CN109067520B - Revocable broadcast encryption method and system based on hierarchical identity - Google Patents


Info

Publication number: CN109067520B
Authority: CN (China)
Prior art keywords: identity, ribbe, revocable, scheme, attack
Legal status: Active
Application number: CN201810835912.9A
Other languages: Chinese (zh)
Other versions: CN109067520A
Inventors: 关振宇, 刘建伟, 李大伟, 李云浩
Current assignee: Beihang University
Original assignee: Beihang University
Events: application filed by Beihang University; priority to CN201810835912.9A; publication of CN109067520A; application granted; publication of CN109067520B; legal status currently active.

Classifications

    • H04L9/0891 Revocation or update of secret information, e.g. encryption key update or rekeying
    • H04L9/002 Countermeasures against attacks on cryptographic mechanisms
    • H04L9/0847 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these, involving identity based encryption [IBE] schemes
    • H04L9/3073 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy, involving algebraic varieties, e.g. elliptic or hyper-elliptic curves, involving pairings, e.g. identity based encryption [IBE], bilinear mappings or bilinear pairings, e.g. Weil or Tate pairing

Abstract

The invention discloses a revocable broadcast encryption method and system based on hierarchical identity. The method comprises the following steps: defining the security notion of indistinguishability of ciphertexts for RHIBBE under a selectively bounded revocable identity-vector set and a chosen-plaintext attack; constructing an RHIBBE scheme on a prime-order bilinear group, in which the broadcast identity-vector set is treated like a single identity vector in HIBE so that encryption follows a similar principle, and redundant identities in the set are eliminated at decryption so that the ciphertext is decrypted by the corresponding decryption key, which completes the construction; and proving that the scheme is IND-sBRIVS-CPA secure under the decisional wBDHI assumption. According to the method, two specific RHIBBE schemes are constructed on the prime-order bilinear group, so that RHIBBE has good revocation and encryption performance and revocation can be carried out effectively on the initial bilinear group.

Description

Revocable broadcast encryption method and system based on hierarchical identity
Technical Field
The invention relates to the technical field of information security, in particular to a revocable broadcast encryption method and system based on hierarchical identity.
Background
In 2014, Liu et al. first proposed hierarchical identity-based broadcast encryption (HIBBE), which combines the functions of hierarchical identity-based encryption (HIBE) and broadcast encryption (BE). In an HIBBE system, users are organized in a tree structure and can distribute private keys to their subordinate users, thereby reducing the workload of the private key generator (PKG). If a sender needs to encrypt the same message for a large number of recipients, it does not have to encrypt for each recipient separately; the message is encrypted only once, which reduces the computational cost and saves communication bandwidth. For example, consider a scenario in which a message is sent to Alice, Bob and others by e-mail. The sender can encrypt the information under public keys such as the recipients' e-mail addresses (e.g. Bob@mail.com) and broadcast the ciphertext; only the designated recipients can decrypt it.
In some cases, if a user's private key is compromised or the user misbehaves, his private key should be revoked. If the HIBBE system has no revocation mechanism, he must change his identity and apply for a new private key, and a lot of work is required to persuade all other users to accept the change. Two mechanisms are commonly used in HIBBE to implement revocation, namely direct revocation and indirect revocation. In direct revocation, the sender specifies the revocation list directly and must always ensure during encryption that the private keys of revoked users are invalid, which makes encryption relatively inefficient. Indirect revocation comes in two kinds. In the first kind, the PKG maintains a revocation list and periodically transmits new private keys to all non-revoked users, which places a heavy burden on the PKG because it must frequently compute new keys for every non-revoked user; in addition, a secure channel is required each time to transmit the private key to each user. The second kind was proposed by Alexandra et al. In revocable identity-based encryption (RIBE), following the idea of fuzzy IBE, each user's private key is divided into a secret key, which contains the identity, and an update key, which contains the time. With this method the PKG only publishes the update key publicly and does not require a secure channel, and the subset-cover revocation framework plays an important role in reducing the number of key updates from linear to logarithmic in the number of users.
In addition, Seo et al. extended RIBE to RHIBE, in which users can delegate secret keys and update keys to their children in a tree structure to share the burden of the PKG; HIBBE, however, still has no effective and secure revocation mechanism.
Disclosure of Invention
The present invention is directed to solving, at least to some extent, one of the technical problems in the related art.
Therefore, one objective of the present invention is to provide a revocable hierarchical identity-based broadcast encryption method, which constructs a specific RHIBBE scheme and an IND-sBRIVS-CPA secure RHIBBE scheme on a prime-order bilinear group, so that RHIBBE has good revocation and encryption performance and revocation is carried out effectively on the initial bilinear group.
It is another object of the present invention to provide a revocable hierarchical identity based broadcast encryption system.
In order to achieve the above object, an embodiment of one aspect of the present invention provides a revocable hierarchical identity-based broadcast encryption method, including the following steps: defining the security notion of indistinguishability of ciphertexts for RHIBBE under a selectively bounded revocable identity-vector set and a chosen-plaintext attack; constructing an RHIBBE scheme on a prime-order bilinear group, in which the broadcast identity-vector set of the RHIBBE is treated like a single identity vector in HIBE so that encryption follows a similar principle, and redundant identities in the identity-vector set are eliminated at decryption so that the ciphertext is decrypted by the corresponding decryption key, which completes the construction of the RHIBBE scheme; and proving that the RHIBBE scheme is IND-sBRIVS-CPA secure under the decisional wBDHI assumption.
By constructing a specific RHIBBE scheme on the prime-order bilinear group, the revocable hierarchical identity-based broadcast encryption method has good revocation and encryption performance; it constructs an IND-sBRIVS-CPA secure RHIBBE scheme, revokes effectively on the initial bilinear group, and proves that an unbounded version of the scheme is IND-sBRIVS-CPA secure.
In addition, the revocable hierarchical identity-based broadcast encryption method according to the above embodiment of the present invention may further have the following additional technical features:
Further, in one embodiment of the invention, in the security notion an attacker declares the set of identity vectors it will attack and makes private key queries under preset restrictions, where the size of the identity-vector sets queried by the attacker is bounded; the attacker still cannot distinguish which plaintext was encrypted under the chosen set of identity vectors, and this captures the attacks on RHIBBE.
Further, in an embodiment of the present invention, the method further includes: formulating a public parameter related to the total number of users in the RHIBBE scheme, so that the elements of the broadcast identity-vector set are ordered, to avoid an attack.
Further, in one embodiment of the invention, the set of target identity vectors selected for attack is bounded.
Further, in one embodiment of the present invention, the RHIBBE scheme is proven indistinguishable under a selectively revocable identity-vector set and a statically chosen plaintext attack, a notion that captures the most realistic attack types.
In order to achieve the above object, another embodiment of the present invention provides a revocable hierarchical identity-based broadcast encryption system, including: a determining module for defining the security notion of indistinguishability of ciphertexts for RHIBBE under a selectively bounded revocable identity-vector set and a chosen-plaintext attack; a building module for constructing an RHIBBE scheme on the prime-order bilinear group, in which the broadcast identity-vector set of the RHIBBE is treated like a single identity vector in HIBE so that encryption follows a similar principle, and redundant identities in the identity-vector set are eliminated at decryption so that the ciphertext is decrypted by the corresponding decryption key, which completes the construction of the RHIBBE scheme; and a proving module for proving that the RHIBBE scheme is IND-sBRIVS-CPA secure under the decisional wBDHI assumption.
By constructing a specific RHIBBE scheme on the prime-order bilinear group, the revocable hierarchical identity-based broadcast encryption system provided by the embodiment of the invention has good revocation and encryption performance; it constructs an IND-sBRIVS-CPA secure RHIBBE scheme, revokes effectively on the initial bilinear group, and proves that an unbounded version of the scheme is IND-sBRIVS-CPA secure.
In addition, the revocable hierarchical identity-based broadcast encryption system according to the above embodiment of the present invention may also have the following additional technical features:
Further, in one embodiment of the invention, in the security notion an attacker declares the set of identity vectors it will attack and makes private key queries under preset restrictions, where the size of the identity-vector sets queried by the attacker is bounded; the attacker still cannot distinguish which plaintext was encrypted under the chosen set of identity vectors, and this captures the attacks on RHIBBE.
Further, in an embodiment of the present invention, the system further includes: formulating a public parameter related to the total number of users in the RHIBBE scheme, so that the elements of the broadcast identity-vector set are ordered, to avoid an attack.
Further, in one embodiment of the invention, the set of target identity vectors selected for attack is bounded.
Further, in one embodiment of the present invention, the RHIBBE scheme is proven indistinguishable under a selectively revocable identity-vector set and a statically chosen plaintext attack, a notion that captures the most realistic attack types.
Additional aspects and advantages of the invention will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the invention.
Drawings
The foregoing and/or additional aspects and advantages of the present invention will become apparent and readily appreciated from the following description of the embodiments, taken in conjunction with the accompanying drawings of which:
fig. 1 is a flow diagram of a revocable hierarchical identity based broadcast encryption method according to one embodiment of the present invention;
FIG. 2 is a schematic structural diagram of RIBBE according to one embodiment of the present invention;
FIG. 3 is a schematic diagram of a binary tree structure of node ID2, according to one embodiment of the invention;
fig. 4 is a schematic structural diagram of a revocable hierarchical identity-based broadcast encryption system according to an embodiment of the present invention.
Detailed Description
Reference will now be made in detail to embodiments of the present invention, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to the same or similar elements or elements having the same or similar function throughout. The embodiments described below with reference to the drawings are illustrative and intended to be illustrative of the invention and are not to be construed as limiting the invention.
The revocable hierarchical identity-based broadcast encryption method and system according to an embodiment of the present invention will be described with reference to the accompanying drawings, and first, the revocable hierarchical identity-based broadcast encryption method according to an embodiment of the present invention will be described with reference to the accompanying drawings.
Fig. 1 is a flow chart of a revocable hierarchical identity based broadcast encryption method according to an embodiment of the present invention.
As shown in fig. 1, the revocable hierarchical identity-based broadcast encryption method includes the following steps:
In step S101, the security notion is determined: indistinguishability of ciphertexts for RHIBBE under a selectively bounded revocable identity-vector set and a chosen-plaintext attack.
Further, in one embodiment of the present invention, the RHIBBE scheme is proven indistinguishable under a selectively revocable identity-vector set and a statically chosen plaintext attack, a notion that captures the most realistic attack types.
Further, in one embodiment of the invention, in the security notion an attacker declares the set of identity vectors it will attack and makes private key queries under preset restrictions, where the size of the identity-vector sets queried by the attacker is bounded; the attacker still cannot distinguish which plaintext was encrypted under the chosen set of identity vectors, and this captures the attacks on RHIBBE.
Further, in one embodiment of the invention, the set of target identity vectors selected for attack is bounded.
It should be noted that the security notion determined here is the indistinguishability of ciphertexts for RHIBBE under a selectively bounded revocable identity-vector set and a chosen-plaintext attack (IND-sBRIVS-CPA). In this notion the attacker must declare the set of identity vectors it will attack and may make private key queries under some restrictions; in addition, the size of the identity-vector sets it queries is bounded. It still cannot distinguish which plaintext was encrypted under the chosen set of identity vectors. This notion captures many powerful real-world attacks on RHIBBE.
In step S102, an RHIBBE scheme is constructed on the prime-order bilinear group: the broadcast identity-vector set of the RHIBBE is treated like a single identity vector in HIBE so that encryption follows a similar principle, and at decryption redundant identities in the identity-vector set are eliminated to ensure that the ciphertext is decrypted by the corresponding decryption key, which completes the construction of the RHIBBE scheme.
Further, in an embodiment of the present invention, the method further includes: formulating the public parameters related to the total number of users in the RHIBBE scheme, so that the elements of the broadcast identity-vector set are ordered to avoid attacks.
That is, a specific RHIBBE scheme is constructed on the prime-order bilinear group, and the scheme is efficient in both revocation and encryption. Inspired by HIBE, the set of broadcast identity vectors in RHIBBE is treated like a single identity vector in HIBE, so encryption follows a similar principle. At decryption, redundant identities in the set of identity vectors are eliminated to ensure that the ciphertext can be decrypted by the corresponding decryption key. In HIBE, the public parameters are related to the overall hierarchy of the scheme. Carried over unchanged, however, this would cause a number of security problems for RHIBBE. For example, if the ciphertext is encrypted under a set containing two identity vectors and an attacker swaps an identity between the two identity vectors at the same level of the hierarchy, the ciphertext can still be decrypted successfully. Therefore, we formulate public parameters related to the total number of users in the scheme, which means that the elements of the broadcast identity-vector set are ordered, to avoid such trivial attacks.
In step S103, the RHIBBE scheme is proven IND-sBRIVS-CPA secure under the decisional wBDHI assumption.
Specifically, the RHIBBE scheme is proven IND-sBRIVS-CPA secure under the decisional wBDHI assumption, where the set of target identity vectors chosen for the attack is bounded; such attacks capture the most realistic attack types. Even when the broadcast set is required to be unbounded to improve broadcast performance, the scheme can be proven indistinguishable under a selectively revocable identity-vector set and a statically chosen plaintext attack (IND-sRIVS-CPA), which is secure enough but weaker than the former case.
The technical solution of the revocable hierarchical identity-based broadcast encryption method proposed by the present invention is described in detail below.
The main idea is as follows: using the subset-cover revocation framework and splitting keys into two parts, one related to identity and one to time, reduces the workload and bandwidth of the PKG, since it no longer has to issue keys to all non-revoked users each time over a highly secure key-transport channel as in typical HIBBE. The PKG shares its burden with higher-level users, who can delegate secret keys and update keys to the corresponding lower-level users, and the number of update keys, which can be broadcast publicly, is logarithmic in the number of non-revoked users.
The invention provides revocable hierarchical identity-based broadcast encryption (RHIBBE), which consists of seven polynomial-time algorithms: Setup, SK, KU, DK, ENC, DEC and REV. The scheme is implemented in the following concrete steps:
Step one: Setup polynomial time algorithm
(mpk, msk) ← Setup(1^λ, n, l): the setup algorithm is executed by the PKG to initialize the system. On input the security parameter λ in unary, the maximum number of users n = O(poly(λ)) and the maximum hierarchical depth l = O(poly(λ)), it outputs the master public key mpk, which contains the initial system state information st_0 and an empty revocation list RL, and the master key msk. The PKG publishes mpk and keeps msk to itself. It selects a prime-order bilinear group generator (formula image) and runs (formula image) (formula image). It selects at random (formula image). Then mpk = (n, l, g1 = g^α, h, g2, u1, …, un, u′, h′, RL) is published, and msk = g2^α is kept secret.
Step two: SK polynomial time algorithm
(formula image): the key generation algorithm is executed by ID_{k-1} (k = 1, 2, …, n) to generate a key for its branch ID_k. On input the binary-tree state information saved by ID_{k-1} (formula image) and the identity ID_k, it outputs the key (formula image). Each user ID_{k-1} (k = 1, 2, …, n) can act as the key generator for its children, which are assigned leaf nodes in the binary tree, so the state information (formula image) comprises a binary tree BT_{k-1} and an msk share P_θ for each node θ. When generating the key (formula image) for (formula image), ID_{k-1} executes the algorithm: for each node θ ∈ Path(ID_k), it takes P_θ from (formula image) if P_θ is defined, or otherwise chooses a random (formula image). The algorithm then chooses a random (formula image) and computes (formula image).
Step three: KU polynomial time algorithm
As shown in FIG. 3, the KUNode algorithm runs on this structure. Specifically, ku_{0,T} ← KU(msk, st_0, RL_0, T): the key update algorithm is executed by ID_{k-1} to generate an update key for its non-revoked branches, where ID_0 denotes the PKG. On input the current decryption key (formula image) (equal to msk when k = 1), the state information st_{ID_{k-1}}, the revocation list (formula image) and the time T, it outputs the update key (formula image). The PKG holds msk, the state information st_0, the revocation list RL_0 and the time T. For each node θ ∈ KUNode(BT_0, RL_0, T), the algorithm returns P_θ if it has already been defined, or otherwise randomly assigns one (formula image). For each node θ ∈ KUNode(BT_0, RL_0, T), it then selects a random (formula image) and computes (formula image).
Step four: DK polynomial time algorithm
(formula image): the decryption key generation algorithm is executed by the user with identity ID_k to compute its decryption key. On input the secret key (formula image) and the current update key (formula image), it outputs the decryption key (formula image), which can be used for decryption and key update. For (formula image), the secret key is (formula image), the update key at time T is (formula image), and (formula image) holds for k = 1. It computes (formula image) (formula image) and then re-randomizes the result with combined random integers (formula image) to obtain the decryption key (formula image).
Step five: ENC polynomial time algorithm
C ← ENC(M, S, T): this algorithm is executed by the sender to encrypt a message into a ciphertext. On input the message M, the identity set S of a group of recipients and the current time T, it outputs a ciphertext C. With the receiver identity set S, the encryption algorithm chooses a random (formula image) and outputs the ciphertext (formula image).
Step six: DEC polynomial time algorithm
(formula image): the decryption algorithm is executed by the user with identity ID_k to decrypt the ciphertext into a message. On input the ciphertext C, the identity set S of a group of receivers and a decryption key (formula image), it outputs a message M only when ID_k ∈ S. Given the ciphertext C = (C_0, C_1, C_2, C_3), the receiver ID_k ∈ S holding the decryption key (formula image) first computes (formula image) (formula image) and then outputs the message (formula image).
Step seven: REV polynomial time algorithm
(formula image): the revocation algorithm is executed by the user with identity ID_{k-1} to revoke ID_k. On input the revocation list (formula image) saved by ID_{k-1}, the identity ID_k to be revoked and the time T, it outputs an updated revocation list (formula image). The algorithm adds (ID_k, T) to (formula image) to update the revocation list RL.
It should be noted that, as shown in fig. 2 and 3, RHIBBE is defined as follows. The setup algorithm is executed by the PKG to initialize the system: on input a security parameter λ in unary, a maximum number of users n = O(poly(λ)) and a maximum hierarchical depth l = O(poly(λ)), it outputs a master public key mpk and a master key msk. The master public key mpk contains the initial system state information st_0 and an empty revocation list RL. The PKG publishes mpk and keeps msk to itself.
(formula images)
The key generation algorithm is executed by ID_{k-1} (k = 1, 2, …, n) to generate a key for its branch ID_k. On input the binary-tree state information saved by ID_{k-1} (formula image) and the identity ID_k, it outputs the key (formula image).
(figure labels: ID_{k-1}; ID_k ∈ S)
The key update algorithm is executed by ID_{k-1} to generate an update key for its non-revoked branches, where ID_0 denotes the PKG. On input the current decryption key (formula image) (equal to msk when k = 1), the state information st_{ID_{k-1}}, the revocation list RL_{ID_{k-1}} and the time T, it outputs the update key (formula image).
The decryption key generation algorithm is executed by the user with identity ID_k to compute its decryption key. On input the secret key (formula image) and the current update key (formula image), it outputs the decryption key (formula image), which can be used for decryption and key update.
The encryption algorithm is executed by the sender to encrypt the message into a ciphertext. On input the message M, the identity set S of a group of recipients and the current time T, it outputs a ciphertext C.
The decryption algorithm is executed by the user with identity ID_k to decrypt the ciphertext into a message. On input the ciphertext C, the identity set S of a group of recipients and the decryption key dk_{ID_k,T}, it outputs a message M only if ID_k ∈ S.
The revocation algorithm is executed by the user with identity ID_{k-1} to revoke ID_k. On input the revocation list (formula image) saved by ID_{k-1}, the identity ID_k to be revoked and the time T, it outputs an updated revocation list (formula image).
It should be noted that the mathematical basis required for the above implementation is as follows:
(1) Bilinear group:
Let p be a large prime and let G and G_T be two cyclic groups of order p. Let g be a generator of G and let e: G × G → G_T be a bilinear map. If e satisfies the following properties, we call (G, G_T) a bilinear group:
① Bilinearity: for all u, v ∈ G and a, b ∈ Z_p, e(u^a, v^b) = e(u, v)^{ab} = e(u^b, v^a);
② Non-degeneracy: e(g, g) ≠ 1;
③ Computability: for u, v ∈ G, the group operation in G and the map e(u, v) can be computed efficiently.
(2) Bilinear Diffie-Hellman (BDH) assumption:
Let G and G_T be two bilinear groups of order q and let e: G × G → G_T. The BDH problem is as follows: choose a generator g of G; given (g, g^a, g^b, g^c), compute e(g, g)^{abc}, where a, b, c are chosen at random from Z_q [9]. An algorithm A has advantage ε in solving BDH if
Pr[A(g, g^a, g^b, g^c) = e(g, g)^{abc}] ≥ ε,
where the probability is over the random choice of g, a, b, c and the random bits used by A.
Definition 1. If no algorithm solves the BDH problem within polynomial time t with advantage at least ε, the (t, ε)-BDH assumption is said to hold in G.
An algorithm B that outputs a bit b ∈ {0, 1} has advantage ε in solving the decisional BDH problem if
|Pr[B(g, g^a, g^b, g^c, e(g, g)^{abc}) = 0] − Pr[B(g, g^a, g^b, g^c, Z) = 0]| ≥ ε,
where the probability is over the random choice of g, a, b, c, the random bits used by B and the random choice of Z ∈ G_T.
Definition 2. If no algorithm solves the decisional BDH problem within polynomial time t with advantage at least ε, the (t, ε)-decisional BDH assumption is said to hold in G.
(3) Subset cover revocation framework:
Naor et al. proposed the subset cover revocation framework, of which the complete subtree (CS) and subset difference (SD) methods are the instantiations used in practice. The present document mainly uses CS-based revocation. Given the binary tree BT, the current time T and the revocation list RL, the algorithm outputs a set of nodes that covers exactly the users not revoked before time T. More importantly, this set minimises the number of nodes whose keys must be updated, and that number is logarithmic in the number of users.
Let v denote a non-leaf node, and let v_L (v_R) denote the left (right) child of v. As shown in fig. 3, each user is assigned a leaf node of the binary tree BT and, if revoked at time T, is added to the revocation list RL as the pair (v, T). Path(v) denotes the set of nodes on the path from v up to the root. The KUNode(BT, RL, T) function is defined as follows:
KUNode(BT, RL, T):
    X, Y ← ∅
    ∀(v_i, T_i) ∈ RL: if T_i ≤ T then add Path(v_i) to X
    ∀x ∈ X (x non-leaf): if x_L ∉ X then add x_L to Y; if x_R ∉ X then add x_R to Y
    if Y = ∅ then add root to Y
    Return Y
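As an added example that is not part of the patent, the following Python implements the KUNode function of the CS framework described above over a heap-numbered perfect binary tree, together with the check a receiver performs on a key update: a user holds key material for every node on Path(leaf) and can decrypt at time T exactly when one of those nodes is in KUNode(BT, RL, T), which is never the case for a user revoked at or before T. The node numbering, the sample revocation list and the helper names are assumptions of this example.

```python
# Added example (not from the patent): KUNode of the complete-subtree (CS)
# revocation framework over a perfect binary tree.
# Nodes are numbered heap-style: root = 1, children of v are 2v and 2v+1,
# leaves are N .. 2N-1 for N = 2**depth. Each user owns one leaf and holds
# key material for every node on Path(leaf); the key-update message for
# time T carries material for exactly the nodes in KUNode(BT, RL, T).

from typing import Optional


def path(v: int) -> set[int]:
    """Path(v): all nodes from v up to and including the root (node 1)."""
    nodes: set[int] = set()
    while v >= 1:
        nodes.add(v)
        v //= 2
    return nodes


def kunode(depth: int, rl: list[tuple[int, int]], t: int) -> set[int]:
    """KUNode(BT, RL, T) for a perfect binary tree with 2**depth leaves.

    rl is the revocation list as (leaf, revocation_time) pairs. Returns the
    set Y of nodes whose subtrees together cover exactly the leaves that are
    not revoked at or before time t.
    """
    n_leaves = 2 ** depth
    root = 1
    x: set[int] = set()
    y: set[int] = set()
    # X: every node on the path of every leaf revoked at or before t
    for v_i, t_i in rl:
        if t_i <= t:
            x |= path(v_i)
    # Y: children of X-nodes that are not themselves in X
    for node in x:
        if node >= n_leaves:  # a leaf has no children
            continue
        left, right = 2 * node, 2 * node + 1
        if left not in x:
            y.add(left)
        if right not in x:
            y.add(right)
    if not y:  # nobody revoked yet: one update for the whole tree
        y.add(root)
    return y


def covering_node(leaf: int, y: set[int]) -> Optional[int]:
    """The node of Path(leaf) present in the key update, or None when the
    user is revoked (no node on its path was updated)."""
    hits = path(leaf) & y
    # The CS cover partitions the non-revoked leaves, so at most one hit.
    assert len(hits) <= 1
    return next(iter(hits), None)


# Constructed sample: depth 3, eight users at leaves 8..15. Leaf 8 is
# revoked at time 1, leaf 13 at time 2 and leaf 10 at time 5.
SAMPLE_RL = [(8, 1), (13, 2), (10, 5)]


def demo(t: int) -> dict:
    """Key-update node set and per-user decryptability at time t."""
    y = kunode(3, SAMPLE_RL, t)
    return {
        "update_nodes": sorted(y),
        "decryptable": {leaf: covering_node(leaf, y) for leaf in range(8, 16)},
    }


if __name__ == "__main__":
    for t in (0, 3, 5):
        print(t, demo(t))
```

At time 3 the two revoked leaves 8 and 13 force X = {1, 2, 3, 4, 6, 8, 13}, so the update covers the four nodes {5, 7, 9, 12}: six users each find exactly one of their path nodes there, while leaves 8 and 13 find none. With no revocations before T the update is the single root node, which every path contains.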
According to the revocable hierarchical identity-based broadcast encryption method provided by the embodiment of the invention, a specific RIBBE scheme is constructed on a prime order bilinear group so that revocation and encryption performance are good; an IND-sBRIVS-CPA secure RIBBE scheme is constructed, effective revocation is performed on the initial bilinear group, and an unbounded version of the scheme is proved to be IND-sBRIVS-CPA secure.
Next, a proposed revocable hierarchical identity-based broadcast encryption system according to an embodiment of the present invention is described with reference to the accompanying drawings.
Fig. 4 is a schematic structural diagram of a revocable hierarchical identity-based broadcast encryption system according to an embodiment of the present invention.
As shown in fig. 4, the revocable hierarchical identity-based broadcast encryption system 10 includes a determining module 100, a building module 200 and a proving module 300.
The determining module 100 is configured to obtain, for RHIBBE, the indistinguishability of ciphertexts under a selectively bounded revocable identity vector set and a chosen plaintext attack, so as to determine the security concept. The building module 200 is configured to construct an RHIBBE scheme on a prime order bilinear group, to encrypt to the broadcast identity vector set in the RHIBBE in the same way as to a single identity vector in HIBE, and to eliminate redundant identities in the identity vector set when decrypting, so that a ciphertext is decrypted by the corresponding decryption key, thereby completing the construction of the RHIBBE scheme. The proving module 300 is configured to prove the IND-sBRIVS-CPA security of the RHIBE scheme under the decisional wBDHI assumption. The system 10 of the embodiment of the invention constructs a specific RIBBE scheme and an IND-sBRIVS-CPA secure RIBBE scheme on the prime order bilinear group, so that the RIBBE has good revocation and encryption performance and revocation is performed effectively on the initial bilinear group.
Further, in one embodiment of the invention, in the security concept an attacker declares the set of identity vectors to be attacked and performs private key queries under preset limits, wherein the order of the identity vector sets queried by the attacker is bounded and the attacker cannot distinguish which plaintext was encrypted to the selected set of identity vectors; this captures the attack on RIBBE.
Further, in an embodiment of the present invention, the method may further include: restricting the public parameters related to the total number of users in the RIBBE scheme, so that the elements in the broadcast identity vector set are ordered, in order to avoid attacks.
Further, in one embodiment of the invention, the set of target identity vectors selected for attack is bounded.
Further, in one embodiment of the present invention, the RIBBE scheme is proven indistinguishable under a selectively revocable set of identity vectors and a statically chosen plaintext attack, the attack model capturing the most realistic type of attack.
It should be noted that the foregoing explanation of the revocable hierarchical identity-based broadcast encryption method embodiment is also applicable to the system of this embodiment, and details are not described here.
According to the revocable hierarchical identity-based broadcast encryption system provided by the embodiment of the invention, a specific RIBBE scheme is constructed on a prime order bilinear group so that the system has good revocation and encryption performance; an IND-sBRIVS-CPA secure RIBBE scheme is constructed, effective revocation is performed on the initial bilinear group, and an unbounded version of the scheme is proved to be IND-sBRIVS-CPA secure.
Furthermore, the terms "first" and "second" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature. In the description of the present invention, "a plurality" means at least two, e.g., two, three, etc., unless specifically limited otherwise.
In the description herein, references to the description of the term "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, the schematic representations of the terms used above are not necessarily intended to refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Furthermore, various embodiments or examples and features of different embodiments or examples described in this specification can be combined and combined by one skilled in the art without contradiction.
Although embodiments of the present invention have been shown and described above, it is understood that the above embodiments are exemplary and should not be construed as limiting the present invention, and that variations, modifications, substitutions and alterations can be made to the above embodiments by those of ordinary skill in the art within the scope of the present invention.

Claims (8)

1. A revocable hierarchical identity based broadcast encryption method, comprising the steps of:
obtaining, for revocable hierarchical identity-based broadcast encryption RHIBE, the indistinguishability of ciphertexts under a selectively bounded revocable identity vector set and a chosen plaintext attack, to determine a security concept;
constructing an RIBBE scheme on a prime order bilinear group, taking a broadcast identification vector set in the RIBBE as a single identification vector in identity-based hierarchical encryption HIBE to perform encryption, and eliminating redundant identities in an identity vector set when decrypting to ensure that a ciphertext is decrypted by a corresponding decryption key so as to finish constructing the RIBBE scheme;
proving that the RIBBE scheme is based on the selected plaintext attack IND-sBRIVS-CPA security of the decision weak bilinear function wBDHI hypothesis to prove the security of the RIBBE scheme; and
restricting a public parameter related to the total number of users in the RHIBE scheme, so as to order the elements in the broadcast identification vector set and avoid an attack.
2. The revocable hierarchical identity based broadcast encryption method according to claim 1, characterized in that in the security concept an attacker declares the identity vector set to be attacked and performs private key queries under preset limits, wherein the order of the identity vector set of the attacker queries is bounded and it is not possible to distinguish which clear text is encrypted by the selected identity vector set to capture the attack on RIBBE.
3. A revocable hierarchical identity based broadcast encryption method according to claim 1 characterised in that the set of target identity vectors selected for attack is bounded.
4. The revocable hierarchical identity based broadcast encryption method according to claim 3, characterized in that the RIBBE scheme is proven indistinguishable under a set of selectively revocable identity vectors and a statically chosen plaintext attack, the attack model capturing the most realistic attack type.
5. A revocable hierarchical identity based broadcast encryption system comprising:
the determining module is used for obtaining, for revocable hierarchical identity-based broadcast encryption RHIBE, the indistinguishability of ciphertexts under a selectively bounded revocable identity vector set and a chosen plaintext attack, so as to determine a security concept;
the building module is used for building an RIBBE scheme on the prime order bilinear group, taking a broadcast identification vector set in the RIBBE as a single identification vector in identity-based hierarchical encryption HIBE to perform encryption, and eliminating redundant identities in the identity vector set when decrypting to ensure that a ciphertext is decrypted by a corresponding decryption key so as to finish building the RIBBE scheme;
and the proving module is used for proving that the RIBBE scheme is IND-sBRIVS-CPA secure under the decision weak bilinear function wBDHI hypothesis, so as to prove the security of the RIBBE scheme, and for restricting public parameters related to the total number of users in the RIBBE scheme so that the elements in the broadcast identification vector set are ordered, in order to avoid attacks.
6. A revocable hierarchical identity based broadcast encryption system according to claim 5 characterised in that in the security concept an attacker declares the set of identity vectors to be attacked and makes private key queries under preset limits, where the order of the set of identity vectors of the attacker queries is bounded and it is not possible to distinguish which clear text is encrypted by the selected set of identity vectors to capture the attack on RHIBE.
7. A revocable hierarchical identity based broadcast encryption system according to claim 5 characterised in that the set of target identity vectors selected for attack is bounded.
8. The revocable hierarchical identity based broadcast encryption system according to claim 7, characterized in that the RIBBE scheme is proven indistinguishable under a set of selectively revocable identity vectors and a statically chosen plaintext attack, the attack model capturing the most realistic attack type.
CN201810835912.9A 2018-07-26 2018-07-26 Revocable broadcast encryption method and system based on hierarchical identity Active CN109067520B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810835912.9A CN109067520B (en) 2018-07-26 2018-07-26 Revocable broadcast encryption method and system based on hierarchical identity

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810835912.9A CN109067520B (en) 2018-07-26 2018-07-26 Revocable broadcast encryption method and system based on hierarchical identity

Publications (2)

Publication Number Publication Date
CN109067520A CN109067520A (en) 2018-12-21
CN109067520B true CN109067520B (en) 2020-06-05

Family

ID=64836686

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810835912.9A Active CN109067520B (en) 2018-07-26 2018-07-26 Revocable broadcast encryption method and system based on hierarchical identity

Country Status (1)

Country Link
CN (1) CN109067520B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1489847A (en) * 2001-01-26 2004-04-14 [assignee name garbled in source] Method for broadcast encryption and key withdrawal of status-less receiver
CN101707524A (en) * 2009-01-09 2010-05-12 北京大学 Method for encrypting public key broadcasts with hierarchical relationship
CN103986574A (en) * 2014-05-16 2014-08-13 北京航空航天大学 Hierarchical identity-based broadcast encryption method
CN104135473A (en) * 2014-07-16 2014-11-05 北京航空航天大学 A method for realizing identity-based broadcast encryption by ciphertext-policy attribute-based encryption
CN106130992A (en) * 2016-06-30 2016-11-16 北京航空航天大学 The level identity base encipherment scheme of attack is opened in anti-selection

Non-Patent Citations (5)

* Cited by examiner, † Cited by third party
Title
"Hierarchical Identity-Based Broadcast Encryption"; Weiran Liu et al.; Springer (Information Security and Privacy); 2014-07-09; pp. 242-257 *
"Recipient Revocable Identity-Based Broadcast Encryption"; Willy Susilo et al.; ASIA CCS'16; 2016-06-03; pp. 201-210, abstract and sections 1-3 *
"Attribute-Based Encryption Scheme with Hierarchical Authorities"; 艾倩颖 et al.; Journal of Wuhan University (Natural Science Edition); 2014-09-04; Vol. 60, No. 5, pp. 441-446 *
"Blockchain-Based Key Update and Trusted Positioning System"; 李大伟 et al.; Journal of Cryptologic Research; 2018-02-15; Vol. 5, No. 1, pp. 35-42 *
"Chosen-Ciphertext Secure Identity-Based Broadcast Encryption Scheme"; 刘潇 et al.; Journal of Cryptologic Research; 2015-02-15; Vol. 2, No. 1, pp. 66-76 *

Also Published As

Publication number Publication date
CN109067520A (en) 2018-12-21

Similar Documents

Publication Publication Date Title
Liu et al. Practical attribute-based encryption: traitor tracing, revocation and large universe
Horváth Attribute-based encryption optimized for cloud computing
Lee et al. Self-updatable encryption: Time constrained access control with hidden attributes and better efficiency
US10411885B2 (en) Method and system for group-oriented encryption and decryption with selection and exclusion functions
Xie et al. New ciphertext-policy attribute-based access control with efficient revocation
Zu et al. New ciphertext-policy attribute-based encryption with efficient revocation
CN110505062B (en) Dynamic elliptic curve encryption method applied to alliance chain
Ming et al. Efficient revocable multi-authority attribute-based encryption for cloud storage
Yao et al. A novel revocable and identity-based conditional proxy re-encryption scheme with ciphertext evolution for secure cloud data sharing
Ishida et al. CCA-secure revocable identity-based encryption schemes with decryption key exposure resistance
Liu et al. Dynamic attribute-based access control in cloud storage systems
Doshi et al. Constant ciphertext length in multi-authority ciphertext policy attribute based encryption
CN106169996A (en) Multi-area optical network key management method based on key hypergraph and identification cipher
Zhang et al. Multi‐authority attribute‐based encryption scheme with constant‐size ciphertexts and user revocation
FU et al. Secure personal data sharing in cloud computing using attribute-based broadcast encryption
Li et al. Revocable hierarchical identity-based broadcast encryption
Lv et al. A secure and efficient revocation scheme for fine-grained access control in cloud storage
Hong et al. A key-insulated CP-ABE with key exposure accountability for secure data sharing in the cloud
Ishida et al. Constructions of CCA-secure revocable identity-based encryption
Ma et al. Directly Revocable and Verifiable Key-Policy Attribute-based Encryption for Large Universe.
Pareek et al. Provably secure group key management scheme based on proxy re-encryption with constant public bulletin size and key derivation time
CN109067520B (en) Revocable broadcast encryption method and system based on hierarchical identity
Touati et al. Instantaneous proxy-based key update for cp-abe
Chen et al. Generic user revocation systems for attribute-based encryption in cloud storage
Balu et al. Ciphertext-policy attribute-based encryption with user revocation support

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant