CN111917547B - Trap door binary one-way function-based broadcast encryption method and device - Google Patents
Publication number: CN111917547B (application CN202010725369.4A)
Authority: CN (China)
Prior art keywords: lwe, algorithm, broadcast encryption, binary, way function
Legal status: Active
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
- H04L9/3093—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving Lattices or polynomial equations, e.g. NTRU scheme
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0838—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
Abstract
The invention provides a broadcast encryption method and device based on a trapdoor binary one-way function. It mainly concerns a user key extraction method for large-scale groups built on a trapdoor binary one-way function (TB-OWF), and a lattice-based multiple learning with errors (Multi-LWE) encryption scheme built on the hardness assumption of ring learning with errors (RLWE). In the RLWE-based broadcast encryption scheme provided by the invention, recovering a private key without knowledge of the trapdoor becomes very difficult. Adopting the Multi-LWE encryption scheme improves the encryption efficiency and the security of the ciphertext. In the broadcast encryption system the number of users is unlimited, and the encryption scheme is simplified.
Description
[ technical field ]
The invention relates to the technical field of information security, and in particular to a broadcast encryption method and device based on a trapdoor binary one-way function; the device is resistant to collusion attacks.
[ background of the invention ]
In 2005, Regev first proposed the Learning With Errors (LWE) problem, which is widely used in lattice cryptography as an average-case problem with a reduction from worst-case lattice problems. LWE comes in two forms: the search problem, denoted search-LWE, and the decision problem, also called decision-LWE; cryptosystems are mostly built on the decision form. Building on this, Lyubashevsky, Peikert and Regev proposed the ring learning with errors (RLWE) problem at Eurocrypt 2010. RLWE overcomes the large public key size and high ciphertext expansion rate of LWE and is widely used in the design of cryptographic schemes.
In addition, the trapdoor one-way function is a common technique for ensuring the security of a cryptographic scheme. It is a special one-way function equipped with a trapdoor: it is easy to compute in one direction and, by the irreversibility of the one-way function, hard to compute in the opposite direction, but the inverse direction becomes easy once the trapdoor is known.
The core idea of broadcast encryption is that a broadcaster encrypts a message and sends it to a large number of users in broadcast mode; each legitimate receiver decrypts the corresponding plaintext with its own private key, while any illegitimate user outside the group cannot decrypt successfully. Broadcast encryption has been widely applied, including to the distribution of copyrighted material such as pay television systems and CDs/DVDs. The field was formally introduced by Fiat and Naor and has received wide attention.
Since broadcast encryption is group-oriented, collusion attacks are most likely to occur between adversaries and traitors holding valid keys; collusion attacks must therefore be considered in the study of group-oriented cryptosystems, and how to share a ciphertext securely with an arbitrarily chosen set of receivers is a central concern of broadcast encryption.
To address the collusion attack problem of broadcast encryption, the invention relies mainly on these two techniques to provide a broadcast encryption method based on a trapdoor binary one-way function: it provides a key extraction method based on the trapdoor binary one-way function and designs a secure multiple learning with errors (Multi-LWE) encryption scheme based on the RLWE hardness assumption, and it further proves that the scheme is semantically secure against chosen-plaintext attacks with collusion (IND-CPA-CA) by an adversary in the standard model.
[ summary of the invention ]
In view of this, the present invention provides a broadcast encryption method and apparatus based on a trapdoor binary one-way function. The scheme mainly concerns a key extraction method based on a trapdoor binary one-way function and, under the RLWE hardness assumption, designs a multiple learning with errors (Multi-LWE) encryption scheme; it further proves that the scheme is semantically secure against chosen-plaintext attacks with collusion (IND-CPA-CA) by an adversary in the standard model.
The above-described aspect and any possible implementation manner further provide a broadcast encryption method resistant to collusion attacks, including the following steps:
S1: Initialization algorithm Setup: take a security parameter n as input and output a public key pk and a master secret key msk through the trapdoor construction function TrapGen;
S2: Key extraction algorithm Extract: each user has a unique serial number i; take the public key pk, the master key msk and the user's serial number i as input, construct the user's private key sk_i using the trapdoor binary one-way function TB-OWF, and output sk_i;
S3: Encryption algorithm Encrypt: take the public key pk and the message M as input, encrypt M with the multiple learning with errors (Multi-LWE) encryption scheme, and output a ciphertext C;
S4: Decryption: the user takes the ciphertext C, its unique serial number i and its own private key sk_i as input, and uses sk_i to decrypt the broadcast ciphertext C with a probabilistic decryption algorithm with error, obtaining the message M.
As to the above-mentioned aspect and any possible implementation manner, there is further provided an implementation manner, and the implementation method of the initialization algorithm Setup in S1 specifically includes:
With security parameter n, compute the RLWE trapdoor constructor TrapGen(n) over the ring R = Z[x]/<f(x)> to obtain the pair (a, T), where the security parameter n is an integer representing the strength of the cryptographic algorithm, usually the minimum length of a cryptographic parameter in the cryptosystem, and T is the trapdoor associated with a. Then randomly select a vector c and a uniform random polynomial sample u in R_q, set pk = (a, c, u), and set the master key msk equal to the trapdoor T.
As to the above-mentioned aspect and any possible implementation manner, there is further provided an implementation manner, and the implementation method of the key extraction algorithm Extract in S2 is specifically:
For each user i, select a random element o_i in R_q^m; with σ and ξ the parameters of the Gaussian distribution, and combining the public key pk, the master key msk and the user's unique serial number i, compute the Gaussian preimage sampling algorithm SamplePre(a, T, u + c o_i, σ, ξ) to obtain a short vector d_i satisfying a d_i = u + c o_i, which yields the user's private key sk_i = (o_i, d_i).
As to the above-mentioned aspect and any possible implementation manner, there is further provided an implementation manner, in which the trapdoor binary one-way function TB-OWF in S2 is defined as follows: given a and c, for any x ∈ X and y ∈ Y, the function f: X × Y → Z is expressed as f(x, y) = ax + cy = z; the trapdoor of the TB-OWF function is the trapdoor T of the Gaussian preimage sampling algorithm SamplePre, and the trapdoor binary one-way function TB-OWF satisfies the following properties:
1) Easy to compute: for each pair of inputs (x, y), there is an efficient algorithm A that computes the function value z = A(x, y) in polynomial time;
2) Irreversibility: a. given z, for any y, the probability of computing an x such that f(x, y) = z is negligible; b. given z, for any x, the probability of computing a y such that f(x, y) = z is negligible;
3) Existence of the trapdoor: given z, for any y, there is a polynomial-time algorithm g and a trapdoor T such that x = g_T(z, y) satisfies z = f(x, y).
The above-mentioned aspects and any possible implementation manners further provide an implementation manner, in which the encryption algorithm Encrypt in S3 is implemented as follows: select a random value s in R_q, then select noise e from the error distribution χ and noise vectors e' and e'' from the error distribution χ^m; using the public key pk, the message M ∈ {0,1}^n is converted into a vector in R_2 and encrypted with the multiple learning with errors (Multi-LWE) encryption scheme, the encryption algorithm being as follows:
The output ciphertext is C = (c, t, z).
The above-mentioned aspect and any possible implementation manner further provide an implementation manner, in which the multiple learning with errors (Multi-LWE) encryption scheme in S3 is constructed as follows:
I: According to the form of the RLWE hardness assumption, let the function LWE(x) = xs + e, where s ∈ R_q and e is a sample of the distribution χ, and substitute the public key pk = (a, c, u):
LWE(a)=as+e,
LWE(u)=us+e',
LWE(c)=cs+e”,
where e is drawn from the error distribution χ and e', e'' are samples of the distribution χ^m;
II: From the relation ad = u + co satisfied by the private key sk, one obtains
LWE(a)d=LWE(u)+LWE(c)o;
III: The message M is combined with LWE(u) to obtain the ciphertext C = (c, t, z).
The above-mentioned aspects and any possible implementation manners further provide an implementation manner, in which the decryption algorithm Decrypt in S4 is implemented as follows: using the ciphertext C and the private key sk_i, compute c' = z d_i − t o_i ∈ R_q; then compute r = c − c' ∈ R_q; if the i-th component r_i of r is closer to 0 than to the alternative decoding value, the i-th component M_i of the message M is 0, otherwise it is 1.
As for the above-mentioned aspect and any possible implementation manner, there is further provided an implementation manner, in which the probabilistic decryption algorithm with error in S4 is as follows:
For the user's private key sk_i = (o_i, d_i) and all sufficiently small noise terms e, e', e'', the relation a d_i = u + c o_i satisfied by the private key gives c' = z d_i − t o_i ∈ R_q, i.e.
c'=zd_i-to_i=(as+e'')d_i-(cs+e')o_i=us+e''d_i-e'o_i,
then r = c − c' ∈ R_q is computed and written out from this relation. When the error limit condition is satisfied, r_i lies in the range corresponding to M_i = 0 when M_i = 0 and in the range corresponding to M_i = 1 when M_i = 1, so the algorithm decrypts correctly and outputs the correct message M.
The above-described aspects and any possible implementation manner further provide a collusion attack resistant broadcast encryption device, where the device includes a memory, a processor, and a collusion attack resistant broadcast encryption processing program stored on the memory and executable on the processor, and the collusion attack resistant broadcast encryption processing program, when executed by the processor, implements the steps of any one of the collusion attack resistant broadcast encryption methods.
The above-described aspect and any possible implementation manner further provide a computer-readable storage medium, where a collusion attack resistant broadcast encryption processing program is stored on the computer-readable storage medium, and when executed by a processor, the collusion attack resistant broadcast encryption processing program implements the steps of any of the collusion attack resistant broadcast encryption methods.
Compared with the prior art, the invention achieves the following technical effects:
1) In the RLWE-based broadcast encryption scheme, the private key is constructed with the trapdoor binary one-way function, so that without knowledge of the trapdoor recovering the private key becomes very difficult.
2) The invention adopts a multiple learning with errors (Multi-LWE) encryption scheme, which improves the encryption efficiency and the security of the ciphertext.
3) In the broadcast encryption system of the present invention, the number of users is unlimited. The sizes of the public key and the ciphertext are constant and the private key is a short vector, so the encryption scheme is simpler.
4) The broadcast encryption scheme of the present invention is semantically secure against chosen-plaintext attacks with traitor collusion.
Of course, it is not necessary for any one product in which the invention is practiced to achieve all of the above-described technical effects simultaneously.
[ description of the drawings ]
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a flowchart of a broadcast encryption method according to an embodiment of the present invention.
[ detailed description of the embodiments ]
For better understanding of the technical solutions of the present invention, the following detailed descriptions of the embodiments of the present invention are provided with reference to the accompanying drawings.
It should be understood that the described embodiments are only some embodiments of the invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The terminology used in the embodiments of the invention is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in the examples of the present invention and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
The invention provides a trap door binary one-way function-based broadcast encryption method and device and a readable storage medium. The invention is realized by the following technical scheme:
the main notations and the cited existing algorithms are explained first:
First, define the polynomial f(x) = x^n + 1, where n is a power of 2, and the ring R = Z[x]/<f(x)>, a cyclotomic polynomial ring whose elements are integer-coefficient polynomials of degree at most n − 1. Choose a sufficiently large prime q with q ≡ 1 mod 2n and let R_q = R/qR be the ring in which the arithmetic on polynomial coefficients is performed modulo q, the coefficients being represented as integers in the interval (−q/2, q/2). For any integer m > 1, R_q^m denotes column vectors (or matrices) of ring elements, and a[k] denotes the k-th component of ring element a.
The negligible probability of a function is defined as follows:
A function ε(N) is negligible if for any positive integer c there exists an integer N_0 such that |ε(N)| < 1/N^c for all N > N_0.
The present invention relates to the decision ring-LWE problem (R-DLWE), defined as follows: for a prime q and a distribution χ over the ring, an instance of the decision RLWE problem gives access to an unspecified challenge oracle O, which is either a noisy pseudorandom sampler O_s with a uniformly chosen fixed secret s or a uniform sampler O_$:
O_s: outputs samples of the form (a, b) = (a, as + e) ∈ R_q × R_q, where s is a fixed value drawn uniformly from R_q and kept unchanged across all calls, a is chosen uniformly from R_q, and e is a sample of the distribution χ.
O_$: outputs a truly uniform random sample (a, b) ∈ R_q × R_q.
The invention uses the RLWE trapdoor constructor TrapGen over the ring R = Z[x]/<f(x)>, with input parameters (κ, q), where κ is the security parameter and q is a prime with q = 2^k (k ∈ Z); the algorithm outputs a vector a that is statistically close to uniform and a trapdoor matrix T.
The invention uses the Gaussian preimage sampling algorithm SamplePre, with input parameters (a, T, u, σ, ξ), where T is the trapdoor of a, a and T are generated by the algorithm TrapGen, u is the target, and σ and ξ are two Gaussian parameters; the algorithm outputs a vector x satisfying ax = u.
For any m-dimensional lattice Λ and any real number ε > 0, the smoothing parameter η_ε(Λ) is the smallest real number σ > 0 satisfying ρ_{1/σ}(Λ* \ {0}) ≤ ε. For a vector c ∈ R^m, a real number ε ∈ (0,1) related to ξ, and σ ≥ η_ε(Λ), a vector obeying the error distribution χ^m satisfies the following equation:
The invention uses a trapdoor one-way function, defined as follows:
A function f: X → Y is called a trapdoor unary one-way function if it satisfies:
1) Easy to compute: for each input x, there is an efficient algorithm A that computes the function value y = A(x) in polynomial time.
2) Irreversibility: for a given y, the probability of computing x = f^{-1}(y) is negligible.
3) Existence of the trapdoor: for any y, there is a polynomial-time algorithm g and a trapdoor T such that x = g_T(y) satisfies y = f(x).
The invention relates to an RLWE public key broadcast scheme comprising four sub-algorithms, as shown in Fig. 1:
S1: Initialization algorithm Setup: take the security parameter n as input and output a public key pk and a master key msk through the trapdoor construction function TrapGen.
S2: Key extraction algorithm Extract: each user has a unique serial number i; take the public key pk, the master key msk and the user's serial number i as input, construct the user's private key sk_i using the trapdoor binary one-way function TB-OWF, and output sk_i.
S3: Encryption algorithm Encrypt: take the public key pk and the message M as input, encrypt M with the multiple learning with errors (Multi-LWE) encryption scheme, and output a ciphertext C.
S4: Decryption: the user takes the ciphertext C, the user serial number i and its own private key sk_i as input, and uses sk_i to decrypt the broadcast ciphertext C with a probabilistic decryption algorithm with error, obtaining the message M.
The initialization algorithm Setup is implemented as follows: with security parameter n, compute the RLWE trapdoor constructor TrapGen(n) over the ring R = Z[x]/<f(x)> to obtain the pair (a, T), where T is the trapdoor associated with a. Then randomly select a vector c and a uniform random polynomial sample u in R_q, set pk = (a, c, u), and set the master key msk equal to the trapdoor T.
The key extraction algorithm Extract is implemented as follows: for each user i, select a random element o_i in R_q^m; with σ and ξ the parameters of the Gaussian distribution, and combining the public key pk, the master key msk and the user serial number i, compute the Gaussian preimage sampling algorithm SamplePre(a, T, u + c o_i, σ, ξ) to obtain a short vector d_i satisfying a d_i = u + c o_i, which yields the user's private key sk_i = (o_i, d_i).
Further, the invention uses the trapdoor binary one-way function TB-OWF when constructing the private key. In the relation satisfied by the private key, let the private key pair be the unknowns (x, y) and let u be the unknown z; the relation satisfied by the private key pair is then ax = z + cy, so the private key pair satisfies the trapdoor binary one-way function f(x, y) = ax − cy. Without the trapdoor T the private key is hard to obtain, which ensures the security of user keys in broadcast encryption.
Furthermore, the invention defines the trapdoor binary one-way function TB-OWF as follows: given a and c, for any x ∈ X and y ∈ Y, the TB-OWF function f: X × Y → Z is expressed as f(x, y) = ax + cy = z; its trapdoor is the trapdoor T of the Gaussian preimage sampling algorithm SamplePre, and it has the following properties:
1) Easy to compute: for each pair of inputs (x, y), there is an efficient algorithm A that computes the function value z = A(x, y) in polynomial time;
2) Irreversibility: a. given z, for any y, the probability of computing an x such that f(x, y) = z is negligible; b. given z, for any x, the probability of computing a y such that f(x, y) = z is negligible;
3) Existence of the trapdoor: given z, for any y, there is a polynomial-time algorithm g and a trapdoor T such that x = g_T(z, y) satisfies z = f(x, y).
The encryption algorithm Encrypt is implemented as follows: select a random value s in R_q, then select noise e from the error distribution χ and noise vectors e', e'' from the error distribution χ^m; using the public key pk, the message M ∈ {0,1}^n is converted into a vector in R_2 and encrypted with the multiple learning with errors (Multi-LWE) encryption scheme:
The output ciphertext is C = (c, t, z).
Further, the multiple learning with errors (Multi-LWE) encryption scheme is constructed as follows:
First, according to the form of the RLWE hardness assumption, let the function LWE(x) = xs + e, where s ∈ R_q and e is a sample of the distribution χ, and substitute the public key pk = (a, c, u):
LWE(a)=as+e,
LWE(u)=us+e',
LWE(c)=cs+e”,
where e, e' are all drawn from the distribution χ^m;
then the relation ad = u + co satisfied by the private key sk can be approximated as LWE(a)d = LWE(u) + LWE(c)o. Finally, combining the message M with LWE(u) gives the ciphertext
C=(c,t,z).
The decryption algorithm Decrypt is implemented as follows: using the ciphertext C and the private key sk_i, compute c' = z d_i − t o_i ∈ R_q; then compute r = c − c' ∈ R_q; if the i-th component r_i of r is closer to 0 than to the alternative decoding value, the i-th component M_i of the message M is 0, otherwise it is 1.
Furthermore, to ensure the correctness of the scheme, the decryption algorithm Decrypt uses a probabilistic decryption algorithm with error: for the user's private key sk_i = (o_i, d_i) and all sufficiently small noise terms e, e', e'', the relation a d_i = u + c o_i satisfied by the private key gives c' = z d_i − t o_i ∈ R_q, i.e.
c'=zd_i-to_i=(as+e'')d_i-(cs+e')o_i=us+e''d_i-e'o_i,
then r = c − c' ∈ R_q is computed and written out from this relation. When the error limit condition is satisfied, r_i lies in the range corresponding to M_i = 0 when M_i = 0 and in the range corresponding to M_i = 1 when M_i = 1, so the algorithm decrypts correctly and outputs the correct message M.
Further, the ciphertext of the broadcast encryption scheme of the present invention is semantically secure against chosen-plaintext attacks, the security being defined by the following game between an adversary A and a challenger:
1) Adversary A first outputs the index i of the receiver it wants to attack.
2) The challenger runs the Setup algorithm to obtain the public key pk and sends it to adversary A.
3) Adversary A sends two messages M_0 and M_1 to the challenger; the challenger randomly selects b ∈ {0,1}, runs the encryption algorithm Encrypt(pk, M_b) to obtain the ciphertext C*, and sends C* to adversary A.
4) Adversary A outputs a guess b' ∈ {0,1} of b, and wins the game if b' = b.
The receiver decrypts the encrypted message with its own private key. In this game adversary A may know the keys of all users; such an adversary is called an IND-CPA-CA adversary, as defined by the present invention.
The invention proves that the broadcast encryption scheme is semantically secure in the IND-CPA-CA sense.
Example 1:
For convenience of description, the invention is described with the following symbols. R is the cyclotomic polynomial ring R = Z[x]/<f(x)>, where f(x) = x^n + 1 and n is a power of 2. R_q = R/qR denotes the ring in which the coefficients of polynomials in R are reduced modulo q, where q is a large prime with q ≡ 1 mod 2n. R_q^m denotes column vectors (or matrices) of ring elements, where m is an integer with m > 1, and a[k] denotes the k-th component of ring element a.
The collusion-resistant broadcast encryption scheme is defined over a ring and designed under the RLWE hardness assumption. The system comprises a group of users whose number is unlimited; n is the security parameter, the sizes of the public key and the ciphertext are constant, and the private key is a short vector.
1) Initialization algorithm: first, the system administrator calls the RLWE trapdoor construction function TrapGen(n) with the security parameter n to generate (a, T), where T is the trapdoor of a; then he randomly selects a vector c and a polynomial sample u ∈ R_q, and finally generates the public key pk = (a, c, u) and the master key msk = T.
2) Extraction algorithm: each user has serial number i; the system administrator randomly selects an element o_i ∈ R^m for each user and, with σ and ξ the parameters of the Gaussian distribution, calls the Gaussian preimage sampling algorithm SamplePre(a, T, u + c o_i, σ, ξ), which produces for each user a short vector d_i satisfying a d_i = u + c o_i; the system administrator assigns each user the private key sk_i = (o_i, d_i).
3) Encryption algorithm: for message M, the sender randomly selects a secret s ∈ R_q, then selects error noise terms e, e' and e'', with e drawn from the error distribution χ and e', e'' from χ^m, and computes the ciphertext with the public key pk as follows:
Ciphertext C = (c, t, z).
4) Decryption algorithm: after receiving the ciphertext from the sender, a valid user can compute the following with its own private key:
c'=zd_i-to_i=(as+e'')d_i-(cs+e')o_i
=us+e''d_i-e'o_i∈R_q
and then computes r.
Under the error limit, the receiver decrypts correctly and outputs the correct message M: if the i-th component r_i of r is closer to 0 than to the alternative decoding value, the i-th component M_i of M is 0, otherwise it is 1.
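As an added worked example (not code from the patent or from any implementation of it), the following Python models the four algorithms above at toy size, in this page's notation: the ring R_q = Z_q[x]/(x^n + 1) with centred coefficients, Extract producing a short d_i with a·d_i = u + c·o_i for any number of users under one public key, Multi-LWE encryption producing (c, t, z), and decryption via c' = z·d_i − t·o_i and r = c − c'. The page cites TrapGen and SamplePre without specifying them, so a simplified gadget trapdoor of the Micciancio-Peikert kind stands in for both (an assumption of this example; it yields short but not Gaussian-distributed preimages). Further assumptions, each also marked in the code: toy parameters n = 8, q = 7681, m = 14; the error distribution χ is ternary; o_i is drawn with small coefficients, since the page's correctness argument needs e'·o_i to be small; and the message is encoded as c = us + e + ⌊q/2⌋·M, which is the encoding implied by the page's decode rule but not stated on it. All function names (trap_gen, sample_pre, setup, extract, encrypt, decrypt, key_relation_holds, worst_case_noise) are this example's own.

```python
import random

# Toy parameters (constructed): n = 2^3, prime q with q = 1 mod 2n, k = ceil(log2 q),
# and m = 1 + k ring elements in each of the public vectors a and c.
N, Q, K = 8, 7681, 13
M_DIM = 1 + K
G = [[1 << j] + [0] * (N - 1) for j in range(K)]  # gadget g = (1, 2, ..., 2^(k-1))
RNG = random.Random(2020)                         # fixed seed so runs are reproducible

def centre(v):
    """Reduce an integer mod q into the centred interval (-q/2, q/2]."""
    v %= Q
    return v - Q if v > Q // 2 else v

def ring_add(f, g):
    return [centre(x + y) for x, y in zip(f, g)]

def ring_sub(f, g):
    return [centre(x - y) for x, y in zip(f, g)]

def ring_mul(f, g):
    """Product in R_q = Z_q[x]/(x^n + 1): x^n wraps round as -1 (negacyclic)."""
    out = [0] * N
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            if i + j < N:
                out[i + j] += fi * gj
            else:
                out[i + j - N] -= fi * gj
    return [centre(x) for x in out]

def vec_dot(vs, ws):
    """Inner product of two vectors of ring elements: R_q^m x R_q^m -> R_q."""
    acc = [0] * N
    for v, w in zip(vs, ws):
        acc = ring_add(acc, ring_mul(v, w))
    return acc

def uniform_poly(rng=RNG):
    return [centre(rng.randrange(Q)) for _ in range(N)]

def small_poly(rng=RNG):
    """Sample from the narrow error distribution chi: coefficients in {-1, 0, 1} (assumed)."""
    return [rng.choice((-1, 0, 1)) for _ in range(N)]

def trap_gen(rng=RNG):
    """Stand-in for TrapGen (assumed gadget trapdoor): a = (a1, g - a1*R), trapdoor R."""
    a1 = uniform_poly(rng)
    R = [small_poly(rng) for _ in range(K)]
    return [a1] + [ring_sub(G[j], ring_mul(a1, R[j])) for j in range(K)], R

def sample_pre(a, R, v):
    """Stand-in for SamplePre: short d = (R x, x) with a . d = g . x = v, x = bits of v."""
    x = [[((coef % Q) >> j) & 1 for coef in v] for j in range(K)]
    head = [0] * N
    for j in range(K):
        head = ring_add(head, ring_mul(R[j], x[j]))
    return [head] + x

def setup(rng=RNG):
    """Setup: pk = (a, c, u), msk = the trapdoor T of a."""
    a, T = trap_gen(rng)
    return (a, [uniform_poly(rng) for _ in range(M_DIM)], uniform_poly(rng)), T

def extract(pk, msk, rng=RNG):
    """Extract for one user: choose o_i, then d_i with a . d_i = u + c . o_i.
    o_i is drawn small here (assumption) so that e' . o_i stays small in decryption."""
    a, c, u = pk
    o = [small_poly(rng) for _ in range(M_DIM)]
    return o, sample_pre(a, msk, ring_add(u, vec_dot(c, o)))

def key_relation_holds(pk, sk):
    """Check the TB-OWF relation a . d_i = u + c . o_i for one user key."""
    (a, c, u), (o, d) = pk, sk
    return vec_dot(a, d) == ring_add(u, vec_dot(c, o))

def encrypt(pk, msg_bits, rng=RNG):
    """Multi-LWE encryption: z = as + e'', t = cs + e', c = us + e + floor(q/2)*M
    (the floor(q/2) bit encoding is assumed; the page states only the decoding rule)."""
    a, c, u = pk
    s, e = uniform_poly(rng), small_poly(rng)
    e1 = [small_poly(rng) for _ in range(M_DIM)]
    e2 = [small_poly(rng) for _ in range(M_DIM)]
    z = [ring_add(ring_mul(ai, s), ei) for ai, ei in zip(a, e2)]
    t = [ring_add(ring_mul(ci, s), ei) for ci, ei in zip(c, e1)]
    body = ring_add(ring_add(ring_mul(u, s), e), [(Q // 2) * b for b in msg_bits])
    return body, t, z

def decrypt(sk, ct):
    """c' = z . d - t . o = us + e'' . d - e' . o, r = c - c'; bit i is 0 when r_i is
    closer to 0 than to q/2 (|r_i| < q/4 after centring), else 1."""
    o, d = sk
    body, t, z = ct
    r = ring_sub(body, ring_sub(vec_dot(z, d), vec_dot(t, o)))
    return [0 if abs(ri) < Q // 4 else 1 for ri in r]

def worst_case_noise():
    """Bound on each coefficient of e - e'' . d + e' . o here; decryption is correct while < q/4."""
    return 1 + (N * (K * N) + K * N) + M_DIM * N
```

worst_case_noise() evaluates to 1049 for these parameters, below q/4 = 1920, which is the error limit the page's correctness argument relies on; it is also why the shortness of d_i matters: a long preimage would push e''·d_i past q/4 and flip decoded bits, so a second user's key must come from the trapdoor rather than from solving a·d = u + c·o arbitrarily.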
The invention can prove that the broadcast encryption scheme of the invention is consistent with semantic security by selecting plaintext attack or collusion attack under the condition of the difficulty assumption based on RLWE.
Assuming that there is a PPT adversary A, it destroys the IND-CPA-CA security of the BE scheme of the present invention with a preponderance epsilon, i.e.That is, there is a simulator algorithm B that can solve the R-DLWER with a non-negligible probabilityq,χAnd (5) problems are solved.
Recall from the definition of R-DLWE, one R-DLWERq,χAn example of a problem may be taken as sample data O, which may be a true random number O$It may also be that the secret s e R is concernedqA noise pseudo random number OsB, inquiring the R-DLWE data O (-) for 2m +1 times to obtain a group of R-DLWE samples, namelyFor data OsSatisfy yi=uis+eiFor data O$Has yi∈RqBy using
The following game describes the construction of B.
1) Initializing Init: adversary A announces the ith to attack*A receiver, then i*And sending the data to B.
2) Configuring Setup: b begins execution and first obtains 2m +1 (u) from R-DLWEi,yi)∈Rq×Rq,i∈[0,2m](ii) a Next, the 0 th R-DLWE sample u is allocated0Becomes a common polynomial sample u, u ═ u0(ii) a Next, the ith action u of a is setiFrom the R-DLWE sample i ∈ [1, m ]]To obtainThen, the ith action u by setting ciFrom the R-DLWE sample i ∈ [ m +1,2m ∈ [ ]]To obtainFinally, B returns the public key pk ═ (a, c, u) to the adversary.
3) Challenge: a sends two messages M0,M1E {0,1} gives B, B randomly selects B*E {0,1}, calculated using DLWEt*=y1,z*=y2And has y0∈R,Andfinally B returns the challenge ciphertext C*=(c*,t*,z*)。
4) Guessing Guess: enemy output about b*B 'outputs 1 if B', otherwise 0.
Since each of a, c and u is chosen uniformly at random in the simulator above, the statistical distribution of the triple (a, c, u) is close to that in a real attack. The validity of the simulator is now analyzed in two cases. In the first case the oracle O is an R-DLWE instance that is pseudorandom for the secret s (O = O_s), so the invention has y_0 = us + e, y_1 = cs + e' and y_2 = as + e''.
Under the above assumption the challenge ciphertext is then a valid ciphertext, and adversary A guesses the correct b* with non-negligible advantage ε; thus the probability that B succeeds in this game is noticeably greater than 1/2, namely Pr[b' = b* | O = O_s] ≥ 1/2 + ε. In the second case the oracle O is a uniformly distributed R-DLWE instance (O = O_$), i.e. the y_i ∈ R_q are uniform, so the challenge ciphertext C* is always uniformly distributed; adversary A can therefore guess b* only with probability 1/2, and B wins the game with probability 1/2, i.e.
Pr[b' = b* | O = O_$] = 1/2.
Combining the two cases by calculation, B wins the game with probability noticeably greater than 1/2, namely with a non-negligible advantage ε/2, which proves that the inventive scheme is IND-CPA-CA semantically secure.
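As an added worked derivation of this final step (not part of the patent text), take the oracle given to B to be O_s or O_$ with probability 1/2 each, and count B as correct when it outputs 1 on O_s or 0 on O_$; the two conditional probabilities stated above then give

$$
\Pr[\text{B correct}] = \tfrac{1}{2}\Pr[b' = b^* \mid O = O_s] + \tfrac{1}{2}\Pr[b' \neq b^* \mid O = O_\$]
\ge \tfrac{1}{2}\left(\tfrac{1}{2} + \varepsilon\right) + \tfrac{1}{2}\cdot\tfrac{1}{2} = \tfrac{1}{2} + \tfrac{\varepsilon}{2},
$$

so B distinguishes O_s from O_$ with advantage at least ε/2, which is non-negligible whenever ε is.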
The semi-automatic welding forming device provided by the embodiment of the application is described in detail above. The above description of the embodiments is only for the purpose of helping to understand the method of the present application and its core ideas; meanwhile, for a person skilled in the art, according to the idea of the present application, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present application.
As used in the specification and claims, certain terms are used to refer to particular components. As one skilled in the art will appreciate, manufacturers may refer to a component by different names. This specification and claims do not intend to distinguish between components that differ in name but not function. In the following description and in the claims, the terms "include" and "comprise" are used in an open-ended fashion, and thus should be interpreted to mean "include, but not limited to". "Substantially" means within an acceptable error range, and a person skilled in the art can solve the technical problem within a certain error range to substantially achieve the technical effect. The description which follows is a preferred embodiment of the present application, but is made for the purpose of illustrating the general principles of the application and not for the purpose of limiting the scope of the application. The protection scope of the present application shall be subject to the definitions of the appended claims.
It is also noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a good or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such good or system. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a commodity or system that includes the element.
It should be understood that the term "and/or" as used herein is merely one type of association that describes an associated object, meaning that three relationships may exist, e.g., a and/or B may mean: a exists alone, A and B exist simultaneously, and B exists alone. In addition, the character "/" herein generally indicates that the former and latter related objects are in an "or" relationship.
The foregoing description shows and describes several preferred embodiments of the present application, but as aforementioned, it is to be understood that the application is not limited to the forms disclosed herein, but is not to be construed as excluding other embodiments and is capable of use in various other combinations, modifications, and environments and is capable of changes within the scope of the application as described herein, commensurate with the above teachings, or the skill or knowledge of the relevant art. And that modifications and variations may be effected by those skilled in the art without departing from the spirit and scope of the application, which is to be protected by the claims appended hereto.
Claims (9)
1. A trapdoor binary one-way function-based broadcast encryption method, characterized by comprising the following steps:
S1: initialization algorithm Setup: taking a security parameter n as input, and outputting a public key pk and a master key msk through a trapdoor construction function TrapGen;
S2: key extraction algorithm Extract: each user has a unique serial number i; taking the public key pk, the master key msk and the user's serial number i as input, the user's private key sk_i is constructed by means of a trapdoor binary one-way function TB-OWF, and the private key sk_i is output;
S3: encryption algorithm Encrypt: taking the public key pk and a message M as input, encrypting the message M by the multiple learning with errors (Multi-LWE) encryption scheme, and outputting a ciphertext C;
S4: decryption algorithm Decrypt: the user takes the ciphertext C, its unique serial number i and its own private key sk_i as input, and decrypts the ciphertext C with the private key sk_i by a probabilistic decryption algorithm with error, obtaining the message M;
the key extraction algorithm Extract in S2 is implemented specifically as follows:
for each user i one random element o_i is selected, σ and ξ being the parameters of the Gaussian distribution; by means of the trapdoor of the trapdoor binary one-way function TB-OWF, and combining the public key pk, the master key msk and the user's unique serial number i, the Gaussian preimage sampling algorithm SamplePre(a, T, u + c o_i, σ, ξ) is computed to obtain a short vector d_i satisfying a d_i = u + c o_i, whereby the user's private key sk_i = (o_i, d_i) is obtained.
2. The broadcast encryption method according to claim 1, wherein the initialization algorithm Setup in S1 is implemented specifically as follows:
given the security parameter n, the ring learning with errors (RLWE) trapdoor construction function TrapGen over the ring R = Z[x]/<f(x)> is computed to obtain a pair (a, T), where T is the trapdoor associated with a; then c is selected at random, a uniformly random polynomial sample u is obtained in R_q, and pk = (a, c, u) is set, the value of the master key msk being equal to the trapdoor T,
wherein R_q denotes that the arithmetic operations on the polynomial coefficients of the ring R are performed modulo q, q being a large prime;
a is an m-dimensional vector over the ring R_q;
c is a randomly selected m-dimensional vector over the ring R_q;
u is a randomly selected constant over the ring R_q;
Z[x] denotes the integer polynomials;
f(x) is the polynomial f(x) = x^n + 1, where n is a power of 2.
3. The broadcast encryption method of claim 2, wherein, given a and c, the trapdoor binary one-way function TB-OWF f: X × Y → Z is defined for any x ∈ X, y ∈ Y as f(x, y) = ax + cy = z, its trapdoor being T of the Gaussian preimage sampling algorithm SamplePre, and the trapdoor binary one-way function TB-OWF is characterized by the following properties:
1) easy to compute: for each pair of inputs (x, y) there is an efficient algorithm A that computes the function value z = A(x, y) in polynomial time;
2) one-wayness:
a. given z, for any y, the probability of computing an x such that f(x, y) = z is negligible;
b. given z, for any x, the probability of computing a y such that f(x, y) = z is negligible;
3) existence of the trapdoor: given z, for any y, there is a polynomial-time algorithm g and a trapdoor T such that x = g_T(z, y) satisfies z = f(x, y).
4. The broadcast encryption method according to claim 1, wherein the encryption algorithm Encrypt in S3 is implemented specifically as follows: a random value s is selected in R_q, then the noise vector e is selected from the error distribution χ and the noise vectors e', e'' from the error distribution χ^m; using the public key pk and the message M ∈ {0,1}^n, converted into a vector in R_2, the message M is encrypted by the multiple learning with errors (Multi-LWE) encryption scheme, the encryption algorithm being as follows:
output the ciphertext C = (c, t, z);
the message M is packed and computed with the public key to obtain a constant c over the ring R_q, while t and z are m-dimensional vectors over the ring R_q; c, t and z together make up the ciphertext C.
5. The broadcast encryption method according to claim 4, wherein the multiple learning with errors (Multi-LWE) encryption scheme in S3 is constructed as follows:
I: following the form of the RLWE hardness assumption, let the function LWE(x) = xs + e, where s ∈ R_q and e is a sample of the distribution χ; substituting the public key pk = (a, c, u) gives:
LWE(a) = as + e,
LWE(u) = us + e',
LWE(c) = cs + e'',
wherein e, e' are all samples of the distribution χ^m;
II: from the relation ad = u + co satisfied by the private key sk, it follows that
LWE(a)d = LWE(u) + LWE(c)o;
III: the message M is combined with the formula LWE(u) to obtain the ciphertext C = (c, t, z).
6. The broadcast encryption method according to claim 2, wherein the decryption algorithm Decrypt in S4 is implemented as follows:
7. The broadcast encryption method according to claim 6, wherein the probabilistic decryption algorithm with error in S4 is specifically as follows:
for the user's private key sk_i = (o_i, d_i) and all sufficiently small noise terms e, e', from the relation a d_i = u + c o_i satisfied by the private key, c' = z d_i − t o_i ∈ R_q is obtained, i.e.
c' = z d_i − t o_i = (as + e'')d_i − (cs + e')o_i = us + e''d_i − e'o_i,
then r = c − c' ∈ R_q is computed, and r is represented by
8. A collusion attack resistant broadcast encryption apparatus, comprising a memory, a processor and a trapdoor binary one-way function based broadcast encryption processing program stored on the memory and executable on the processor, wherein the trapdoor binary one-way function based broadcast encryption processing program when executed by the processor implements the steps of the trapdoor binary one-way function based broadcast encryption method according to any one of claims 1 to 7.
9. A computer-readable storage medium, wherein the computer-readable storage medium has stored thereon a processing program for trapdoor binary one-way function based broadcast encryption, which when executed by a processor implements the steps of the trapdoor binary one-way function based broadcast encryption method of any one of claims 1 to 7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010725369.4A CN111917547B (en) | 2020-07-24 | 2020-07-24 | Trap door binary one-way function-based broadcast encryption method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111917547A CN111917547A (en) | 2020-11-10 |
CN111917547B true CN111917547B (en) | 2021-06-01 |
Family
ID=73280459
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010725369.4A Active CN111917547B (en) | 2020-07-24 | 2020-07-24 | Trap door binary one-way function-based broadcast encryption method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111917547B (en) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112818362B (en) * | 2021-01-29 | 2023-09-22 | 江苏理工学院 | Public key encryption method based on R-LWE |
CN115378573B (en) * | 2022-07-22 | 2024-10-15 | 中国电子科技集团公司第三十研究所 | Privacy information retrieval protocol formulation method, storage medium and device |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101977109A (en) * | 2010-10-21 | 2011-02-16 | 李晨 | Linear mixed high ordered equation public key algorithm |
CN104219047A (en) * | 2013-05-31 | 2014-12-17 | 华为技术有限公司 | A signature verification method and apparatus |
CN105007270A (en) * | 2015-07-13 | 2015-10-28 | 西安理工大学 | Attribute-based encryption method for lattice multi-authority key strategy |
CN105933102A (en) * | 2016-04-06 | 2016-09-07 | 重庆大学 | Identity-based and hidden matrix-constructed fully homomorphic encryption method |
US10097351B1 (en) * | 2016-09-15 | 2018-10-09 | ISARA Corporation | Generating a lattice basis for lattice-based cryptography |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106789044B (en) * | 2017-02-20 | 2019-12-27 | 西南石油大学 | Searchable encryption method for cipher text data public key stored in cloud on grid under standard model |
CN106803784B (en) * | 2017-03-30 | 2020-11-27 | 福州大学 | Lattice-based multi-user fuzzy searchable encryption method in secure multimedia cloud storage |
US11139960B2 (en) * | 2018-12-20 | 2021-10-05 | International Business Machines Corporation | File redaction database system |
Also Published As
Publication number | Publication date |
---|---|
CN111917547A (en) | 2020-11-10 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Canteaut et al. | Stream ciphers: A practical solution for efficient homomorphic-ciphertext compression | |
CN110612696B (en) | Post-quantum secure private stream aggregation | |
Biryukov et al. | Cryptographic schemes based on the ASASA structure: Black-box, white-box, and public-key | |
Alperin-Sheriff et al. | Circular and KDM security for identity-based encryption | |
US10511581B2 (en) | Parallelizable encryption using keyless random permutations and authentication using same | |
CN111917547B (en) | Trap door binary one-way function-based broadcast encryption method and device | |
Fay et al. | Compressive sensing encryption modes and their security | |
Chotard et al. | Multi-client functional encryption with repetition for inner product | |
Singh et al. | Cryptanalysis of unidirectional proxy re-encryption scheme | |
Challa et al. | Secure image processing using LWE based homomorphic encryption | |
Liu et al. | Designated-ciphertext searchable encryption | |
Alwen et al. | Post-Quantum Multi-Recipient Public Key Encryption | |
CN113079021B (en) | Certificateless-based network coding lattice ring signcryption method | |
Hwang et al. | Robust stream‐cipher mode of authenticated encryption for secure communication in wireless sensor network | |
Böhl et al. | Encryption schemes secure under related-key and key-dependent message attacks | |
CN105915340B (en) | Multi-receiver anonymous signcryption method based on Gu-Map1 multilinear mapping example on ideal lattice | |
CN114070549A (en) | Key generation method, device, equipment and storage medium | |
CN111541669A (en) | Broadcast encryption method and system | |
Ågren | On some symmetric lightweight cryptographic designs | |
Yang et al. | Identity‐Based Unidirectional Collusion‐Resistant Proxy Re‐Encryption from U‐LWE | |
Barhoush et al. | Powerful Primitives in the Bounded Quantum Storage Model | |
JP2886517B2 (en) | Common key communication system | |
Han et al. | New multivariate-based certificateless hybrid signcryption scheme for multi-recipient | |
CN108768625B (en) | Certificateless multi-receiver anonymous signcryption method with pre-judgment function | |
Li et al. | Intelligent federated learning on lattice‐based efficient heterogeneous signcryption | |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||