CN112436942A - Attribute-based/identity-based heterogeneous revocable signcryption method - Google Patents

Abstract

The invention discloses a revocable signcryption method of attribute-based/identity-based isomerism. The method is characterized in that attribute-based encryption is combined in the same algorithm based on identity-based signatures in the construction, so that the problems of huge calculation amount and communication cost required by the traditional 'signature-first-encryption' method are solved, and the construction of a revocation list is introduced, so that the risk of key leakage is solved. When executing signcryption, a signcrypter signs the plain text by using an attribute strategy, a revocation list, a public key and a private key corresponding to the identity of the signcrypter; and the signcryption person carries out signcryption on the signcryption text through the corresponding private key and the public key, when the identity of the signcryption person is not in the revocation list, the signcryption person can recover the plaintext, otherwise, the signcryption person cannot recover the plaintext. The invention can be used in a cloud-based vehicle networking environment, provides confidentiality, integrity, authentication, non-repudiation and access control services for users in the cloud-based vehicle networking environment, and simultaneously supports revocation of the users.

Description

Attribute-based/identity-based heterogeneous revocable signcryption method

Technical Field

The invention relates to the field of information security and communication, in particular to a revocable signcryption method with attribute-based/identity-based isomerism.

Background

With the wide use of cloud computing technology in the fields of finance, medical treatment, services, daily life and the like, cloud-based information security and privacy protection also become a problem of great concern. In order to ensure confidentiality and access control in cloud-based data sharing, in 2006, Goyal et al proposed attribute-based encryption, whose core idea was to embed attributes and access policies in the ciphertext and key, respectively, and to complete decryption only when the attributes are compatible with the access policies. However, attribute-based encryption cannot realize an authentication function, and in order to ensure confidentiality, access control, and authentication, it is common to encrypt a message using attribute-based encryption and then sign-encrypt a transmitted message. In 1997, Zheng et al proposed the concept of signcryption, whose core idea was to achieve both message confidentiality and authentication in a reasonable step, which solved the huge computation and communication cost problems required by the traditional "signature first and then encryption" method. Since the conventional signcryption scheme is constructed based on PKI or based on identity, the access control function cannot be realized. Thus, attribute-based signcryption has been proposed. However, a signature generated by an attribute-based signcryption scheme can only determine attributes owned by the signer, and key leakage also presents a significant challenge to the signcryption scheme.

Disclosure of Invention

Aiming at the defects of the prior art, the invention provides an efficient and safe attribute-based/identity-based heterogeneous revocable signcryption scheme, solves the problems of huge calculation amount and communication cost required by the traditional method of signing before encrypting, and simultaneously provides direct revoking of signcryption.

In order to achieve the purpose of the invention, the invention is realized by adopting the following technical scheme:

the method integrates the advantages of attribute-based signcryption and identity-based signcryption, and introduces a revocation list into a signcryption text to complete direct revocation. The signcrypter signs the plaintext by using a private key, a public key and an access strategy of the signcrypter to generate a signed text; and the signcryption person receives the signcryption message and then uses the private key and the public key of the signcryption person to sign and decrypt the signcryption message to recover the message. The invention integrates the advantages of the attribute base signcryption and the identity base signcryption and introduces the revocation list into the attribute base/identity base heterogeneous signcryption scheme, thereby not only saving the calculation and communication cost, but also meeting the properties of confidentiality, non-repudiation, revocable property, access control and the like. The method comprises the following specific steps:

(1) the system establishes a Setup, namely, inputting security parameters and the maximum user revocation number, and running the algorithm by the KGC to generate system public parameters and a system master key;

(2) inputting system public parameters, user identities and attribute sets, and running the algorithm by the KGC to generate a private Key corresponding to the user;

(3) inputting system public parameters, a private key of a signcryption user, an access strategy and plaintext information, operating the algorithm by the signcryption user, generating a signcryption text and uploading the signcryption text to a cloud storage platform;

(4) and inputting the system public parameter, the signed text and the private key of the signing and decrypting user, firstly verifying whether the signing and decrypting is correct or not by the signing and decrypting user in a priori, and then executing the signing and decrypting.

Detailed Description

The following description of the embodiments of the present invention is provided to facilitate the understanding of the present invention by those skilled in the art, but it should be understood that the present invention is not limited to the scope of the embodiments, and it will be apparent to those skilled in the art that various changes may be made without departing from the spirit and scope of the invention as defined and defined in the appended claims, and all matters produced by the invention using the inventive concept are protected.

The method consists of seven algorithms, and the specific construction process is as follows:

(1) the system establishes a Setup, namely inputting a security parameter lambda and a maximum user revocation number d, and constructing two orders with the order of N as p₁p₂p₃Multiplication loop groups G and G_TWherein p is₁,p₂,p₃Is three prime numbers and satisfies the condition p₁,p₂,p₃＞2¹⁶⁰，G₁,G₂,G₃Three subgroups of group G, of respective order p₁,p₂,p₃(ii) a Defining a bilinear map e G → G_TIs provided with h₁Is G₁Is generated by₁₂₃Is the generation of GElement; randomly selecting a collision-resistant password hash function:

wherein

Is a positive integer group with the order of N; randomly selecting a commitment agreement pi_commitGet the corresponding public key CK by (c.setup, Commit, Open) and running c.setup (λ); KGC random selection

Computing

And T ═ e (h)₁,h₁₂₃)^αAnd using it as the master public key; the KGC secret holds the master private key α, and the publishing system public parameter pp ═ (e, h)₁,h₁₂₃,Π_commit,CK,H,d₁,d₂,t,t',u,u₀,u₁,{v_i}_i∈[0,d],T)；

(2) Inputting system public parameter pp and user use identity ID_useAnd attribute collection

The private key of the user use is generated as follows:

a) random selection

Wherein | S | is the magnitude of S;

b) computing

Using it as a de-signcryption key, wherein

c) Then calculate

Using it as the signing secret key and setting K_use＝(S_useSK, DK) is the user private key;

(3) signcrypt is that the Signcrypt is Alice; the access policy that needs to be satisfied for de-signcryption is (M, π), where M is an n₁Line n₂Matrix of columns,. pi.is a mapping from row numbers in M to attributes, M_i,jRepresents the jth row and ith column elements of the matrix M; RL ═ ID (ID)₁,ID₂,…,ID_l) Is a revocation list, and l is less than or equal to d; defining a plaintext information m E G_T. The specific signing and sealing process is as follows:

a) alice random selection

b) Alice calculation

And is provided with c_kIs the kth coefficient of the polynomial;

c) alice runs

Then randomly selecting

And calculate

d) Alice runs

And calculate

e) Alice output

As a signcryption.

(4) De-Signcrypt, after Bob receives Signcrypt, firstly randomly selecting y,

and performing a hash operation calculation

The following equation is then verified

If not, Bob refuses to unlock the signcryption; otherwise Bob calculates as follows:

a) bob's calculation

And is provided with c_kIs the kth coefficient of the polynomial;

b) bob's calculation

And look for { gamma_i}_i∈ISo that

Wherein I ∈ S_Bob，M_iIs the ith column of matrix M;

c) bob's calculation

d) Bob runs

The plaintext message is recovered.

Claims (3)

1. The attribute-based/identity-based heterogeneous revocable signcryption method is characterized by comprising the following steps:

(1) the signcryption user can simultaneously complete the encryption of the attribute base of the plaintext and the signature of the identity base of the plaintext in the signcryption algorithm; in the decryption algorithm, the signcryption user can complete decryption and verification of the signcryption text at the same time. The problems of huge calculation amount and communication cost required by the traditional method of signing before encrypting are avoided.

(2) The password system cancels by embedding the revocation list in the signed text, thereby realizing the direct cancellation of the user.

(3) The signcryption user signs the message by using a private key, a public key, an access strategy and a revocation list of the signcryption user when signing the message to generate a signcryption text; and after receiving the signed text, the signing and decrypting user decrypts the signed text by using the public key and the private key of the user to recover the message.

2. The method for revocable signcryption based on attribute-based/identity-based heterogeneity, as claimed in claim 1, wherein said method comprises the steps of:

(1) the system establishes a Setup, namely, inputting security parameters and the maximum user revocation number, and running the algorithm by the KGC to generate system public parameters and a system master key;

(2) inputting system public parameters, user identities and attribute sets, and running the algorithm by the KGC to generate a private Key corresponding to the user;

(3) inputting system public parameters, a private key of a signcryption user, an access strategy and plaintext information, operating the algorithm by the signcryption user, generating a signcryption text and uploading the signcryption text to a cloud storage platform;

(4) and inputting the system public parameter, the signed text and the private key of the signing and decrypting user, firstly verifying whether the signing and decrypting is correct or not by the signing and decrypting user in a priori, and then executing the signing and decrypting.

3. The revocable signcryption method of attribute-based/identity-based heterogeneity, as claimed in claim 2, wherein the specific algorithm of the method comprises:

(1) the system establishes a Setup, namely inputting a security parameter lambda and a maximum user revocation number d, and constructing two orders with the order of N as p₁p₂p₃Multiplication loop groups G and G_TWherein p is₁,p₂,p₃Is three prime numbers and satisfies the condition p₁,p₂,p₃＞2¹⁶⁰，G₁,G₂,G₃Three subgroups of group G, of respective order p₁,p₂,p₃(ii) a Defining a bilinear map e G → G_TIs provided with h₁Is G₁Is generated by₁₂₃Is the generator of G; randomly selecting a collision-resistant password hash function: h:

wherein

Is a positive integer group with the order of N; randomly selecting a commitment agreement pi_commitGet the corresponding public key CK by (c.setup, Commit, Open) and running c.setup (λ); KGC random selection

Computing

And T ═ e (h)₁,h₁₂₃)^αAnd using it as the master public key; the KGC secret holds the master private key α, and the publishing system public parameter pp ═ (e, h)₁,h₁₂₃,Π_commit,CK,H,d₁,d₂,t,t',u,u₀,u₁,{v_i}_i∈[0,d],T)；

(2) Inputting system public parameter pp and user use identity ID_useAnd attribute collection

The private key of the user use is generated as follows:

a) random selection

Wherein | S | is the magnitude of S;

b) computing

Using it as a de-signcryption key, wherein

c) Then calculate

Using it as the signing secret key and setting K_use＝(S_useSK, DK) is the user private key;

(3) signcrypt is that the Signcrypt is Alice; the access policy that needs to be satisfied for de-signcryption is (M, π), where M is an n₁Line n₂Matrix of columns,. pi.is a mapping from row numbers in M to attributes, M_i,jRepresents the jth row and ith column elements of the matrix M; RL ═ ID (ID)₁,ID₂,…,ID_l) Is a revocation list, and l is less than or equal to d; defining a plaintext information m E G_T. The specific signing and sealing process is as follows:

a) alice random selection

b) Alice calculation

And is provided with c_kIs the kth coefficient of the polynomial;

c) alice runs

Then randomly selecting

And calculate

d) Alice runs

And calculate

e) Alice output

As a signcryption.

(4) B, after receiving the signcryption, randomly selecting the Designypt from the Designypt

And performing a hash operation calculation

The following equation is then verified

If not, Bob refuses to unlock the signcryption; otherwise Bob calculates as follows:

a) bob's calculation

And is provided with c_kIs the kth coefficient of the polynomial;

b) bob's calculation

And look for { gamma_i}_i∈ISo that

Wherein I ∈ S_Bob，M_iIs the ith column of matrix M;

c) bob's calculation

d) Bob runs

The plaintext message is recovered.