CN111092720A - Certificate-based encryption method capable of resisting leakage of master key and decryption key - Google Patents


Info

Publication number: CN111092720A
Application number: CN201911154312.7A
Authority: CN (China)
Other languages: Chinese (zh)
Inventors: 于启红, 张娜, 李云, 李继国
Applicant and assignee (original and current): Suqian College
Legal status: Pending
Prior art keywords: certificate, user, decryption, key, decryption key

Classifications

    • H04L9/083 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value and securely transfers it to the other(s), involving a central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords, involving random numbers or seeds
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications including means for verifying the identity or authority of a user of the system or for message authentication, involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; public key infrastructure [PKI] arrangements

Abstract

The invention discloses a certificate-based encryption method capable of resisting leakage of a master key and a decryption key, in which a certificate authority generates a certificate and sends it to the decryption user; after verifying the validity of the proof, the encryption user randomly selects a first random number s ∈ Z_n, generates a ciphertext from the first random number s and the message to be transmitted, and sends the ciphertext to the decryption user; the decryption user obtains a decryption key and decrypts the ciphertext with it to obtain the message to be transmitted. In this way the decryption user obtains the message transmitted by the encryption user more securely, and the security of the message during transmission is improved.

Description

Certificate-based encryption method capable of resisting leakage of master key and decryption key
Technical Field
The invention relates to the technical field of data security, in particular to a certificate-based encryption method capable of resisting leakage of a master key and a decryption key.
Background
In order to solve the certificate management problem of the conventional public key cryptosystem and the key escrow problem of the identity-based cryptosystem, Gentry proposed the certificate-based encryption mechanism. Since then, a number of concrete schemes have been constructed on the assumption that the master key and the decryption key are kept absolutely secret.
In the real world, however, this is not the case, and side-channel attacks have gradually been discovered. Through these attacks, an attacker can obtain some secret information by observing the execution time, energy consumption, etc. of the cryptosystem, which leads to leakage of secret information, including partial information about the master key and the decryption key. Side-channel attacks increase the advantage of an adversary, because the adversary can obtain partial information about keys. In this case the security of the previous encryption schemes is compromised, and a new model must be built to capture such attacks.
In order to guarantee the security of a cryptographic system under certain conditions, an attack model is usually defined to limit the behaviour of an attacker. If the attacker satisfies the constraints, the corresponding cryptographic scheme is considered secure in that model. The leakage-resilient cryptographic model is used to capture side-channel attacks, and has in fact become a focus of cryptographic research in recent years.
Some leakage-resilient schemes have been constructed in the conventional public key cryptosystem and in the identity-based cryptosystem. However, there is no encryption scheme in the certificate-based public key cryptosystem that can resist both decryption key leakage and master key leakage.
Disclosure of Invention
In view of the above problems, the present invention provides a certificate-based encryption method that is resistant to master key and decryption key leakage.
To achieve the object of the present invention, there is provided a certificate-based encryption method capable of resisting leakage of a master key and a decryption key, comprising the steps of:
S10, the certificate authority generates a certificate and sends the certificate to the decryption user;
S20, after verifying that the proof is valid, the encryption user randomly selects a first random number s ∈ Z_n, generates a ciphertext from the first random number s and the message to be transmitted, and sends the ciphertext to the decryption user;
S30, the decryption user obtains the decryption key and decrypts the ciphertext with the decryption key to obtain the message to be transmitted.
In one embodiment, before the certificate authority generates the certificate and sends it to the decryption user, the method further includes:
the certificate authority creates a composite-order bilinear group (N = p1p2p3, G, G_T, e) and randomly selects
Figure BDA00022843949300000225
and
Figure BDA00022843949300000226
runs the Gen algorithm of Π to generate a common reference string crs, and randomly selects
Figure BDA0002284394930000021
and
Figure BDA0002284394930000022
where n ≥ 2 is an integer; and generates a master public key and a master private key.
In one embodiment, the certificate authority generating the certificate includes:
the certificate authority randomly selects
Figure BDA0002284394930000023
and n+1 elements
Figure BDA0002284394930000024
and computes:
Figure BDA0002284394930000025
obtaining the certificate, which is:
Figure BDA0002284394930000026
where Cert_ID denotes the certificate of the user ID, ID' denotes the new identity information derived from the user ID, pk_ID denotes the public key of the user ID, ID denotes the user identity,
Figure RE-GDA0002400829940000029
denotes the hash function,
Figure RE-GDA00024008299400000210
denotes the part of
Figure RE-GDA00024008299400000211
that is related to
Figure RE-GDA00024008299400000212
and D1 denotes the part of
Figure RE-GDA00024008299400000213
that is related to K1, while D2 denotes the part of
Figure RE-GDA00024008299400000214
that is related to K2, and
Figure RE-GDA00024008299400000215
denotes the corresponding part of the private key, while
Figure RE-GDA00024008299400000216
denotes n random numbers in
Figure RE-GDA00024008299400000217
and K3 denotes the corresponding part of the private key, r' denotes a random number in
Figure RE-GDA00024008299400000218
u1 denotes a random number in
Figure RE-GDA00024008299400000219
h1 denotes a random number in
Figure RE-GDA00024008299400000220
while
Figure RE-GDA00024008299400000221
denotes the n+2 elements of
Figure RE-GDA00024008299400000222
and
Figure RE-GDA00024008299400000223
denotes the pairing operation, and n denotes the number of random numbers.
In one embodiment, the decryption user obtaining the decryption key includes:
the decryption user randomly selects a first random sequence
Figure BDA00022843949300000222
a second random sequence
Figure BDA00022843949300000223
and a second random number t ∈ Z_N, and computes:
Figure BDA00022843949300000224
then, by means of the certificate
Figure BDA0002284394930000031
obtains the decryption key, which includes:
Figure BDA0002284394930000032
where dk_ID denotes the decryption key,
Figure BDA0002284394930000033
denotes the three parts of the decryption key,
Figure BDA0002284394930000034
denotes the information obtained by exponentiating the three parts of the certificate,
Figure BDA0002284394930000035
denotes n random numbers,
Figure BDA0002284394930000036
denotes a multiplication and exponentiation operation,
Figure BDA0002284394930000037
denotes the pairing operation, and
Figure BDA0002284394930000038
denotes the n+2 elements of
Figure BDA0002284394930000039
In one embodiment, before the encryption user randomly selects the first random number s ∈ Z_n after verifying the validity of the proof, generates the ciphertext from the first random number s and the message to be transmitted, and sends the ciphertext to the decryption user, the method further includes:
the encryption user verifies whether β is the discrete logarithm of e(g1,v1)^{αβ} with respect to the base e(g1,v1)^α; if so, the proof is determined to be valid, where β denotes a random number, e(g1,v1)^{αβ} denotes the result of raising e(g1,v1)^α to the exponent β, and e(g1,v1)^α denotes the result of raising the pairing e(g1,v1) to the exponent α.
In the above certificate-based encryption method resistant to master key and decryption key leakage, the certificate authority generates a certificate and sends it to the decryption user; after verifying the validity of the proof, the encryption user randomly selects the first random number s ∈ Z_n, generates a ciphertext from the first random number s and the message to be transmitted, and sends the ciphertext to the decryption user; the decryption user obtains the decryption key and decrypts the ciphertext with it to obtain the message to be transmitted. In this way the decryption user obtains the message transmitted by the encryption user more securely, and the security of the message during transmission is improved.
Drawings
FIG. 1 is a simplified flow diagram of a conventional certificate-based encryption scheme;
FIG. 2 is a flowchart of a certificate-based encryption method that is resistant to master key and decryption key leakage, according to one embodiment;
FIG. 3 is a functional block diagram of a certificate-based encryption system resistant to master key and decryption key leakage according to an embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the application. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. It is explicitly and implicitly understood by one skilled in the art that the embodiments described herein can be combined with other embodiments.
The concepts related to the certificate-based encryption method resistant to master key and decryption key leakage are given below:
Definition 1: bilinear map
Suppose G and G_T are multiplicative cyclic groups of order q and P is a generator of G. A bilinear map e: G × G → G_T has the following three properties:
(1) Bilinearity: for P, Q ∈ G and a, b ∈ Z*, e(P^a, Q^b) = e(P, Q)^{ab};
(2) Non-degeneracy: for any P, Q ∈ G, e(P, Q) ≠ 1;
(3) Computability: there is an efficient algorithm to compute e(P, Q) ∈ G_T.
Definition 2: non-interactive zero-knowledge proof system
Let R be a binary relation for a language L. For (x, w) ∈ R, x is called a statement and w is called a witness. A non-interactive zero-knowledge (NIZK) proof system consists of the algorithms (Gen, Prf, Ver). The algorithm Gen takes the security parameter 1^θ as input and outputs the common reference string crs. The prover Prf takes (crs, x, w) as input and outputs a proof π if (x, w) ∈ R. The verifier Ver takes (crs, x, π) as input and outputs either "accept" or "reject". If (Gen, Prf, Ver) satisfies the three conditions of completeness, soundness and zero knowledge on the relation R, we call (Gen, Prf, Ver) an NIZK proof system for the relation R.
Definition 3: collision resistant hash function
For a hash function
Figure BDA0002284394930000041
: {0,1}* → {0,1}^k, if
Figure BDA0002284394930000042
m0 ≠ m1 and
Figure BDA0002284394930000043
then the advantage of an algorithm A in breaking the collision resistance of
Figure BDA0002284394930000044
is said to be ε, where the probability is taken over all random choices of A. The hash function is said to be collision-resistant if the advantage that any PPT adversary can gain is negligible.
Definition 4: composite order bilinear group
Boneh et al. introduced the concept of composite-order bilinear groups. Let ψ denote a composite-order bilinear group generation algorithm. ψ takes the security parameter as input and outputs a composite-order bilinear group description Ω = {N = p1p2p3, G, G_T, e}, where p1, p2, p3 are three λ-bit primes, G and G_T are groups of order N = p1p2p3, and e: G × G → G_T is a bilinear map.
We use
Figure BDA0002284394930000053
and
Figure BDA0002284394930000054
respectively to denote the subgroups of G of order p1, p2 and p3. If
Figure BDA0002284394930000055
then e(h_i, h_j) = 1. For example, suppose
Figure BDA0002284394930000056
and g is a generator of G. Then
Figure BDA0002284394930000057
is a generator of
Figure BDA0002284394930000058
and
Figure BDA0002284394930000059
is a generator of
Figure BDA00022843949300000510
while
Figure BDA00022843949300000511
is a generator of
Figure BDA00022843949300000512
Thus there exist α1, α2 such that
Figure BDA00022843949300000513
and
Figure BDA00022843949300000514
and then
Figure BDA00022843949300000515
In this way,
Figure BDA00022843949300000516
and
Figure BDA00022843949300000517
are mutually orthogonal.
If an element X can be written uniquely as the product of an element of
Figure BDA00022843949300000518
and an element of
Figure BDA00022843949300000519
the two parts are called respectively the
Figure BDA00022843949300000520
part of X and the
Figure BDA00022843949300000521
part of X.
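The subgroup algebra of Definition 4 (orthogonality of the three prime-order subgroups, the generators g^{N/p_i}, and the unique decomposition of X into its G_{p1}, G_{p2} and G_{p3} parts), carried through as an added example that is not part of the patent. It is a toy instantiation constructed only for illustration: G and G_T are both (Z_N, +) with N = p1p2p3 for three small primes, the "pairing" is e(a, b) = a·b mod N (bilinear and non-degenerate, but with no cryptographic hardness), and the patent's multiplicative g^k becomes k·g here; the last function shows the property that dual-system encryption relies on, namely that a G_{p2} component is invisible to pairings with G_{p1} elements.

```python
# Added example, not from the patent: a toy model of Definition 4. G = G_T = (Z_N, +)
# with N = p1*p2*p3 and e(a, b) = a*b mod N. Bilinear and non-degenerate, but with
# no hardness at all; constructed only to make the subgroup algebra concrete.
from math import gcd

# Toy-sized stand-ins for the three lambda-bit primes of the patent (constructed).
P1, P2, P3 = 101, 103, 107
N = P1 * P2 * P3
G_GEN = 1   # g, a generator of the whole group G = (Z_N, +)


def pairing(a: int, b: int) -> int:
    """e: G x G -> G_T. In this model e(a, b) = a*b (mod N); the identity of G_T is 0."""
    return (a * b) % N


def exp(base: int, k: int) -> int:
    """g^k in the patent's multiplicative notation is k*g in the additive model."""
    return (k * base) % N


def subgroup_generator(p: int) -> int:
    """Generator of the order-p subgroup G_p: g^{N/p}, e.g. g^{p2 p3} for G_{p1}."""
    return exp(G_GEN, N // p)


def order(x: int) -> int:
    """Order of x in (Z_N, +)."""
    return N // gcd(x, N)


def decompose(x: int) -> tuple:
    """Unique decomposition of X into its G_{p1}, G_{p2}, G_{p3} parts (a product in
    the patent's notation, a sum here), computed through the CRT idempotents of Z_N."""
    parts = []
    for p in (P1, P2, P3):
        m = N // p
        idem = (m * pow(m, -1, p)) % N   # 1 mod p, 0 mod the other two primes
        parts.append((x * idem) % N)
    return tuple(parts)


def invisible_to_pairing(x: int, p2_component: int, h: int) -> bool:
    """The fact dual-system encryption relies on: multiplying a G_{p2} component
    into x does not change any pairing of x with an element h of G_{p1},
    because e(G_{p2}, G_{p1}) = 1 by orthogonality."""
    if order(p2_component) not in (1, P2) or order(h) not in (1, P1):
        raise ValueError("p2_component must lie in G_{p2} and h in G_{p1}")
    return pairing(x, h) == pairing((x + p2_component) % N, h)
```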
Vectors are written with ⟨ , ⟩ and sets of elements with ( , ). The product of vectors is denoted by · and the component-wise product by ×. The number of elements, i.e. the length, of W is denoted by |W|.
The exponentiation of a vector is defined as follows: if g ∈ G,
Figure BDA00022843949300000522
a ∈ Z_N and
Figure BDA00022843949300000523
then define
Figure BDA00022843949300000524
and the result is an element of G^n. For a bilinear group G, the pairing computation in G^n is defined as follows: if
Figure BDA00022843949300000525
and
Figure BDA0002284394930000051
The composite-order group generation algorithm is denoted by ψ. With the security parameter 1^θ as input, ψ outputs a composite-order bilinear group description, that is,
Figure BDA00022843949300000526
where N = p1p2p3. Suppose g1, g2 and g3 are respectively generators of the subgroups
Figure BDA00022843949300000527
and
Figure BDA00022843949300000528
Assumption 1: Given D1 = (N, G, G_T, e, g1, g3), no PPT adversary can distinguish with non-negligible advantage
Figure BDA00022843949300000529
from
Figure BDA00022843949300000530
where Z, v ∈ Z_N.
The advantage of an adversary
Figure BDA00022843949300000531
in breaking Assumption 1 is defined as:
Figure BDA0002284394930000052
If
Figure BDA00022843949300000532
is negligible for every PPT adversary, Assumption 1 is said to hold.
Assumption 2: Given
Figure BDA0002284394930000063
where Z, v, u, ρ ∈ Z_N, no PPT adversary can distinguish with non-negligible advantage
Figure BDA0002284394930000064
from
Figure BDA0002284394930000065
where ω, κ, σ ∈ Z_N.
The advantage of an adversary
Figure BDA0002284394930000066
in breaking Assumption 2 is defined as:
Figure BDA0002284394930000061
If
Figure BDA00022843949300000611
is negligible for every PPT adversary, Assumption 2 is said to hold.
Assumption 3: Given
Figure BDA0002284394930000067
where α, s, v, u ∈ Z_N, no PPT adversary can distinguish with non-negligible advantage
Figure BDA0002284394930000068
from
Figure BDA0002284394930000069
The advantage of an adversary
Figure BDA00022843949300000610
in breaking Assumption 3 is defined as:
Figure BDA0002284394930000062
If
Figure BDA00022843949300000612
is negligible for every PPT adversary, Assumption 3 is said to hold.
On the basis of the bilinear pairing, the non-interactive zero-knowledge proof system, the collision-resistant hash function and the three static assumptions above, the certificate-based encryption method is further described below.
First, a simple flow chart of a standard certificate-based dual system encryption scheme is given, as shown in fig. 1.
As shown in fig. 1, the certificate-based dual-system encryption scheme includes 7 modules, a system parameter setting module, a certificate generating module, a user public key generating module, a user private key generating module, a decryption key generating module, an encrypting module, and a decrypting module.
The prior art has the disadvantage that no encryption scheme exists which can simultaneously resist decryption key leakage and master key leakage. In view of this, and inspired by leakage-resilient certificateless encryption (CLE) and certificate-based encryption, the invention provides the first certificate-based encryption method that resists leakage of the master key and the decryption key in the standard model. By using the dual-system encryption technique, the relative leakage rate of the decryption key and the master key can reach 1/3.
Referring to fig. 2, fig. 2 is a flowchart of a certificate-based encryption method capable of resisting disclosure of a master key and a decryption key according to an embodiment, including the following steps:
S10, the certificate authority generates a certificate and sends the certificate to the decryption user.
Specifically, the certificate authority may run an initialization algorithm to initialize the required parameters, then run a certificate generation algorithm to generate the corresponding certificate, and send the certificate to the decryption user.
The encryption user and the decryption user are user terminals managed by the certificate authority; a user that acts as the decryption user in one encryption process may act as the encryption user in another encryption process.
S20, after verifying that the proof is valid, the encryption user randomly selects a first random number s ∈ Z_n, generates a ciphertext from the first random number s and the message to be transmitted, and sends the ciphertext to the decryption user.
Specifically, the encryption user can run the algorithm Ver of Π to verify the validity of the proof π, i.e. to verify whether β is the discrete logarithm of e(g1,v1)^{αβ} with respect to the base e(g1,v1)^α. If so, π is valid, and the encryption user randomly chooses s ∈ Z_n and obtains a ciphertext. In one example, the resulting ciphertext includes:
Figure BDA0002284394930000071
where
Figure BDA0002284394930000073
S30, the decryption user obtains the decryption key and decrypts the ciphertext with the decryption key to obtain the message to be transmitted.
After obtaining the decryption key, the decryption user can use the decryption key
Figure BDA0002284394930000074
to decrypt the ciphertext
Figure BDA0002284394930000075
and obtain the message
Figure BDA0002284394930000072
This message is the message to be transmitted by the encryption user.
In the above certificate-based encryption method resistant to master key and decryption key leakage, the certificate authority generates a certificate and sends it to the decryption user; after verifying the validity of the proof, the encryption user randomly selects the first random number s ∈ Z_n, generates a ciphertext from the first random number s and the message to be transmitted, and sends the ciphertext to the decryption user; the decryption user obtains the decryption key and decrypts the ciphertext with it to obtain the message to be transmitted. In this way the decryption user obtains the message transmitted by the encryption user more securely, and the security of the message during transmission is improved.
In one embodiment, before the certificate authority generates the certificate and sends it to the decryption user, the method further includes:
the certificate authority creates a composite-order bilinear group (N = p1p2p3, G, G_T, e) and randomly selects
Figure BDA0002284394930000076
and
Figure BDA0002284394930000077
runs the Gen algorithm of Π to generate a common reference string crs, and randomly selects
Figure BDA0002284394930000078
and
Figure BDA0002284394930000079
where n ≥ 2 is an integer; and generates a master public key and a master private key.
In this embodiment, the authentication center operates an initialization algorithm to initialize the required parameters.
In one example, the initialization algorithm is as follows. First, a composite-order bilinear group (N = p1p2p3, G, G_T, e) is created; then
Figure BDA00022843949300000710
and
Figure BDA00022843949300000711
are randomly selected; next, the Gen algorithm of Π is run to generate a common reference string crs, and
Figure BDA00022843949300000712
and
Figure BDA00022843949300000713
are randomly selected, where n ≥ 2 is an integer. The value of n is variable. The algorithm generates the master public key
Figure BDA0002284394930000084
and the master private key
Figure BDA0002284394930000081
The master public key is published and the master private key is kept secret.
In the initialization algorithm, the certificate authority first provides a non-interactive zero-knowledge (NIZK) proof system Π = (Gen, Prf, Ver), where Gen is used to generate the system parameters, Prf is used to generate the proof, and Ver is used to verify the correctness of the proof; Π = (Gen, Prf, Ver) is a proof system for the language L = {β : Y = Z^β}, where β ∈ Z_N and Y, Z ∈ G_T.
Figure BDA0002284394930000085
is a hash function, where
Figure BDA0002284394930000086
is the identity space and
Figure BDA0002284394930000087
is the public key space. Its main role is to preserve the security of a CLE protocol when it is converted into a CBE protocol. Without loss of generality, assume
Figure BDA0002284394930000088
Z_N is the set of all non-negative integers less than N.
In one embodiment, the user terminals, i.e. the encryption user and the decryption user, can both run the private key generation algorithm to generate a private key and the public key generation algorithm to generate a public key. The private key generation algorithm is: the user sets the private key sk_ID = β, where β ∈ Z_N. The public key generation algorithm is: the user ID sets the public key pk_ID = (Y, π) = (e(g1,v1)^{αβ}, π), where π ← Prf(crs, (e(g1,v1)^{αβ}, e(g1,v1)^α), β) is an NIZK proof that β is the discrete logarithm of e(g1,v1)^{αβ} with respect to the base e(g1,v1)^α.
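The (Gen, Prf, Ver) interface of Definition 2 and the public key pk_ID = (Y, π) above, together with the check the encryption user performs in step S20 before encrypting, as an added example that is not from the patent. The patent does not say which NIZK it uses; this assumes a Fiat-Shamir Schnorr proof of knowledge of a discrete logarithm over a toy-sized prime-order group (p = 1019, q = 509, both constructed for illustration and far too small for real use), where the order-q subgroup of Z_p^* stands in for G_T and a public element B stands in for the base e(g1,v1)^α.

```python
# Added example, not from the patent: Definition 2's (Gen, Prf, Ver) instantiated as a
# Fiat-Shamir Schnorr proof of knowledge of beta with Y = B^beta, modelling the user
# public key pk_ID = (Y, pi) and the encryption user's verification of pi in step S20.
# The group is a constructed toy: p safe prime, q = (p-1)/2, 4 generates the order-q
# subgroup of Z_p^*. The patent does not fix the NIZK; this choice is an assumption.
import hashlib
import secrets

P = 1019
Q = 509
G_T_GEN = 4


def gen(crs_label: bytes = b"CN111092720A-demo") -> dict:
    """Gen: output the common reference string crs (here a domain-separation label
    plus the group description that every challenge hash is bound to)."""
    return {"p": P, "q": Q, "label": crs_label}


def challenge(crs: dict, base: int, y: int, commitment: int) -> int:
    """Fiat-Shamir challenge: length-prefixed hash of the statement and commitment, mod q."""
    h = hashlib.sha256()
    for part in (crs["label"], crs["p"].to_bytes(8, "big"), base.to_bytes(8, "big"),
                 y.to_bytes(8, "big"), commitment.to_bytes(8, "big")):
        h.update(len(part).to_bytes(2, "big") + part)
    return int.from_bytes(h.digest(), "big") % crs["q"]


def prf(crs: dict, base: int, y: int, beta: int) -> tuple:
    """Prf: prove knowledge of beta with y = base^beta without revealing beta."""
    k = secrets.randbelow(crs["q"] - 1) + 1      # fresh nonce; never reuse
    commitment = pow(base, k, crs["p"])
    c = challenge(crs, base, y, commitment)
    z = (k + c * beta) % crs["q"]
    return (commitment, z)


def ver(crs: dict, base: int, y: int, proof: tuple) -> bool:
    """Ver: accept iff base^z == commitment * y^c with c recomputed from the statement."""
    commitment, z = proof
    p = crs["p"]
    if not (1 < commitment < p and 1 < y < p and 0 <= z < crs["q"]):
        return False
    if pow(y, crs["q"], p) != 1 or pow(commitment, crs["q"], p) != 1:
        return False   # reject elements outside the order-q subgroup
    c = challenge(crs, base, y, commitment)
    return pow(base, z, p) == (commitment * pow(y, c, p)) % p


def user_keygen(crs: dict, base: int) -> tuple:
    """User key generation of the embodiment: sk_ID = beta, pk_ID = (Y, pi)."""
    beta = secrets.randbelow(crs["q"] - 1) + 1
    y = pow(base, beta, crs["p"])
    return beta, (y, prf(crs, base, y, beta))


def encryptor_check(crs: dict, base: int, pk: tuple) -> bool:
    """The check the encryption user performs in step S20 before choosing s and encrypting."""
    y, proof = pk
    return ver(crs, base, y, proof)
```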
In one embodiment, the certificate authority generating the certificate includes:
the certificate authority randomly selects
Figure BDA0002284394930000089
and n+1 elements
Figure BDA00022843949300000810
and computes:
Figure BDA00022843949300000811
obtaining the certificate, which is:
Figure BDA0002284394930000082
where Cert_ID denotes the certificate of the user ID (e.g. the decryption user), ID' denotes the new identity information derived from the user ID, pk_ID denotes the public key of the user ID, ID denotes the user identity,
Figure RE-GDA00024008299400000811
denotes the hash function,
Figure RE-GDA00024008299400000812
denotes the part of
Figure RE-GDA00024008299400000813
that is related to
Figure RE-GDA00024008299400000814
and D1 denotes the part of
Figure RE-GDA0002400829940000091
that is related to K1, while D2 denotes the part of
Figure RE-GDA0002400829940000092
that is related to K2, and
Figure RE-GDA0002400829940000093
denotes the corresponding part of the private key, while
Figure RE-GDA0002400829940000094
denotes n random numbers in
Figure RE-GDA0002400829940000095
and K3 denotes the corresponding part of the private key, r' denotes a random number in
Figure RE-GDA0002400829940000096
u1 denotes a random number in
Figure RE-GDA0002400829940000097
h1 denotes a random number in
Figure RE-GDA0002400829940000098
while
Figure RE-GDA0002400829940000099
denotes the n+2 elements of
Figure RE-GDA00024008299400000910
and
Figure RE-GDA00024008299400000911
denotes the pairing operation, and n denotes the number of random numbers.
The user in this embodiment may refer to a decryption user.
In this embodiment, the certificate authority may run a certificate generation algorithm to generate the certificate. Specifically, the certificate generation algorithm is as follows:
the CA (certificate authority) randomly selects
Figure BDA00022843949300000915
and n+1 elements
Figure BDA00022843949300000916
The CA may then also perform the following operation to compute a hash function:
Figure BDA00022843949300000925
obtaining the certificate
Figure BDA0002284394930000093
In one example, if z'_i = y_i + z_i (i ∈ {1, ..., n}) and r'' = r + r', then the
Figure BDA00022843949300000917
of Cert_ID can be viewed as the part
Figure BDA0002284394930000094
In one embodiment, the decryption user obtaining the decryption key includes:
the decryption user randomly selects a first random sequence
Figure BDA00022843949300000918
a second random sequence
Figure BDA00022843949300000919
and a second random number t ∈ Z_N, and computes:
Figure BDA00022843949300000926
then, by means of the certificate
Figure BDA00022843949300000920
obtains the decryption key, which includes:
Figure BDA0002284394930000095
where dk_ID denotes the decryption key,
Figure BDA00022843949300000921
denotes the three parts of the decryption key,
Figure BDA00022843949300000922
denotes the information obtained by exponentiating the three parts of the certificate,
Figure BDA00022843949300000923
denotes n random numbers,
Figure BDA00022843949300000924
denotes a multiplication and exponentiation operation,
Figure BDA0002284394930000102
denotes the pairing operation, and
Figure BDA0002284394930000103
denotes the n+2 elements of
Figure BDA0002284394930000104
Specifically, the decryption user can obtain the decryption key through a decryption key generation algorithm, which is as follows:
the decryption user randomly selects
Figure BDA0002284394930000105
and t ∈ Z_N, and computes:
Figure BDA0002284394930000106
then, by means of the certificate
Figure BDA0002284394930000107
derives the decryption key
Figure BDA0002284394930000101
where dk_ID denotes the decryption key,
Figure BDA0002284394930000108
denotes the three parts of the decryption key,
Figure BDA0002284394930000109
denotes the information obtained by exponentiating the three parts of the certificate,
Figure BDA00022843949300001010
denotes n random numbers,
Figure BDA00022843949300001011
denotes a multiplication and exponentiation operation,
Figure BDA00022843949300001012
denotes the pairing operation, and
Figure BDA00022843949300001013
denotes the n+2 elements of
Figure BDA00022843949300001014
In one embodiment, after verifying that the proof is valid, the encryption user randomly selects a first random number s ∈ Z_n and generates a ciphertext according to the first random number s and the message to be transmitted; before the ciphertext is sent to the decryption user, the method further includes:
the encryption user verifies whether β is the exponent of e(g_1, v_1)^{αβ} relative to the base e(g_1, v_1)^α; if so, the proof is determined to be valid, wherein β represents a random number, e(g_1, v_1)^{αβ} represents the result of raising e(g_1, v_1)^α to the exponent β, and e(g_1, v_1)^α represents the pairing e(g_1, v_1) raised to the exponent α.
Specifically, the encryption user runs the algorithm Ver of Π to verify the validity of the proof π, i.e. whether β is the exponent of e(g_1, v_1)^{αβ} relative to the base e(g_1, v_1)^α; if so, π is valid, so that the validity of the proof is judged accurately.
In an embodiment, the above certificate-based encryption method resistant to leakage of the master key and the decryption key may also be understood with reference to fig. 3: the system parameter setting module of the CA generates the master key and the master public key; the private key generation algorithm of the decryption user generates the user private key according to the master public key; the public key generation algorithm of the decryption user generates the user's corresponding public key according to the master public key and the corresponding private key; the certificate generation algorithm of the certificate authority generates the user certificate according to the user identity; the encryption user runs the encryption algorithm to encrypt the message; the decryption user runs the decryption key generation algorithm to generate the decryption key, and then runs the decryption algorithm to decrypt the ciphertext with the decryption key.
The CA is the certificate authority (certification center), which runs the initialization algorithm and the certificate generation algorithm:
First, a non-interactive zero-knowledge (NIZK) proof system Π = (Gen, Prf, Ver) is given. Π is given for the language L = {β : Y^β = Z}, where β ∈ Z_N and Y, Z ∈ G_T.
Figure BDA0002284394930000111
is a hash function, in which
Figure BDA0002284394930000112
is the identity space and
Figure BDA0002284394930000113
is the public key space. Its main role is to preserve the security of a certificateless encryption (CLE) protocol when it is converted into a certificate-based encryption (CBE) protocol. Without loss of generality, assume
Figure BDA0002284394930000114
The LR-CBE algorithm of the invention specifically consists of the following seven algorithms: an initialization algorithm, a private key generation algorithm, a public key generation algorithm, a certificate generation algorithm, an encryption algorithm, a decryption key generation algorithm, and a decryption algorithm.
In one example, the engineering application of the above certificate-based encryption method resistant to leakage of the master key and the decryption key is explained.
According to the steps of the certificate-based encryption method resistant to leakage of the master key and the decryption key, when the certificate-based encryption system resistant to leakage of the master key and the decryption key is used in company XX, the initialization algorithm module of the company's certification center system runs and generates a master public key mpk and a master private key msk; the master public key is published within the company, and the master private key is stored secretly by the certification center. Each employee of the company has corresponding identity information ID, and the certificate authority of the company runs the certificate generation algorithm module to generate the certificate Cert_ID for the user (company employee) whose identity is ID, which is stored in the employee card. Each user runs the private key generation algorithm module to set its own private key sk_ID according to the master public key mpk and stores it secretly, and runs the public key generation algorithm module to set its own public key pk_ID and publishes it. When user A (employee A) wants to send encrypted information (a ciphertext) of a message M to user B (employee B, assuming that the identity information is ID), user A runs the encryption algorithm according to the master public key mpk and the identity information ID of user B who is to receive the information, generates the ciphertext C of the message M, and publishes it. The user whose identity information is ID uses the master public key mpk and the certificate Cert_ID to run the decryption key generation algorithm to generate the decryption key dk_ID, and then runs the decryption algorithm with the decryption key dk_ID to decrypt the ciphertext C and obtain the message M.
The certificate-based encryption method resistant to leakage of the master key and the decryption key addresses the problem that existing certificate-based encryption methods cannot tolerate leakage of the master key, and provides a certificate-based encryption system and method that can resist leakage not only of the decryption key but also of the master key, where the leakage includes decryption key leakage and master key leakage. The security of the method is reduced to a composite-order bilinear group assumption. This is the first certificate-based encryption scheme to resist master key leakage. The method provided by the invention has good leakage resilience: the leakage rate of the master key and the decryption key can reach 1/3.
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
It should be noted that the terms "first \ second \ third" referred to in the embodiments of the present application merely distinguish similar objects, and do not represent a specific ordering for the objects, and it should be understood that "first \ second \ third" may exchange a specific order or sequence when allowed. It should be understood that "first \ second \ third" distinct objects may be interchanged under appropriate circumstances such that the embodiments of the application described herein may be implemented in an order other than those illustrated or described herein.
The terms "comprising" and "having" and any variations thereof in the embodiments of the present application are intended to cover non-exclusive inclusions. For example, a process, method, apparatus, product, or device that comprises a list of steps or modules is not limited to the listed steps or modules but may alternatively include other steps or modules not listed or inherent to such process, method, product, or device.
The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (5)

1. A certificate-based encryption method that is resistant to master key and decryption key leakage, comprising the steps of:
S10, the certification center generates a certificate and sends the certificate to the decryption user;
S20, after verifying that the proof is valid, the encryption user randomly selects a first random number s ∈ Z_n, generates a ciphertext according to the first random number s and the message to be transmitted, and sends the ciphertext to the decryption user;
S30, the decryption user acquires the decryption key and decrypts the ciphertext with the decryption key to obtain the message to be transmitted.
2. The certificate-based encryption method resistant to master key and decryption key leakage according to claim 1, wherein, before the certificate authority generates the certificate and sends the certificate to the decryption user, the method further comprises:
the certification center creates a composite-order bilinear group (N = p_1 p_2 p_3, G, G_T, e), randomly selects g_1, u_1, h_1,
Figure FDA0002284394920000011
and
Figure FDA0002284394920000012
runs the Gen algorithm of Π to generate the common reference string crs, and randomly selects
Figure FDA0002284394920000013
and
Figure FDA0002284394920000014
wherein n ≥ 2 is an integer; and generates a master public key and a master private key.
3. The certificate-based encryption method resistant to master key and decryption key leakage according to claim 1, wherein the certificate authority generating the certificate includes:
the certification center randomly selects
Figure RE-FDA00024008299300000118
and n + 1 elements
Figure RE-FDA0002400829930000016
and calculates:
Figure RE-FDA0002400829930000017
to obtain a certificate, wherein the certificate is:
Figure RE-FDA0002400829930000018
wherein Cert_ID represents the certificate of the user ID, ID' represents new identity information derived from the user ID, pk_ID represents the public key of the user ID, ID represents the user identity,
Figure RE-FDA0002400829930000019
represents the hash function,
Figure RE-FDA00024008299300000110
represents the part in
Figure RE-FDA00024008299300000111
related to
Figure RE-FDA00024008299300000112
, D_1 represents the part in
Figure RE-FDA00024008299300000113
related to K_1, D_2 represents the part in
Figure RE-FDA00024008299300000114
related to K_2,
Figure RE-FDA00024008299300000115
represents the corresponding part of the private key,
Figure RE-FDA00024008299300000116
represents the n random numbers in
Figure RE-FDA00024008299300000119
, K_3 represents the corresponding part of the private key, r' represents a random number in
Figure RE-FDA0002400829930000021
, u_1 represents a random number in
Figure RE-FDA0002400829930000022
, h_1 represents a random number in
Figure RE-FDA0002400829930000023
,
Figure RE-FDA0002400829930000024
represents n + 2 elements in
Figure RE-FDA00024008299300000217
,
Figure RE-FDA0002400829930000025
represents the pairing operation, and n represents the number of random numbers.
4. The certificate-based encryption method resistant to master key and decryption key leakage according to claim 3, wherein the decryption user obtaining the decryption key comprises:
the decryption user randomly selects a first random sequence
Figure FDA0002284394920000027
a second random sequence
Figure FDA0002284394920000028
and a second random number t ∈ Z_N, and calculates as follows:
Figure FDA0002284394920000029
then, by means of the certificate
Figure FDA00022843949200000210
obtains the decryption key, wherein the decryption key is:
Figure FDA00022843949200000211
wherein dk_ID represents the decryption key,
Figure FDA00022843949200000212
represent the three parts of the decryption key,
Figure FDA00022843949200000213
represents the result of the exponential operation on the three parts of the certificate,
Figure FDA00022843949200000214
represents n random numbers,
Figure FDA00022843949200000215
represents the multiplication and exponential operations,
Figure FDA00022843949200000216
represents the pairing operation,
Figure FDA00022843949200000217
represents n + 2 elements of G_p3.
5. The certificate-based encryption method resistant to master key and decryption key leakage according to any one of claims 1 to 4, wherein, in the step in which the encryption user, after verifying that the proof is valid, randomly selects a first random number s ∈ Z_n, generates a ciphertext according to the first random number s and the message to be transmitted, and sends the ciphertext to the decryption user, the method further includes, before the ciphertext is sent:
the encryption user verifies whether β is the exponent of e(g_1, v_1)^{αβ} relative to the base e(g_1, v_1)^α; if so, the proof is determined to be valid, wherein β represents a random number, e(g_1, v_1)^{αβ} represents the result of raising e(g_1, v_1)^α to the exponent β, and e(g_1, v_1)^α represents the pairing e(g_1, v_1) raised to the exponent α.
CN201911154312.7A 2019-11-22 2019-11-22 Certificate-based encryption method capable of resisting leakage of master key and decryption key Pending CN111092720A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911154312.7A CN111092720A (en) 2019-11-22 2019-11-22 Certificate-based encryption method capable of resisting leakage of master key and decryption key


Publications (1)

Publication Number Publication Date
CN111092720A true CN111092720A (en) 2020-05-01

Family

ID=70393532


Country Status (1)

Country Link
CN (1) CN111092720A (en)


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Qihong Yu, "Certificate-based encryption resilient to key leakage", The Journal of Systems and Software, 8 July 2015 (2015-07-08), pages 2-8 *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113014397A (en) * 2021-03-17 2021-06-22 杭州师范大学 Rapid and safe identity authentication method
CN113014397B (en) * 2021-03-17 2023-08-18 杭州师范大学 Quick and safe identity authentication method
CN113873027A (en) * 2021-09-24 2021-12-31 深信服科技股份有限公司 Communication method and related device
CN113873027B (en) * 2021-09-24 2024-02-27 深信服科技股份有限公司 Communication method and related device


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
Application publication date: 20200501