CN110677238B - Broadcast encryption method and device - Google Patents

Publication number: CN110677238B
Application number: CN201910181445.7A
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN110677238A
Inventors: 程朝辉, 杨海峰
Original and current assignee: Shenzhen Aolian Information Security Technology Co ltd
Legal status: Active

Classifications

    • H04L 9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L 9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L 9/0866 Generation of secret information involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
    • H04L 9/0869 Generation of secret information involving random numbers or seeds
    • H04L 9/3226 Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication, using a predetermined code, e.g. password, passphrase or PIN
    • H04W 12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H04W 4/06 Selective distribution of broadcast services, e.g. multimedia broadcast multicast service [MBMS]; Services to user groups; One-way selective calling services


Abstract

Embodiments of the invention provide a broadcast encryption method and device in the field of communications. The key generation center generates the system parameters params, the master key $s$ and the master public key mpk according to the SM9 algorithm; from params, $s$, mpk and the identifier $ID_b$ of any receiving end it generates the identity private key $sk_{ID}$ and sends $sk_{ID}$ to the corresponding receiving end. The sending end generates a session key encapsulation ciphertext $CT_{KEM}$ and a data encapsulation ciphertext $CT_{DEM}$ from params, mpk, the receiver identity set ID, the label L and the plaintext Msg, and forms the ciphertext CT from $CT_{KEM}$ and $CT_{DEM}$. When there are multiple receiving ends the computation overhead is reduced while the scheme remains fully compatible with the SM9 encryption algorithm, so existing SM9 facilities (key generation, data encapsulation and so on) can be reused and the hardware cost is reduced.

Description

Broadcast encryption method and device
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a broadcast encryption method and a broadcast encryption apparatus.
Background
Broadcast encryption is an encryption scheme that enables one-to-many secure communications over insecure channels. In a general broadcast encryption system, a broadcaster broadcasts encrypted information to users in the system, any user can obtain the encrypted information by monitoring the broadcast, and only users in an authorized user set can decrypt a broadcast ciphertext by using a private key of the user to recover corresponding plaintext information.
The SM9-IBE algorithm is part of the Chinese cryptographic standard "Identity-based cryptographic algorithm SM9". It is used in many applications, such as financial data protection, mail protection, message encryption in the Internet of Things and data encryption in the cloud. However, one SM9-IBE encryption operation can only encrypt data to a single recipient. For broadcast encryption, which must encrypt data to multiple recipients, the SM9-IBE algorithm requires a longer ciphertext and has a high computation cost.
Disclosure of Invention
In view of the above problems, embodiments of the present invention are proposed to provide a broadcast encryption method and a corresponding broadcast encryption apparatus that overcome or at least partially solve the above problems.
In order to solve the above problem, an embodiment of the present invention discloses a broadcast encryption method, including:
the key generation center generates the system parameters params, the master key $s$ and the master public key mpk according to the SM9 algorithm and publishes params and mpk; specifically, the key generation center obtains the maximum number $u$ of receiving ends of a single broadcast encryption; selects three groups $G_1, G_2, G_3$ of prime order $p$ and a bilinear pairing $e: G_1 \times G_2 \to G_3$; randomly selects a generator $Q_1$ of $G_1$ and a generator $Q_2$ of $G_2$; randomly selects the master key $s \in \mathbb{Z}_p^*$ and computes $R_1 = sQ_1, \dots, R_u = s^uQ_1$ and $W = s^2Q_2$ (when $u = 1$, $W$ is not computed); precomputes $J = e(R_1, Q_2)$; and forms the system parameters params $= \langle Q_1, Q_2, G_1, G_2, G_3, e, p \rangle$, the master key $s$ and the master public key mpk $= (R_1, \dots, R_u, J, W)$;
the key generation center generates an identity private key $sk_{ID}$ from the system parameters params, the master key $s$, the master public key mpk and the identifier $ID_b$ of any receiving end, and sends $sk_{ID}$ to the corresponding receiving end;
the sending end generates a session key encapsulation ciphertext $CT_{KEM}$ and a data encapsulation ciphertext $CT_{DEM}$ from params, mpk, the receiver identity set ID, the label L and the plaintext Msg;
the sending end generates the ciphertext CT from $CT_{KEM}$ and $CT_{DEM}$; specifically, it concatenates $CT_{KEM}$ and $CT_{DEM}$ to form CT; when the number of receiving ends is greater than 1 and at most $u$, the length of the ciphertext CT stays unchanged;
the receiving end receives the ciphertext CT and parses it using the corresponding identity private key $sk_{ID}$, the identity set ID, the label L and the system parameters params to recover the plaintext Msg.
In a preferred embodiment, the key generation center generating the identity private key $sk_{ID}$ from params, the master key $s$, mpk and the identifier $ID_b$ of any receiving end comprises the following steps:
the key generation center derives $M = H_1(ID_b \| \mathrm{0x03}, p)$ using the function $H_1$ specified in the SM9 standard;
checks whether $M + s \equiv 0 \pmod p$; if so, outputs "error" and stops;
otherwise computes $t = (M + s)^{-1} \cdot s \bmod p$;
and computes $sk_{ID} = tQ_2$ from $t$.
In a preferred embodiment, the sending end generating the session key encapsulation ciphertext $CT_{KEM}$ and the data encapsulation ciphertext $CT_{DEM}$ from params, mpk, the receiver identity set ID, the label L and the plaintext Msg comprises the following steps:
the sending end generates a session key K and the session key encapsulation ciphertext $CT_{KEM}$ using the session key encapsulation mechanism KEM;
and the sending end generates the data encapsulation ciphertext $CT_{DEM}$ using the data encapsulation mechanism DEM.
In a preferred embodiment, the step of generating the session key K and $CT_{KEM}$ and the step of recovering the plaintext Msg each include a multi-term point multiplication sum, which is computed as follows:
dividing the point multiplication sum into at least two groups, each group being evaluated with a multi-exponentiation (multi-scalar multiplication) algorithm to obtain its partial sum;
and adding the partial sums of the at least two groups to obtain the result of the point multiplication sum.
In order to solve the above problem, an embodiment of the present invention discloses a broadcast encryption apparatus, including:
the first generation module, located in the key generation center, for generating the system parameters params, the master key $s$ and the master public key mpk according to the SM9 algorithm and publishing params and mpk; specifically, the first generation module includes: an acquisition submodule for obtaining the maximum number $u$ of receiving ends of a single broadcast encryption; a selection submodule for selecting three groups $G_1, G_2, G_3$ of prime order $p$ and a bilinear pairing $e: G_1 \times G_2 \to G_3$; a first random selection submodule for randomly selecting a generator $Q_1$ of $G_1$ and a generator $Q_2$ of $G_2$; a second random selection submodule for randomly selecting the master key $s \in \mathbb{Z}_p^*$ and computing $R_1 = sQ_1, \dots, R_u = s^uQ_1$ and $W = s^2Q_2$, where $W$ is not computed when $u = 1$; a precomputation module for precomputing $J = e(R_1, Q_2)$; and a first generation submodule for forming the system parameters params $= \langle Q_1, Q_2, G_1, G_2, G_3, e, p \rangle$, the master key $s$ and the master public key mpk $= (R_1, \dots, R_u, J, W)$;
a second generating module, located in the key generation center, for generating an identity private key $sk_{ID}$ from params, the master key $s$, mpk and the identifier $ID_b$ of any receiving end, and sending $sk_{ID}$ to the corresponding receiving end;
a third generating module, located at the sending end, for generating a session key encapsulation ciphertext $CT_{KEM}$ and a data encapsulation ciphertext $CT_{DEM}$ from params, mpk, the receiver identity set ID, the label L and the plaintext Msg;
a fourth generating module, located at the sending end, for generating the ciphertext CT from $CT_{KEM}$ and $CT_{DEM}$; specifically, the fourth generating module includes an encryption submodule for concatenating $CT_{KEM}$ and $CT_{DEM}$ into the ciphertext CT; when the number of receiving ends is greater than 1 and at most $u$, the length of CT stays unchanged;
a decryption module, located at the receiving end, for receiving the ciphertext CT and parsing it using the corresponding identity private key $sk_{ID}$, the identity set ID, the label L and the system parameters params to recover the plaintext Msg.
In a preferred embodiment, the second generating module includes:
a derivation submodule for deriving $M = H_1(ID_b \| \mathrm{0x03}, p)$ using the function $H_1$ specified in the SM9 standard;
a judgment submodule for checking whether $M + s \equiv 0 \pmod p$, outputting "error" and stopping if so, and otherwise computing $t = (M + s)^{-1} \cdot s \bmod p$;
an identity key generation submodule for computing $sk_{ID} = tQ_2$ from $t$.
In a preferred embodiment, the third generating module includes:
a session key encapsulation submodule for generating a session key K and the session key encapsulation ciphertext $CT_{KEM}$ using the session key encapsulation mechanism KEM;
a data encapsulation submodule for generating the data encapsulation ciphertext $CT_{DEM}$ using the data encapsulation mechanism DEM.
Compared with the prior art, the embodiment of the invention has the following beneficial effects: the key generation center generates the system parameters params, the master key $s$ and the master public key mpk according to the SM9 algorithm, and then generates the identity private key $sk_{ID}$ from the identifier $ID_b$ of any receiving end; the sending end uses a session key encapsulation mechanism and a data encapsulation mechanism to generate the session key encapsulation ciphertext $CT_{KEM}$ and the data encapsulation ciphertext $CT_{DEM}$, and finally concatenates $CT_{KEM}$ and $CT_{DEM}$ into the ciphertext. Encryption security is ensured, and the ciphertext length does not grow with the number of receiving ends, so with multiple receiving ends the computation overhead is reduced; at the same time the scheme is fully compatible with the SM9 algorithm, so existing SM9 facilities (key generation, data encapsulation and so on) can be reused and the hardware cost is reduced.
Drawings
FIG. 1 is a flow chart of the steps of one embodiment of a broadcast encryption method of the present invention;
FIG. 2 is a flow chart of the steps of one embodiment of a broadcast encryption method of the present invention;
FIG. 3 is a flow chart of the steps of one embodiment of a broadcast encryption method of the present invention;
FIG. 4 is a flow chart of the steps of one embodiment of a broadcast encryption method of the present invention;
fig. 5 is a block diagram of a broadcast encryption apparatus according to an embodiment of the present invention;
fig. 6 is a block diagram of a broadcast encryption apparatus according to an embodiment of the present invention;
fig. 7 is a block diagram of a broadcast encryption apparatus according to an embodiment of the present invention;
fig. 8 is a block diagram of a broadcast encryption apparatus according to an embodiment of the present invention.
Detailed Description
In order to make the aforementioned objects, features and advantages of the present invention comprehensible, embodiments accompanied with figures are described in further detail below.
Referring to fig. 1, an embodiment of the present invention provides a broadcast encryption method, including the following steps:
S01, the key generation center generates the system parameters params, the master key $s$ and the master public key mpk according to the SM9 algorithm, and publishes params and mpk;
S02, the key generation center generates an identity private key $sk_{ID}$ from params, $s$, mpk and the identifier $ID_b$ of any receiving end, and sends $sk_{ID}$ to the corresponding receiving end;
S03, the sending end generates a session key encapsulation ciphertext $CT_{KEM}$ and a data encapsulation ciphertext $CT_{DEM}$ from params, mpk, the receiver identity set ID, the label L and the plaintext Msg;
S04, the sending end generates the ciphertext CT from $CT_{KEM}$ and $CT_{DEM}$.
As for step S01, in which the key generation center generates the system parameters params, the master key $s$ and the master public key mpk according to the SM9 algorithm and publishes params and mpk: the key generation center is a trusted authority responsible for generating params, $s$ and mpk. Both the sending end and the receiving end can obtain params and mpk; the master key $s$ is kept at the key generation center. params, $s$ and mpk are generated according to the SM9 algorithm so as to be fully compatible with SM9.
Referring to fig. 2, the step S01 includes the following sub-steps:
S101, obtain the maximum number $u$ of receiving ends of a single broadcast encryption;
S102, select three groups $G_1, G_2, G_3$ of prime order $p$ and a bilinear pairing $e: G_1 \times G_2 \to G_3$;
S103, randomly select a generator $Q_1$ of $G_1$ and a generator $Q_2$ of $G_2$;
S104, randomly select the master key $s \in \mathbb{Z}_p^*$ and compute $R_1 = sQ_1, \dots, R_u = s^uQ_1$ and $W = s^2Q_2$; when $u = 1$, $W$ is not computed;
S105, precompute $J = e(R_1, Q_2)$;
S106, form the system parameters params $= \langle Q_1, Q_2, G_1, G_2, G_3, e, p \rangle$, the master key msk $= s$ and the master public key mpk $= (R_1, \dots, R_u, J, W)$.
In step S02, the key generation center generates an identity private key $sk_{ID}$ from the system parameters params, the master key $s$, the master public key mpk and the identifier $ID_b$ of any receiving end, and sends $sk_{ID}$ to the corresponding receiving end; the identifier $ID_b$ determines a unique receiving end.
Referring to fig. 3, the step S02 includes the following sub-steps:
S201, derive $M = H_1(ID_b \| \mathrm{0x03}, p)$ using the function $H_1$ specified in the SM9 standard;
S202, check whether $M + s \equiv 0 \pmod p$; if so, output "error" and stop; otherwise compute $t = (M + s)^{-1} \cdot s \bmod p$;
S203, compute $sk_{ID} = tQ_2$ from $t$.
To make sure the identity private key $sk_{ID}$ is correct, it can be verified by the following steps:
derive $M = H_1(ID_b \| \mathrm{0x03}, p)$ using the function $H_1$ specified in the SM9 standard;
compute $T = e(MQ_1 + R_1, sk_{ID})$;
if $T = J$, output "valid", otherwise output "invalid".
In step S03, the sending end generates a session key encapsulation ciphertext $CT_{KEM}$ and a data encapsulation ciphertext $CT_{DEM}$ from the system parameters params, the master public key mpk, the receiver identity set ID, the label L and the plaintext Msg. The identity set ID of the receiving ends is the set of identifiers of all receiving ends; the plaintext Msg is the plaintext the sending end intends to send, and the session key encapsulation ciphertext $CT_{KEM}$ is the encapsulation of the session key K used to encrypt the message.
Referring to fig. 4, the step S03 includes the following sub-steps:
S301, the sending end generates a session key K and a session key encapsulation ciphertext $CT_{KEM}$ from the system parameters params, the master public key mpk and the receiver identity set ID using the session key encapsulation mechanism KEM.Enc; $CT_{KEM}$ is sent to the receiving end.
S302, the sending end generates the data encapsulation ciphertext $CT_{DEM}$ using the data encapsulation mechanism DEM.Enc.
KEM.Enc takes the receiver identity set ID $= (ID_1, \dots, ID_t)$ with $t \le u$, the master public key mpk and the system parameters params as input and outputs $\langle K, CT_{KEM} \rangle$; the concrete steps are:
select a random integer $r \in \mathbb{Z}_p^*$;
for each $ID_j$ compute $M_j = H_1(ID_j \| \mathrm{0x03}, p)$;
compute $X$ and $C_1 = rX$. $X$ is computed as follows: first compute the coefficients $(cf_0, cf_1, \dots, cf_t)$ of the polynomial $\prod_{j=1}^{t}(x + M_j) = cf_0 + cf_1 x + \dots + cf_t x^t$ (lowest-degree coefficient first), then compute $X = cf_0 Q_1 + cf_1 R_1 + \dots + cf_t R_t$; since $R_k = s^k Q_1$, this gives $X = \prod_{j=1}^{t}(M_j + s)\,Q_1$;
compute $C_2 = (-r)W$;
$B = J^r$;
$K = \mathrm{KDF}(\mathrm{EC2OSP}(C_1) \| \mathrm{EC2OSP}(C_2) \| \mathrm{FE2OSP}(B) \| \mathrm{I2OSP}(cf_0), klen)$, where klen is the bit length required for the session key, EC2OSP converts an elliptic curve point to a byte string, FE2OSP converts a field element to a byte string, I2OSP converts an integer to a byte string, and KDF is the key derivation function specified in the SM9 standard;
$CT_{KEM} = \mathrm{EC2OSP}(C_1) \| \mathrm{EC2OSP}(C_2)$.
When $u = 1$, $CT_{KEM}$ has no ciphertext component $C_2$, and $K = \mathrm{KDF}(\mathrm{EC2OSP}(C_1) \| \mathrm{FE2OSP}(B) \| ID, klen)$.
The computation of $X$ involves a multi-term point multiplication sum, which can preferably be accelerated as follows: divide the sum into at least two groups, evaluate each group with a multi-exponentiation (multi-scalar multiplication) algorithm to obtain its partial sum, and add the partial sums of the groups to obtain the result. For example, to compute $X = cf_0 Q_1 + cf_1 R_1 + \dots + cf_t R_t$, starting from the first term every 6 adjacent point multiplications form one group, giving $n + 1$ groups in total: $cf_0 Q_1 + cf_1 R_1 + \dots + cf_5 R_5$; $cf_6 R_6 + \dots + cf_{11} R_{11}$; $\dots$; $cf_{6n} R_{6n} + \dots + cf_t R_t$. The partial sums of the $n + 1$ groups are then added to obtain the final result $X$, which reduces the computational difficulty and increases the computation speed.
DEM.Enc takes the session key K, the label L and the plaintext Msg as input and outputs the data encapsulation ciphertext $CT_{DEM}$; the concrete steps are:
parse K as $K = K_1 \| K_2$ with $\mathrm{BITS}(K_1) = \mathrm{BITS}(\mathrm{Msg})$, that is, the bit length of the byte string $K_1$ equals the bit length of the byte string Msg;
$C_2 = \mathrm{Msg} \oplus K_1$ (this $C_2$ of the DEM is a byte string distinct from the KEM component $C_2 = (-r)W$);
$C_3 = H(C_2 \| K_2)$;
$CT_{DEM} = C_3 \| C_2$.
It should be noted that the data encapsulation mechanism DEM.Enc may also generate the data encapsulation ciphertext $CT_{DEM}$ using the block cipher mode specified in the SM9 encryption algorithm standard.
In step S04, the sending end generates the ciphertext CT from the session key encapsulation ciphertext $CT_{KEM}$ and the data encapsulation ciphertext $CT_{DEM}$.
The ciphertext CT is generated by concatenating $CT_{KEM}$ and $CT_{DEM}$.
When the number of receiving ends is greater than 1 and at most $u$, the length of the ciphertext CT stays unchanged.
In one embodiment, the broadcast encryption method further includes:
the receiving end receives the ciphertext CT and parses it using the corresponding identity private key $sk_{ID}$, the identity set ID, the label L and the system parameters params to recover the plaintext Msg. The concrete procedure is:
parse CT as $CT = CT_{KEM} \| CT_{DEM}$; if parsing fails, output "error" and stop;
otherwise compute $K = \mathrm{KEM.Dec}(\mathrm{params}, \mathrm{mpk}, ID, sk_{ID}, CT_{KEM})$;
then, using the K obtained above, compute $\mathrm{Msg} = \mathrm{DEM.Dec}(K, L, CT_{DEM})$.
KEM.Dec is the session key decapsulation mechanism; the concrete steps are:
parse $CT_{KEM}$: $(C_1, C_2) = \mathrm{OS2ECP}(CT_{KEM})$;
check whether $C_1 \in G_1$ and $C_2 \in G_2$;
if not, output "error" and stop;
otherwise compute $B_1 = e(C_1, sk_{ID})$;
assuming $ID_i$ is the decrypting party, compute PL as follows: first compute the coefficients $(cf'_0, cf'_1, \dots, cf'_{t-1})$ of the polynomial $\prod_{j=1, j \ne i}^{t}(x + M_j) = cf'_0 + cf'_1 x + \dots + cf'_{t-1} x^{t-1}$, then compute $PL = cf'_1 Q_1 + cf'_2 R_1 + \dots + cf'_{t-1} R_{t-2}$;
compute $M_i = H_1(ID_i \| \mathrm{0x03}, p)$ and $cf_0 = cf'_0 \cdot M_i$;
$B_2 = e(PL, C_2)$;
$B = (B_1 \cdot B_2)^{(cf'_0)^{-1} \bmod p}$; writing $P(s) = \prod_{j \ne i}(M_j + s)$, one has $B_1 = e(Q_1, Q_2)^{rsP(s)}$ and $B_2 = e(Q_1, Q_2)^{-rs(P(s) - cf'_0)}$, so $B_1 \cdot B_2 = e(Q_1, Q_2)^{rs \cdot cf'_0}$ and $B = e(Q_1, Q_2)^{rs} = J^r$, the same value the sending end used;
$K = \mathrm{KDF}(\mathrm{EC2OSP}(C_1) \| \mathrm{EC2OSP}(C_2) \| \mathrm{FE2OSP}(B) \| \mathrm{I2OSP}(cf_0), klen)$, where klen is the bit length required for the session key.
When $u = 1$, compute $B = B_1 = e(C_1, sk_{ID})$ and $K = \mathrm{KDF}(\mathrm{EC2OSP}(C_1) \| \mathrm{FE2OSP}(B) \| ID, klen)$.
The computation of PL likewise involves a multi-term point multiplication sum, which can be computed with the same grouping used for $X$ in step S301 to reduce the computational difficulty and increase the computation speed; this is not repeated here.
DEM.Dec is the data decapsulation mechanism; the concrete steps are:
parse $CT_{DEM}$ to obtain $CT_{DEM} = C_3 \| C_2$;
parse K to obtain $K = K_1 \| K_2$ with $\mathrm{BITS}(K_1) = \mathrm{BITS}(C_2)$;
compute $C'_3 = H(C_2 \| K_2)$ from $K_2$ and $C_2$;
check whether $C'_3$ and $C_3$ are equal; if not, output "error";
otherwise compute $\mathrm{Msg} = C_2 \oplus K_1$.
The receiving end has thus decrypted the ciphertext CT to obtain the plaintext Msg.
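The DEM.Enc and DEM.Dec steps, together with the splicing and parsing of $CT = CT_{KEM} \| CT_{DEM}$, as an added example that is not part of the patent: SHA-256 stands in for the SM9 hash H and for the hash inside KDF, the length of $K_2$ is an assumption, the label L (listed as a DEM input but not used in the listed steps) is omitted, and all byte strings are constructed.

```python
"""DEM side and ciphertext splicing of the scheme above.

CT_DEM = C3 || C2 with C2 = Msg XOR K1 and C3 = H(C2 || K2), and
CT = CT_KEM || CT_DEM.  SHA-256 stands in for the SM9 hash, and the SM9 KDF
is modelled with the same counter construction over SHA-256; the size of
K2 is an assumption (the page fixes only |K1| = |Msg|).  Example code, not
the patent's implementation.
"""
import hashlib
import hmac
from typing import Optional, Tuple

HASH_LEN = 32  # byte length of H output (SHA-256 stand-in)
K2_LEN = 32    # assumed byte length of the MAC key K2


def kdf(z: bytes, klen_bits: int) -> bytes:
    """Counter-mode KDF in the shape of the SM9 KDF: concat H(Z || ct), ct = 1, 2, ..."""
    out, ct = b"", 1
    while len(out) * 8 < klen_bits:
        out += hashlib.sha256(z + ct.to_bytes(4, "big")).digest()
        ct += 1
    return out[:(klen_bits + 7) // 8]


def session_key(c1: bytes, c2: bytes, b: bytes, cf0: int, klen_bits: int) -> bytes:
    """K = KDF(EC2OSP(C1) || EC2OSP(C2) || FE2OSP(B) || I2OSP(cf_0), klen),
    with the point and field-element serialisations supplied as byte strings."""
    return kdf(c1 + c2 + b + cf0.to_bytes(32, "big"), klen_bits)


def dem_enc(K: bytes, msg: bytes) -> bytes:
    """DEM.Enc: parse K = K1 || K2 with |K1| = |Msg|, C2 = Msg XOR K1, C3 = H(C2 || K2)."""
    if len(K) != len(msg) + K2_LEN:
        raise ValueError("error")  # K does not parse into K1 || K2
    K1, K2 = K[:len(msg)], K[len(msg):]
    C2 = bytes(m ^ k for m, k in zip(msg, K1))
    C3 = hashlib.sha256(C2 + K2).digest()
    return C3 + C2


def dem_dec(K: bytes, ct_dem: bytes) -> bytes:
    """DEM.Dec: split C3 || C2, check H(C2 || K2) == C3, then Msg = C2 XOR K1."""
    if len(ct_dem) < HASH_LEN:
        raise ValueError("error")
    C3, C2 = ct_dem[:HASH_LEN], ct_dem[HASH_LEN:]
    if len(K) != len(C2) + K2_LEN:
        raise ValueError("error")
    K1, K2 = K[:len(C2)], K[len(C2):]
    C3_check = hashlib.sha256(C2 + K2).digest()
    if not hmac.compare_digest(C3_check, C3):  # constant-time tag comparison
        raise ValueError("error")
    return bytes(c ^ k for c, k in zip(C2, K1))


def splice(ct_kem: bytes, ct_dem: bytes) -> bytes:
    """CT = CT_KEM || CT_DEM."""
    return ct_kem + ct_dem


def parse_ct(ct: bytes, kem_len: int) -> Tuple[bytes, bytes]:
    """Split CT positionally: CT_KEM has a fixed length whatever the receiver count."""
    if len(ct) < kem_len + HASH_LEN:
        raise ValueError("error")
    return ct[:kem_len], ct[kem_len:]


def try_decrypt(K: bytes, ct: bytes, kem_len: int) -> Optional[bytes]:
    """Receiver path once KEM.Dec has produced K: None wherever the page says 'error'."""
    try:
        _ct_kem, ct_dem = parse_ct(ct, kem_len)
        return dem_dec(K, ct_dem)
    except ValueError:
        return None


def demo() -> bool:
    """Constructed round trip plus two tampered ciphertexts that must be rejected."""
    ct_kem = bytes(range(64)) + bytes(range(128, 192))  # stand-in EC2OSP(C1) || EC2OSP(C2)
    b = hashlib.sha256(b"constructed FE2OSP(B)").digest()
    msg = b"broadcast payload for three receivers"
    K = session_key(ct_kem[:64], ct_kem[64:], b, 7986, 8 * (len(msg) + K2_LEN))
    ct = splice(ct_kem, dem_enc(K, msg))
    ok = try_decrypt(K, ct, len(ct_kem)) == msg
    flipped_body = bytearray(ct)
    flipped_body[-1] ^= 0x01            # flip a bit in the last byte of C2
    flipped_tag = bytearray(ct)
    flipped_tag[len(ct_kem)] ^= 0x80    # flip a bit in the first byte of C3
    rejected_body = try_decrypt(K, bytes(flipped_body), len(ct_kem)) is None
    rejected_tag = try_decrypt(K, bytes(flipped_tag), len(ct_kem)) is None
    return ok and rejected_body and rejected_tag
```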
The broadcast encryption method of this embodiment was compared with the SM9-IBE algorithm in terms of computation overhead and ciphertext expansion; the conclusions are as follows:
[Comparison table of computation overhead and ciphertext expansion against SM9-IBE; the table is an image in the source and its values are not reproduced here.]
In the embodiment provided by the invention, the key generation center generates the system parameters params, the master key $s$ and the master public key mpk according to the SM9 algorithm, and then generates the identity private key $sk_{ID}$ from the identifier $ID_b$ of any receiving end; the sending end uses a session key encapsulation mechanism and a data encapsulation mechanism to generate the session key encapsulation ciphertext $CT_{KEM}$ and the data encapsulation ciphertext $CT_{DEM}$, and finally concatenates $CT_{KEM}$ and $CT_{DEM}$ into the ciphertext. Encryption security is ensured and the ciphertext length does not grow with the number of receiving ends, so the computation overhead is reduced; at the same time the scheme is fully compatible with the SM9 algorithm, so existing SM9 facilities (key generation, data encapsulation and so on) can be reused and the hardware cost is reduced.
It should be noted that, for simplicity of description, the method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present invention is not limited by the illustrated order of acts, as some steps may occur in other orders or concurrently in accordance with the embodiments of the present invention. Further, those skilled in the art will appreciate that the embodiments described in the specification are presently preferred and that no particular act is required to implement the invention.
Referring to fig. 5, a block diagram of a broadcast encryption apparatus according to an embodiment of the present invention is shown, which may specifically include the following modules:
a first generating module 100, located at the key generation center, configured to generate the system parameters params, the master key s and the master public key mpk according to the SM9 algorithm, and to disclose the system parameters params and the master public key mpk;
a second generating module 200, located at the key generation center, configured to generate an identification private key sk_ID from the system parameters params, the master key s, the master public key mpk and the identification ID_b of any receiving end, and to send the identification private key sk_ID to the corresponding receiving end;
a third generating module 300, located at the sending end, configured to generate a session key encapsulation ciphertext CT_KEM and a data encapsulation ciphertext CT_DEM from the system parameters params, the master public key mpk, the identification set ID of the receiving ends, the label L and the plaintext Msg; the identification set ID of the receiving ends is the set of the identifications of all receiving ends;
a fourth generating module 400, located at the sending end, configured to generate the ciphertext CT from the session key encapsulation ciphertext CT_KEM and the data encapsulation ciphertext CT_DEM.
As for the first generating module 100, configured to generate the system parameters params, the master key s and the master public key mpk according to the SM9 algorithm and to disclose params and mpk: the key generation center is a trusted authority responsible for generating the system parameters params, the master key s and the master public key mpk. Both the sending end and the receiving end can obtain the system parameters params and the master public key mpk, while the master key s is kept in the key generation center. Generating params, s and mpk according to the SM9 algorithm achieves full compatibility with the SM9 algorithm.
Referring to fig. 6, the first generating module 100 includes the following sub-modules:
an obtaining submodule 101, configured to obtain the maximum number u of receiving ends for one broadcast encryption;
a selection submodule 102, configured to select three groups G_1, G_2, G_3 and a bilinear pairing e: G_1 × G_2 → G_3, where G_1, G_2 and G_3 all have prime order p;
a first random selection submodule 103, configured to randomly select a generator Q_1 of the group G_1 and a generator Q_2 of the group G_2;
a second random selection submodule 104, configured to randomly select the master key s from the group Z_p and compute R_1 = s·Q_1, ..., R_u = s^u·Q_1 and W = s^2·Q_2; when u = 1, W is not computed;
a pre-calculation submodule 105, configured to pre-compute J = e(R_1, Q_2);
a first generation submodule 106, configured to generate the system parameters params = <Q_1, Q_2, G_1, G_2, G_3, e, p>, the master key msk = s and the master public key mpk = (R_1, ..., R_u, J, W).
As for the second generating module 200, configured to generate the identification private key sk_ID from the system parameters params, the master key s, the master public key mpk and the identification ID_b of any receiving end, and to send the identification private key sk_ID to the corresponding receiving end: the identification ID_b of a receiving end uniquely determines that receiving end.
Referring to fig. 7, the second generation module 200 includes the following sub-modules:
a derivation submodule 201, configured to derive M = H_1(ID_b || 0x03, p) according to the function H_1 specified in the SM9 standard;
a judgment submodule 202, configured to judge whether M + s ≡ 0 mod p; if so, output an error and stop; otherwise compute t = (M + s)^(-1)·s mod p;
an identification key generation submodule 203, configured to compute sk_ID = t·Q_2.
In order that the identification private key sk_ID can be verified, the apparatus further comprises a verification module, which comprises:
a verification derivation submodule, which derives M = H_1(ID_b || 0x03, p) according to the function H_1 specified in the SM9 standard;
a verification computation submodule, which computes T = e(M·Q_1 + R, sk_ID);
a verification judgment submodule, which outputs 'valid' if T = J and 'invalid' otherwise.
As for the third generating module 300, configured to generate the session key encapsulation ciphertext CT_KEM and the data encapsulation ciphertext CT_DEM from the system parameters params, the master public key mpk, the identification set ID of the receiving ends, the label L and the plaintext Msg: the identification set ID of the receiving ends is the set of the identifications of all receiving ends; the plaintext Msg is the plaintext information that the sending end intends to send; and the session key encapsulation ciphertext CT_KEM is the encapsulation of the session key K that is used to encrypt the message.
Referring to fig. 8, the third generating module 300 includes the following sub-modules:
a session key encapsulation submodule 301, configured to generate a session key K and a session key encapsulation ciphertext CT_KEM using a session key encapsulation mechanism KEM.Enc from the system parameters params, the master public key mpk and the identification set ID of the receiving ends; the session key encapsulation ciphertext CT_KEM is sent to the receiving ends;
a data encapsulation submodule 302, configured to generate a data encapsulation ciphertext CT_DEM using a data encapsulation mechanism DEM.Enc.
KEM.Enc takes the identification set ID = (ID_1, ..., ID_t) of the receiving ends, where t ≤ u, the master public key mpk and the system parameters params as input, and outputs <K, CT_KEM>, i.e. the session key K and the session key encapsulation ciphertext CT_KEM.
The session key encapsulation submodule 301 comprises a first dot-product summation submodule and a second dot-product summation submodule, which together carry out a plurality of dot-product summation computations. Specifically, the first dot-product summation submodule divides each required dot-product summation into several parts, and each part is computed independently with a multi-exponentiation algorithm; the second dot-product summation submodule sums the results of all the independent parts to obtain the result of the dot-product summation.
DEM.Enc takes the session key K, the label L and the plaintext Msg as input and outputs the data encapsulation ciphertext CT_DEM.
The fourth generating module 400 is configured to generate the ciphertext CT from the session key encapsulation ciphertext CT_KEM and the data encapsulation ciphertext CT_DEM. The fourth generating module 400 comprises the following submodule:
an encryption submodule, configured to concatenate the session key encapsulation ciphertext CT_KEM and the data encapsulation ciphertext CT_DEM to generate the ciphertext CT.
When the number of receiving ends is greater than 1 and less than or equal to u, the length of the ciphertext CT remains unchanged.
In one embodiment, the broadcast encryption apparatus further includes:
a decryption module, located at the receiving end, configured to receive the ciphertext CT and to parse the ciphertext CT according to the corresponding identification private key sk_ID, the identification set ID, the label L and the system parameters params, generating the plaintext Msg.
The decryption module comprises a first dot-product summation submodule and a second dot-product summation submodule, which together carry out a plurality of dot-product summation computations.
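As an added illustration of the two-stage dot-product summation used by the session key encapsulation submodule 301 and by the decryption module (and set out in claim 4), not the patent's code: the Python below computes a sum of scalar multiples of curve points by splitting the terms into groups, running a multi-exponentiation routine on each group, and summing the partial results. It assumes a constructed toy short Weierstrass curve over a small prime field with a hand-picked base point, and, since the description does not name the multi-exponentiation algorithm, uses the Straus (Shamir) simultaneous double-and-add method; the group-operation counter is added to make the saving visible.

```python
"""Dot-product summation (sum_i k_i * P_i over curve points) split into groups,
as the first and second dot-product summation submodules of the session key
encapsulation submodule and of the decryption module describe.

Constructed illustration, not the patent's code.  Assumptions: a toy short
Weierstrass curve y^2 = x^3 + A x + B over F_Q in affine coordinates, with
the base point G chosen to lie on it; the "multi-exponentiation algorithm"
applied to each group is the Straus (Shamir) simultaneous double-and-add
method, since the description does not name one.
"""

Q = 10007            # toy field prime
A, B = 2, Q - 2      # curve y^2 = x^3 + 2x - 2; discriminant 4A^3 + 27B^2 != 0 mod Q
G = (1, 1)           # base point: 1^2 = 1^3 + 2*1 - 2
OPS = {"add": 0}     # counts group operations so the two strategies can be compared


def ec_add(P1, P2):
    """Affine point addition/doubling; None is the point at infinity."""
    OPS["add"] += 1
    if P1 is None:
        return P2
    if P2 is None:
        return P1
    x1, y1 = P1
    x2, y2 = P2
    if x1 == x2 and (y1 + y2) % Q == 0:
        return None                              # P1 = -P2
    if P1 == P2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, Q) % Q
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, Q) % Q
    x3 = (lam * lam - x1 - x2) % Q
    y3 = (lam * (x1 - x3) - y1) % Q
    return (x3, y3)


def ec_mul(k, P1):
    """Reference double-and-add scalar multiplication k*P1."""
    acc = None
    for bit in bin(k)[2:]:
        acc = ec_add(acc, acc)
        if bit == "1":
            acc = ec_add(acc, P1)
    return acc


def naive_msm(scalars, points):
    """One scalar multiplication per term, then add the results."""
    acc = None
    for k, P1 in zip(scalars, points):
        acc = ec_add(acc, ec_mul(k, P1))
    return acc


def straus_msm(scalars, points):
    """Simultaneous double-and-add: one doubling per bit for the whole group,
    adding every point whose scalar has that bit set."""
    nbits = max(k.bit_length() for k in scalars)
    acc = None
    for i in range(nbits - 1, -1, -1):
        acc = ec_add(acc, acc)
        for k, P1 in zip(scalars, points):
            if (k >> i) & 1:
                acc = ec_add(acc, P1)
    return acc


def split_msm(scalars, points, group_size):
    """First submodule: split the terms into groups and run the
    multi-exponentiation routine on each; second submodule: sum the
    partial results."""
    partials = [straus_msm(scalars[i:i + group_size], points[i:i + group_size])
                for i in range(0, len(scalars), group_size)]
    acc = None
    for part in partials:
        acc = ec_add(acc, part)
    return acc


def count_ops(fn, *args):
    """Run fn(*args) and return (result, number of group operations used)."""
    OPS["add"] = 0
    result = fn(*args)
    return result, OPS["add"]


# Constructed sample input: six points derived from G and six scalars.
SAMPLE_POINTS = [ec_mul(7 * i + 11, G) for i in range(6)]
SAMPLE_SCALARS = [4099, 1234, 777, 9000, 3, 5150]

if __name__ == "__main__":
    ref, n_naive = count_ops(naive_msm, SAMPLE_SCALARS, SAMPLE_POINTS)
    out, n_split = count_ops(split_msm, SAMPLE_SCALARS, SAMPLE_POINTS, 3)
    print("results agree:", ref == out)
    print("group operations: naive", n_naive, "split + Straus", n_split)
```

The groups are independent, so each partial sum can run on a separate core or hardware unit, which is the point of splitting; the final summation costs only one addition per group. Any correct multi-exponentiation routine may replace straus_msm without changing the two-stage structure.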
For the device embodiment, since it is basically similar to the method embodiment, the description is simple, and for the relevant points, refer to the partial description of the method embodiment.
The broadcast encryption method and the broadcast encryption device provided by the invention are described in detail, and the principle and the implementation mode of the invention are explained by applying specific examples, and the description of the embodiments is only used for helping to understand the method and the core idea of the invention; meanwhile, for a person skilled in the art, according to the idea of the present invention, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present invention.

Claims (7)

1. A broadcast encryption method, comprising:
the key generation center generates system parameters params, a master key s and a master public key mpk according to the SM9 algorithm, and discloses the system parameters params and the master public key mpk; specifically, the key generation center obtains the maximum number u of receiving ends for one broadcast encryption; selects three groups G_1, G_2, G_3 and a bilinear pairing e: G_1 × G_2 → G_3, where G_1, G_2 and G_3 all have prime order p; randomly selects a generator Q_1 of the group G_1 and a generator Q_2 of the group G_2; randomly generates the master key s in the group Z_p, and computes R_1 = s·Q_1, ..., R_u = s^u·Q_1 and W = s^2·Q_2, where W is not computed when u = 1; pre-computes J = e(R_1, Q_2); and generates the system parameters params = <Q_1, Q_2, G_1, G_2, G_3, e, p>, the master key s and the master public key mpk = (R_1, ..., R_u, J, W);
the key generation center generates an identification private key sk_ID according to the system parameters params, the master key s, the master public key mpk and the identification ID_b of any receiving end, and sends the identification private key sk_ID to the corresponding receiving end;
the sending end generates a session key encapsulation ciphertext CT_KEM and a data encapsulation ciphertext CT_DEM according to the system parameters params, the master public key mpk, the identification set ID of the receiving ends, the label L and the plaintext Msg;
the sending end generates a ciphertext CT according to the session key encapsulation ciphertext CT_KEM and the data encapsulation ciphertext CT_DEM; specifically, the sending end concatenates the session key encapsulation ciphertext CT_KEM and the data encapsulation ciphertext CT_DEM to generate the ciphertext CT; when the number of receiving ends is greater than 1 and less than or equal to u, the length of the ciphertext CT remains unchanged;
the receiving end receives the ciphertext CT and parses the ciphertext CT according to the corresponding identification private key sk_ID, the identification set ID, the label L and the system parameters params to generate the plaintext Msg.
2. The method according to claim 1, wherein the step in which the key generation center generates the identification private key sk_ID according to the system parameters params, the master key s, the master public key mpk and the identification ID_b of any receiving end comprises:
the key generation center derives M = H_1(ID_b || 0x03, p) according to the function H_1 specified in the SM9 standard;
judges whether M + s ≡ 0 mod p, and if so, outputs an error and stops;
otherwise computes t = (M + s)^(-1)·s mod p;
and computes sk_ID = t·Q_2 according to t.
3. The method according to claim 1, wherein the step in which the sending end generates the session key encapsulation ciphertext CT_KEM and the data encapsulation ciphertext CT_DEM according to the system parameters params, the master public key mpk, the identification set ID of the receiving ends, the label L and the plaintext Msg comprises:
the sending end generates a session key K and a session key encapsulation ciphertext CT_KEM using a session key encapsulation mechanism KEM.Enc according to the system parameters params, the master public key mpk and the identification set ID of the receiving ends;
and the sending end generates a data encapsulation ciphertext CT_DEM using a data encapsulation mechanism DEM.Enc.
4. The method of claim 1 or claim 3, wherein the step of generating the session key K and the session key encapsulation ciphertext CT_KEM and the step of generating the plaintext Msg each comprise a plurality of dot-product summation computations, wherein the plurality of dot-product summation computations comprise:
dividing the plurality of dot-product summation computations into at least two groups, each group being computed with a multi-exponentiation algorithm to obtain corresponding dot-product summation data;
and summing the dot-product summation data of the at least two groups to obtain the results of the plurality of dot-product summation computations.
5. A broadcast encryption apparatus, comprising:
a first generating module, located in the key generation center, configured to generate system parameters params, a master key s and a master public key mpk according to the SM9 algorithm and to disclose the system parameters params and the master public key mpk; specifically, the first generating module comprises: an obtaining submodule, configured to obtain the maximum number u of receiving ends for one broadcast encryption; a selection submodule, configured to select three groups G_1, G_2, G_3 and a bilinear pairing e: G_1 × G_2 → G_3, where G_1, G_2 and G_3 all have prime order p; a first random selection submodule, configured to randomly select a generator Q_1 of the group G_1 and a generator Q_2 of the group G_2; a second random selection submodule, configured to randomly generate the master key s in the group Z_p and compute R_1 = s·Q_1, ..., R_u = s^u·Q_1 and W = s^2·Q_2, where W is not computed when u = 1; a pre-calculation submodule, configured to pre-compute J = e(R_1, Q_2); and a first generation submodule, configured to generate the system parameters params = <Q_1, Q_2, G_1, G_2, G_3, e, p>, the master key s and the master public key mpk = (R_1, ..., R_u, J, W);
a second generating module, located in the key generation center, configured to generate an identification private key sk_ID according to the system parameters params, the master key s, the master public key mpk and the identification ID_b of any receiving end, and to send the identification private key sk_ID to the corresponding receiving end;
a third generating module, located at the sending end, configured to generate a session key encapsulation ciphertext CT_KEM and a data encapsulation ciphertext CT_DEM according to the system parameters params, the master public key mpk, the identification set ID of the receiving ends, the label L and the plaintext Msg;
a fourth generating module, located at the sending end, configured to generate a ciphertext CT according to the session key encapsulation ciphertext CT_KEM and the data encapsulation ciphertext CT_DEM; specifically, the fourth generating module comprises an encryption submodule, configured to concatenate the session key encapsulation ciphertext CT_KEM and the data encapsulation ciphertext CT_DEM to generate the ciphertext CT; when the number of receiving ends is greater than 1 and less than or equal to u, the length of the ciphertext CT remains unchanged;
a decryption module, located at the receiving end, configured to receive the ciphertext CT and to parse the ciphertext CT according to the corresponding identification private key sk_ID, the identification set ID, the label L and the system parameters params to generate the plaintext Msg.
6. The apparatus of claim 5, wherein the second generating module comprises:
a derivation submodule, configured to derive M = H_1(ID_b || 0x03, p) according to the function H_1 specified in the SM9 standard;
a judgment submodule, configured to judge whether M + s ≡ 0 mod p, and if so, output an error and stop; otherwise compute t = (M + s)^(-1)·s mod p;
and an identification key generation submodule, configured to compute sk_ID = t·Q_2 according to t.
7. The apparatus of claim 5, wherein the third generating module comprises:
a session key encapsulation submodule, configured to generate a session key K and a session key encapsulation ciphertext CT_KEM using a session key encapsulation mechanism KEM.Enc;
and a data encapsulation submodule, configured to generate a data encapsulation ciphertext CT_DEM using a data encapsulation mechanism DEM.Enc.
CN201910181445.7A 2019-03-11 2019-03-11 Broadcast encryption method and device Active CN110677238B (en)

Publications (2)

Publication Number Publication Date
CN110677238A CN110677238A (en) 2020-01-10
CN110677238B true CN110677238B (en) 2022-08-05

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant