiver just decrypt cipher-text message and obtain clear-text message under the premise of verification cipher-text message is legal.The pseudo- part private key of user is sent to user by the present invention by overt channel, reduces cost;And authorized receiver decrypts cipher-text message, improves safety when verification ciphertext is legal.

Description

Without safe lane without certificate anonymity multi-receiver label decryption method
Technical field
The present invention relates to a kind of no certificate anonymity multi-receiver label decryption method, more particularly to a kind of no safe lane without card Book anonymity multi-receiver label decryption method.
Background technology
It is anonymous more that document " number of patent application is 201710332215.7 Chinese invention patent " proposes a kind of no certificate Recipient signs decryption method.This method key generation centre KGC first generates the public key and part private key of user, and sends it to User.After user receives public key and part private key, the private key of oneself is calculated, and whether verify the public key received and part private key Correctly, if correctly, continuing to execute subsequent operation, otherwise stopping operation;Next close algorithm is signed in design on elliptic curve, It obtains signing ciphertext, broadcast transmission label ciphertext is to recipient, but it is bright to only have the recipient authorized that could correctly decrypt Literary message.Finally, the recipient of mandate verifies the legitimacy of clear-text message, if legal, authorized receiver receives clear-text message, Otherwise, clear-text message is rejected.Shortcoming existing for this method is that first, key generation centre KGC passes through safe lane Send the part private key of user, it is meant that in interactive portion private key, safety is completely dependent on by user and key generation centre KGC In safe lane, if safe lane is destroyed, anyone can obtain the part private key of user, and use peace The cost overhead of all channel is larger;Secondly, although this method, which has signature operation, authorized receiver, to be obtained in plain text in decryption After message, then the legitimacy of clear-text message is verified, this causes authorized receiver that can decrypt useless or untrue or even carry sick The clear-text message of poison, to bring certain harm to authorized receiver.
In conclusion not only result in system cost expense larger for the use of above method safe lane, and lead to user The safety of part private key is relatively low.In addition authorized receiver can decrypt useless or untrue or even take viruliferous plaintext and disappear Breath, it is meant that the safety of the above method is relatively low.
Invention content
In order to overcome the shortcomings of that existing no certificate anonymity multi-receiver label decryption method safety is poor, the present invention provides a kind of nothing Safe lane without certificate anonymity multi-receiver label decryption method.This method passes through overt channel by key generation centre KGC first Pseudo- part private key and part public key are sent to user, after user receives, verify the part public key received and pseudo- part private key It is whether true, if so, otherwise the public key, part private key and private key for then calculating user stop operation;Next it will sign close Algorithm designs on elliptic curve, signs the identity information that the cipher-text information in close algorithm does not include sender and recipients, finally Cipher-text message is broadcasted, only authorized receiver just decrypts cipher-text message and obtain in plain text under the premise of verification cipher-text message is legal Message.It is expected to have the technical effect that:First, key generation centre KGC are sent the pseudo- part private key of user by overt channel To user, user calculates part private key after receiving, and which not only improves User Part private key safeties, and reduce system Cost overhead;Second, authorized receiver verify ciphertext it is legal under the premise of, decrypt cipher-text message, avoid decrypting it is useless or Person is untrue or even takes viruliferous clear-text message, improves safety.
The technical solution adopted by the present invention to solve the technical problems:A kind of no safe lane receives more without certificate anonymity Person signs decryption method, its main feature is that including the following steps:
Step 1: user U includes sender S and recipient Ri, obtain the public key PK of oneselfUWith private key SKU, wherein i=1, 2 ..., n, n are positive integers, indicate the number for the recipient that sender S chooses;
Step 2: user U randomly selects an integer vU∈Zp *As secret value, then according to the following formula, user U is calculated certainly Oneself secret value parameter VU
VU=vUP
Wherein, vUIndicate that the secret value that user U is randomly selected, ∈ indicate defined domain symbol, Zp *It indicates to be based on Big prime p structures At non-zero multiplicative group, p indicates the Big prime that key generation centre KGC chooses, VUIndicate that the secret value parameter of user U, P indicate The addition cyclic group G that key generation centre KGC choosespOn generation member, GpIndicate that the ellipse that key generation centre KGC chooses is bent Addition cyclic group on line E, E indicate the finite field F that key generation centre KGC choosespOn safety elliptic curve, FpIt indicates The rank that key generation centre KGC chooses is the finite field of Big prime p;
Step 3: user U is by secret value parameter VUWith the identity information ID of oneselfUIt is sent to key life by overt channel At center KGC, key generation centre KGC receives the secret value parameter V of user UUWith identity information IDUAfterwards, integer d is randomly selectedU ∈Zp *, according to the following formula, calculate the part public key D of user UU
DU=H0(IDU,VU,dU)P
Wherein, dUIndicate that key generation centre KGC is the integer that user U is randomly selected, ∈ indicates defined domain symbol, Zp *Table Show that the non-zero multiplicative group constituted based on Big prime p, p indicate the Big prime that key generation centre KGC chooses, DUIndicate user U's Part public key, H0Indicate the impact resistant hash function that key generation centre KGC chooses, IDUIndicate the identity information of user U, VUTable Show that the secret value parameter of user U, P indicate the addition cyclic group G that key generation centre KGC choosespOn generation member;
Step 4: according to the following formula, key generation centre KGC calculates the part private key y of user UU
yU=H0(IDU,VU,dU)+s(mod p)
Wherein, yUIndicate the part private key of user U, H0Indicate the impact resistant hash function that key generation centre KGC chooses, IDUIndicate the identity information of user U, VUIndicate the secret value parameter of user U, dUIndicate key generation centre KGC be user U with The integer that machine is chosen, s indicate that the system master key that key generation centre KGC chooses, mod indicate that modulus operation, p indicate key life The Big prime chosen at center KGC;
Step 5: according to the following formula, key generation centre KGC calculates the pseudo- part private key r of user UU
rU=yU+H1(IDU,sVU)
Wherein, rUIndicate the pseudo- part private key of user U, yUIndicate the part private key of user U, H1Indicate key generation centre The impact resistant hash function that KGC chooses, IDUIndicate that the identity information of user U, s indicate the system that key generation centre KGC chooses Master key, VUIndicate the secret value parameter of user U;
Step 6: key generation centre KGC by overt channel by the part public key D of user UUWith pseudo- part private key rUHair Give user U.
Step 7: user U receives the part public key D that key generation centre KGC is sended overUWith pseudo- part private key rUAfterwards, Judge whether they meet following equation.If it is, executing step 8, otherwise, user U is reported to key generation centre KGC Mistake, and exit user registration course;
rUP=DU+Ppub+H1(IDU,vUPpub)P
Wherein, rUIndicate the pseudo- part private key of user U, DUIndicate the part public key of user U, PpubIndicate key generation centre The system public key that KGC is generated, H1Indicate the impact resistant hash function that key generation centre KGC chooses, IDUIndicate the identity of user U Information, vUIndicate that the secret value that user U is randomly selected, P indicate the addition cyclic group G that key generation centre KGC choosespOn life Cheng Yuan;
Step 8: according to the following formula, user U calculates public key PKU
PKU=DU+H1(IDU,VU)VU
Wherein, PKUIndicate the public key of user U, DUIndicate the part public key of user U, H1Indicate key generation centre KGC choosings The impact resistant hash function taken, IDUIndicate the identity information of user U, VUIndicate the secret value parameter of user U;
Step 9: according to the following formula, user U calculates the part private key y of oneselfU
yU=rU-H1(IDU,vUPpub)
Wherein, yUIndicate the part private key of user U, rUIndicate the pseudo- part private key of user U, H1Indicate key generation centre The impact resistant hash function that KGC chooses, IDUIndicate the identity information of user U, vUIndicate the secret value that user U is randomly selected, Ppub Indicate the system public key that key generation centre KGC is generated;
Step 10: user U calculates private key SK according to the following formulaU
SKU=H1(IDU,PKU)(yU+H1(IDU,VU)vU)(mod p)
Wherein, SKUIndicate the private key of user U, H1Indicate the impact resistant hash function that key generation centre KGC chooses, IDU Indicate the identity information of user U, PKUIndicate the public key of user U, yUIndicate the part private key of user U, VUIndicate the secret of user U Value parameter, vUIndicate that the secret value that user U is randomly selected, mod indicate that modulus operation, p indicate what key generation centre KGC chose Big prime;
Step 11: user U is by the public key PK of oneselfUIt is sent to key generation centre KGC by overt channel, and by close Key generates the public key PK that center KGC externally announces user UU, user U safely preserves the private key SK of oneselfU, backed off after random user Registration process;
Step 12: sender S judges whether oneself has been carried out user registration course.If so, executing step 10 Three, otherwise, sender S executes user registration course and obtains the public key PK of oneselfSWith private key SKSAfterwards, then step 13 is executed;
Step 13: sender S randomly selects registered recipient Ri, i=1,2 ..., n, wherein and n is positive integer, Indicate the recipient R that sender S is randomly selectediNumber;
Step 14: according to the following formula, to each i=1,2 ..., n, sender S calculates i-th of recipient RiPuppet it is public Key Qi
Qi=PKi+Ppub
Wherein, QiIndicate i-th of recipient RiPseudo- public key, PKiIndicate i-th of recipient RiPublic key, n indicate send The recipient R that person S is randomly selectediNumber, PpubIndicate the system public key that key generation centre KGC is generated;
Step 15: sender S randomly selects the close integer w ∈ Z of labelp *, close verification part of label of sender S is calculated according to the following formula Volume W:
W=wP
Wherein, w indicates that the close integer of label that sender S is randomly selected, W indicate that the close verification share of label of sender S, ∈ indicate Defined domain symbol, Zp *Indicate that the non-zero multiplicative group constituted based on Big prime p, P indicate that the addition that key generation centre KGC chooses follows Ring group GpOn generation member;
Step 16: according to the following formula, to each i=1,2 ..., n, sender S calculates i-th of recipient RiLabel it is close Verify share Fi
Fi=wH1(IDi,PKi)Qi
Wherein, FiIndicate i-th of recipient RiThe close verification share of label, w indicates the close integers of label that randomly select of sender S, H1Indicate the impact resistant hash function that key generation centre KGC chooses, IDiIndicate i-th of recipient RiIdentity information, PKiTable Show i-th of recipient RiPublic key, QiIndicate i-th of recipient RiPseudo- public key, n indicates the recipients that randomly select of sender S RiNumber;
Step 17: according to the following formula, to each i=1,2 ..., n, sender S calculates i-th of recipient RiPseudo- body Part value αi
αi=H2(W,Fi)
Wherein, αiIndicate i-th of recipient RiFalse identity value, H2Indicate that the impact resistant that key generation centre KGC chooses is breathed out Uncommon function, W indicate the close verification share of label of sender S, FiIndicate i-th of recipient RiThe close verification share of label, n indicate send The recipient R that person S is randomly selectediNumber;
Step 18: sender S randomly selects Keyed integer g ∈ Zp *, according to the following formula, calculate encrypted authentication share G:
G=gP
Wherein, g indicates that the Keyed integer that sender S is randomly selected, G indicate that encrypted authentication share, ∈ indicate defined domain symbol Number, Zp *Indicate that the non-zero multiplicative group constituted based on Big prime p, P indicate the addition cyclic group G that key generation centre KGC choosespOn Generation member;
Step 19: according to the following formula, sender S calculates cipher-text message M:
Wherein, M indicates that cipher-text message, m indicate clear-text message,Indicate binary system xor operation by turn, H3Indicate key The impact resistant hash function that generation center KGC chooses, G indicate encrypted authentication share, IDSIndicate the identity information of sender S;
Step 20: sender S randomly selects integer ξ ∈ Zp *As pseudo- key, according to the following formula, sender's S constructions receive Person identity information mixed number f (x):
Wherein, ξ indicates that the pseudo- key that sender S is randomly selected, ∈ indicate defined domain symbol, Zp *It indicates to be based on Big prime p The non-zero multiplicative group of composition, f (x) indicate that recipient's identity information mixed number, x indicate that independent variable, ∏ indicate even to multiply operation, αiTable Show i-th of recipient RiFalse identity value, n indicates the recipient R that randomly select of sender SiNumber, mod indicate modulus behaviour Make, p indicates the Big prime that key generation centre KGC chooses, a0,a1,…,an-1Indicate recipient identity information mixed number f's (x) Each term coefficient;
Step 2 11, according to the following formula, sender S calculate the validity parameter h of ciphertext:
H=H4(M,IDS,G,W,a0,a1,...,an-1)
Wherein, h indicates the validity parameter of ciphertext, H4Indicate the impact resistant hash function that key generation centre KGC chooses, M indicates cipher-text message, IDSIndicate that the identity information of sender S, G indicate that encrypted authentication share, W indicate that the label of sender S are close and test Demonstrate,prove share, a0,a1,…,an-1Indicate each term coefficient of recipient identity information mixed number f (x);
Step 2 12, according to the following formula, sender S calculate symmetric key k:
K=H5(ξ)
Wherein, k indicates symmetric key, H5Indicate that the impact resistant hash function that key generation centre KGC chooses, ξ indicate hair The pseudo- key that the person of sending S is randomly selected;
Step 2 13, sender S calculate mixing cipher-text message J according to the following formula:
J=Ek(M||IDS||h)
Wherein, J indicates mixing cipher-text message, EkIndicate that symmetric encipherment algorithm, k indicate that symmetric key, M indicate that ciphertext disappears Breath, IDSIndicate that the identity information of sender S, h indicate the validity parameter of ciphertext, | | indicate link symbol;
Step 2 14, sender S calculate the pseudo- parameter h of ciphertext according to the following formula0
h0=H6(h)
Wherein, h0Indicate the pseudo- parameter of ciphertext, H6Indicate the impact resistant hash function that key generation centre KGC chooses, h tables Show the validity parameter of ciphertext;
Step 2 15, sender S calculate g-1It is set to meet equation gg-1≡ 1 (mod p), and calculate the signature parameter z:
Z=g-1(SKS+h0)(mod p)
Wherein, g indicates the Keyed integer that sender S is randomly selected, g-1Indicate the Keyed integer g that sender S is randomly selected Inverse element at mould Big prime p, z indicate signature parameter, SKSIndicate the private key of sender S, h0Indicate the pseudo- parameter of ciphertext, mod Indicate that modulus operation, p indicate the Big prime that key generation centre KGC chooses;
Step 2 16, sender S, which will mix cipher-text message J, the close verification share W of label of sender S, recipient's identity, to be believed Cease the coefficient a of mixed number f (x)0,a1,…,an-1, signature parameter z will sign ciphertext C and is broadcast to reception as label ciphertext C Person Ri, wherein i=1,2 ..., n;
Step 2 17, recipient RiAfter receiving label ciphertext C, executes solution and sign close process, wherein i=1,2 ..., n, n Indicate the recipient R that sender S is randomly selectediNumber;
Step 2 18, according to the following formula, recipient RiCalculate the close verification share F of label of oneselfi
Fi=SKiW
Wherein, FiIndicate i-th of recipient RiThe close verification share of label, SKiIndicate i-th of recipient RiPrivate key, W tables Show the close verification share of the label of sender S;
Step 2 19, according to the following formula, recipient RiCalculate the false identity value α of oneselfi
αi=H2(W,Fi)
Wherein, αiIndicate i-th of recipient RiFalse identity value, H2Indicate that the impact resistant that key generation centre KGC chooses is breathed out Uncommon function, W indicate the close verification share of label of sender S, FiIndicate i-th of recipient RiThe close verification share of label;
Step 3 ten, according to the following formula, recipient RiCalculate recipient identity information mixed number f (x):
F (x)=xn+an-1xn-1+...+a1x+a0
Wherein, f (x) indicates that recipient's identity information mixed number, x indicate that independent variable, n indicate what sender S was randomly selected Recipient RiNumber, a0,a1,...,an-1Indicate each term coefficient of recipient identity information mixed number f (x);
Step 3 11, according to the following formula, recipient RiCalculate the pseudo- key ξ that sender S is randomly selected:
ξ=f (αi)
Wherein, ξ indicates that the pseudo- key that sender S is randomly selected, f (x) indicate that recipient's identity information mixed number, x indicate Independent variable, αiIndicate i-th of recipient RiFalse identity value;
Step 3 12, according to the following formula, recipient RiCalculate symmetric key k:
K=H5(ξ)
Wherein, k indicates symmetric key, H5Indicate that the impact resistant hash function that key generation centre KGC chooses, ξ indicate hair The pseudo- key that the person of sending S is randomly selected;
Step 3 13, according to the following formula, recipient RiCalculate the identity information ID of cipher-text message M, sender SSAnd ciphertext Validity parameter h:
M||IDS| | h=Dk(J)
Wherein, M indicates cipher-text message, IDSIndicate that the identity information of sender S, h indicate the validity parameter of ciphertext, J tables Show mixing cipher-text message, DkIndicate that symmetrical decipherment algorithm, k indicate symmetric key, | | indicate link symbol;
Step 3 14, recipient RiThe pseudo- parameter h of ciphertext is calculated according to the following formula0
h0=H6(h)
It indicates, h0Indicate the pseudo- parameter of ciphertext, H6Indicate the impact resistant hash function that key generation centre KGC chooses, h tables Show the validity parameter of ciphertext;
Step 3 15, according to the following formula, recipient RiCalculate encrypted authentication share G:
G=z-1(H1(IDS,PKS)(PKS+Ppub)+h0P)
Wherein, G indicates that encrypted authentication share, z indicate signature parameter, z-1Indicate that signature parameter z is inverse at mould Big prime p Member, H1Indicate the impact resistant hash function that key generation centre KGC chooses, IDSIndicate the identity information of sender S, PKSIt indicates The public key of sender S, PpubIndicate the system public key that key generation centre KGC is generated, h0Indicate that the pseudo- parameter of ciphertext, P indicate close Key generates center KGC and chooses addition cyclic group GpOn generation member;
Step 3 16, according to the following formula, recipient RiCalculate the rights parameters h ' of ciphertext:
H '=H4(M,IDS,G,W,a0,a1,...,an-1)
Wherein, the rights parameters of h ' expressions ciphertext, H4Indicate the impact resistant hash function that key generation centre KGC chooses, M Indicate cipher-text message, IDSIndicate that the identity information of sender S, G indicate that encrypted authentication share, W indicate that the label of sender S are close and test Demonstrate,prove share, a0,a1,…,an-1Indicate each term coefficient of recipient identity information mixed number f (x);
Step 3 17, recipient RiWhether the rights parameters h ' for judging ciphertext and the validity parameter h of ciphertext are equal.If It is then to illustrate that the identity of sender S passes through verification, recipient RiIt determines and receives the cipher-text message M that sender S is sent, and execute Otherwise step 3 18 illustrates that the authentication of sender S does not pass through, recipient RiRefusal receives the ciphertext that sender S is sent Message M, and exit solution and sign close process.
Step 3 18, recipient RiDecryption obtains clear-text message m:
Wherein, m indicates that clear-text message, M indicate cipher-text message,Indicate binary system xor operation by turn, H3Indicate key The impact resistant hash function that generation center KGC chooses, G indicate encrypted authentication share, IDSIndicate the identity information of sender S.
The beneficial effects of the invention are as follows:This method is private by pseudo- part by overt channel by key generation centre KGC first Key and part public key are sent to user, after user receives, verify the part public key received and whether pseudo- part private key is true, if It sets up, then calculates the public key, part private key and private key of user, otherwise stop operation;Next close algorithm design will be signed to exist On elliptic curve, the identity information that the cipher-text information in close algorithm does not include sender and recipients is signed, Last call ciphertext disappears Breath, only authorized receiver just decrypt cipher-text message and obtain clear-text message under the premise of verification cipher-text message is legal.It is expected It has the technical effect that:The pseudo- part private key of user is sent to user, user by first, key generation centre KGC by overt channel Part private key is calculated after reception, which not only improves User Part private key safeties, and reduce system cost expense;The Two, authorized receiver verify ciphertext it is legal under the premise of, decrypt cipher-text message, avoid decrypting it is useless or it is untrue even Viruliferous clear-text message is taken, safety is improved.
First, in the prior art, key generation centre KGC sends the part private key of user by safe lane, this is not It only results in that system cost expense is larger, and means that the safety of User Part private key places one's entire reliance upon safe lane, if Safe lane is destroyed, then anyone can obtain the part private key of user;From the present invention step four, Step 5: Step 6: Step 7: Step 8: step 9 and step 10 can be seen that key generation centre KGC will be pseudo- by overt channel Part private key is sent to user, after user's checking puppet part private key is legal, can calculate only user oneself and key generates The part private key that center KGC knows, which not only improves the safeties of User Part private key, and the cost for reducing system is opened Pin;
Second, in the prior art, authorized receiver decrypts to obtain clear-text message, then verifies the legitimacy of clear-text message, This causes authorized receiver to decrypt sometimes useless or untrue or even take viruliferous clear-text message, to be received to mandate Person brings certain harm.It can be with from step three 15, step 3 16, step 3 17 and the step 3 18 of the present invention Find out, for authorized receiver under the premise of verification ciphertext is legal, decryption cipher-text message obtains clear-text message, effectively prevents awarding Power recipient decrypts useless or untrue or even takes viruliferous clear-text message, and therefore, safety is good.
It elaborates with reference to the accompanying drawings and detailed description to the present invention.
Description of the drawings
Fig. 1 is the flow chart without certificate anonymity multi-receiver label decryption method of the invention without safe lane.
Specific implementation mode
Explanation of nouns
KGC(Key Generation Center):Key generation centre is believable third party, and user U is assisted to generate Private key SKUWith public key PKU
η:The system security parameter that key generation centre KGC chooses;
p:The Big prime that key generation centre KGC chooses;
Fp:The rank that key generation centre KGC chooses is the finite field of Big prime p;
E:The finite field F that key generation centre KGC choosespOn safety elliptic curve;
Gp:The addition cyclic group on elliptic curve E that key generation centre KGC chooses;
P:The addition cyclic group G that key generation centre KGC choosespOn generation member;
s:The system master key that key generation centre KGC chooses;
Ppub:The system public key that key generation centre KGC is generated;
∈:Defined domain symbol, such as b ∈ B are exactly that element b belongs to set B;
Zp *:The non-zero multiplicative group constituted based on Big prime p;
Hj:The impact resistant hash function that key generation centre KGC chooses, wherein j=0,1,2,3,4,5,6;
A→B:Mappings of the domain A to codomain B;
×:Cartesian product, such as set A={ a, b }, set B={ 0,1,2 }, then two set cartesian products be {(a,0),(a,1),(a,2),(b,0),(b,1),(b,2)};
{0,1}*:The string that random length " 0 " or " 1 " are constituted;
k:Symmetric key;
Ek:Symmetric encipherment algorithm;
Dk:Symmetrical decipherment algorithm;
Params:Systematic parameter;
U:User, including sender S and recipient Ri, i=1,2 ..., n;
S:Sender;
Ri:I-th of recipient, i=1,2 ..., n;
n:The recipient R that sender S is randomly selectediNumber;
IDU:The identity information of user U;
IDS:The identity information of sender S;
IDi:I-th of recipient RiIdentity information, i=1,2 ..., n;
vU:The secret value that user U is randomly selected;
vS:The secret value that sender S is randomly selected;
vi:I-th of recipient RiThe secret value randomly selected, i=1,2 ..., n;
VU:The secret value parameter of user U;
VS:The secret value parameter of sender S;
Vi:I-th of recipient RiSecret value parameter, i=1,2 ..., n;
dU:Key generation centre KGC is the integer that user U is randomly selected;
dS:Key generation centre KGC is the integer that sender S is randomly selected;
di:Key generation centre KGC is i-th of recipient RiThe integer randomly selected, i=1,2 ..., n;
DU:The part public key of user U
DS:The part public key of sender S
Di:I-th of recipient RiPart public key, i=1,2 ..., n;
yU:The part private key of user U;
yS:The part private key of sender S;
yi:I-th of recipient RiPart private key, i=1,2 ..., n;
rU:The pseudo- part private key of user U;
rS:The pseudo- part private key of sender S;
ri:I-th of recipient RiPseudo- part private key, i=1,2 ..., n;
PKU:The public key of user U;
PKS:The public key of sender S;
PKi:I-th of recipient RiPublic key, i=1,2 ..., n;
SKU:The private key of user U;
SKS:The private key of sender S;
SKi:I-th of recipient RiPrivate key, i=1,2 ..., n;
Qi:I-th of recipient RiPseudo- public key, i=1,2 ..., n;
w:The close integer of label that sender S is randomly selected;
W:The close verification share of label of sender S;
Fi:I-th of recipient RiThe close verification share of label, i=1,2 ..., n;
αi:I-th of recipient RiFalse identity value, i=1,2 ..., n;
g:The Keyed integer that sender S is randomly selected;
g-1:Inverse elements of the Keyed integer g that sender S is randomly selected at mould Big prime p;
G:Encrypted authentication share;
m:Clear-text message;
M:Cipher-text message;
Binary system xor operation, such as x=0101, y=1011 by turn, then
ξ:The pseudo- key that sender S is randomly selected;
f(x):Recipient's identity information mixed number, wherein x indicate independent variable;
∏:Company multiplies operation, such as
mod:Modulus operates;
ai:Each term coefficient of recipient identity information mixed number f (x), i=0,1 ..., n-1;
h:The validity parameter of ciphertext;
h0:The pseudo- parameter of ciphertext;
h′:The rights parameters of ciphertext;
J:Mix cipher-text message;
||:Link symbol, such as x=0101, y=1011, then x | | y=01011011;
≡:Congruence symbol, such as:1 ≡ 3 (mod2), 2 ≡ 5 (mod3);
z:Signature parameter;
z-1:Inverse elements of the signature parameter z at mould Big prime p;
C:Sign ciphertext.
Referring to Fig.1.The present invention is as follows without safe lane without certificate anonymity multi-receiver label decryption method:
Step 1, systematic parameter is generated.
Key generation centre KGC chooses Big prime p according to system security parameter η, chooses the finite field that rank is Big prime p Fp, finite field FpOn safety elliptic curve E and elliptic curve E on addition cyclic group Gp, choose addition cyclic group GpOn Generation member P;Key generation centre KGC randomly selects system master key s ∈ Zp *And securely held, then computing system public key Ppub=sP, and 7 impact resistant hash functions are chosen, it is denoted as respectively:H0:{0,1}*×Gp×Zp *→Zp *;H1:{0,1}*×Gp→ Zp *;H2:Gp×Gp→Zp *;H3:Gp×{0,1}*→{0,1}*;H4:{0,1}*×{0,1}*×Gp×Gp×Zp *×...×Zp *→ {0,1}*;H5:Zp *→Zp *;H6:{0,1}*→Zp *;Then key generation centre KGC is arbitrary from existing symmetric encipherment algorithm Choose a kind of safe symmetric encipherment algorithm Ek, and choose symmetrical decipherment algorithm D corresponding with the symmetric encipherment algorithmk;Finally, Key generation centre KGC constructs systematic parameter Params, and open systematic parameter Params according to the following formula:
Params=<p,Fp,E,Gp,P,Ppub,Ek,Dk,H0,H1,H2,H3,H4,H5,H6>;
Wherein, η indicates that the system security parameter that key generation centre KGC chooses, p indicate that key generation centre KGC chooses Big prime, FpIndicate that the finite field that the rank that key generation centre KGC chooses is Big prime p, E indicate key generation centre KGC The finite field F of selectionpOn safety elliptic curve, GpIndicate the addition on the elliptic curve E of key generation centre KGC selections Cyclic group, P indicate the addition cyclic group G that key generation centre KGC choosespOn generation member, s indicates key generation centre KGC The system master key of selection, H0,H1,H2,H3,H4,H5,H6Indicate the impact resistant hash function that key generation centre KGC chooses, A → B indicates the mapping of domain A to codomain B, { 0,1 }*Indicate the string that random length " 0 " or " 1 " is constituted, × indicate that Descartes multiplies Product, Zp *Indicate that the non-zero multiplicative group constituted based on Big prime p, ∈ indicate defined domain symbol, PpubIndicate key generation centre KGC The system public key of generation, EkIndicate symmetric encipherment algorithm, DkIndicate that symmetrical decipherment algorithm, k indicate that symmetric key, Params indicate Systematic parameter;
Step 2, sender registers.
The first step, sender S randomly select an integer vS∈Zp *As secret value, according to the following formula, sender S is calculated certainly Oneself secret value parameter VS
VS=vSP
Wherein, vSIndicate the secret value that sender S is randomly selected, VSIndicate the secret value parameter of sender S;
Second step, sender S is by the secret value parameter V of oneselfSWith the identity information ID of oneselfSIt is sent by overt channel Give key generation centre KGC, key generation centre the KGC secret value parameter V for receiving sender SSWith identity information IDSAfterwards, at random Choose integer dS∈Zp *, the part public key D of sender S is calculated according to the following formulaS
DS=H0(IDS,VS,dS)P
Wherein, dSIndicate that key generation centre KGC is the integer that sender S is randomly selected, DSIndicate the part of sender S Public key, IDSIndicate the identity information of sender S;
According to the following formula, key generation centre KGC calculates the part private key y of sender SS
yS=H0(IDS,VS,dS)+s(mod p)
Wherein, ySIndicate the part private key of sender S;
According to the following formula, key generation centre KGC calculates the pseudo- part private key r of sender SS
rS=yS+H1(IDS,sVS)
Wherein, rSIndicate the pseudo- part private key of sender S;
Key generation centre KGC is by overt channel by the part public key D of sender SSWith the pseudo- part private key of sender S rSIt is sent to sender S.Sender S judges the part public key D receivedSWith pseudo- part private key rSWhether following equation is met:
rSP=DS+Ppub+H1(IDS,vSPpub)P
If it is satisfied, then sender S will continue to execute third step, otherwise, sender S reports an error to key generation centre KGC, And exit sender's registration process;
Third walks, and sender S calculates public key PK according to the following formulaS
PKS=DS+H1(IDS,VS)VS
Wherein, PKSIndicate the public key of sender S;
Sender S calculates the part private key y of oneself according to the following formulaS
yS=rS-H1(IDS,vSPpub)
Sender S calculates the private key SK of oneself according to the following formulaS
SKS=H1(IDS,PKS)(yS+H1(IDS,VS)vS)(mod p)
Wherein, SKSIndicate the private key of sender S;
4th step, sender S is by public key PKSIt is sent to key generation centre KGC by overt channel, and is generated by key Center KGC externally announces the public key PK of sender SS, the securely held private key SK of oneself of sender SS, backed off after random sender note Volume process;
Step 3, recipient registers.
The first step, recipient RiRandomly select an integer vi∈Zp *As secret value, according to the following formula, recipient RiIt calculates The secret value parameter V of oneselfi
Vi=viP
Wherein, viIndicate i-th of recipient RiThe secret value randomly selected, ViIndicate i-th of recipient RiSecret value ginseng Number;
Second step, recipient RiBy the secret value parameter V of oneselfiWith the identity information ID of oneselfiIt is sent by overt channel Key generation centre KGC, key generation centre KGC is given to receive recipient RiSecret value parameter ViWith identity information IDiAfterwards, with Machine chooses integer di∈Zp *, recipient R is calculated according to the following formulaiPart public key Di
Di=H0(IDi,Vi,di)P
Wherein, diIndicate that key generation centre KGC is i-th of recipient RiThe integer randomly selected, DiIt indicates to connect for i-th Receipts person RiPart public key;
According to the following formula, key generation centre KGC calculates recipient RiPart private key yi
yi=H0(IDi,Vi,di)+s(mod p)
Wherein, yiIndicate i-th of recipient RiPart private key,
According to the following formula, key generation centre KGC calculates recipient RiPseudo- part private key ri
ri=yi+H1(IDi,sVi)
Wherein, riIndicate i-th of recipient RiPseudo- part private key;
Key generation centre KGC passes through overt channel transmitting and receiving person RiPart public key DiWith pseudo- part private key riTo connecing Receipts person Ri.Recipient RiJudge the part public key D receivediWith pseudo- part private key riWhether following equation is met:
riP=Di+Ppub+H1(IDi,viPpub)P
If it is satisfied, then recipient RiThird step, otherwise, recipient R will be continued to executeiIt is reported to key generation centre KGC Mistake, and exit recipient's registration process;
Third walks, according to the following formula, recipient RiCalculate the public key PK of oneselfi
PKi=Di+H1(IDi,Vi)Vi
Wherein, PKiIndicate i-th of recipient RiPublic key recipient Ri
The part private key y of oneself is calculated according to the following formulai
yi=ri-H1(IDi,viPpub)
Recipient RiPrivate key SK is calculated according to the following formulai
SKi=H1(IDi,PKi)(yi+H1(IDi,Vi)vi)(mod p)
Wherein, SKiIndicate i-th of recipient RiPrivate key;
4th step, recipient RiBy the public key PK of oneselfiIt is sent to key generation centre KGC by overt channel, and by close Key generates center KGC and externally announces recipient RiPublic key PKi, recipient RiThe securely held private key SK of oneselfi, backed off after random Recipient's registration process;
Step 4, close process is signed.
The first step, sender S judge oneself whether to have completed sender's registration process and have obtained the public key PK of oneselfS With private key SKS.If it is, sender S executes second step, otherwise sender S executes sender's registration process, and obtains oneself Public key PKSWith private key SKSAfterwards, then second step is executed;
Second step, sender S randomly select registered recipient Ri, to each i=1,2 ..., n, sender's S meters Calculate i-th of recipient RiPseudo- public key Qi
Qi=PKi+Ppub
Wherein, QiIndicate i-th of recipient RiPseudo- public key, PKiIndicate i-th of recipient RiPublic key, n indicate send The recipient R that person S is randomly selectediNumber;
Sender S randomly selects the close integer w ∈ Z of labelp *, the close verification share W of label of sender S is calculated according to the following formula:
W=wP
Wherein, w indicates that the close integer of label that sender S is randomly selected, W indicate the close verification share of label of sender S,;
According to the following formula, to each i=1,2 ..., n, i-th of recipient R is calculatediThe close verification share F of labeli
Fi=wH1(IDi,PKi)Qi
Wherein, FiIndicate i-th of recipient RiThe close verification share of label;
According to the following formula, i-th of recipient R is calculated to each i=1,2 ..., n, sender SiFalse identity value αi
αi=H2(W,Fi)
Wherein, αiIndicate i-th of recipient RiFalse identity value,;
Sender S randomly selects Keyed integer g ∈ Zp *, encrypted authentication share G is calculated according to the following formula:
G=gP
Wherein, g indicates that the Keyed integer that sender S is randomly selected, G indicate encrypted authentication share;
According to the following formula, sender S calculates cipher-text message M:
Wherein, M indicates that cipher-text message, m indicate clear-text message,Indicate binary system xor operation by turn;
Sender S randomly selects integer ξ ∈ Zp *As pseudo- key, according to the following formula, sender S constructs recipient's identity information Mixed number f (x):
Wherein, ξ indicates that the pseudo- key that sender S is randomly selected, f (x) indicate that recipient's identity information mixed number, x indicate Independent variable, ∏ indicate even to multiply operation, αiIndicate i-th of recipient RiFalse identity value, a0,a1,…,an-1Indicate recipient's identity Each term coefficient of information mixed number f (x);
According to the following formula, sender S calculates the validity parameter h of ciphertext:
H=H4(M,IDS,G,W,a0,a1,...,an-1)
Wherein, h indicates the validity parameter of ciphertext;
According to the following formula, sender S calculates symmetric key k:
K=H5(ξ)
Wherein, k indicates symmetric key;
Sender S calculates mixing cipher-text message J according to the following formula:
J=Ek(M||IDS||h)
Wherein, J indicates mixing cipher-text message, EkIndicate symmetric encipherment algorithm, | | indicate link symbol;
Sender S calculates the pseudo- parameter h of ciphertext according to the following formula0
h0=H6(h)
It indicates, h0Indicate the pseudo- parameter of ciphertext;
Sender S calculates g-1It is set to meet equation gg-1≡ 1 (mod p), and calculate the signature parameter z:
Z=g-1(SKS+h0)(mod p)
Wherein, g-1Inverse elements of the Keyed integer g that expression sender S is randomly selected at mould Big prime p, z indicate signature ginseng Number;
Third walks, and sender S mixes the close verification share W of label, the recipient's identity information that mix cipher-text message J, sender S The coefficient a of conjunction value f (x)0,a1,…,an-1, signature parameter z will sign ciphertext C and carries out being broadcast to reception as label ciphertext C Person Ri, i=1,2 ..., n;
Step 5, solution signs close process.
The first step, after receiving label ciphertext C, recipient RiFirst determine whether oneself is registered.If registered, Second step is continued to execute, otherwise, abandons the label ciphertext C received, and exits solution and signs close step, i=1,2 ..., n, wherein n Indicate the recipient R that sender S is randomly selectediNumber;
Second step, according to the following formula, recipient RiCalculate the close verification share F of label of oneselfi
Fi=SKiW
According to the following formula, recipient RiCalculate the false identity value α of oneselfi
αi=H2(W,Fi)
According to the following formula, recipient RiCalculate recipient identity information mixed number f (x):
F (x)=xn+an-1xn-1+...+a1x+a0
According to the following formula, recipient RiCalculate the pseudo- key ξ that sender S is randomly selected:
ξ=f (αi)
According to the following formula, recipient RiCalculate symmetric key k:
K=H5(ξ)
According to the following formula, recipient RiCalculate the identity information ID of cipher-text message M, sender SS, ciphertext validity parameter h:
M||IDS| | h=Dk(J)
According to the following formula, recipient RiCalculate the pseudo- parameter h of ciphertext0
h0=H6(h)
According to the following formula, recipient RiCalculate encrypted authentication share G:
G=z-1(H1(IDS,PKS)(PKS+Ppub)+h0P)
Wherein, z-1Indicate inverse elements of the signature parameter z at mould Big prime p;
According to the following formula, recipient RiCalculate the rights parameters h ' of ciphertext:
H '=H4(M,IDS,G,W,a0,a1,...,an-1)
Wherein, the rights parameters of h ' expressions ciphertext;
Recipient RiWhether the rights parameters h ' for judging ciphertext and the validity parameter h of ciphertext are equal.If so, illustrating to send out The identity of the person of sending S passes through verification, recipient RiIt determines and receives the cipher-text message M that sender S is sent, and execute third step, otherwise, Illustrate that the authentication of sender S does not pass through, recipient RiRefusal receives the cipher-text message M that sender S is sent, and exits solution label Close process.
Third walks, according to the following formula, recipient RiDecryption obtains clear-text message m:
Wherein, m indicates that clear-text message, M indicate cipher-text message,Indicate binary system xor operation by turn, H3Indicate key The impact resistant hash function that generation center KGC chooses, G indicate encrypted authentication share, IDSIndicate the identity information of sender S.

Claims (1)

1. a kind of no safe lane without certificate anonymity multi-receiver label decryption method, it is characterised in that include the following steps:
Step 1: user U includes sender S and recipient Ri, obtain the public key PK of oneselfUWith private key SKU, wherein i=1, 2 ..., n, n are positive integers, indicate the number for the recipient that sender S chooses;
Step 2: user U randomly selects an integer vU∈Zp *As secret value, then according to the following formula, user U calculates oneself Secret value parameter VU
VU=vUP
Wherein, vUIndicate that the secret value that user U is randomly selected, ∈ indicate defined domain symbol, Zp *It indicates based on Big prime p compositions Non-zero multiplicative group, p indicate the Big prime that key generation centre KGC chooses, VUIndicate that the secret value parameter of user U, P indicate key The addition cyclic group G that generation center KGC choosespOn generation member, GpOn the elliptic curve E for indicating key generation centre KGC selections Addition cyclic group, E indicates the finite field F that key generation centre KGC choosespOn safety elliptic curve, FpIndicate key life The finite field for being Big prime p at the rank that center KGC chooses;
Step 3: user U is by secret value parameter VUWith the identity information ID of oneselfUIt is sent in key generation by overt channel Heart KGC, key generation centre KGC receive the secret value parameter V of user UUWith identity information IDUAfterwards, integer d is randomly selectedU∈ Zp *, according to the following formula, calculate the part public key D of user UU
DU=H0(IDU,VU,dU)P
Wherein, dUIndicate that key generation centre KGC is the integer that user U is randomly selected, ∈ indicates defined domain symbol, Zp *Indicate base In the non-zero multiplicative group that Big prime p is constituted, p indicates the Big prime that key generation centre KGC chooses, DUIndicate the part of user U Public key, H0Indicate the impact resistant hash function that key generation centre KGC chooses, IDUIndicate the identity information of user U, VUIt indicates to use The secret value parameter of family U, P indicate the addition cyclic group G that key generation centre KGC choosespOn generation member;
Step 4: according to the following formula, key generation centre KGC calculates the part private key y of user UU
yU=H0(IDU,VU,dU)+s(modp)
Wherein, yUIndicate the part private key of user U, H0Indicate the impact resistant hash function that key generation centre KGC chooses, IDUTable Show the identity information of user U, VUIndicate the secret value parameter of user U, dUIndicate that key generation centre KGC is that user U is randomly selected Integer, s indicates that the system master key that key generation centre KGC chooses, mod indicate that modulus operation, p indicate key generation centre The Big prime that KGC chooses;
Step 5: according to the following formula, key generation centre KGC calculates the pseudo- part private key r of user UU
rU=yU+H1(IDU,sVU)
Wherein, rUIndicate the pseudo- part private key of user U, yUIndicate the part private key of user U, H1Indicate key generation centre KGC choosings The impact resistant hash function taken, IDUIndicate that the identity information of user U, s indicate that the system master that key generation centre KGC chooses is close Key, VUIndicate the secret value parameter of user U;
Step 6: key generation centre KGC by overt channel by the part public key D of user UUWith pseudo- part private key rUIt is sent to User U;
Step 7: user U receives the part public key D that key generation centre KGC is sended overUWith pseudo- part private key rUAfterwards, judge Whether they meet following equation;If it is, executing step 8, otherwise, user U reports an error to key generation centre KGC, and Exit user registration course;
rUP=DU+Ppub+H1(IDU,vUPpub)P
Wherein, rUIndicate the pseudo- part private key of user U, DUIndicate the part public key of user U, PpubIndicate key generation centre KGC The system public key of generation, H1Indicate the impact resistant hash function that key generation centre KGC chooses, IDUIndicate the identity letter of user U Breath, vUIndicate that the secret value that user U is randomly selected, P indicate the addition cyclic group G that key generation centre KGC choosespOn generation Member;
Step 8: according to the following formula, user U calculates public key PKU
PKU=DU+H1(IDU,VU)VU
Wherein, PKUIndicate the public key of user U, DUIndicate the part public key of user U, H1Indicate what key generation centre KGC chose Impact resistant hash function, IDUIndicate the identity information of user U, VUIndicate the secret value parameter of user U;
Step 9: according to the following formula, user U calculates the part private key y of oneselfU
yU=rU-H1(IDU,vUPpub)
Wherein, yUIndicate the part private key of user U, rUIndicate the pseudo- part private key of user U, H1Indicate key generation centre KGC choosings The impact resistant hash function taken, IDUIndicate the identity information of user U, vUIndicate the secret value that user U is randomly selected, PpubIt indicates The system public key that key generation centre KGC is generated;
Step 10: user U calculates private key SK according to the following formulaU
SKU=H1(IDU,PKU)(yU+H1(IDU,VU)vU)(modp)
Wherein, SKUIndicate the private key of user U, H1Indicate the impact resistant hash function that key generation centre KGC chooses, IDUIt indicates The identity information of user U, PKUIndicate the public key of user U, yUIndicate the part private key of user U, VUIndicate the secret value ginseng of user U Number, vUIndicate that the secret value that user U is randomly selected, mod indicate that modulus operation, p indicate the big element that key generation centre KGC chooses Number;
Step 11: user U is by the public key PK of oneselfUIt is sent to key generation centre KGC by overt channel, and is given birth to by key The public key PK of user U is externally announced at center KGCU, user U safely preserves the private key SK of oneselfU, backed off after random user's registration Process;
Step 12: sender S judges whether oneself has been carried out user registration course;If so, step 13 is executed, it is no Then, sender S executes user registration course and obtains the public key PK of oneselfSWith private key SKSAfterwards, then step 13 is executed;
Step 13: sender S randomly selects registered recipient Ri, i=1,2 ..., n, wherein n is positive integer, indicates hair The recipient R that the person of sending S is randomly selectediNumber;
Step 14: according to the following formula, to each i=1,2 ..., n, sender S calculates i-th of recipient RiPseudo- public key Qi
Qi=PKi+Ppub
Wherein, QiIndicate i-th of recipient RiPseudo- public key, PKiIndicate i-th of recipient RiPublic key, n indicate sender S with The recipient R that machine is choseniNumber, PpubIndicate the system public key that key generation centre KGC is generated;
Step 15: sender S randomly selects the close integer w ∈ Z of labelp *, the close verification share W of label of sender S is calculated according to the following formula:
W=wP
Wherein, w indicates that the close integer of label that sender S is randomly selected, W indicate that the close verification share of label of sender S, ∈ indicate to limit Domain symbol, Zp *Indicate that the non-zero multiplicative group constituted based on Big prime p, P indicate the addition cyclic group that key generation centre KGC chooses GpOn generation member;
Step 16: according to the following formula, to each i=1,2 ..., n, sender S calculates i-th of recipient RiThe close verification part of label Volume Fi
Fi=wH1(IDi,PKi)Qi
Wherein, FiIndicate i-th of recipient RiThe close verification share of label, w indicates the close integers of label that randomly select of sender S, H1Table Show the impact resistant hash function that key generation centre KGC chooses, IDiIndicate i-th of recipient RiIdentity information, PKiIndicate the I recipient RiPublic key, QiIndicate i-th of recipient RiPseudo- public key, n indicates the recipient R that randomly select of sender Si's Number;
Step 17: according to the following formula, to each i=1,2 ..., n, sender S calculates i-th of recipient RiFalse identity value αi
αi=H2(W,Fi)
Wherein, αiIndicate i-th of recipient RiFalse identity value, H2Indicate the impact resistant Hash letter that key generation centre KGC chooses Number, W indicate the close verification share of label of sender S, FiIndicate i-th of recipient RiThe close verification share of label, n indicate sender S with The recipient R that machine is choseniNumber;
Step 18: sender S randomly selects Keyed integer g ∈ Zp *, according to the following formula, calculate encrypted authentication share G:
G=gP
Wherein, g indicates that the Keyed integer that sender S is randomly selected, G indicate that encrypted authentication share, ∈ indicate defined domain symbol, Zp * Indicate that the non-zero multiplicative group constituted based on Big prime p, P indicate the addition cyclic group G that key generation centre KGC choosespOn life Cheng Yuan;
Step 19: according to the following formula, sender S calculates cipher-text message M:
M=m ⊕ H3(G,IDS)
Wherein, M indicates that cipher-text message, m indicate that clear-text message, ⊕ indicate binary system xor operation by turn, H3In indicating that key generates The impact resistant hash function that heart KGC chooses, G indicate encrypted authentication share, IDSIndicate the identity information of sender S;
Step 20: sender S randomly selects integer ξ ∈ Zp *As pseudo- key, according to the following formula, sender S constructs recipient's body Part information mixed number f (x):
Wherein, ξ indicates that the pseudo- key that sender S is randomly selected, ∈ indicate defined domain symbol, Zp *It indicates to constitute based on Big prime p Non-zero multiplicative group, f (x) indicate recipient's identity information mixed number, x indicate independent variable, ∏ indicate even multiplies operation, αiIndicate the I recipient RiFalse identity value, n indicates the recipient R that randomly select of sender SiNumber, mod indicate modulus operation, p tables Show the Big prime that key generation centre KGC chooses, a0,a1,…,an-1Indicate each term system of recipient identity information mixed number f (x) Number;
Step 2 11, according to the following formula, sender S calculate the validity parameter h of ciphertext:
H=H4(M,IDS,G,W,a0,a1,...,an-1)
Wherein, h indicates the validity parameter of ciphertext, H4Indicate that the impact resistant hash function that key generation centre KGC chooses, M indicate Cipher-text message, IDSIndicate that the identity information of sender S, G indicate that encrypted authentication share, W indicate close verification part of label of sender S Volume, a0,a1,…,an-1Indicate each term coefficient of recipient identity information mixed number f (x);
Step 2 12, according to the following formula, sender S calculate symmetric key k:
K=H5(ξ)
Wherein, k indicates symmetric key, H5Indicate that the impact resistant hash function that key generation centre KGC chooses, ξ indicate sender S The pseudo- key randomly selected;
Step 2 13, sender S calculate mixing cipher-text message J according to the following formula:
J=Ek(M||IDS||h)
Wherein, J indicates mixing cipher-text message, EkIndicate that symmetric encipherment algorithm, k indicate that symmetric key, M indicate cipher-text message, IDS Indicate that the identity information of sender S, h indicate the validity parameter of ciphertext, | | indicate link symbol;
Step 2 14, sender S calculate the pseudo- parameter h of ciphertext according to the following formula0
h0=H6(h)
Wherein, h0Indicate the pseudo- parameter of ciphertext, H6Indicate that the impact resistant hash function that key generation centre KGC chooses, h indicate close The validity parameter of text;
Step 2 15, sender S calculate g-1It is set to meet equation gg-1≡ 1 (modp), and calculate the signature parameter z:
Z=g-1(SKS+h0)(modp)
Wherein, g indicates the Keyed integer that sender S is randomly selected, g-1The Keyed integer g that expression sender S is randomly selected is in mould Inverse element under Big prime p, z indicate signature parameter, SKSIndicate the private key of sender S, h0Indicate that the pseudo- parameter of ciphertext, mod indicate Modulus operates, and p indicates the Big prime that key generation centre KGC chooses;
Step 2 16, sender S mix the close verification share W of label, the recipient's identity information that mix cipher-text message J, sender S The coefficient a of conjunction value f (x)0,a1,…,an-1, signature parameter z will sign ciphertext C and is broadcast to recipient R as label ciphertext Ci, Wherein i=1,2 ..., n;
Step 2 17, recipient RiIt after receiving label ciphertext C, executes solution and signs close process, wherein i=1,2 ..., n, n indicate hair The recipient R that the person of sending S is randomly selectediNumber;
Step 2 18, according to the following formula, recipient RiCalculate the close verification share F of label of oneselfi
Fi=SKiW
Wherein, FiIndicate i-th of recipient RiThe close verification share of label, SKiIndicate i-th of recipient RiPrivate key, W indicate send The close verification share of label of person S;
Step 2 19, according to the following formula, recipient RiCalculate the false identity value α of oneselfi
αi=H2(W,Fi)
Wherein, αiIndicate i-th of recipient RiFalse identity value, H2Indicate the impact resistant Hash letter that key generation centre KGC chooses Number, W indicate the close verification share of label of sender S, FiIndicate i-th of recipient RiThe close verification share of label;
Step 3 ten, according to the following formula, recipient RiCalculate recipient identity information mixed number f (x):
F (x)=xn+an-1xn-1+...+a1x+a0
Wherein, f (x) indicates that recipient's identity information mixed number, x indicate that independent variable, n indicate the reception that sender S is randomly selected Person RiNumber, a0,a1,...,an-1Indicate each term coefficient of recipient identity information mixed number f (x);
Step 3 11, according to the following formula, recipient RiCalculate the pseudo- key ξ that sender S is randomly selected:
ξ=f (αi)
Wherein, ξ indicates that the pseudo- key that sender S is randomly selected, f (x) indicate that recipient's identity information mixed number, x are indicated from change Amount, αiIndicate i-th of recipient RiFalse identity value;
Step 3 12, according to the following formula, recipient RiCalculate symmetric key k:
K=H5(ξ)
Wherein, k indicates symmetric key, H5Indicate that the impact resistant hash function that key generation centre KGC chooses, ξ indicate sender S The pseudo- key randomly selected;
Step 3 13, according to the following formula, recipient RiCalculate the identity information ID of cipher-text message M, sender SSAnd ciphertext has Effect property parameter h:
M||IDS| | h=Dk(J)
Wherein, M indicates cipher-text message, IDSIndicate that the identity information of sender S, h indicate that the validity parameter of ciphertext, J indicate mixed Close cipher-text message, DkIndicate that symmetrical decipherment algorithm, k indicate symmetric key, | | indicate link symbol;
Step 3 14, recipient RiThe pseudo- parameter h of ciphertext is calculated according to the following formula0
h0=H6(h)
It indicates, h0Indicate the pseudo- parameter of ciphertext, H6Indicate that the impact resistant hash function that key generation centre KGC chooses, h indicate close The validity parameter of text;
Step 3 15, according to the following formula, recipient RiCalculate encrypted authentication share G:
G=z-1(H1(IDS,PKS)(PKS+Ppub)+h0P)
Wherein, G indicates that encrypted authentication share, z indicate signature parameter, z-1Indicate inverse elements of the signature parameter z at mould Big prime p, H1Indicate the impact resistant hash function that key generation centre KGC chooses, IDSIndicate the identity information of sender S, PKSIt indicates to send The public key of person S, PpubIndicate the system public key that key generation centre KGC is generated, h0Indicate that the pseudo- parameter of ciphertext, P indicate key life Addition cyclic group G is chosen at center KGCpOn generation member;
Step 3 16, according to the following formula, recipient RiCalculate the rights parameters h ' of ciphertext:
H '=H4(M,IDS,G,W,a0,a1,...,an-1)
Wherein, the rights parameters of h ' expressions ciphertext, H4Indicate that the impact resistant hash function that key generation centre KGC chooses, M indicate Cipher-text message, IDSIndicate that the identity information of sender S, G indicate that encrypted authentication share, W indicate close verification part of label of sender S Volume, a0,a1,…,an-1Indicate each term coefficient of recipient identity information mixed number f (x);
Step 3 17, recipient RiWhether the rights parameters h ' for judging ciphertext and the validity parameter h of ciphertext are equal;If so, Illustrate that the identity of sender S passes through verification, recipient RiIt determines and receives the cipher-text message M that sender S is sent, and execute step 3 18, otherwise, illustrate that the authentication of sender S does not pass through, recipient RiRefusal receives the cipher-text message M that sender S is sent, And it exits solution and signs close process;
Step 3 18, recipient RiDecryption obtains clear-text message m:
M=M ⊕ H3(G,IDS)
Wherein, m indicates that clear-text message, M indicate that cipher-text message, ⊕ indicate binary system xor operation by turn, H3In indicating that key generates The impact resistant hash function that heart KGC chooses, G indicate encrypted authentication share, IDSIndicate the identity information of sender S.
CN201810419999.1A 2018-05-04 2018-05-04 Certificateless anonymous multi-receiver signcryption method without secure channel Active CN108809650B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810419999.1A CN108809650B (en) 2018-05-04 2018-05-04 Certificateless anonymous multi-receiver signcryption method without secure channel

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810419999.1A CN108809650B (en) 2018-05-04 2018-05-04 Certificateless anonymous multi-receiver signcryption method without secure channel

Publications (2)

Publication Number Publication Date
CN108809650A true CN108809650A (en) 2018-11-13
CN108809650B CN108809650B (en) 2021-04-13

Family

ID=64093692

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810419999.1A Active CN108809650B (en) 2018-05-04 2018-05-04 Certificateless anonymous multi-receiver signcryption method without secure channel

Country Status (1)

Country Link
CN (1) CN108809650B (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109921896A (en) * 2019-03-11 2019-06-21 郑州师范学院 A kind of label decryption method, system, equipment and computer readable storage medium
CN111262709A (en) * 2020-01-17 2020-06-09 铜陵学院 Trapdoor hash function-based unlicensed bookmark encryption system and method
CN111934887A (en) * 2020-08-10 2020-11-13 西安电子科技大学 Multi-receiver signcryption method based on interpolation polynomial
CN114128213A (en) * 2019-05-29 2022-03-01 比特飞翔区块链株式会社 Apparatus, method, and program for verifying authenticity of public key
CN114189339A (en) * 2021-12-07 2022-03-15 贵州亨达集团信息安全技术有限公司 Certificateless aggregation signature method and certificateless aggregation signature system supporting parallel key isolation

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106936593A (en) * 2017-05-12 2017-07-07 西安电子科技大学 Based on the efficient anonymity of elliptic curve without certificate multi-receiver label decryption method
CN107438006A (en) * 2017-09-12 2017-12-05 西安电子科技大学 Full multi-receiver label decryption method of the anonymity without certificate
CN107682145A (en) * 2017-09-12 2018-02-09 西安电子科技大学 It is true anonymous without the more message multi-receiver label decryption methods of certificate

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106936593A (en) * 2017-05-12 2017-07-07 西安电子科技大学 Based on the efficient anonymity of elliptic curve without certificate multi-receiver label decryption method
CN107438006A (en) * 2017-09-12 2017-12-05 西安电子科技大学 Full multi-receiver label decryption method of the anonymity without certificate
CN107682145A (en) * 2017-09-12 2018-02-09 西安电子科技大学 It is true anonymous without the more message multi-receiver label decryption methods of certificate

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109921896A (en) * 2019-03-11 2019-06-21 郑州师范学院 A kind of label decryption method, system, equipment and computer readable storage medium
CN114128213A (en) * 2019-05-29 2022-03-01 比特飞翔区块链株式会社 Apparatus, method, and program for verifying authenticity of public key
CN114128213B (en) * 2019-05-29 2024-05-28 比特飞翔区块链株式会社 Apparatus, method, and program for verifying the authenticity of a public key
CN111262709A (en) * 2020-01-17 2020-06-09 铜陵学院 Trapdoor hash function-based unlicensed bookmark encryption system and method
CN111262709B (en) * 2020-01-17 2022-05-10 铜陵学院 Trapdoor hash function-based unlicensed bookmark encryption system and method
CN111934887A (en) * 2020-08-10 2020-11-13 西安电子科技大学 Multi-receiver signcryption method based on interpolation polynomial
CN114189339A (en) * 2021-12-07 2022-03-15 贵州亨达集团信息安全技术有限公司 Certificateless aggregation signature method and certificateless aggregation signature system supporting parallel key isolation
CN114189339B (en) * 2021-12-07 2024-01-26 贵州亨达集团信息安全技术有限公司 Certificate-free aggregation signature method and system supporting parallel key isolation

Also Published As

Publication number Publication date
CN108809650B (en) 2021-04-13

Similar Documents

Publication Publication Date Title
CN108809650A (en) Without safe lane without certificate anonymity multi-receiver label decryption method
CN107438006B (en) Full multi-receiver label decryption method of the anonymity without certificate
CN107682145B (en) It is true anonymous without the more message multi-receiver label decryption methods of certificate
CN106027239B (en) The multi-receiver label decryption method without key escrow based on elliptic curve
CN106936593A (en) Based on the efficient anonymity of elliptic curve without certificate multi-receiver label decryption method
CN105429941B (en) Multi-receiver identity anonymous label decryption method
CN107733648B (en) Identity-based RSA digital signature generation method and system
US8661240B2 (en) Joint encryption of data
Farshim et al. Robust encryption, revisited
EP2442483A2 (en) Elliptic curve Pinstov Vanstone signature scheme with authenticated message recovery
CN107659395A (en) The distributed authentication method and system of identity-based under a kind of environment of multi-server
CN107947913A (en) The anonymous authentication method and system of a kind of identity-based
CN107707358A (en) A kind of EC KCDSA digital signature generation method and system
EP2792098B1 (en) Group encryption methods and devices
CN114157427A (en) Threshold signature method based on SM2 digital signature
CN101931536B (en) Method for encrypting and authenticating efficient data without authentication center
CN105743641B (en) It is a kind of can explicit authentication public key multi-receiver label decryption method
CN103312506A (en) Multi-receiver sign-cryption method for receivers with anonymous identities
US9088419B2 (en) Keyed PV signatures
CN108833345A (en) Accountable anonymity identity of the sender without certificate multi-receiver label decryption method
CN106330862A (en) Secure transmission method and system for dynamic password
CN108696362B (en) Certificateless multi-message multi-receiver signcryption method capable of updating secret key
CN107888380A (en) A kind of the RSA digital signature generation method and system of two sides distribution identity-based
Li et al. Signcryption from randomness recoverable public key encryption
CN1905447B (en) Authentication encryption method and E-mail system

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant