CN114189329B - Public key authentication repudiation encryption method and system - Google Patents


Info

Publication number
CN114189329B
Authority
CN
China
Prior art keywords
sender
encryption
message
identity
ciphertext
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202111309079.2A
Other languages
Chinese (zh)
Other versions
CN114189329A (en
Inventor
陈晓峰
曹艳梅
魏江宏
郝学轩
张方国
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Xidian University
Original Assignee
Xidian University

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/083 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy

Abstract

The invention belongs to the technical field of information encryption and discloses a public key authenticated deniable encryption (PKADE) method and system. The system comprises a trusted authority and users; the users comprise senders and receivers, and each user has a unique identity. The trusted authority generates the public parameters and master private key of the system, the encryption key of the sender and the decryption key of the receiver. The sender submits the encryption key, the identity of the message receiver and the message to the system and requests generation of a ciphertext. The sender can also submit the encryption key, the identity of the message receiver, the originally encrypted message, the random number and a fake message to the system, and request generation of a fake random number that opens the original ciphertext to the fake message. The receiver submits the decryption key, the identity of the expected sender and the ciphertext to the system to request decryption. The invention achieves sender deniability and supports identity authentication of the sender and the receiver. The invention achieves the expected security goals.

Description

Public key authentication repudiation encryption method and system
Technical Field
The invention belongs to the technical field of information encryption, and in particular relates to a public key authenticated deniable encryption method and system.
Background
Encryption schemes such as AES and RSA are widely used to protect the confidentiality of information transmitted over public channels. While general encryption schemes secure messages against eavesdropping, they may no longer guarantee confidentiality in the face of coercion or bribery attacks. To this end, Canetti et al. proposed the deniable encryption (DE) primitive, which allows communication participants to equivocate about a transmitted ciphertext. Specifically, a DE system has a "fake algorithm" that allows the sender (receiver) to generate a fake random number (fake private key) after the ciphertext has been transmitted. When the communicating parties are required to disclose the plaintext associated with the transmitted ciphertext, the random number used by the sender for encryption, and the private key held by the receiver, they provide the fake random number and fake private key, which open the transmitted ciphertext to a different plaintext without detection. DE thus renders coercion and bribery attacks useless. DE has found wide application due to its unique advantages. For example, DE implies non-committing encryption, a core tool for building secure multiparty computation protocols in the adaptive setting. In addition, DE is useful in various real-world scenarios, such as electronic elections, electronic auctions, intelligence work, cloud storage services, and the like.
Although DE ensures message confidentiality under coercion, existing solutions are still impractical in terms of usability and efficiency. Canetti et al. proposed an elegant DE scheme based on translucent (semi-transparent) sets, which can be implemented with trapdoor permutations and hard-core predicates. Because the scheme only supports bit-by-bit encryption and the ciphertext length is inversely proportional to the forgery probability, it is inefficient in practice. They therefore further proposed a weaker notion, flexible deniability or multi-distributional deniability. Under the flexible deniability framework, many DE schemes have been designed based on translucent sets. Furthermore, O'Neill et al. proposed a first two-party deniable encryption scheme based on simulatable public key encryption, which is non-interactive and has negligible deniability. However, since these constructions are implemented under the flexible deniability framework, problems of suspicion, negotiation, and misuse are liable to arise. To avoid these problems, subsequent research focused on constructing DE schemes under the fully deniable framework. In 2011, Dürmuth et al. proposed a fully sender-deniable encryption scheme based on sample encryption; however, this scheme was later proved insecure. DE made no major breakthrough until Sahai et al. proposed the first fully sender-deniable encryption scheme that achieves negligible deniability. Canetti et al. later proposed an interactive scheme in which both parties can deny, again providing negligible deniability. However, both of these schemes are based on indistinguishability obfuscation (iO), so inefficiency is inevitable. Recently, Cao et al. proposed a delta(n)-DE scheme in the fully deniable framework that uses simple binary string placement and bit flipping operations, which greatly reduces the communication overhead.
Beyond improving the efficiency of DE, the present invention also observes that none of the previous DE constructions consider authentication of the users (sender and receiver). However, authentication is a necessary function in many application scenarios of DE. For example, in an electronic election, the voting center needs to verify the identity and eligibility of each voter to ensure that only authorized voters can cast a single vote. If voter identity cannot be correctly verified, repeated voting is inevitable; that is, a voter may attempt to vote multiple times. In the worst case, a voter may vote on behalf of other voters, i.e., voter impersonation. These actions affect the final result of the vote and undermine the fairness and impartiality of the election. Furthermore, from the voters' perspective, their privacy is involved in the voting process. To protect their privacy from being compromised by the voting center, they need to ensure that they are contacting the real voting center and not an illegitimate agency. In the intelligence scenario, identity authentication is a basic security requirement. If agents do not confirm each other's identity before starting to communicate, anyone, even someone who is not the target agent, can exchange secrets, which results in the disclosure of intelligence and of agents' identities. Therefore, implementing bidirectional authentication in the DE primitive is an important step toward improving the practicality of DE. To date, no DE scheme has provided two-way authentication.
Through the above analysis, the problems and defects of the prior art are as follows:
(1) Existing solutions are still impractical in terms of usability and efficiency. DE schemes under the flexible deniability framework have an alternative encryption algorithm, an alternative key generation algorithm, or both, which can cause problems of suspicion, negotiation and misuse. DE schemes under the fully deniable framework incur huge communication and computation overhead and are inefficient.
(2) So far, no DE construction considers authentication of the users (sender and receiver); that is, no DE scheme provides bidirectional authentication.
The difficulty in solving the above problems and defects is to support bidirectional authentication while achieving deniability under the fully deniable framework, and to improve efficiency.
The significance of solving these problems and defects is as follows: a public key authenticated deniable encryption scheme authenticates the communicating parties, enables secret communication under coercion or bribery, and is better suited to practical application; in addition, improved efficiency makes the scheme easier to deploy in practice.
Disclosure of Invention
In view of the problems in the prior art, the invention provides a public key authenticated deniable encryption method and system.
The invention is realized as a public key authenticated deniable encryption method comprising the following steps:
Step one: a trusted authority generates the system public parameters and the master private key, publishes the public parameters and stores the master private key;
Step two: the sender and the receiver each send their identity information to the trusted authority to request an encryption key and a decryption key respectively, and the trusted authority generates the encryption key and the decryption key using the master private key and the public parameters;
Step three: the sender inputs the public parameters, the encryption key, the identity information of the receiver and the message to generate a ciphertext;
Step four: the receiver inputs the public parameters, the decryption key, the identity information of the expected sender and the ciphertext; if the expected sender identity matches the source of the ciphertext, the message is recovered, otherwise decryption fails;
Step five: when the sender is coerced, the sender inputs the public parameters, the encryption key, the identity information of the receiver, the original message, the random number and the fake message to generate a fake random number that opens the ciphertext to the fake message.
Further, in the public key authenticated deniable encryption method, the trusted authority is responsible for generating the public parameters and master private key of the system, the encryption key of each sender and the decryption key of each receiver. A sender with identity $id_s$ and corresponding encryption key $ek_s$ can, while encrypting a message, embed the identity of the target receiver
Figure BDA0003341158210000031
Thus, the ciphertext contains both the sender's and the receiver's identities. The sender can also generate a fake but genuine-looking random number that opens this ciphertext to a different message. A receiver attempting to decrypt a ciphertext first selects an expected sender, whose identity is
Figure BDA0003341158210000032
and uses the decryption key $dk_r$ and
Figure BDA0003341158210000033
to decrypt the ciphertext. If the expected sender identity matches the source of the ciphertext, the message is recovered; otherwise, decryption fails. The concept of public key authenticated deniable encryption (PKADE) is thus proposed, as follows:
Further, the public key authenticated deniable encryption method comprises the following six algorithms:
(1) $\mathrm{Setup}(1^{\lambda}, n) \to (pp, msk)$: the setup algorithm is executed by the trusted authority. It takes as input a security parameter $\lambda$ and a parameter
Figure BDA0003341158210000034
and outputs the public parameters pp and the master private key msk.
(2) $\mathrm{SGen}(pp, msk, id_s) \to ek_s$: the encryption key generation algorithm is executed by the trusted authority. For any sender's encryption key request, the algorithm takes as input pp, msk and the sender's identity $id_s$, outputs the encryption key $ek_s$ for identity $id_s$, and then sends $ek_s$ to the requesting sender over a secure channel.
(3) $\mathrm{RGen}(pp, msk, id_r) \to dk_r$: the decryption key generation algorithm is executed by the trusted authority. For any receiver's decryption key request, the algorithm takes as input pp, msk and the receiver's identity $id_r$, outputs the decryption key $dk_r$ for identity $id_r$, and then sends $dk_r$ to the requesting receiver over a secure channel.
(4)
Figure BDA0003341158210000035
The encryption algorithm is executed by the sender. It takes as input pp, the sender's encryption key $ek_s$, the identity of the intended recipient
Figure BDA0003341158210000036
a message
Figure BDA0003341158210000037
and a random number r, and outputs a ciphertext c.
(5)
Figure BDA0003341158210000038
or $\perp$: the decryption algorithm is executed by the receiver. It takes as input pp, the receiver's decryption key $dk_r$, the identity of the target sender
Figure BDA0003341158210000039
and a ciphertext c, and outputs the plaintext m or the error symbol $\perp$.
(6)
Figure BDA00033411582100000310
The forgery algorithm is executed by the sender. It takes as input pp, the sender's encryption key $ek_s$, the identity of the intended recipient
Figure BDA00033411582100000311
the original message
Figure BDA00033411582100000313
the random number r and a fake message
Figure BDA00033411582100000312
and outputs a fake random number r'.
Further, the PKADE construction supporting single-bit encryption in the public key authenticated deniable encryption method includes:
Deniability is realized with the translucent (semi-transparent) set paradigm. A translucent set is a subset of a universe from which pseudo-random elements can be sampled efficiently using only public key information; when the private key associated with the translucent set is unknown, a pseudo-random element can be claimed to be a random element. To encrypt 1, k ≡ 1 mod 2 pseudo-random elements are sampled; to encrypt 0, k ≡ 0 mod 2 pseudo-random elements are sampled. Under coercion, the sender can fake the message in both directions, i.e., from 1 to 0 or from 0 to 1, by claiming that a pseudo-random element is a random element;
Bidirectional authentication is realized with the idea of matching encryption: in the encryption phase, the sender can specify the identity of the message recipient while embedding his/her own identity; in the decryption phase, the receiver can likewise specify the source of the ciphertext, and the message is correctly recovered only when the identities of both parties match. In the PKADE construction supporting single-bit encryption, the sender generates pseudo-random elements that contain the identities of the communication participants. The sender generates a pseudo-random sub-ciphertext (element) using the unique encryption key that the trusted authority derived from the master private key and the sender's identity, and embeds the identity of the message receiver in it. The receiver decrypts a ciphertext using the decryption key corresponding to his/her own identity together with the expected ciphertext source, i.e., the identity of the sender he/she wishes to communicate with. The plaintext is recovered only when the two identities supplied by the receiver match the two identities contained in the pseudo-random sub-ciphertext; otherwise $\perp$ is returned. If the receiver can recover the plaintext from the sub-ciphertext, he/she is assured that the sender was authenticated by the trusted authority. If the receiver correctly decrypts the pseudo-random sub-ciphertext, he/she must be the target receiver chosen by the sender, since only the target receiver holds the unique decryption key issued by the trusted authority for that identity. For the message space
Figure BDA0003341158210000041
the construction is as follows:
(1) $\mathrm{Setup}(1^{\lambda}, n)$: on input a security parameter $\lambda$ and an even number
Figure BDA0003341158210000042
generate a bilinear group
Figure BDA0003341158210000043
select two random integers
Figure BDA0003341158210000044
compute G = G α, and select three collision-resistant hash functions
Figure BDA0003341158210000045
and
Figure BDA0003341158210000046
Select a padding function
Figure BDA0003341158210000047
where $l = \eta + \lambda + 1$, for any $\gamma \in \{0,1\}^{\eta}$
Figure BDA0003341158210000048
Here the invention requires that the probability that a random element of $\{0,1\}^{l}$ is a valid padding be negligible. Finally, output the public parameters
Figure BDA0003341158210000049
and the master private key $msk = (\alpha, \beta)$.
(2) $\mathrm{SGen}(pp, msk, id_s)$: on input pp, msk and the sender's identity $id_s$, the algorithm outputs the encryption key $ek_s = H_s(id_s)^{\beta}$.
(3) $\mathrm{RGen}(pp, msk, id_r)$: on input pp, msk and the receiver's identity $id_r$, the algorithm outputs the decryption key $dk_r = (dk_{r,1}, dk_{r,2}) = (H_r(id_r)^{\alpha}, H_r(id_r)^{\beta})$.
(4)
Figure BDA0003341158210000051
On input pp, $ek_s$, the identity of the intended recipient
Figure BDA0003341158210000052
a message
Figure BDA0003341158210000053
and a random number r, the algorithm proceeds as follows:
1. Randomly choose $k \in [n]$ such that $k \equiv m \bmod 2$, where $[n]$ denotes the set $\{1, 2, \ldots, n\}$.
2. For $i \in [k]$, select random integers
Figure BDA0003341158210000054
and a random string $\gamma_i \in \{0,1\}^{\eta}$; for $i \in [n] \setminus [k]$, randomly select
Figure BDA0003341158210000055
$C_i \in \{0,1\}^{l}$. Finally, let $r = (k, \{(u_i, v_i, \gamma_i)\}_{i \in [k]}, \{(U_i, V_i, C_i)\}_{i \in [n] \setminus [k]})$.
3. For $i \in [k]$, first compute
Figure BDA0003341158210000056
then compute
Figure BDA0003341158210000057
Figure BDA0003341158210000058
and finally compute
Figure BDA0003341158210000059
4. Output the ciphertext $c = (c_1, c_2, \ldots, c_n)$, where $c_i = (U_i, V_i, C_i)$.
(5)
Figure BDA00033411582100000510
On input pp, $dk_r$, the identity of the target sender
Figure BDA00033411582100000511
and a ciphertext c, the algorithm proceeds as follows:
1. Parse the ciphertext c as $c_1, c_2, \ldots, c_n$, and further parse each $c_i$ as $U_i, V_i, C_i$.
2. Compute $K_{1,1} = e(dk_{r,1}, V_1)$,
Figure BDA00033411582100000512
then compute
Figure BDA00033411582100000513
If
Figure BDA00033411582100000514
is a valid padding, recover $\gamma_1$, where
Figure BDA00033411582100000515
otherwise
Figure BDA00033411582100000516
and the algorithm stops.
3. For $i \in [n] \setminus \{1\}$, compute $K_{1,i} = e(dk_{r,1}, V_i)$,
Figure BDA00033411582100000517
Figure BDA00033411582100000518
and from
Figure BDA00033411582100000519
recover $\gamma_i$, until $\perp$ is returned; output the largest index i for which $\gamma_i$ was recovered.
4. Let $k = i$, compute $m = k \bmod 2$, and output the message m.
(6)
Figure BDA00033411582100000520
On input pp, $ek_s$, the identity of the intended recipient
Figure BDA00033411582100000521
the original message
Figure BDA00033411582100000522
the random number r and a fake message
Figure BDA00033411582100000523
the algorithm proceeds as follows:
1. If $m' = m$, output $r' = r$.
2. Let $k' = k - 1$; if $k = 1$, the forgery fails and the algorithm stops.
3. Let $\{(u'_i, v'_i, \gamma'_i)\}_{i \in [k']} = \{(u_i, v_i, \gamma_i)\}_{i \in [k']}$.
4. Let
Figure BDA00033411582100000524
Figure BDA00033411582100000525
compute
Figure BDA00033411582100000526
and
Figure BDA0003341158210000061
and finally let
Figure BDA0003341158210000062
5. Let $\{(U'_i, V'_i, C'_i)\}_{i \in [n] \setminus [k'+1]} = \{(U_i, V_i, C_i)\}_{i \in [n] \setminus [k'+1]}$.
6. Let $r' = (k', \{(u'_i, v'_i, \gamma'_i)\}_{i \in [k']}, \{(U'_i, V'_i, C'_i)\}_{i \in [n] \setminus [k']})$ and output $r'$.
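The parity encoding of k, the longest-valid-prefix decryption and the k' = k - 1 fake opening of the single-bit construction can be traced in a small Python model. This is an added illustration, not code from the patent: the pairing-based keys are replaced by a toy bivariate-polynomial key agreement and the pseudo-random elements by HMAC-tagged nonces, so it reproduces the bookkeeping and the identity matching only and carries none of the scheme's security; the function names and the constants P, T and N are assumptions.

```python
import hashlib
import hmac
import secrets

P = 2**127 - 1  # prime modulus for the stand-in key agreement (assumption)
T = 3           # polynomial degree of the stand-in (assumption)
N = 8           # even number n of sub-ciphertexts per encrypted bit


def _h(role, identity):
    # Role-separated identity hashes, standing in for H_s and H_r.
    digest = hashlib.sha256(role + identity.encode()).digest()
    return int.from_bytes(digest, "big") % P


def setup():
    # msk: coefficients of a random bivariate polynomial F(x, y) mod P.
    return [[secrets.randbelow(P) for _ in range(T + 1)] for _ in range(T + 1)]


def sgen(msk, id_s):
    # ek_s: F(H_s(id_s), y) as a coefficient list in y.
    x = _h(b"s", id_s)
    return [sum(msk[i][j] * pow(x, i, P) for i in range(T + 1)) % P
            for j in range(T + 1)]


def rgen(msk, id_r):
    # dk_r: F(x, H_r(id_r)) as a coefficient list in x.
    y = _h(b"r", id_r)
    return [sum(msk[i][j] * pow(y, j, P) for j in range(T + 1)) % P
            for i in range(T + 1)]


def _pair_key(coeffs, point):
    # Both sides reach F(H_s(id_s), H_r(id_r)) only if the identities match.
    value = sum(c * pow(point, e, P) for e, c in enumerate(coeffs)) % P
    return hashlib.sha256(value.to_bytes(16, "big")).digest()


def _element(key, nonce):
    # Stand-in pseudo-random element: nonce plus a truncated HMAC tag.
    return nonce + hmac.new(key, nonce, hashlib.sha256).digest()[:16]


def _valid(key, elem):
    # Plays the role of the "valid padding" check in decryption.
    return hmac.compare_digest(elem, _element(key, elem[:16]))


def sample_r(m, k=None):
    # r = (k, nonces of elements 1..k, random elements k+1..n), k = m mod 2.
    if k is None:
        k = 2 * secrets.randbelow(N // 2) + (1 if m else 2)
    if not (1 <= k <= N and k % 2 == m):
        raise ValueError("k must lie in [n] and have the parity of m")
    return (k, [secrets.token_bytes(16) for _ in range(k)],
            [secrets.token_bytes(32) for _ in range(N - k)])


def enc(ek_s, id_r, r):
    key = _pair_key(ek_s, _h(b"r", id_r))
    _, nonces, randoms = r
    return [_element(key, nz) for nz in nonces] + list(randoms)


def dec(dk_r, id_s, c):
    key = _pair_key(dk_r, _h(b"s", id_s))
    k = 0
    while k < len(c) and _valid(key, c[k]):
        k += 1                        # length of the valid prefix
    return None if k == 0 else k % 2  # None stands for the error symbol


def fake(ek_s, id_r, m, r, m_fake):
    k, nonces, randoms = r
    if m_fake == m:
        return r
    if k == 1:
        return None                   # forgery fails
    key = _pair_key(ek_s, _h(b"r", id_r))
    claimed_random = _element(key, nonces[k - 1])
    return (k - 1, nonces[:k - 1], [claimed_random] + list(randoms))


def demo():
    msk = setup()
    ek, dk = sgen(msk, "alice"), rgen(msk, "bob")
    r = sample_r(1, k=5)              # constructed sample: bit 1 with k = 5
    c = enc(ek, "bob", r)
    r_fake = fake(ek, "bob", 1, r, 0)
    return {
        "real": dec(dk, "alice", c),
        "wrong_sender": dec(dk, "mallory", c),
        "same_ciphertext": enc(ek, "bob", r_fake) == c,
        "claimed_bit": r_fake[0] % 2,
    }


if __name__ == "__main__":
    print(demo())
```

The fake randomness re-encrypts to the identical ciphertext while its k' has the opposite parity, and a receiver who names the wrong expected sender already fails on the first element.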
Further, the PKADE construction supporting large message encryption in the public key authenticated deniable encryption method includes:
A PKADE construction supporting large message encryption is designed using binary bit positions and bit flipping operations. In the encryption phase, the sender determines a position k from its selected bit string $a = (a_n, a_{n-1}, \ldots, a_1)$, where $a_k = 1$, and places the ciphertext of the plaintext actually being transmitted at position k. For the remaining positions of the binary string, a pseudo-random element is placed if $a_i = 1$, and a random element otherwise. In the decryption phase, the receiver recovers the binary string a by determining whether each sub-ciphertext is a pseudo-random element, recovers the position k from a, and thereby obtains the plaintext actually transmitted. Under coercion, the sender sets $a_k = 0$ and claims that the sub-ciphertext $c_k$ is a randomly chosen random element; from $(a_n, \ldots, a_{k+1}, 0, a_{k-1}, \ldots, a_1)$ a fake position k' is generated and a fake message $m_{k'}$ is recovered. Authentication in the PKADE construction supporting large message encryption is achieved in the same way as in the single-bit construction, namely, each pseudo-random sub-ciphertext is generated using the sender's unique encryption key issued by the trusted authority and the identity of the target receiver;
For the message space
Figure BDA0003341158210000063
the construction is as follows:
(1) $\mathrm{Setup}(1^{\lambda}, n)$: on input a security parameter $\lambda$ and an even number
Figure BDA0003341158210000064
generate a bilinear group
Figure BDA0003341158210000065
select two random integers
Figure BDA0003341158210000066
compute G = G α, and select three collision-resistant hash functions
Figure BDA0003341158210000067
and
Figure BDA0003341158210000068
Select a padding function
Figure BDA0003341158210000069
where $l = \eta + \lambda + 1$, for any
Figure BDA00033411582100000610
Figure BDA00033411582100000611
Here the invention requires that the probability that a random element of $\{0,1\}^{l}$ is a valid padding be negligible. From the function family
Figure BDA00033411582100000612
randomly select a function f, and finally output the public parameters
Figure BDA00033411582100000613
and the master private key $msk = (\alpha, \beta)$.
(2) $\mathrm{SGen}(pp, msk, id_s)$: on input pp, msk and the sender's identity $id_s$, the algorithm outputs the encryption key $ek_s = H_s(id_s)^{\beta}$.
(3) $\mathrm{RGen}(pp, msk, id_r)$: on input pp, msk and the receiver's identity $id_r$, the algorithm outputs the decryption key $dk_r = (dk_{r,1}, dk_{r,2}) = (H_r(id_r)^{\alpha}, H_r(id_r)^{\beta})$.
(4)
Figure BDA0003341158210000071
On input pp, $ek_s$, the identity of the intended recipient
Figure BDA0003341158210000072
a message
Figure BDA0003341158210000073
and a random number r, the algorithm proceeds as follows:
1. Randomly select $a = (a_n, a_{n-1}, \ldots, a_1) \in \{0,1\}^{n}$ and compute $f(a) = k$.
2. For $a_i = 1$, $i \in [n]$, select random integers
Figure BDA0003341158210000074
for $a_i = 1$, $i \in [n] \setminus \{k\}$, randomly select a message
Figure BDA0003341158210000075
for $a_i = 0$, $i \in [n]$, randomly select
Figure BDA0003341158210000076
$C_i \in \{0,1\}^{l}$. Finally, let
Figure BDA0003341158210000077
Figure BDA0003341158210000078
3. For $a_i = 1$, $i \in [n]$, first compute
Figure BDA0003341158210000079
Figure BDA00033411582100000710
then compute
Figure BDA00033411582100000711
Figure BDA00033411582100000712
When $i = k$, compute
Figure BDA00033411582100000713
for $a_i = 1$, $i \in [n] \setminus \{k\}$, compute
Figure BDA00033411582100000714
4. Output the ciphertext $c = (c_1, c_2, \ldots, c_n)$, where $c_i = (U_i, V_i, C_i)$.
(5)
Figure BDA00033411582100000715
On input pp, $dk_r$, the identity of the target sender
Figure BDA00033411582100000716
and a ciphertext c, the algorithm proceeds as follows:
1. Parse the ciphertext c as $c_1, c_2, \ldots, c_n$, and further parse each $c_i$ as $U_i, V_i, C_i$.
2. For $c_i = (U_i, V_i, C_i)$, compute $K_{1,i} = e(dk_{r,1}, V_i)$,
Figure BDA00033411582100000717
Figure BDA00033411582100000718
If
Figure BDA00033411582100000719
is a valid padding, recover
Figure BDA00033411582100000720
and mark $a_i = 1$; otherwise $\perp$ is returned and $a_i = 0$ is marked.
3. Compute $f(a) = k$, where $a = (a_n, a_{n-1}, \ldots, a_1)$ is obtained from the previous step, and finally output
Figure BDA00033411582100000721
(6)
Figure BDA00033411582100000722
On input pp, $ek_s$, the identity of the intended recipient
Figure BDA00033411582100000723
the original message
Figure BDA00033411582100000724
the random number r and a fake message
Figure BDA00033411582100000725
the algorithm proceeds as follows:
1. If $m' = m$, output $r' = r$.
2. Compute $f(a) = k$, set $a' = (a'_n, \ldots, a'_1) = (a_n, \ldots, a_{k+1}, 0, a_{k-1}, \ldots, a_1)$, compute $f(a') = k'$, and let
Figure BDA00033411582100000726
The message claimed to have been transmitted is
Figure BDA00033411582100000727
3. Let
Figure BDA00033411582100000728
Figure BDA00033411582100000729
compute
Figure BDA00033411582100000730
and
Figure BDA00033411582100000731
and finally let
Figure BDA00033411582100000732
4. For $a'_i = 1$, $i \in [n] \setminus \{k'\}$, let
Figure BDA0003341158210000081
and let $(u'_{k'}, v'_{k'}, \perp) = (u_{k'}, v_{k'}, \perp)$.
5. For $a'_i = 0$, $i \in [n] \setminus \{k\}$, let $(U'_i, V'_i, C'_i) = (U_i, V_i, C_i)$.
6. Let
Figure BDA0003341158210000082
Figure BDA0003341158210000083
The PKADE construction supporting large message encryption can be suitably modified to support messages of any size by using AES, SHA256 and a hash function
Figure BDA0003341158210000084
When $a_i = 1$, the sub-ciphertext is
Figure BDA0003341158210000085
where
Figure BDA0003341158210000086
Figure BDA0003341158210000087
is the key for AES; when $a_i = 0$, the sub-ciphertext consists of random elements $U_i, V_i, C_i, H_i$.
Another object of the present invention is to provide a public key authenticated deniable encryption system using the public key authenticated deniable encryption method, the system comprising:
the system setup module, used for generating the public parameters and master private key of the system;
the encryption key generation module, used for generating the encryption key of the sender;
the decryption key generation module, used for generating the decryption key of the receiver;
the encryption module, used for encrypting the message to generate a ciphertext;
the decryption module, used for decrypting the ciphertext and outputting a plaintext or the error symbol $\perp$;
and the faking module, used for generating a fake random number that opens the ciphertext to a fake message.
It is a further object of the invention to provide a computer device comprising a memory and a processor, the memory storing a computer program which, when executed by the processor, causes the processor to perform the steps of:
a trusted authority generates the system public parameters and the master private key, publishes the public parameters and stores the master private key; the sender and the receiver each send their identity information to the trusted authority to request an encryption key and a decryption key respectively, and the trusted authority generates the encryption key and the decryption key using the master private key and the public parameters; the sender inputs the public parameters, the encryption key, the identity information of the receiver and the message to generate a ciphertext; the receiver inputs the public parameters, the decryption key, the identity information of the expected sender and the ciphertext; if the expected sender identity matches the source of the ciphertext, the message is recovered, otherwise decryption fails; when the sender is coerced, the sender inputs the public parameters, the encryption key, the identity information of the receiver, the original message, the random number and the fake message to generate a fake random number that opens the ciphertext to the fake message.
It is another object of the present invention to provide a computer-readable storage medium storing a computer program which, when executed by a processor, causes the processor to perform the steps of:
a trusted authority generates the system public parameters and a master private key, publishes the public parameters and stores the master private key; the sender and the receiver send their identity information to the trusted authority to request an encryption key and a decryption key respectively, and the trusted authority generates them using the master private key and the public parameters; the sender inputs the public parameters, the encryption key, the identity information of the receiver and the message to generate a ciphertext; the receiver inputs the public parameters, the decryption key, the identity information of the expected sender and the ciphertext; if the input identity information of the expected sender is consistent with the source of the ciphertext, the message is recovered, otherwise decryption fails; when the sender is coerced, the sender inputs the public parameters, the encryption key, the identity information of the receiver, the original message, the random number and the fake message to generate a fake random number that opens the ciphertext into the fake message.
Another object of the present invention is to provide an information data processing terminal for realizing the public key authentication repudiation encryption system.
Combining all of the above technical schemes, the advantages and positive effects of the invention are as follows: the invention achieves sender deniability and identity authentication of both the sender and the receiver at the same time. Specifically, pseudorandom elements and random elements are used to encode the ciphertext during encryption, and the identity information of the sender and of the receiver is embedded when the pseudorandom ciphertext is generated; when the sender is forced to open the ciphertext, the sender achieves deniability by claiming that the pseudorandom elements are random elements; in addition, the receiver performs identity authentication by checking whether a sub-ciphertext is a pseudorandom element: if the receiver can decrypt the sub-ciphertext correctly, the expected sender designated by the receiver is consistent with the source of the ciphertext, and if decryption fails, the two parties are not each other's expected parties.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required to be used in the embodiments of the present invention will be briefly described below, and it is obvious that the drawings described below are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a flowchart of a public key authentication repudiatable encryption method according to an embodiment of the present invention.
FIG. 2 is a block diagram of a public key authentication repudiation encryption system according to an embodiment of the present invention;
in the figure: 1. system establishing module; 2. encryption key generation module; 3. decryption key generation module; 4. encryption module; 5. decryption module; 6. forgery module.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is further described in detail with reference to the following embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and do not limit the invention.
In view of the problems in the prior art, the present invention provides a public key authentication repudiatable encryption method and system, which are described in detail below with reference to the accompanying drawings.
As shown in fig. 1, the public key authentication repudiatable encryption method provided by the embodiment of the present invention includes the following steps:
S101, a trusted authority generates the system public parameters and a master private key, publishes the public parameters and stores the master private key;
S102, the sender and the receiver send their identity information to the trusted authority to request an encryption key and a decryption key respectively, and the trusted authority generates them using the master private key and the public parameters;
S103, the sender inputs the public parameters, the encryption key, the identity information of the receiver and the message to generate a ciphertext;
S104, the receiver inputs the public parameters, the decryption key, the identity information of the expected sender and the ciphertext; if the input identity information of the expected sender is consistent with the source of the ciphertext, the message is recovered, otherwise decryption fails;
S105, when the sender is coerced, the sender inputs the public parameters, the encryption key, the identity information of the receiver, the original message, the random number and the fake message to generate a fake random number that opens the ciphertext into the fake message.
As shown in fig. 2, the public key authentication repudiatable encryption system provided by the embodiment of the present invention includes:
the system establishing module 1 is used for generating public parameters and a main private key of a system;
an encryption key generation module 2, configured to generate an encryption key of a sender;
a decryption key generation module 3, configured to generate a decryption key of the receiving party;
the encryption module 4 is used for encrypting the message to generate a ciphertext;
the decryption module 5 is used for decrypting the ciphertext and outputting a plaintext or the error symbol ⊥;
and the forgery module 6 is used for generating a fake random number that opens the ciphertext into a fake message.
The technical solution of the present invention is further described with reference to the following specific examples.
1. The invention provides sender deniability while also supporting identity authentication of the sender and the receiver. The two PKADE schemes of the invention, built under the fully deniable framework, are provably secure in the random oracle model, and compared with related deniable encryption (DE) schemes they not only provide bidirectional authentication but are also efficient. The proposed schemes are therefore better suited to practical application.
The invention considers bidirectional authentication in DE for the first time. Specifically, the contributions of the present invention are summarized below:
(1) The present invention proposes the concept of Public Key Authenticated Deniable Encryption (PKADE), which supports authentication of the communication participants while preserving the properties of the original DE. In addition, the present invention defines the syntax and security requirements of PKADE.
(2) The invention provides two concrete PKADE constructions under the fully deniable framework, supporting single-bit encryption and large message encryption respectively. Furthermore, the present invention also shows that the proposed constructions efficiently achieve the desired properties.
2. Preliminary knowledge
2.1 Bilinear mapping
Let
Figure BDA0003341158210000101
be two multiplicative cyclic groups of prime order p, and let g be a random generator of
Figure BDA0003341158210000102
A map between the two groups
Figure BDA0003341158210000103
is bilinear if it satisfies the following properties:
(1) Bilinearity: for arbitrary
Figure BDA0003341158210000104
Figure BDA0003341158210000105
$e(u^{\alpha}, v^{\beta}) = e(u, v)^{\alpha\beta}$ holds.
(2) Non-degeneracy:
Figure BDA0003341158210000111
holds, where
Figure BDA0003341158210000112
is the identity element of
Figure BDA0003341158210000113
(3) Computability: for arbitrary
Figure BDA0003341158210000114
there is a probabilistic polynomial time (PPT) algorithm that computes e(u, v).
2.2 Hardness assumptions
Definition 1 (BCDH assumption). Let
Figure BDA0003341158210000115
be a bilinear group. If, for an arbitrary PPT adversary given a tuple $(g, g^{\alpha}, g^{\beta}, g^{\gamma})$ for any
Figure BDA0003341158210000116
the probability of outputting $e(g, g)^{\alpha\beta\gamma}$ is negligible, then the BCDH assumption holds.
Before describing the next assumption, the concept of δ(n)-closeness is reviewed first.
Definition 2 (δ(n)-close). Given two families of probability distributions
Figure BDA0003341158210000117
and
Figure BDA0003341158210000118
define a function
Figure BDA0003341158210000119
If, for an arbitrary polynomial-time distinguisher D and n large enough, $|\Pr(D(A_n) = 1) - \Pr(D(B_n) = 1)| < \delta(n)$, the two distributions are δ(n)-close.
If δ(n) is negligible, the distributions A and B are computationally indistinguishable.
Definition 3 (one-bit flipping distribution assumption). For an arbitrary string $a = (a_n, a_{n-1}, \dots, a_1) \in \{0,1\}^n$, define a family of functions
Figure BDA00033411582100001110
For arbitrary PPT adversaries and arbitrary
Figure BDA00033411582100001111
given the two distributions $A_n = \{a \mid a \in \{0,1\}^n\}$ and $B_n = \{a' \mid a' = (a_n, \dots, a_{f(a)+1}, 0, a_{f(a)-1}, \dots, a_1),\ a \leftarrow \{0,1\}^n \setminus \{0^n\}\}$, the distributions $A_n$ and $B_n$ are δ(n)-close, where
Figure BDA00033411582100001112
3. Public key authentication repudiatable encryption
The present invention defines the syntax and the necessary security requirements of public key authenticated deniable encryption (PKADE).
3.1 PKADE syntax
In a PKADE system there are two kinds of entities: a trusted authority and users (senders and recipients). Note that each user holds a unique identity. The trusted authority is responsible for generating the public parameters and the master private key of the system, as well as the encryption keys of senders and the decryption keys of receivers. A sender with identity $id_s$ and a corresponding encryption key $ek_s$ can embed the identity of the intended recipient while encoding the message
Figure BDA00033411582100001113
Thus, the ciphertext contains both the sender's and the receiver's identity. In addition, the sender can generate a fake but seemingly authentic random number that opens this ciphertext into a different message. A recipient attempts to decode a ciphertext as follows. He/she first specifies the desired source of the ciphertext, i.e. selects a target sender with identity
Figure BDA0003341158210000121
He/she then uses the decryption key $dk_r$ and
Figure BDA0003341158210000122
to decrypt the ciphertext. However, the message is correctly recovered only if each party is the other's intended target; otherwise an error is returned.
Definition 4 (PKADE). A PKADE scheme with message space
Figure BDA0003341158210000123
consists of 6 PPT algorithms, defined as follows:
(1) Setup($1^{\lambda}$, n) → (pp, msk): the setup algorithm is executed by the trusted authority. It takes as input a security parameter λ and a parameter
Figure BDA0003341158210000124
and outputs the public parameters pp and the master private key msk.
(2) SGen(pp, msk, $id_s$) → $ek_s$: the encryption key generation algorithm is executed by the trusted authority. For any sender's encryption key request, the algorithm takes as input pp, msk and the sender's identity $id_s$, outputs the encryption key $ek_s$ of identity $id_s$, and the encryption key $ek_s$ is then sent over a secure channel to the sender who made the request.
(3) RGen(pp, msk, $id_r$) → $dk_r$: the decryption key generation algorithm is executed by the trusted authority. For any receiver's decryption key request, the algorithm takes as input pp, msk and the receiver's identity $id_r$, outputs the decryption key $dk_r$ of identity $id_r$, and the decryption key $dk_r$ is then sent over a secure channel to the receiver who made the request.
(4)
Figure BDA0003341158210000125
The encryption algorithm is executed by the sender. It takes as input pp, the sender's encryption key $ek_s$, the identity of the intended recipient
Figure BDA0003341158210000126
a message
Figure BDA0003341158210000127
and a random number r, and outputs a ciphertext c.
(5)
Figure BDA0003341158210000128
or ⊥: the decryption algorithm is executed by the receiver. It takes as input pp, the receiver's decryption key $dk_r$, the identity of the target sender
Figure BDA0003341158210000129
and a ciphertext c, and outputs the plaintext m or the error symbol ⊥.
(6)
Figure BDA00033411582100001210
The forgery algorithm is executed by the sender. It takes as input pp, the sender's encryption key $ek_s$, the identity of the intended recipient
Figure BDA00033411582100001211
the original message
Figure BDA00033411582100001212
the random number r and a fake message
Figure BDA00033411582100001213
and outputs a forged random number r′.
Intuitively, the correctness of a PKADE scheme ensures that the receiver can recover the message with overwhelming probability using its own decryption key only when the identity of the sender matches the receiver's intended sender and the identity of the receiver matches the sender's intended receiver; otherwise the decryption algorithm outputs ⊥. Note that correctness also implies implicit authentication of the recipient: from the sender's point of view, only the intended recipient can recover the transmitted information, i.e., the sender considers any recipient capable of recovering the message to be the intended recipient with overwhelming probability.
Definition 5 (correctness). A PKADE scheme satisfies correctness if, for any λ, (pp, msk) ← Setup($1^{\lambda}$, n),
Figure BDA0003341158210000131
and arbitrary identities
Figure BDA0003341158210000132
satisfying
Figure BDA0003341158210000133
we have
Figure BDA0003341158210000134
where $ek_s$ ← SGen(pp, msk, $id_s$) and $dk_r$ ← RGen(pp, msk, $id_r$).
3.2 PKADE security requirements
A PKADE scheme must satisfy semantic security, authenticity and deniability, each of which is defined by a game executed between a challenger and an adversary
Figure BDA0003341158210000135
Here the adversary
Figure BDA0003341158210000136
is allowed to query the oracles that execute the algorithms SGen and RGen
Figure BDA0003341158210000137
Figure BDA00033411582100001327
Of course, to prevent the adversary
Figure BDA0003341158210000138
from winning the game trivially,
Figure BDA0003341158210000139
is subject to some restrictions. Furthermore, let $T_{SGen}$ and $T_{RGen}$ denote the query records of
Figure BDA00033411582100001310
Semantic security requires that no PPT adversary can distinguish the ciphertext
Figure BDA00033411582100001311
from the ciphertext
Figure BDA00033411582100001312
where
Figure BDA00033411582100001313
is chosen by the adversary. Furthermore, for the identity of the intended recipient
Figure BDA00033411582100001314
queries to the oracle
Figure BDA00033411582100001315
are not allowed, since on
Figure BDA00033411582100001316
a query to
Figure BDA00033411582100001317
would obviously give the adversary a decryption key with which to distinguish the ciphertexts.
Definition 6 (semantic security). A PKADE scheme satisfies semantic security if, for all PPT adversaries taking part in the game below,
Figure BDA00033411582100001318
the following holds:
Figure BDA00033411582100001319
Figure BDA00033411582100001320
(pp, msk) ← Setup($1^{\lambda}$, n);
Figure BDA00033411582100001321
$ek_s$ ← SGen(pp, msk, $id_s$);
Figure BDA00033411582100001322
return
Figure BDA00033411582100001323
Figure BDA00033411582100001324
If b′ = b, return 1; otherwise return 0.
Authenticity is intended to ensure that if a ciphertext decrypts successfully, it must have been generated with an encryption key issued by the trusted authority. Intuitively, it provides sender authentication by ensuring the authenticity of the ciphertext. In particular, authenticity requires that, for an arbitrary PPT adversary, generating a tuple
Figure BDA00033411582100001325
satisfying
Figure BDA00033411582100001326
is infeasible, where the adversary is not allowed to hold, for
Figure BDA0003341158210000141
the encryption key
Figure BDA0003341158210000142
and, for $id_r$, the decryption key $dk_r$.
Definition 7 (authenticity). A PKADE scheme satisfies authenticity if, for all PPT adversaries taking part in the game below,
Figure BDA0003341158210000143
the following holds:
Figure BDA0003341158210000144
Figure BDA0003341158210000145
(pp, msk) ← Setup($1^{\lambda}$, n);
Figure BDA0003341158210000146
$dk_r$ ← RGen(pp, msk, $id_r$);
Figure BDA0003341158210000147
If m ≠ ⊥, return 1; otherwise return 0.
Deniability requires that, for any PPT adversary, distinguishing the distributions
Figure BDA0003341158210000148
and
Figure BDA0003341158210000149
is hard, where
Figure BDA00033411582100001410
is chosen by the adversary. As in the analysis of semantic security, in order to rule out trivial attacks, for the identity of the intended recipient
Figure BDA00033411582100001411
queries to the oracle
Figure BDA00033411582100001412
are not allowed.
Definition 8 (deniability). A PKADE scheme satisfies deniability if, for all PPT adversaries taking part in the game below,
Figure BDA00033411582100001413
the following holds:
Figure BDA00033411582100001414
Figure BDA00033411582100001415
(pp, msk) ← Setup($1^{\lambda}$, n);
Figure BDA00033411582100001416
$ek_s$ ← SGen(pp, msk, $id_s$);
Figure BDA00033411582100001417
Figure BDA00033411582100001418
When b = 0, return
Figure BDA00033411582100001419
When b = 1, return
Figure BDA00033411582100001420
Figure BDA00033411582100001421
If b′ = b, return 1; otherwise return 0.
4. PKADE scheme supporting single-bit encryption
4.1 The present invention aims to design a PKADE scheme supporting single-bit encryption that provides both deniability and bidirectional authentication. To achieve deniability, the present invention again uses the translucent set paradigm to encode the transmitted message. Informally, a translucent set is a subset of a full set, and pseudo-random elements can be sampled efficiently from the translucent set using only public key information. Given the private key associated with the translucent set, these pseudo-random elements can easily be distinguished from random elements of the full set. That is, when the private key associated with the translucent set is unknown, a pseudo-random element can be claimed to be a random element. In the proposed construction, k ≡ 1 mod 2 pseudo-random elements are sampled when encrypting 1, and k ≡ 0 mod 2 pseudo-random elements are sampled when encrypting 0. When the sender is coerced, the sender can claim that a pseudo-random element is a random element, and thereby forge the message in both directions (from 1 to 0 or from 0 to 1).
To realize bidirectional authentication, the invention adopts the idea of matching encryption. Roughly speaking, the main idea of matching encryption is: in the encryption phase, the sender can specify the identity of the message recipient while embedding his/her own identity; in the decryption phase, the receiver can also specify the source of the ciphertext; however, the message is correctly recovered only if the identities of the two parties match. The main technique of the construction is that the sender generates pseudo-random elements containing the identities of the communication participants. More precisely, the sender generates a pseudo-random sub-ciphertext (element) using the unique encryption key that the trusted authority generated from the master private key and the sender's identity, while embedding the identity of the message recipient. The recipient uses the decryption key corresponding to its identity and inputs the desired source of the ciphertext (i.e., the identity of the sender it wants to communicate with) to decrypt a ciphertext. The plaintext is recovered only when the two identities input by the receiver both match the two identities contained in the pseudo-random sub-ciphertext; otherwise ⊥ is returned. Thus, if the recipient is able to recover the plaintext from the sub-ciphertext, he/she can confirm that the sender was authenticated by the trusted authority. Furthermore, this also implies that if the receiver correctly decrypts the pseudo-random sub-ciphertext, he/she must be the receiver the sender intended, because only the intended receiver holds the unique decryption key issued by the trusted authority for its identity.
4.2 Concrete construction
For the message space
Figure BDA0003341158210000151
the construction is as follows:
(1) Setup($1^{\lambda}$, n): input a security parameter λ and an even number
Figure BDA0003341158210000152
Generate a bilinear group
Figure BDA0003341158210000153
Select two random integers
Figure BDA0003341158210000154
Compute G = G α and select three collision-resistant hash functions
Figure BDA0003341158210000155
and
Figure BDA0003341158210000156
Select a padding function
Figure BDA0003341158210000157
where $l = \eta + \lambda + 1$, such that for any $\gamma \in \{0,1\}^{\eta}$
Figure BDA0003341158210000158
Here the invention requires that the probability that a random element of $\{0,1\}^{l}$ is a valid padding is negligible. Finally, output the public parameters
Figure BDA0003341158210000159
and the master private key msk = (α, β).
(2) SGen(pp, msk, $id_s$): input pp, msk and the sender's identity $id_s$; the algorithm outputs the encryption key $ek_s = H_s(id_s)^{\beta}$.
(3) RGen(pp, msk, $id_r$): input pp, msk and the receiver's identity $id_r$; the algorithm outputs the decryption key $dk_r = (dk_{r,1}, dk_{r,2}) = (H_r(id_r)^{\alpha}, H_r(id_r)^{\beta})$.
(4)
Figure BDA0003341158210000161
Input pp, $ek_s$, the identity of the intended recipient
Figure BDA0003341158210000162
a message
Figure BDA0003341158210000163
and a random number r. The algorithm proceeds as follows:
1. Randomly choose $k \in [n]$ satisfying $k \equiv m \bmod 2$, where $[n]$ denotes the set {1, 2, ..., n}.
2. For $i \in [k]$, select random integers
Figure BDA0003341158210000164
and a random string $\gamma_i \in \{0,1\}^{\eta}$; for $i \in [n] \setminus [k]$, randomly select
Figure BDA0003341158210000165
and $C_i \in \{0,1\}^{l}$. Finally, let $r = (k, \{(u_i, v_i, \gamma_i)\}_{i \in [k]}, \{(U_i, V_i, C_i)\}_{i \in [n] \setminus [k]})$.
3. For $i \in [k]$, first compute
Figure BDA0003341158210000166
Figure BDA0003341158210000167
then compute
Figure BDA0003341158210000168
Figure BDA0003341158210000169
and finally compute
Figure BDA00033411582100001610
4. Output the ciphertext $c = (c_1, c_2, \dots, c_n)$, where $c_i = (U_i, V_i, C_i)$.
(5)
Figure BDA00033411582100001611
Input pp, $dk_r$, the identity of the target sender
Figure BDA00033411582100001612
and a ciphertext c. The algorithm proceeds as follows:
1. Parse the ciphertext c as $c_1, c_2, \dots, c_n$, and further parse each $c_i$ as $(U_i, V_i, C_i)$.
2. Compute $K_{1,1} = e(dk_{r,1}, V_1)$,
Figure BDA00033411582100001613
then compute
Figure BDA00033411582100001614
If
Figure BDA00033411582100001615
is a valid padding, recover the $\gamma_1$ hidden in
Figure BDA00033411582100001616
otherwise we have
Figure BDA00033411582100001617
and the algorithm stops.
3. For $i \in [n] \setminus \{1\}$, compute $K_{1,i} = e(dk_{r,1}, V_i)$,
Figure BDA00033411582100001618
Figure BDA00033411582100001619
and from
Figure BDA00033411582100001620
recover $\gamma_i$ until ⊥ is returned; output the maximum index i for which $\gamma_i$ was recovered.
4. Let k = i, calculate m = k mod 2, and output the encrypted message m.
(6)
Figure BDA00033411582100001621
Input pp, $ek_s$, the identity of the intended recipient
Figure BDA00033411582100001622
the original message
Figure BDA00033411582100001623
the random number r and a fake message
Figure BDA00033411582100001624
The algorithm proceeds as follows:
1. If m′ = m, output r′ = r.
2. Let k′ = k − 1; if k = 1, the forgery fails and the algorithm stops.
3. Let $\{(u'_i, v'_i, \gamma'_i)\}_{i \in [k']} = \{(u_i, v_i, \gamma_i)\}_{i \in [k']}$.
4. Let
Figure BDA0003341158210000171
Figure BDA0003341158210000172
compute
Figure BDA0003341158210000173
and
Figure BDA0003341158210000174
and finally let
Figure BDA0003341158210000175
5. Let $\{(U'_i, V'_i, C'_i)\}_{i \in [n] \setminus [k'+1]} = \{(U_i, V_i, C_i)\}_{i \in [n] \setminus [k'+1]}$.
6. Let $r' = (k', \{(u'_i, v'_i, \gamma'_i)\}_{i \in [k']}, \{(U'_i, V'_i, C'_i)\}_{i \in [n] \setminus [k']})$ and output r′.
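The parity encoding and Fake opening of Section 4.2, as an added example that is not the patent's own code: the pairing-derived keys are replaced by a hypothetical `pair_key` HMAC stand-in that both sides can compute (so it gives no public-key security), and all names, sizes and identities are constructed. It shows that the faked randomness r′ reproduces the same ciphertext while opening it to the flipped bit, that a receiver who names the wrong sender gets ⊥, and that forgery fails when k = 1.

```python
import hashlib
import hmac
import secrets

N = 8        # number of sub-ciphertexts; Setup requires an even n
ETA = 16     # bytes of gamma hidden in a pseudo-random element (constructed size)
TAG = 16     # bytes of padding redundancy, in the role of the lambda + 1 padding bits
NONCE = 16   # bytes standing in for the group elements (U_i, V_i)


def pair_key(master: bytes, id_s: str, id_r: str) -> bytes:
    """Hypothetical stand-in for the pairing-derived key bound to both identities."""
    return hmac.new(master, id_s.encode() + b"\x00" + id_r.encode(), hashlib.sha256).digest()


def pad(gamma: bytes) -> bytes:
    """Padding function: a random string is a valid padding with probability 2^-128."""
    return gamma + hashlib.sha256(b"pad" + gamma).digest()[:TAG]


def unpad(block: bytes):
    gamma, tag = block[:ETA], block[ETA:]
    ok = hmac.compare_digest(tag, hashlib.sha256(b"pad" + gamma).digest()[:TAG])
    return gamma if ok else None


def seal(key: bytes, u: bytes, gamma: bytes) -> bytes:
    """C_i of a pseudo-random element: pad(gamma) masked under the identity-bound key."""
    mask = hmac.new(key, u, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(pad(gamma), mask))


def unseal(key: bytes, u: bytes, body: bytes):
    mask = hmac.new(key, u, hashlib.sha256).digest()
    return unpad(bytes(a ^ b for a, b in zip(body, mask)))


def sample_randomness(m: int, k: int = None):
    """r = (k, inputs of the k pseudo-random elements, the n - k random elements)."""
    if k is None:
        k = secrets.choice([i for i in range(1, N + 1) if i % 2 == m])
    pseudo = [(secrets.token_bytes(NONCE), secrets.token_bytes(ETA)) for _ in range(k)]
    rand = [(secrets.token_bytes(NONCE), secrets.token_bytes(ETA + TAG)) for _ in range(N - k)]
    return k, pseudo, rand


def encrypt(key: bytes, m: int, r):
    k, pseudo, rand = r
    if k % 2 != m or len(pseudo) != k or len(rand) != N - k:
        raise ValueError("randomness does not encode m")
    return [(u, seal(key, u, g)) for u, g in pseudo] + list(rand)


def decrypt(key: bytes, c):
    """Count the leading elements with valid padding; None models the error symbol."""
    k = 0
    for u, body in c:
        if unseal(key, u, body) is None:
            break
        k += 1
    return None if k == 0 else k % 2


def fake(key: bytes, m: int, r, m_fake: int):
    """Open the same ciphertext to m_fake by declaring element k to be random."""
    if m_fake == m:
        return r
    k, pseudo, rand = r
    if k == 1:
        return None  # k' = 0 is not in [n]: forgery fails
    u, g = pseudo[k - 1]
    claimed_random = (u, seal(key, u, g))
    return k - 1, pseudo[:k - 1], [claimed_random] + list(rand)


if __name__ == "__main__":
    master = b"constructed-master-secret"
    key = pair_key(master, "alice", "bob")
    r = sample_randomness(0)
    c = encrypt(key, 0, r)
    r_fake = fake(key, 0, r, 1)
    print("receiver decrypts:", decrypt(key, c))
    print("fake opening reproduces c as an encryption of 1:", encrypt(key, 1, r_fake) == c)
    print("wrong expected sender:", decrypt(pair_key(master, "mallory", "bob"), c))
```

The receiver still decrypts the real bit; only the randomness shown to the coercer changes.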
5. PKADE scheme supporting large message encryption
5.1 The object of the present invention is to propose a PKADE scheme that supports large message encryption. Cao et al. devised an efficient DE scheme that supports encryption of multi-bit messages using simple binary bit positions and bit flipping operations. The present invention also uses binary bit positions and bit flipping operations to construct its scheme. Specifically, in the encryption phase, the sender first selects a bit string $a = (a_n, a_{n-1}, \dots, a_1)$ and determines from it a position k, where $a_k = 1$. The sender then places the ciphertext corresponding to the actually transmitted plaintext at position k. For the remaining positions of the binary string, a pseudo-random element is placed if $a_i = 1$, and a random element otherwise. In the decryption phase, the receiver first recovers the binary string a by judging whether each sub-ciphertext is a pseudo-random element, then recovers the position k from the binary string a and thereby obtains the actually transmitted plaintext. When coerced, the sender sets $a_k = 0$ while claiming that the sub-ciphertext $c_k$ is a randomly chosen random element, so that a fake position k′ is generated from $(a_n, \dots, a_{k+1}, 0, a_{k-1}, \dots, a_1)$ and a fake communication message $m_{k'}$ is recovered. In addition, to realize bidirectional authentication, the invention adopts the same idea as in the single-bit construction, namely, the sender's unique encryption key issued by the trusted authority and the identity of the target receiver of the message are used to generate the pseudo-random sub-ciphertexts.
5.2 Concrete construction
For the message space
Figure BDA0003341158210000176
the construction is as follows:
(1) Setup($1^{\lambda}$, n): input a security parameter λ and an even number
Figure BDA0003341158210000177
Generate a bilinear group
Figure BDA0003341158210000178
Select two random integers
Figure BDA0003341158210000179
Compute G = G α and select three collision-resistant hash functions
Figure BDA00033411582100001710
and
Figure BDA00033411582100001711
Select a padding function
Figure BDA00033411582100001712
where $l = \eta + \lambda + 1$, such that for arbitrary
Figure BDA00033411582100001713
Figure BDA00033411582100001714
Here the invention requires that the probability that a random element of $\{0,1\}^{l}$ is a valid padding is negligible. From the function family
Figure BDA00033411582100001715
randomly select a function f, and finally output the public parameters
Figure BDA0003341158210000181
and the master private key msk = (α, β).
(2) SGen(pp, msk, $id_s$): input pp, msk and the sender's identity $id_s$; the algorithm outputs the encryption key $ek_s = H_s(id_s)^{\beta}$.
(3) RGen(pp, msk, $id_r$): input pp, msk and the receiver's identity $id_r$; the algorithm outputs the decryption key $dk_r = (dk_{r,1}, dk_{r,2}) = (H_r(id_r)^{\alpha}, H_r(id_r)^{\beta})$.
(4)
Figure BDA0003341158210000182
Input pp, $ek_s$, the identity of the intended recipient
Figure BDA0003341158210000183
a message
Figure BDA0003341158210000184
and a random number r. The algorithm proceeds as follows:
1. Randomly choose $a = (a_n, a_{n-1}, \dots, a_1) \in \{0,1\}^n$ and compute f(a) = k.
2. For $a_i = 1, i \in [n]$, select random integers
Figure BDA0003341158210000185
For $a_i = 1, i \in [n] \setminus \{k\}$, randomly select a message
Figure BDA0003341158210000186
For $a_i = 0, i \in [n]$, randomly select
Figure BDA0003341158210000187
and $C_i \in \{0,1\}^{l}$. Finally, let
Figure BDA0003341158210000188
Figure BDA0003341158210000189
3. For $a_i = 1, i \in [n]$, first compute
Figure BDA00033411582100001810
Figure BDA00033411582100001811
then compute
Figure BDA00033411582100001812
Figure BDA00033411582100001813
When i = k, compute
Figure BDA00033411582100001814
For $a_i = 1, i \in [n] \setminus \{k\}$, compute
Figure BDA00033411582100001815
4. Output the ciphertext $c = (c_1, c_2, \dots, c_n)$, where $c_i = (U_i, V_i, C_i)$.
(5)
Figure BDA00033411582100001816
Input pp, $dk_r$, the identity of the target sender
Figure BDA00033411582100001817
and a ciphertext c. The algorithm proceeds as follows:
1. Parse the ciphertext c as $c_1, c_2, \dots, c_n$, and further parse each $c_i$ as $(U_i, V_i, C_i)$.
2. For each $c_i = (U_i, V_i, C_i)$, compute $K_{1,i} = e(dk_{r,1}, V_i)$,
Figure BDA00033411582100001818
Figure BDA00033411582100001819
If
Figure BDA00033411582100001820
is a valid padding, recover
Figure BDA00033411582100001821
and mark $a_i = 1$; otherwise the result is ⊥, and mark $a_i = 0$.
3. Compute f(a) = k, where $a = (a_n, a_{n-1}, \dots, a_1)$ is obtained from the previous step, and finally output
Figure BDA00033411582100001822
(6)
Figure BDA00033411582100001823
Input pp, $ek_s$, the identity of the intended recipient
Figure BDA00033411582100001824
the original message
Figure BDA00033411582100001825
the random number r and a fake message
Figure BDA00033411582100001826
The algorithm proceeds as follows:
1. If m′ = m, output r′ = r.
2. Compute f(a) = k, set $a' = (a'_n, \dots, a'_1) = (a_n, \dots, a_{k+1}, 0, a_{k-1}, \dots, a_1)$, compute f(a′) = k′, and let
Figure BDA0003341158210000191
The message claimed to have been transmitted is
Figure BDA0003341158210000192
3. Let
Figure BDA0003341158210000193
Figure BDA0003341158210000194
compute
Figure BDA0003341158210000195
and
Figure BDA0003341158210000196
and finally let
Figure BDA0003341158210000197
4. For $a'_i = 1, i \in [n] \setminus \{k'\}$, let
Figure BDA0003341158210000198
and let $(u'_{k'}, v'_{k'}, \perp) = (u_{k'}, v_{k'}, \perp)$.
5. For $a'_i = 0, i \in [n] \setminus \{k\}$, let $(U'_i, V'_i, C'_i) = (U_i, V_i, C_i)$.
6. Let
Figure BDA0003341158210000199
Figure BDA00033411582100001910
In addition, the present invention notes that any η-bit message can be encrypted with the above scheme, but in practical applications the size of the transmitted message is not always η bits. To this end, the present invention modifies the above scheme appropriately to support messages of arbitrary size. In particular, the present invention uses AES, SHA256 and hash functions
Figure BDA00033411582100001911
When $a_i = 1$, the sub-ciphertext is
Figure BDA00033411582100001912
where
Figure BDA00033411582100001913
Figure BDA00033411582100001914
is the AES key. When $a_i = 0$, the sub-ciphertext consists of the random elements $U_i, V_i, C_i, H_i$.
6. Efficiency analysis and comparison
This section discusses the performance of the proposed schemes through a theoretical comparison with other related schemes in terms of features and of computation, communication and storage overhead.
In Table 1, the proposed schemes are compared with the Parity scheme of Canetti et al. and the schemes of Sahai et al., Canetti et al. and Cao et al. in terms of features, including authentication, type of deniable encryption, deniability, and the underlying hardness assumptions. For convenience of description, trapdoor permutation is abbreviated as TDP, hard-core predicate as HCP, one-way function as OWF, the subgroup membership problem assumption as SMP, and the one-bit flipping distribution assumption as OBF. Note that all schemes satisfy deniability; the scheme of Canetti et al. supports deniability for both parties, while the others support sender deniability only. In particular, the Parity scheme of Canetti et al. and the proposed single-bit scheme achieve inverse-polynomial deniability; however, the proposed single-bit scheme is based on BCDH, a more widely used and classical assumption. The proposed large message scheme and the scheme of Cao et al. achieve δ(n) deniability, where δ(n) is less than 1/n. The schemes of Sahai et al. and Canetti et al. achieve negligible deniability, but their security is based on a sub-exponential assumption, i.e., iO. In particular, only the two proposed schemes provide identity authentication.
Table 1 Comparison of characteristics
Figure BDA0003341158210000201
In Table 2, the proposed single-bit scheme is compared with the Parity scheme of Canetti et al. It is assumed that, in the Parity scheme of Canetti et al., an element of the set
Figure BDA0003341158210000202
or
Figure BDA0003341158210000203
has the same size as a sub-ciphertext in the proposed single-bit scheme, and this size is defined as τ (for example, using the elliptic curve SS1024 and setting the input size of the fill function
Figure BDA0003341158210000204
to η = 2048 gives log p = 1024, λ = 112 and τ = 2 log p + η + λ + 1 = 4209). Let κ be a sufficiently large integer related to τ, and let n be the number of sub-ciphertexts. For convenience, T, I, B, M, E and P denote a trapdoor operation, an inversion operation, a hard-core predicate operation, a multiplication operation, an exponentiation operation and a pairing operation, respectively. Both schemes support only single-bit encryption, and the required communication overhead is the same. However, the proposed single-bit scheme requires less communication overhead, since κ is a sufficiently large integer.
Table 2 comparison with the Parity scheme of Canetti et al.
Figure BDA0003341158210000205
Table 3 comparison with Cao et al protocol
Figure BDA0003341158210000211
In Table 3, the proposed large message scheme is compared with the scheme of Cao et al. Let l be the message size in the Cao et al. scheme, typically l = 40 bits. Let η be the input length of the fill function
Figure BDA0003341158210000212
that is, the plaintext length of the proposed large message scheme is η. Let l = η + λ + 1 be the output length of the fill function
Figure BDA0003341158210000213
Let N, q be integers as defined in the Cao et al. scheme. L and D denote the operations of solving a discrete logarithm and of division, respectively. Both schemes support encryption of multi-bit messages; however, when encrypting an η-bit message (e.g., η = 2048), the proposed large message encryption scheme is optimal in terms of computational overhead. In addition, the storage and communication overhead of the proposed large message scheme is also smaller than that of the Cao et al. scheme. For example, consider a security level of 112 bits, i.e., Cao et al. use a 2048-bit RSA modulus N, and the proposed large message scheme uses the elliptic curve SS1024. Therefore log p = log q = 1024. Clearly, the proposed large message scheme requires less storage and communication overhead.
7. Deniable encryption (DE) primitives provide an affirmative solution to coercion (duress) and bribery attacks. However, existing DE schemes cannot support mutual authentication, which is a very important function in many applications of DE (e.g., electronic voting). The present invention is the first to introduce the concept of public key authentication repudiation encryption, which provides both repudiation and mutual authentication. In addition, two concrete constructions are proposed within the framework of full repudiation, and they are proven secure in the random oracle model. Compared with related DE constructions, the proposed constructions achieve the desired properties efficiently.
The above embodiments may be implemented wholly or partially in software, hardware, firmware, or any combination thereof. When implemented wholly or partially in software, the implementation may take the form of a computer program product that includes one or more computer instructions. When the computer instructions are loaded or executed on a computer, the flows or functions according to the embodiments of the invention are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or another programmable device. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wired (e.g., coaxial cable, optical fiber, digital subscriber line (DSL)) or wireless (e.g., infrared, radio, microwave) means. The computer-readable storage medium can be any available medium that a computer can access, or a data storage device, such as a server or data center, that integrates one or more available media. The available medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., solid state disk (SSD)), among others.
The above description is only for the purpose of illustrating the present invention and the appended claims are not to be construed as limiting the scope of the invention, which is intended to cover all modifications, equivalents and improvements that are within the spirit and scope of the invention as defined by the appended claims.

Claims (5)

1. A public key authentication repudiation encryption method, characterized in that the public key authentication repudiation encryption method comprises the steps of:
step one, a trusted authority generates the system public parameters and a master private key, publishes the system public parameters and stores the master private key;
step two, the sender and the receiver send their identity information to the trusted authority to request generation of an encryption key and a decryption key, respectively, and the trusted authority generates the encryption key and the decryption key using the master private key and the public parameters;
step three, the sender inputs the public parameters, the encryption key, the identity information of the receiver and the message to generate a ciphertext;
step four, the receiver inputs the public parameters, the decryption key, the identity information of the expected sender and the ciphertext; if the input identity information of the expected sender is consistent with the source of the ciphertext, the message is recovered; otherwise, the decryption fails;
step five, when the sender is coerced, the sender inputs the public parameters, the encryption key, the identity information of the receiver, the original message, the random number and the false message to generate a false random number that opens the ciphertext into the false message;
the trusted authority in the public key authentication deniable encryption method is responsible for generating the public parameters and the master private key of the system, the encryption key of the sender and the decryption key of the receiver; a sender with identity $id_s$ and the corresponding encryption key $ek_s$ can, while encrypting a message, embed the identity of the intended receiver
Figure FDA0003798359900000011
so that the ciphertext contains both the sender's and the receiver's identities; the sender can also generate a false but genuine-looking random number for opening this ciphertext into a different message; a receiver who wants to decrypt a ciphertext first selects an expected sender whose identity is
Figure FDA0003798359900000012
and then uses the decryption key $dk_r$ and
Figure FDA0003798359900000013
to decrypt the ciphertext; if the identity of the expected sender is consistent with the source of the ciphertext, the message is recovered; otherwise, the decryption fails;
the public key authentication repudiation encryption method comprises the following six algorithms:
(1) Setup($1^\lambda$, n) → (pp, msk): the setup algorithm is executed by the trusted authority; it takes as input a security parameter λ and a parameter
Figure FDA0003798359900000021
and outputs the public parameters pp and the master private key msk;
(2) SGen(pp, msk, $id_s$) → $ek_s$: the encryption key generation algorithm is executed by the trusted authority; for any sender's encryption key request, the algorithm takes as input pp, msk and the sender's identity $id_s$, and outputs the encryption key $ek_s$ for identity $id_s$; the encryption key $ek_s$ is then sent over a secure channel to the sender who requested it;
(3) RGen(pp, msk, $id_r$) → $dk_r$: the decryption key generation algorithm is executed by the trusted authority; for any receiver's decryption key request, the algorithm takes as input pp, msk and the receiver's identity $id_r$, and outputs the decryption key $dk_r$ for identity $id_r$; the decryption key $dk_r$ is then sent over a secure channel to the receiver who requested it;
(4)
Figure FDA0003798359900000022
the encryption algorithm is executed by the sender; it takes as input pp, the sender's encryption key $ek_s$, the identity of the intended receiver
Figure FDA0003798359900000023
a message
Figure FDA0003798359900000024
and a random number r, and outputs a ciphertext c;
(5)
Figure FDA0003798359900000025
or ⊥: the decryption algorithm is executed by the receiver; it takes as input pp, the receiver's decryption key $dk_r$, the identity of the target sender
Figure FDA0003798359900000026
and the ciphertext c, and outputs the plaintext m or the error symbol ⊥;
(6)
Figure FDA0003798359900000027
the forgery algorithm is executed by the sender; it takes as input pp, the sender's encryption key $ek_s$, the identity of the intended receiver
Figure FDA0003798359900000028
the original message
Figure FDA0003798359900000029
the random number r and a fake message
Figure FDA00037983599000000210
and outputs a forged random number r′;
the public key authentication repudiation encryption method also comprises a PKADE structure supporting single-bit encryption, in which repudiation is realized by adopting the semi-transparent set paradigm; a semi-transparent set is a subset of a full set from which pseudo-random elements can be efficiently sampled using only public key information; when the private key associated with the semi-transparent set is unknown, a pseudo-random element can be claimed to be a random element; when encrypting 1, k ≡ 1 mod 2 pseudo-random elements are sampled; when encrypting 0, k ≡ 0 mod 2 pseudo-random elements are sampled; when the sender is under duress, the sender can forge its message in both directions, i.e., from 1 to 0 or from 0 to 1, by claiming that a pseudo-random element is a random element;
bidirectional authentication is realized by adopting the idea of matching encryption, which is as follows: in the encryption stage, the sender can specify the identity of the message receiver while embedding his/her own identity; in the decryption stage, the receiver can likewise specify the source of the ciphertext, and the message can be correctly recovered only when the identities of the two parties match; in the PKADE structure supporting single-bit encryption, the sender generates pseudo-random elements containing the identities of the communication participants; the sender uses the unique encryption key, generated by the trusted authority from the master private key and the sender's identity, to generate a pseudo-random sub-ciphertext (element) and embeds the identity of the message receiver in it; the receiver uses the decryption key corresponding to his/her identity and inputs the expected ciphertext source, i.e., the identity of the sender with whom he/she wants to communicate, to decrypt the ciphertext; the plaintext can be recovered only when the two identities input by the receiver match the two identities contained in the pseudo-random sub-ciphertext at the same time; otherwise ⊥ is returned; if the receiver can recover the plaintext from the sub-ciphertext, he/she is assured that the sender is one authenticated by the trusted authority; if the receiver correctly decrypts the pseudo-random sub-ciphertext, the sender is assured that he/she is the target receiver, since only the target receiver holds the unique decryption key issued for its identity by the trusted authority;
the construction for the message space
Figure FDA0003798359900000031
is as follows:
(1) Setup($1^\lambda$, n): on input a security parameter λ and an even number
Figure FDA0003798359900000032
generate a bilinear group
Figure FDA0003798359900000033
select two random integers
Figure FDA0003798359900000034
compute G = G α, select three collision-resistant hash functions
Figure FDA0003798359900000035
and
Figure FDA0003798359900000036
select a fill function
Figure FDA0003798359900000037
where l = η + λ + 1; for any $\gamma \in \{0,1\}^\eta$
Figure FDA0003798359900000038
it is required that the probability that a random element of $\{0,1\}^l$ is a valid fill be negligible; finally, output the public parameters
Figure FDA0003798359900000039
and the master private key msk = (α, β);
(2) SGen(pp, msk, $id_s$): on input pp, msk and the sender's identity $id_s$, the algorithm outputs the encryption key $ek_s = H_s(id_s)^\beta$;
(3) RGen(pp, msk, $id_r$): on input pp, msk and the receiver's identity $id_r$, the algorithm outputs the decryption key $dk_r = (dk_{r,1}, dk_{r,2}) = (H_r(id_r)^\alpha, H_r(id_r)^\beta)$;
(4)
Figure FDA0003798359900000041
on input pp, $ek_s$, the identity of the intended receiver
Figure FDA0003798359900000042
a message
Figure FDA0003798359900000043
and a random number r, the algorithm proceeds as follows:
randomly select k from [n] such that k ≡ m mod 2, where [n] denotes the set {1, 2, ..., n};
for i ∈ [k], select random integers
Figure FDA0003798359900000044
and a random number $\gamma_i \in \{0,1\}^\eta$; for i ∈ [n]\[k], randomly select
Figure FDA0003798359900000045
$e_i \in \{0,1\}^l$; finally, let $r = (k, \{(u_i, v_i, \gamma_i)\}_{i \in [k]}, \{(U_i, V_i, e_i)\}_{i \in [n] \setminus [k]})$;
for i ∈ [k], first compute
Figure FDA0003798359900000046
then compute
Figure FDA0003798359900000047
Figure FDA0003798359900000048
and finally compute
Figure FDA0003798359900000049
output the ciphertext $c = (c_1, c_2, ..., c_n)$, where $c_i = (U_i, V_i, C_i)$;
(5)
Figure FDA00037983599000000410
on input pp, $dk_r$, the identity of the target sender
Figure FDA00037983599000000411
and the ciphertext c, the algorithm proceeds as follows:
parse the ciphertext c into $c_1, c_2, ..., c_n$, and further parse each $c_i$ into $U_i, V_i, C_i$;
compute $K_{1,1} = e(dk_{r,1}, V_1)$,
Figure FDA00037983599000000412
then compute
Figure FDA00037983599000000413
if
Figure FDA00037983599000000414
is a valid fill, recover the $\gamma_1$ hidden in
Figure FDA00037983599000000415
otherwise
Figure FDA00037983599000000416
and the algorithm stops;
for i ∈ [n]\{1}, compute $K_{1,i} = e(dk_{r,1}, V_i)$,
Figure FDA00037983599000000417
and recover $\gamma_i$ from
Figure FDA00037983599000000418
until ⊥ is returned; output the maximum index i of the recovered $\gamma_i$;
let k = i, calculate m = k mod 2, output the encrypted message m;
(6)
Figure FDA00037983599000000419
on input pp, $ek_s$, the identity of the intended receiver
Figure FDA00037983599000000420
the original message
Figure FDA00037983599000000421
the random number r and a fake message
Figure FDA00037983599000000422
the algorithm proceeds as follows:
if m′ = m, output r′ = r;
let k′ = k - 1; if k = 1, the forgery fails and the algorithm stops;
let $\{(u'_i, v'_i, \gamma'_i)\}_{i \in [k']} = \{(u_i, v_i, \gamma_i)\}_{i \in [k']}$;
let
Figure FDA0003798359900000051
compute
Figure FDA0003798359900000052
and
Figure FDA0003798359900000053
let
Figure FDA0003798359900000054
let $\{(U'_i, V'_i, C'_i)\}_{i \in [n] \setminus [k'+1]} = \{(U_i, V_i, C_i)\}_{i \in [n] \setminus [k'+1]}$;
let $r' = (k', \{(u'_i, v'_i, \gamma'_i)\}_{i \in [k']}, \{(U'_i, V'_i, C'_i)\}_{i \in [n] \setminus [k']})$ and output r′;
the public key authentication repudiation encryption method also comprises a PKADE structure supporting large-message encryption, which is designed using binary bit positions and a bit-flipping operation; in the encryption stage, the sender determines a position k, where $a_k = 1$, from a bit string $a = (a_n, a_{n-1}, ..., a_1)$ that he/she selects; the sender places the ciphertext corresponding to the actually transmitted plaintext at position k; for the remaining positions of the binary string, a pseudo-random element is placed if $a_i = 1$, and a random element otherwise; in the decryption stage, the receiver recovers the binary string a by determining whether each sub-ciphertext is a pseudo-random element, recovers the position k from the binary string a, and thereby obtains the actually transmitted plaintext; when coercion occurs, the sender sets $a_k = 0$ while claiming that the sub-ciphertext $c_k$ is a randomly selected random element, generates a false position k′ from $(a_n, ..., a_{k+1}, 0, a_{k-1}, ..., a_1)$, and recovers a false communication message $m_{k'}$; authentication in the PKADE structure supporting large-message encryption is realized in the same way as in the single-bit encryption structure, i.e., the pseudo-random sub-ciphertexts are generated using the sender's unique encryption key issued by the trusted authority and the identity of the message's target receiver;
the construction for the message space
Figure FDA0003798359900000055
is as follows:
(1) Setup($1^\lambda$, n): on input a security parameter λ and an even number
Figure FDA0003798359900000056
generate a bilinear group
Figure FDA0003798359900000057
select two random integers
Figure FDA0003798359900000058
compute G = G α, select three collision-resistant hash functions
Figure FDA0003798359900000059
and
Figure FDA00037983599000000510
select a fill function
Figure FDA00037983599000000511
where l = η + λ + 1; for arbitrary
Figure FDA00037983599000000512
the probability that a random element of $\{0,1\}^l$ is a valid fill is negligible; from a family of functions
Figure FDA0003798359900000061
randomly select a function f, and finally output the public parameters
Figure FDA0003798359900000062
and the master private key msk = (α, β);
(2) SGen(pp, msk, $id_s$): on input pp, msk and the sender's identity $id_s$, the algorithm outputs the encryption key $ek_s = H_s(id_s)^\beta$;
(3) RGen(pp, msk, $id_r$): on input pp, msk and the receiver's identity $id_r$, the algorithm outputs the decryption key $dk_r = (dk_{r,1}, dk_{r,2}) = (H_r(id_r)^\alpha, H_r(id_r)^\beta)$;
(4)
Figure FDA0003798359900000063
on input pp, $ek_s$, the identity of the intended receiver
Figure FDA0003798359900000064
a message
Figure FDA0003798359900000065
and a random number r, the algorithm proceeds as follows:
randomly select $a = (a_n, a_{n-1}, ..., a_1) \in \{0,1\}^n$ and compute f(a) = k;
for $a_i = 1$, i ∈ [n], select random integers
Figure FDA0003798359900000066
for $a_i = 1$, i ∈ [n]\{k}, randomly select a message
Figure FDA0003798359900000067
for $a_i = 0$, i ∈ [n], randomly select
Figure FDA0003798359900000068
$C_i \in \{0,1\}^l$; finally, let
Figure FDA0003798359900000069
for $a_i = 1$, i ∈ [n], first compute
Figure FDA00037983599000000610
then compute
Figure FDA00037983599000000611
when i = k, compute
Figure FDA00037983599000000612
for $a_i = 1$, i ∈ [n]\{k}, compute
Figure FDA00037983599000000613
output the ciphertext $c = (c_1, c_2, ..., c_n)$, where $c_i = (U_i, V_i, C_i)$;
(5)
Figure FDA00037983599000000614
on input pp, $dk_r$, the identity of the target sender
Figure FDA00037983599000000615
and the ciphertext c, the algorithm proceeds as follows:
parse the ciphertext c into $c_1, c_2, ..., c_n$, and further parse each $c_i$ into $U_i, V_i, C_i$;
for $c_i = (U_i, V_i, C_i)$, compute $K_{1,i} = e(dk_{r,1}, V_i)$,
Figure FDA0003798359900000071
if
Figure FDA0003798359900000072
is a valid fill, recover
Figure FDA0003798359900000073
and mark $a_i = 1$; otherwise the result is ⊥, and mark $a_i = 0$;
compute f(a) = k, where $a = (a_n, a_{n-1}, ..., a_1)$ is obtained from the previous step, and finally output
Figure FDA0003798359900000074
(6)
Figure FDA0003798359900000075
on input pp, $ek_s$, the identity of the intended receiver
Figure FDA0003798359900000076
the original message
Figure FDA0003798359900000077
the random number r and a fake message
Figure FDA0003798359900000078
the algorithm proceeds as follows:
if m′ = m, output r′ = r;
compute f(a) = k, set $a' = (a'_n, ..., a'_1) = (a_n, ..., a_{k+1}, 0, a_{k-1}, ..., a_1)$, and compute f(a′) = k′ such that
Figure FDA0003798359900000079
the message claimed to have been transmitted is
Figure FDA00037983599000000710
let
Figure FDA00037983599000000711
compute
Figure FDA00037983599000000712
and
Figure FDA00037983599000000713
and finally let
Figure FDA00037983599000000714
for $a'_i = 1$, i ∈ [n]\{k′}, let
Figure FDA00037983599000000715
let $(u'_{k'}, v'_{k'}, \perp) = (u_{k'}, v_{k'}, \perp)$;
for $a'_i = 0$, i ∈ [n]\{k}, let $(U'_i, V'_i, C'_i) = (U_i, V_i, C_i)$;
let
Figure FDA00037983599000000716
the PKADE structure supporting large message encryption can be appropriately modified to support messages of any size, using AES, SHA256 and the hash function
Figure FDA00037983599000000717
when $a_i = 1$, the sub-ciphertext is
Figure FDA00037983599000000718
where
Figure FDA00037983599000000719
is the AES key; when $a_i = 0$, the sub-ciphertext consists of the random elements $U_i, V_i, C_i, H_i$.
2. A public key authentication repudiation encryption system for implementing the public key authentication repudiation encryption method of claim 1, wherein the public key authentication repudiation encryption system comprises:
the system establishing module is used for generating public parameters and a main private key of the system;
the encryption key generation module is used for generating an encryption key of the sender;
the decryption key generation module is used for generating a decryption key of the receiver;
the encryption module is used for encrypting the message to generate a ciphertext;
the decryption module is used for decrypting the ciphertext and outputting a plaintext or the error symbol ⊥;
and the forging module is used for generating a forged random number that opens the ciphertext into a fake message.
3. A computer device comprising a memory and a processor, the memory storing a computer program that, when executed by the processor, causes the processor to perform the public key authentication repudiation encryption method of claim 1.
4. A computer-readable storage medium storing a computer program that, when executed by a processor, causes the processor to perform the public key authentication repudiation encryption method of claim 1.
5. An information data processing terminal characterized by being configured to implement the public key authentication repudiation encryption system according to claim 2.
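The parity bookkeeping of the single-bit construction in claim 1 (choose k ≡ m mod 2, decrypt by scanning for the longest valid prefix, fake by re-declaring element k as random) can be exercised in a toy model. This is an added example, not code from the patent: the pairing-derived mask is replaced by HMAC-SHA256 under one shared secret `key`, identities are omitted, and `fill` is an assumed fill function, so it illustrates the encoding only and provides no security.

```python
import hashlib
import hmac
import secrets

ETA = 16   # bytes of gamma_i (eta bits in the claim); assumed size
LAM = 16   # bytes of redundancy (lambda bits in the claim); assumed size
ULEN = 16  # bytes of the public part U_i; assumed size


def fill(gamma):
    # Assumed fill function: gamma followed by a truncated SHA-256 of gamma,
    # so a uniformly random string is a valid fill with probability 2^-128.
    return gamma + hashlib.sha256(gamma).digest()[:LAM]


def mask(key, u):
    # Stand-in for the hash of the pairing-derived key K_i in the claim.
    return hmac.new(key, u, hashlib.sha256).digest()  # ETA + LAM bytes


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def pseudo_element(key, u, gamma):
    """Pseudo-random sub-ciphertext (U_i, C_i) hiding a valid fill."""
    return (u, xor(fill(gamma), mask(key, u)))


def open_element(key, elem):
    """Return gamma if elem hides a valid fill, else None (the symbol ⊥)."""
    u, c = elem
    body = xor(c, mask(key, u))
    gamma = body[:ETA]
    return gamma if hmac.compare_digest(body, fill(gamma)) else None


def sample_randomness(m, n):
    """r = (k, pseudo-random inputs for i <= k, random elements for i > k)."""
    k = secrets.choice([j for j in range(1, n + 1) if j % 2 == m])
    pseudo = [(secrets.token_bytes(ULEN), secrets.token_bytes(ETA))
              for _ in range(k)]
    rand = [(secrets.token_bytes(ULEN), secrets.token_bytes(ETA + LAM))
            for _ in range(n - k)]
    return (k, pseudo, rand)


def encrypt(key, r):
    """Deterministic in r, so a claimed r can be checked against c."""
    _, pseudo, rand = r
    return [pseudo_element(key, u, g) for u, g in pseudo] + list(rand)


def decrypt(key, c):
    """Count the valid prefix; its parity is the bit. None means ⊥."""
    k = 0
    for elem in c:
        if open_element(key, elem) is None:
            break
        k += 1
    return None if k == 0 else k % 2


def fake(key, r, m, m_fake):
    """Forged randomness r' that opens the same ciphertext to m_fake."""
    k, pseudo, rand = r
    if m_fake == m:
        return r
    if k == 1:
        return None  # forgery fails, as in the claim
    # Re-declare the k-th pseudo-random element as a sampled random element.
    kth = pseudo_element(key, *pseudo[k - 1])
    return (k - 1, pseudo[:k - 1], [kth] + rand)


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    r = sample_randomness(1, 8)
    c = encrypt(key, r)
    r_fake = fake(key, r, 1, 0)
    print(decrypt(key, c), r_fake is not None and encrypt(key, r_fake) == c)
```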
CN202111309079.2A 2021-11-05 2021-11-05 Public key authentication repudiation encryption method and system Active CN114189329B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111309079.2A CN114189329B (en) 2021-11-05 2021-11-05 Public key authentication repudiation encryption method and system

Publications (2)

Publication Number Publication Date
CN114189329A CN114189329A (en) 2022-03-15
CN114189329B true CN114189329B (en) 2022-12-09

Family

ID=80601902

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111309079.2A Active CN114189329B (en) 2021-11-05 2021-11-05 Public key authentication repudiation encryption method and system

Country Status (1)

Country Link
CN (1) CN114189329B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110120939A (en) * 2019-04-08 2019-08-13 淮阴工学院 A kind of encryption method and system of the deniable authentication based on heterogeneous system
CN111835516A (en) * 2020-06-14 2020-10-27 西安电子科技大学 Public key repudiatable encryption method and system

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant