CN111835825A - Method suitable for transmitting messages between two intelligent Internet of things system communication parties - Google Patents

Abstract

The invention discloses a method suitable for transmitting messages between two communication parties of an intelligent Internet of things system, which constructs an inadvertent transmission protocol of l and k by using an application scene of cooperative and safe interaction of an Internet of things management platform and an edge Internet of things agent device, calculates by using spare resources of the edge Internet of things agent device when the resources of the Internet of things management platform are insufficient, and then recovers the calculation result to obtain a determined calculation value. In the process, the Internet of things management platform does not know which data are calculated by the edge Internet of things agent device, so that the privacy of a receiver is protected, and meanwhile, the correctness and the safety of the data transmission process are ensured.

Description

Method suitable for transmitting messages between two intelligent Internet of things system communication parties

Technical Field

The invention relates to a transmission protocol suitable for an intelligent Internet of things system, in particular to a method suitable for transmitting messages by two communication parties of the intelligent Internet of things system.

Background

With the rapid development of the internet of things technology and the cloud computing technology, a large amount of data is generated in an information system every moment. According to incomplete statistics, the number of terminals of the internet of things serving power grid production services in the system is up to billions, only about five hundred million terminals (including four hundred million electric meters) are connected to the network and managed through a service system, most terminals of the internet of things are in a offline operation state, and the total amount of accumulated data exceeds 5PB in two-level data centers of a company. In the face of a large amount of terminal interaction and data outbreak of electric power, a large amount of data is generated every day, and simultaneously, along with resources shared by various services, the electric power industry faces increasingly strong computing environments represented by high-performance computers, grids and the like, and the computing task of the electric power industry is completed by using the strong computing resources through a network. In such an environment, it is a basic requirement of computing to ensure the security of each service data, and secure multiparty computing is a key point of attention in such a background.

For many years, secure multi-party computing has been the fundamental subject of cryptographic research, and is constructed by using basic cryptographic protocols, such as digital signatures, zero-knowledge proofs, inadvertent transmissions, distributed environment computing, etc., where a secure multi-party computing problem refers to multiple parties, each having a secret input, with which a party wishes to jointly compute a function without revealing their secret input. After the computation is over, each party is required to receive the correct output and each party can only know their own input and output security.

The oblivious transmission model is an important component in cryptography, and is widely applied to constructing a multi-party communication security protocol requiring privacy protection, so that multiple parties in communication can transmit messages in a selective fuzzification manner. Inadvertent transmission protocols prevent the sender from obtaining any information from the message sent, and the recipient from obtaining any information other than that chosen by the recipient. In an electric power application scene, an oblivious protocol can be applied to an intelligent Internet of things system, particularly the interaction between an Internet of things management platform and various intelligent terminals, and the copyright content protection of various business APPs.

Disclosure of Invention

The invention aims to overcome the defects of the prior art and provides a two-branch obfuscator and a dual-mode encryption system of a public key encryption scheme based on DDH hypothesis, a safe I-K-taking careless transmission protocol is constructed, the protocol realizes the function of careless transmission, and the method can be effectively applied to a scene that each service is polled in an edge internet of things agent device and a scene that an internet of things management platform sends sensitive messages to a plurality of edge internet of things agent devices in a fuzzy transmission mode and is suitable for both communication sides of an intelligent internet of things system to transmit messages.

A method suitable for both communication sides of an intelligent Internet of things system to transmit messages comprises the following steps of (1) selecting a difficult algorithm, and (2) selecting an encryption algorithm; (3) selecting a random algorithm; (4) constructing the encryption algorithm of the step 2 by using the random algorithm of the step 3 to construct an algorithm based on difficult hypothesis, namely a two-branch indistinguishable confuser; (5) constructing a safe and careless transmission protocol by using two-branch indistinguishable confusion; (6) giving a security analysis of the two-branch obfuscator, the inadvertent transmission protocol; (7) and message transmission between the two communication parties of the intelligent Internet of things system is realized by utilizing an inadvertent transmission protocol.

The steps of constructing a secure oblivious transport protocol using two-branch indistinguishable obfuscation are as follows:

(1) inadvertent transmission function of construction thing networking management platform to edge thing networking agent device

The Internet of things management platform has l inputs of x₁,...χ_lThe input of the edge Internet of things agent device is sigma₁,...σ_k∈[1,l]The edge internet of things agent device can only receive k messages from the internet of things management platform, but the internet of things management platform cannot know which k messages are received by the edge internet of things agent device;

function(s)

The management platform of the Internet of things is a sender, the edge agent device of the Internet of things is a receiver, an attacker S exists, and the functions

The specific definition is as follows:

receiving a message (sid, sender, x) from an internet of things management platform₁,...,x_l) Wherein each x_i∈{0,1}^mThe tuple (x)₁,...,x_l) And (7) recording. (the length of string m is fixed and known to all parties.)

The edge Internet of things agent device receives a message (sid, receiver, sigma)₁,...,σ_k) Where σ is₁,...,σ_k∈[1,l]. Check (sid, receiver..) whether the message was sent before, and if so, will check

Sending to the edge Internet of things agent device, sending to the enemy S through (sid) and stopping. If not, no message is sent to the edge agent device (but the operation is continued).

(2) Construct the oblivious transport protocol crs ═ c (c ═ c)g₀,h₀,g₁,h₁) The protocol actually runs in one of the obfuscated branches, but the two branches are computationally indistinguishable. And the protocol acts in a normal reference string mode, i.e. the same normal reference string is reused for different procedures of the inadvertent transmission. And, the interaction between the parties is coordinated through a sub-dialog (denoted by the parameter ssid) of a single dialog (denoted by the parameter sid), the specific protocol is as follows:

(3) oblivious transport protocol OT^ob：

(4) In the protocol OT^obIn (2), the parameter ob ∈ {1,2} (the parameter is selected in advance before executing the protocol, i.e., ob ═ 1 means that 1-obf-branch is selected, and ob ═ 2 means that 2-obf-branch is selected), the specific details are as follows:

(5) inputting the Internet of things management platform: (sid, sender, x)₁,...,x_l) Wherein x is₁,...,x_l∈{0,1}ⁿ

(6) Input of the edge internet of things agent device: (sid, receiver, σ)₁,...,σ_k) Where σ is₁,...,σ_k∈{0,1}

(7) When executing the protocol, the IOT management platform queries F with (sid, sender, receiver)_CRSAnd retrieve (sid, crs). The edge Internet of things proxy then queries F with (sid, sender, receiver)_CRSAnd retrieving (sid, crs);

(8) edge proxy computing (pk)_i,sk_i)←EKG(crs,σ_i) Where i ∈ [1, k ]]And (sid, ssid, pk)₁,...,pk_k) Sending the data to the edge Internet of things agent device and storing the data;

(9) alice receives (sid, ssid, pk) from the edge proxy₁,...,pk_k) Calculating y_i,b←Enc(pk_i,b,x_b) Wherein b ∈ [1, l ]]，i∈[1,k]And will (sid, ssid, y)_i,1,...,y_i,l) Sent to Alice, where i e [1, k ]]；

(10) The edge agent device receives (sid, ssid, y) from the management platform of the internet of things_i,1,...,y_i,l) And output

Where i ∈ [1, k ]]。

The specific operation of selecting a difficult algorithm is that the protocol security depends on the DDH assumption, as follows:

let G be the algorithm whose input is a security parameter 1ⁿThe output is G ═ (G, p, G), where G is the prime order p of the cyclic group and G is a generator of G. For each probability polynomial time, D is calculated, all sufficiently large N belongs to N, each random generator G, h belongs to G, and all the elements have

Where G is a cyclic group of prime order p, tuple (G, h, G)^a,h^a) And (g, h, g)^a,h^b) Are computationally indistinguishable.

The encryption algorithm is selected specifically as follows: selecting a dual-mode encryption scheme, expressing the scheme to be a probability polynomial time Turing machine pi, and constructing an algorithm as follows:

(1)Setup(1ⁿμ): the security parameter n and the pattern μ ∈ {0,1} are input, and (crs, t) is output. When μ ═ 0, the algorithm Setup (1)ⁿ0) setting algorithm for chaotic pattern, we use SetupMessy (1)ⁿ) To represent; when μ ═ 1, the algorithm Setup (1)ⁿ1) setting algorithm for decryption mode, we use SetupDec (1)ⁿ) To show that crs is a generic string that is the input to other algorithms, and t is an auxiliary trapdoor value that is used to determine which of the FindMessy or TrapKEyGen algorithms is chosen;

(2) KeyGen (σ, crs): inputting a branch value σ e {0,1}, inputting a key pair (pk, sk), wherein pk is a public key and sk is a private key corresponding to the message encrypted at the branch σ;

(3) enc (pk, b, m, crs): inputting a public key pk, a branch value b e {0,1} and a message m e {0,1}^hOutputting a ciphertext c encrypted on branch b;

(4) dec (sk, c, crs): inputting a private key sk and a ciphertext c, and outputting a message m e to {0,1}^h；

(5) FindMessy (t, pk, crs): inputting a trap value t and a public key pk, and outputting a branch value b belonging to {0,1} corresponding to a chaotic branch of pk;

(6) TrapKEyGen (t, crs): inputting a trap value t, and outputting (pk, sk)₀,sk₁) Where pk is a public key, sk₀And sk₁The secret decryption keys corresponding to the branches 0 and 1 are respectively, and l integers are randomly selected in SetupMessy and SetupDec algorithms as a trap value t, so that the lengths of t are equal, and an attacker can not distinguish two different modes through the defect.

The random algorithm is specifically selected as follows: the algorithm is constructed as follows:

let G be an arbitrary multiplicative group of prime order p, for each χ ∈ Z_pDefinition of L_G(χ)＝((g,g^χ) G ∈ G). Let G, h e G be the generator of G, define the probabilistic algorithm as Randomize, which considers G, h G^lAnd g^χ，h^χE G as input, and then outputs a pair (u, v) e G²The specific process is as follows: respectively selecting s, t ← Z_pLet u be g^sh^tAnd v ═ g^χ)^s(h^x)^t，Randomize(g,h,g^x,h^x) And (u, v) output, wherein the algorithm has the following two characteristics:

(1) if there is (g, g) for a certain x^χ)，(h,h^χ)∈L_G(χ) such that (u, v) is at L_G(χ) is uniformly random;

(2) for x, y ∈ Z_pX ≠ y if present such that (g, g)^χ)∈L_G(χ)， (h,h^y)∈L_G(y) then (u, v) is at G²Are uniformly random.

Constructing the encryption algorithm of the step 2 by using the random algorithm of the step 3 to construct an algorithm based on difficult hypothesis, namely a two-branch indistinguishable confuser; constructing a public key encryption scheme based on DDH by a randomization algorithm, which specifically comprises the following steps:

(1)EKG(1ⁿ)：

1) select G ═ G (G, p, G) ← G (1)ⁿ) Where G is the message space of the scheme.

2) Selecting a uniform random element h and an index r ← Z in G_p。

3) Let pk be (g, h, g)^r,h^r) And sk ═ r.

4) And outputting (pk, sk).

(2)Enc(pk,m)：

1) Analyze pk to (g, h, g)^r,h^r)

2) Let (u, v) ← Randomize (g, h, g)^r,h^r)。

3) The output ciphertext c is (u, v · m).

(3)Dec(sk,c)：

1) C is resolved into (e)₀,e₁)；

2) Output of

Constructing a two-branch indistinguishable obfuscator based on a DDH encryption scheme and a dual-mode encryption scheme, and comprising the following steps:

(1)Setup(1ⁿ)：G＝(G,p,g)←G(1ⁿ) Where G is the message space of the system;

(2) 1-obf-branch: randomly select l different generators g₁,...g_l} G, and randomly selects l different integers { χ₁,...χ_l}←Z_pAs a non-zero index, let_i＝obfuscate(1^λ,C_1,i) Where i ∈ [1, l ]]

(3) 2-obf-branch: randomly selecting a generator g₁C o ← G, and randomly select χ and l different integers { y₁,...y_l}←Z_pAs a non-zero index. Order to

Where i ∈ [2, l ]]Let us order_i＝obfuscate(1^λ,C_2,i) Where i ∈ [1, l ]]；

(4) EKG (σ, crs): call Evaalrate (crs) algorithm, let h_i＝Evaluate(_i,g_i) Uniformly and randomly selecting r ← Z_p. Order to

And is

pk ═ r, (g, h), sk ═ r, output (pk, sk);

(5) enc (pk, b, m, crs): analyze pk to (g, h) and let pk_b＝(g_b,h_b,g,h)， (u,v)←Randomize(g_b,h_bG, h), the output ciphertext c ═ (u, v · m) as the encryption of message m on encryption branch b;

(6) dec (sk, c, crs): c is resolved into (e)₀,e₁) Output m ═ e₁/e₀ ^r；

(7) FindMessy (t, pk, crs): the trapdoor value t of 1-obf-branch is resolved as { χ%₁,...,χ_lResolving the public key pk to (g, h) if

Then the output b-i is taken as a candidate chaotic encryption branch, otherwise, there is

Where i ≠ j, the output b ≠ j as a (candidate) obfuscated encryption branch;

(8) TrapKEyGen (t, crs): the trapdoor value t of 2-obf-branch resolves to non-zero y_i∈Z_pSelecting a random r ← Z_pAnd calculate

And outputs (pk, r, ry).

The method comprises the following steps of providing security analysis of a two-branch obfuscator and an inadvertent transmission protocol:

(1) determining the DDH for G is difficult, and no adversary can identify with very great probability which confusing branch is used.

1) The DDH problem is considered difficult to prove for the group used. The version of DDH used was constructed as follows: for a random generator G, h ∈ G and random a, b ∈ Z_pIn other words, the tuple (g, h, g)^a,h^a) And (g, h, g)^a,h^b) Are computationally indistinguishable. This DDH assumption is equivalent to another common form, i.e., with a very large probability c ≠ ab.

2) Scheme security is an indiscriminate dependence on two obfuscating branches. Obviously, the outputs crs of the two branches₁＝(g₀,₁,g₁,₂)，t₁＝(χ₀,χ₁) And ob ∈ {0,1}, t₂＝(y₀,y₁) Have the same form: g₀，g₁，g₀And g₁Are both generators that are randomly selected and,₁，₂，₃，₄are confusing and indistinguishable descriptions of equivalent circuits.

3) The two obfuscated branches are indistinguishable. In the EKG algorithm, the confusion is translated into h_bAnd crs ═ g₀,h₀,g₁,h₁). In the 1-obf-branch,

wherein g is₀，g₁Is a random generator of G, and₀,χ₁at Z_pIs different and non-zero. Order to

It is non-zero but at Z_pIs uniform. Then

Is non-zero and is different from a, otherwise it is uniform. Thus, crs is statistically close to a random DDH non-tuple

Wherein a, b ← Z_pBecause of

Is non-zero and is in Z_pIs random, crs is statistically close to a random DDH tuple. Under the DDH difficulty problem, the indistinguishability of pk can be deduced from the indistinguishability of crs.

(2) Let ob be {0,1} protocol. Protocol OT^obThe function of careless transmission is realized safely

All the characteristics of the dual-mode encryption system (1-obf-branch corresponding to chaotic mode and 2-obf-branch corresponding to decryption mode) have a direct correspondence between correctness and the case where neither party is attacked, as well as a direct correspondence between 1-obf-branch and the statistical security of the sender and between 2-obf-branch and the statistical security of the recipient. The indistinguishability between the two obfuscated branches will establish computational security for the counterpart in the protocol.

In summary, compared with the prior art, the invention has the following advantages:

in order to prevent reverse engineering, the transmission method of the invention is based on indistinguishable confusion and dual-mode encryption system design. The method comprises the steps that an Internet of things management platform sends information to an intelligent terminal, when the Internet of things management platform sends l messages, the intelligent terminal can only receive k messages (k is less than l) of the messages, the rest l-k messages cannot be known, and the Internet of things management platform knows that the intelligent terminal receives k messages but does not know which k messages. The method can be effectively applied to a scene that the edge Internet of things agent device polls each service and a scene that the Internet of things management platform sends sensitive messages to a plurality of edge Internet of things agent devices in a fuzzy transmission mode. The invention fully considers the applicability of the protocol in an intelligent Internet of things system when designing the protocol, constructs an I-K careless transmission protocol by using an application scene of cooperative safe interaction of an Internet of things management platform and an edge Internet of things agent device, calculates by using spare resources of the edge Internet of things agent device when the resources of the Internet of things management platform are insufficient, and then recovers the calculation result to obtain a determined calculation value. In the process, the Internet of things management platform does not know which data are calculated by the edge Internet of things agent device, so that the privacy of a receiver is protected, and meanwhile, the correctness and the safety of the data transmission process are ensured.

Drawings

FIG. 1 shows a circuit C according to the invention_1,1Schematic representation.

FIG. 2 is a circuit C of the present invention_1,1Schematic representation.

FIG. 3 is a circuit C of the present invention_2,1Schematic representation.

FIG. 4 is a circuit C of the present invention_2,2Schematic representation.

Detailed Description

The present invention will be described in more detail with reference to examples.

Example 1

A method suitable for both communication sides of an intelligent Internet of things system to transmit messages comprises the following steps of (1) selecting a difficult algorithm, and (2) selecting an encryption algorithm; (3) selecting a random algorithm; (4) constructing the encryption algorithm of the step 2 by using the random algorithm of the step 3 to construct an algorithm based on difficult hypothesis, namely a two-branch indistinguishable confuser; (5) constructing a safe and careless transmission protocol by using two-branch indistinguishable confusion; (6) giving a security analysis of the two-branch obfuscator, the inadvertent transmission protocol; (7) and message transmission between the two communication parties of the intelligent Internet of things system is realized by utilizing an inadvertent transmission protocol.

In the first step, the difficult problem on which the designed protocol is based is clarified, and the protocol security depends on the DDH assumption, which is as follows:

let G be the algorithm whose input is a security parameter 1ⁿThe output is G ═ (G, p, G), where G is the prime order p of the cyclic group and G is a generator of G. For each probability polynomial time, D is calculated, all sufficiently large N belongs to N, each random generator G, h belongs to G, and all the elements have

Where G is a cyclic group of prime order p, tuple (G, h, G)^a,h^a) And (g, h, g)^a,h^b) Are computationally indistinguishable.

Secondly, selecting a dual-mode encryption scheme, expressing the scheme to be a probability polynomial time turing machine pi, and constructing an algorithm as follows:

(1)Setup(1ⁿμ): the security parameter n and the pattern μ ∈ {0,1} are input, and (crs, t) is output. When μ ═ 0, the algorithm Setup (1)ⁿ0) setting algorithm for chaotic pattern, we use SetupMessy (1)ⁿ) To represent; when μ ═ 1, the algorithm Setup (1)ⁿ1) setting algorithm for decryption mode, we use SetupDec (1)ⁿ) To indicate. crs is a generic string that is the input to other algorithms and t is an auxiliary trapdoor value that is used to determine which of the FindMessy or TrapKEyGen algorithms is selected.

(2) KeyGen (σ, crs): a branch value σ ∈ {0,1} is input, and a key pair (pk, sk) is input, where pk is a public key and sk is a private key corresponding to the message encrypted at the branch σ.

(3) Enc (pk, b, m, crs): inputting a public key pk, a branch value b e {0,1} and a message m e {0,1}^hAnd outputs a ciphertext c encrypted on branch b.

(4) Dec (sk, c, crs): inputting a private key sk and a ciphertext c, and outputting a message m e to {0,1}^h。

(5) FindMessy (t, pk, crs): inputting a trap value t and a public key pk, and outputting a branch value b E {0,1} corresponding to a chaotic branch of pk.

(6) TrapKEyGen (t, crs): inputting a trap value t, and outputting (pk, sk)₀,sk₁) Where pk is a public key, sk₀And sk₁The secret decryption keys for branches 0 and 1, respectively.

This algorithm has the drawback that in the SetupMessy and SetupDec algorithms, the length of the trapdoor value t of the two algorithms is not equal, that is,if used, l_mDenote the length of t in the SetupMessy algorithm by l_dRepresenting the length of t in the SetupDec algorithm, we can see l_m＝2×l_d. In this way, an attacker may distinguish two different patterns by discriminating the length of t, and this defect will destroy the indistinguishability of the two patterns. To improve this defect, the setupmessage and SetupDec algorithms choose i integers randomly as the trap value t, so that the length of t is equal, ensuring that an attacker cannot distinguish two different patterns through this defect.

Thirdly, selecting a randomization algorithm, wherein the algorithm is constructed as follows:

let G be an arbitrary multiplicative group of prime order p. For each χ ∈ Z_pDefinition of L_G(χ)＝((g,g^χ) G ∈ G). Let G, h ∈ G be the generator of G. The probability algorithm is defined as Randomize, which defines g, h ═ g^lAnd g^χ，h^χE G as input, and then outputs a pair (u, v) e G². The specific process is as follows: respectively selecting s, t ← Z_pLet u be g^sh^tAnd v ═ g^χ)^s(h^x)^t，Randomize(g,h,g^x,h^x) And (u, v) is output. The algorithm has the following two characteristics:

(1) if there is (g, g) for a certain x^χ)，(h,h^χ)∈L_G(χ) such that (u, v) is at L_G(χ) is uniformly random.

(2) For x, y ∈ Z_pX ≠ y if present such that (g, g)^χ)∈L_G(χ)， (h,h^y)∈L_G(y) then (u, v) is at G²Are uniformly random.

Fourthly, constructing a public key encryption scheme based on the DDH by a randomization algorithm, which comprises the following steps:

EKG(1ⁿ)：

select G ═ G (G, p, G) ← G (1)ⁿ) Where G is the message space of the scheme.

Selecting a uniform random element h and an index r ← Z in G_p。

Let pk be (g, h, g)^r,h^r) And sk ═ r.

And outputting (pk, sk).

Enc(pk,m)：

Analyze pk to (g, h, g)^r,h^r)

Let (u, v) ← Randomize (g, h, g)^r,h^r)。

The output ciphertext c is (u, v · m).

Dec(sk,c)：

C is resolved into (e)₀,e₁)。

Output of

Fourthly, constructing a two-branch indistinguishable obfuscator based on the encryption scheme of the DDH and the dual-mode encryption scheme, and comprising the following steps of:

(1)Setup(1ⁿ)：G＝(G,p,g)←G(1ⁿ) Where G is the message space of the system.

(2) 1-obf-branch: randomly select l different generators g₁,...g_l} G, and randomly selects l different integers { χ₁,...χ_l}←Z_pAs a non-zero index. Order to_i＝obfuscate(1^λ,C_1,i) Where i ∈ [1, l ]](with respect to C)_1,iBy the specific function of C_1,1And C_1,2By way of example, C_1,iThe difference between them is the difference in the parameters, i.e.,

). Let crs equal (g)₁,g₂,...g_l,₁,₂,...,_l) Ssid. Output (crs, t).

(3) 2-obf-branch: randomly selecting a generator g₁C o ← G, and randomly select χ and l different integers { y₁,...y_l}←Z_pAs a non-zero index. Order to

Where i ∈ [2, l ]]. Order to_i＝obfuscate(1^λ,C_2,i) Where i ∈ [1, l ]](with respect to C)_2,iBy the specific function of C_2,1And C_2,2By way of example, C_2,iThe difference between them is in the parameter, i.e.

). Let crs equal (g)₁,g₂,...g_l,₁,₂,...,_l) And FindMessy (t, pk, crs), output (crs, t).

(4) EKG (σ, crs): the Evaluate (crs) algorithm is invoked. Let h_i＝Evaluate(_i,g_i) Uniformly and randomly selecting r ← Z_p. Order to

And is

pk is (g, h) and sk is r. And outputting (pk, sk).

(5) Enc (pk, b, m, crs): pk was resolved as (g, h). Let pk_b＝(g_b,h_b,g,h)， (u,v)←Randomize(g_b,h_bG, h). The ciphertext c is output as the encryption of the message m on the encryption branch b (u, v · m).

(6) Dec (sk, c, crs): c is resolved into (e)₀,e₁). Output m ═ e₁/e₀ ^r。

(7) FindMessy (t, pk, crs): the trapdoor value t of 1-obf-branch is resolved as { χ%₁,...,χ_lResolve the public key pk to (g, h). If it is not

Then b-i is output as a (candidate) chaotic encryption branch. Otherwise, there is

Where i ≠ j, output b ═ j as a (candidate) aliasAnd (6) encrypting branches.

(8) TrapKEyGen (t, crs): the trapdoor value t of 2-obf-branch resolves to non-zero y_i∈Z_p. Select a random r ← Z_pAnd calculate

And outputs (pk, r, r/y).

As can be seen from fig. 1,2, 3 and 4, the strings crs of the two confusion branches are computationally indistinguishable, but the functions are identical.

Fifthly, the steps of constructing the safe and careless transmission protocol by using two-branch indistinguishable confusion are as follows:

inadvertent transmission function of construction thing networking management platform to edge thing networking agent device

The Internet of things management platform has l inputs of x₁,...χ_lThe input of the edge Internet of things agent device is sigma₁,...σ_k∈[1,l]The edge internet of things agent device can only receive k messages from the internet of things management platform, but the internet of things management platform cannot know which k messages are received by the edge internet of things agent device.

(2) Construct the inadvertent transport protocol crs ═ (g)₀,h₀,g₁,h₁) The protocol actually runs in one of the obfuscated branches, but the two branches are computationally indistinguishable. And the protocol acts in a normal reference string mode, i.e. the same normal reference string is reused for different procedures of the inadvertent transmission. And, the interaction between the parties is coordinated through a sub-dialog (denoted by the parameter ssid) of a single dialog (denoted by the parameter sid)The application is as follows. Specific protocols are shown in the following table

Sixthly, the security analysis of the two-branch obfuscator and the careless transmission protocol is given, and the method comprises the following specific steps:

(1) determining the DDH for G is difficult, and no adversary can identify with very great probability which confusing branch is used.

1) The DDH problem is considered difficult to prove for the group used. The version of DDH used was constructed as follows: for a random generator G, h ∈ G and random a, b ∈ Z_pIn other words, the tuple (g, h, g)^a,h^a) And (g, h, g)^a,h^b) Are computationally indistinguishable. This DDH assumption is equivalent to another common form, i.e., with a very large probability c ≠ ab.

2) Scheme security is an indiscriminate dependence on two obfuscating branches. Obviously, the outputs crs of the two branches₁＝(g₀,₁,g₁,₂)，t₁＝(χ₀,χ₁) And ob ∈ {0,1}, t₂＝(y₀,y₁) Have the same form: g₀，g₁，g₀And g₁Are both generators that are randomly selected and,₁，₂，₃，₄are confusing and indistinguishable descriptions of equivalent circuits.

3) The two obfuscated branches are indistinguishable. In the EKG algorithm, the confusion is translated into h_bAnd crs ═ g₀,h₀,g₁,h₁). In the 1-obf-branch,

wherein g is₀，g₁Is a random generator of G, and₀,χ₁at Z_pIs different and non-zero. Order to

It is non-zero but at Z_pIs uniform. Then

Is non-zero and is different from a, otherwise it is uniform. Thus, crs is statistically close to a random DDH non-tuple

Wherein a, b ← Z_pBecause of

Is non-zero and is in Z_pIs random, crs is statistically close to a random DDH tuple. Under the DDH difficulty problem, the indistinguishability of pk can be deduced from the indistinguishability of crs.

(2) Let ob be {0,1} protocol. Protocol OT^obThe function of careless transmission is realized safely

All the characteristics of the dual-mode encryption system (1-obf-branch corresponding to chaotic mode and 2-obf-branch corresponding to decryption mode) have a direct correspondence between correctness and the case where neither party is attacked, as well as a direct correspondence between 1-obf-branch and the statistical security of the sender and between 2-obf-branch and the statistical security of the recipient. The indistinguishability between the two obfuscated branches will establish computational security for the counterpart in the protocol.

The parts not described in the present embodiment are the same as those in the prior art.

Claims (6)

1. A method for transmitting messages by two communication parties in an intelligent Internet of things system is characterized in that: (1) selecting a difficult algorithm, (2) selecting an encryption algorithm; (3) selecting a random algorithm; (4) constructing the encryption algorithm of the step 2 by using the random algorithm of the step 3 to construct an algorithm based on difficult hypothesis, namely a two-branch indistinguishable confuser; (5) constructing a safe and careless transmission protocol by using two-branch indistinguishable confusion; (6) giving a security analysis of the two-branch obfuscator, the inadvertent transmission protocol; (7) and message transmission between the two communication parties of the intelligent Internet of things system is realized by utilizing an inadvertent transmission protocol.

2. The method as claimed in claim 1, wherein the method comprises: the steps of constructing a secure oblivious transport protocol using two-branch indistinguishable obfuscation are as follows:

inadvertent transmission function of construction thing networking management platform to edge thing networking agent device

The Internet of things management platform has l inputs of x₁,...χ_lThe input of the edge Internet of things agent device is sigma₁,...σ_k∈[1,l]The edge internet of things agent device can only receive k messages from the internet of things management platform, but the internet of things management platform cannot know which k messages are received by the edge internet of things agent device;

function(s)

The management platform of the Internet of things is a sender, the edge agent device of the Internet of things is a receiver, an attacker S exists, and the functions

The specific definition is as follows:

receiving a message (sid, sender, x) from an internet of things management platform₁,...,x_l) Wherein each x_i∈{0,1}^mThe tuple (x)₁,...,x_l) And (7) recording. (the length of string m is fixed and known to all parties;)

Edge articleThe co-proxy device receives a message (sid, receiver, sigma)₁,...,σ_k) Where σ is₁,...,σ_k∈[1,l]Check if a message was sent before, and if so, will check if it was sent

Sending the information to the edge Internet of things agent device, sending the information to the enemy S through (sid) and stopping, if the information is not sent before, not sending any information to the edge Internet of things agent device (but continuing to run);

construct the inadvertent transport protocol crs ═ (g)₀,h₀,g₁,h₁) The protocol, which in fact operates in one of the obfuscated branches, but is computationally indistinguishable from the other, acts in a common reference string mode, i.e. the same common reference string is reused for different processes of an inadvertent transmission, and the interaction between the parties is coordinated by a sub-dialog (denoted by parameter ssid) of a single dialog (denoted by parameter sid), as follows:

oblivious transport protocol OT^ob：

In the protocol OT^obIn (2), the parameter ob ∈ {1,2} (the parameter is selected in advance before executing the protocol, i.e., ob ═ 1 means that 1-obf-branch is selected, and ob ═ 2 means that 2-obf-branch is selected), the specific details are as follows:

inputting the Internet of things management platform: (sid, sender, x)₁,...,x_l) Wherein x is₁,...,x_l∈{0,1}ⁿ

Input of the edge internet of things agent device: (sid, receiver, σ)₁,...,σ_k) Where σ is₁,...,σ_k∈{0,1}

When executing the protocol, the IOT management platform queries F with (sid, sender, receiver)_CRSAnd retrieve (sid, crs), then the edge proxy queries F with (sid, sender, receiver)_CRSAnd retrieving (sid, crs);

edge proxy computing (pk)_i,sk_i)←EKG(crs,σ_i) Where i ∈ [1, k ]]And (sid, ssid, pk)₁,...,pk_k) Sending the data to the edge Internet of things agent device and storing the data;

alice receives (sid, ssid, pk) from the edge proxy₁,...,pk_k) Calculating y_i,b←Enc(pk_i,b,x_b) Wherein b ∈ [1, l ]]，i∈[1,k]And will (sid, ssid, y)_i,1,...,y_i,l) Sent to Alice, where i ∈ [1, k ]]；

The edge agent device receives (sid, ssid, y) from the management platform of the internet of things_i,1,...,y_i,l) And output

Where i ∈ [1, k ]]。

3. The method as claimed in claim 1, wherein the method comprises: the specific operation of selecting a difficult algorithm is that the protocol security depends on the DDH assumption, as follows:

let G be the algorithm whose input is a security parameter 1ⁿThe output is G ═ (G, p, G), where G is the prime order p of the cyclic group and G is a generator of G. For each probability polynomial time, D is calculated, all sufficiently large N belongs to N, each random generator G, h belongs to G, and all the elements have

Where G is a cyclic group of prime order p, tuple (G, h, G)^a,h^a) And (g, h, g)^a,h^b) Are computationally indistinguishable.

4. The method as claimed in claim 1, wherein the method comprises: the encryption algorithm is selected specifically as follows: selecting a dual-mode encryption scheme, expressing the scheme to be a probability polynomial time Turing machine pi, and constructing an algorithm as follows:

(1)Setup(1ⁿμ): the security parameter n and the pattern μ ∈ {0,1} are input, and (crs, t) is output. When μ ═ 0, the algorithm Setup (1)ⁿ0) setting algorithm for chaotic pattern, we use SetupMessy (1)ⁿ) To represent; when μ ═ 1, the algorithm Setup (1)ⁿ1) setting algorithm for decryption mode, we use SetupDec (1)ⁿ) To show that crs is a generic string that is the input to other algorithms, and t is an auxiliary trapdoor value that is used to determine which of the FindMessy or TrapKEyGen algorithms is chosen;

(2) KeyGen (σ, crs): inputting a branch value σ e {0,1}, inputting a key pair (pk, sk), wherein pk is a public key and sk is a private key corresponding to the message encrypted at the branch σ;

(3) enc (pk, b, m, crs): inputting a public key pk, a branch value b e {0,1} and a message m e {0,1}^hOutputting a ciphertext c encrypted on branch b;

(4) dec (sk, c, crs): inputting a private key sk and a ciphertext c, and outputting a message m e to {0,1}^h；

(5) FindMessy (t, pk, crs): inputting a trap value t and a public key pk, and outputting a branch value b belonging to {0,1} corresponding to a chaotic branch of pk;

(6) TrapKEyGen (t, crs): inputting a trap value t, and outputting (pk, sk)₀,sk₁) Where pk is a public key, sk₀And sk₁The secret decryption keys corresponding to the branches 0 and 1 are respectively, and l integers are randomly selected in SetupMessy and SetupDec algorithms as a trap value t, so that the lengths of t are equal, and an attacker can not distinguish two different modes through the defect.

5. The method as claimed in claim 1, wherein the method comprises: the random algorithm is specifically selected as follows: the algorithm is constructed as follows:

let G be an arbitrary multiplicative group of prime order p, for each χ ∈ Z_pDefinition of L_G(χ)＝((g,g^χ) G belongs to G), let G, h belongs to G beG, the probability algorithm is defined as Randomize, and G, h are G^lAnd g^χ，h^χE G as input, and then outputs a pair (u, v) e G²The specific process is as follows: respectively selecting s, t ← Z_pLet u be g^sh^tAnd v ═ g^χ)^s(h^x)^t，Randomize(g,h,g^x,h^x) And (u, v) output, wherein the algorithm has the following two characteristics:

(1) if there is (g, g) for a certain x^χ)，(h,h^χ)∈L_G(χ) such that (u, v) is at L_G(χ) is uniformly random;

(2) for x, y ∈ Z_pX ≠ y if present such that (g, g)^χ)∈L_G(χ)，(h,h^y)∈L_G(y) then (u, v) is at G²Are uniformly random.

6. The method as claimed in claim 1, wherein the method comprises: constructing the encryption algorithm of the step 2 by using the random algorithm of the step 3 to construct an algorithm based on difficult hypothesis, namely a two-branch indistinguishable confuser; constructing a public key encryption scheme based on DDH by a randomization algorithm, which specifically comprises the following steps:

EKG(1ⁿ)：

select G ═ G (G, p, G) ← G (1)ⁿ) Where G is the message space of the scheme,

selecting a uniform random element h and an index r ← Z in G_p，

Let pk be (g, h, g)^r,h^r) And sk ═ r.

The output (pk, sk),

Enc(pk,m)：

analyze pk to (g, h, g)^r,h^r)

Let (u, v) ← Randomize (g, h, g)^r,h^r)，

The output ciphertext c is (u, v · m),

Dec(sk,c)：

c is resolved into (e)₀,e₁)；

Output of

Constructing a two-branch indistinguishable obfuscator based on a DDH encryption scheme and a dual-mode encryption scheme, and comprising the following steps:

(1)Setup(1ⁿ)：G＝(G,p,g)←G(1ⁿ) Where G is the message space of the system;

(2) 1-obf-branch: randomly select l different generators g₁,...g_l} G, and randomly selects l different integers { χ₁,...χ_l}←Z_pAs a non-zero index, let_i＝obfuscate(1^λ,C_1,i) Where i ∈ [1, l ]]

(3) 2-obf-branch: randomly selecting a generator g₁C o ← G, and randomly select χ and l different integers { y₁,...y_l}←Z_pAs a non-zero index. Order to

Where i ∈ [2, l ]]Let us order_i＝obfuscate(1^λ,C_2,i) Where i ∈ [1, l ]]；

(4) EKG (σ, crs): call Evaalrate (crs) algorithm, let h_i＝Evaluate(_i,g_i) Uniformly and randomly selecting r ← Z_pLet us order

And is

pk ═ r, (g, h), sk ═ r, output (pk, sk);

(5) enc (pk, b, m, crs): analyze pk to (g, h) and let pk_b＝(g_b,h_b,g,h)，(u,v)←Randomize(g_b,h_bG, h), the output ciphertext c ═ (u, v · m) as the encryption of message m on encryption branch b;

(6) dec (sk, c, crs): resolving c into(e₀,e₁) Output m ═ e₁/e₀ ^r；

(7) FindMessy (t, pk, crs): the trapdoor value t of 1-obf-branch is resolved as { χ%₁,...,χ_lResolving the public key pk to (g, h) if

Then the output b-i is taken as a candidate chaotic encryption branch, otherwise, there is

Where i ≠ j, the output b ≠ j as a (candidate) obfuscated encryption branch;

(8) TrapKEyGen (t, crs): the trapdoor value t of 2-obf-branch resolves to non-zero y_i∈Z_pSelecting a random r ← Z_pAnd calculate

And outputs (pk, r, r/y).

Images