CN116074016A - Secret key protection method based on threshold mechanism - Google Patents
- Publication number
- CN116074016A (application CN202211534582.2A)
- Authority
- CN
- China
- Prior art keywords
- sender
- receiver
- time
- private key
- setting
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
- H04L9/3255—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using group based signatures, e.g. ring or threshold signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0891—Revocation or update of secret information, e.g. encryption key update or rekeying
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y04—INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
- Y04S—SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
- Y04S40/00—Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
- Y04S40/20—Information technology specific aspects, e.g. CAD, simulation, modelling, system security
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
The invention discloses a key-protecting signcryption method based on a threshold mechanism, characterized in that n trusted helpers are set up, at least k of the n helpers are used to update the real-time private keys of a sender and a receiver in different time periods, the sender generates a signcryption ciphertext, and the receiver recovers the plaintext with the unsigncryption algorithm and performs signature verification. The method specifically comprises the following steps: (1) establishing system parameters; (2) private key extraction; (3) generating real-time helper update information of sender a and receiver b in time slice t; (4) generating real-time private keys of sender a and receiver b in time slice t; (5) signcryption; (6) decryption of the signcryption. By using a threshold mechanism and key isolation, the invention solves the problem of private key protection in application scenarios where encryption and signing are realized in one logical step.
Description
Technical Field
The invention relates to a secret key protection method, in particular to a secret key protection method based on a threshold mechanism.
Background
Cryptography is the underlying support technology for information security and the core of authentication and access control. Confidentiality and authentication are two important security objectives in cryptography. In public key cryptosystems, the encryption and decryption schemes are two basic schemes, used to provide the two security objectives of message confidentiality and message authentication respectively. Some applications, such as email and e-commerce, need to achieve both objectives. A signcryption system can complete encryption and signing in one logical step, with computation and data volume smaller than the sum of the two. The sender generates a signcryption ciphertext through the signcryption computation. The receiver recovers the plaintext through the unsigncryption computation and verifies the signature.
The document "Identity based signcryption scheme without random oracles. Computer Standards & Interfaces, 2009, 39(1): 56-62." proposes an identity-based signcryption method that is provably secure in the standard model. The method suits application scenarios that use the identity of a user, instead of a random number, as the public key for signing. The method mainly comprises the following steps: first, generating the public system parameters and the system master key; second, generating the private key of the sender and the private key of the receiver; third, the sender generates a signature and ciphertext; fourth, the recipient generates the ciphertext using a decryption algorithm and verifies the signature. In this method, encryption and signing are implemented in one logical step, and signcryption reduces the overall computation and communication cost of encrypting and signing a message compared with the conventional "sign-before-encrypt" approach.
The document "Threshold key isolation signature based on identity under standard model. Journal of Shanghai Jiao Tong University, 2013, 47(8): 7." proposes an identity-based threshold key isolation signature method that is provably secure in the standard model. The method suits application scenarios where the private key of the signer needs to be protected. The method mainly comprises the following steps: first, generating the public system parameters and the system master key; second, generating the initial private key of the signer and n helper keys; third, generating the real-time private key update information of the signer; fourth, generating the real-time private key of the signer; fifth, the signer generates a signature; sixth, the verifier verifies the validity of the signature. In this method, the user updates the signing private key in each time segment using at least k of the n helper keys, which strengthens the system's ability to defend against key leakage.
The document "Identity-Based Key-isolated signature. Information, 2012, 23(1): 27-45." proposes an identity-based key isolation signcryption method that is provably secure in the standard model. The method suits application scenarios where the private keys of a sender and a receiver need to be protected. The method mainly comprises the following steps: first, generating the public system parameters and the system master key; second, generating an initial private key and a helper key for the sender and the receiver; third, generating the real-time private key update information of the sender and the receiver; fourth, generating the real-time private keys of the sender and the receiver; fifth, the sender generates a signature and ciphertext; sixth, the recipient generates ciphertext and verifies the signature using a decryption algorithm. In this method, the private keys of the sender and the receiver are updated in each time segment, which strengthens the system's ability to defend against private key leakage.
However, this approach has some drawbacks: it cannot be used in application scenarios where the helper key is leaked, it cannot perform key updates using several helpers, and it lacks flexibility, so it cannot solve the key protection problem in such application scenarios.
Disclosure of Invention
Purpose of the invention: in view of the defects of the prior art, the invention provides a secret key protection method based on a threshold mechanism which, by using the threshold mechanism and key isolation, solves the problem of private key protection in application scenarios where encryption and signing are realized in one logical step.
Technical scheme: the invention discloses a key-protecting signcryption method based on a threshold mechanism, in which n trusted helpers are set up, at least k of the n helpers are used to update the real-time private keys of a sender and a receiver in different time periods, the sender generates a signcryption ciphertext, and the receiver recovers the plaintext with the unsigncryption algorithm and performs signature verification.
The invention discloses a secret key protection method based on a threshold mechanism, which comprises the following steps:
(1) Establishing system parameters:
Let $u$ be a bit string of length $n_u$ representing an identity, and define the set of all indices at which the bit of $u$ is 1; let $a$ be the identity of the sender and $b$ the identity of the receiver; for a time segment $t$, a corresponding set represents all indices at which the bit string $t$ has a 1; let $m$ be a bit string of length $n_m$ representing the message; $G_1$ and $G_2$ are both multiplicative groups of prime order $p$ (determined by the safety factor $k$), and $g$ is a generator of $G_1$; $G_2$ is a multiplicative cyclic group of order $q$, and $e: G_1 \times G_1 \to G_2$ is a bilinear map; $Z$ denotes the set of integers, $Z_p$ denotes the set $\{0, 1, 2, \ldots, p-1\}$, and a further symbol denotes $Z_p \setminus \{0\}$; let $n_v$ be the security parameter and select a hash function $H_v: \{0,1\}^{n_m} \to \{0,1\}^{n_v}$; define a bijection $V: \Gamma \to G_2$, where $V^{-1}$ denotes its inverse mapping and $\Gamma$ is a subset of $\{0,1\}^{n_u+n_m+n_v}$ with $p$ elements; randomly select an integer $\alpha \in Z_p$, randomly select $g_2 \in G_1$, set $g_1 = g^{\alpha}$ and set $y = e(g_1, g_2)$; randomly select $u' \in G_1$ and, for $i = 1, \ldots, n_u$, randomly select $u_i \in G_1$, forming an $n_u$-dimensional vector; randomly select $w' \in G_1$ and, for $i = 1, \ldots, n_w$, randomly select $w_i \in G_1$, forming an $n_w$-dimensional vector; randomly select $m' \in G_1$ and, for $i = 1, \ldots, n_v$, randomly select $m_i \in G_1$, forming an $n_v$-dimensional vector; for an integer $i \in Z_p$ and a set $S$ of elements of $Z_p$, define the Lagrange coefficient; set the master private key $msk = \alpha$, and set the system public parameters to $(G_1, G_2, e, V, g_1, g_2, u', w', m')$ together with the three vectors.
(2) Private key extraction:
(2.1) Randomly select, calculate, and compute the initial private key of identity $u$; randomly select a polynomial $f_1$ of degree $k-1$ such that $f_1(0) = \alpha - \beta_u$; randomly select a polynomial $f_2$ of degree $k-1$ such that $f_2(0) = r_u$; for each $1 \le i \le n$, set the $i$-th helper key; the $n$ helper keys of user $u$ are $\{HK_{u,i}\}_{1 \le i \le n}$.
(2.2) sender a's initial private key and n helper keys are respectively
(2.3) the initial private key of receiver b and the n helper keys are respectively
(3) Generating real-time facilitator update information for sender a and receiver b at time slice t:
(3.2) similarly, the ith updated information fragment about t of sender a and receiver b is respectively
(4) Generating real-time private keys of the sender a and the receiver b at the time slice t:
Given the set of update information fragments $\{UI_{u,t,i}\}_{i \in S'}$ of user $u$ at time segment $t$, decompose the temporary private key of user $u$ in time segment $t'$ into its components; to construct the temporary private key $d_{u,t}$ of user $u$ at time segment $t$, user $u$ calculates
(5) Signcryption:
for message m, sender a performs signcryption as follows:
Order theTo make from H v (m) the j-th bit is different from the j-th bit of the set of subscripts j, i.e
Calculation of
Sender a outputs a ciphertext
And sends it to recipient b.
(6) Decryption of the signcryption:
Receiver b decomposes the received ciphertext (t, σ) into (t, (σ<1>, σ<2>, σ<3>, σ<4>, σ<5>, σ<6>, σ<7>)); receiver b decomposes his temporary private key into its components.
Output the message m if the following equation holds; otherwise output "decryption signcryption failure".
Working principle: the trusted center generates the system parameters, the initial private keys of the sender and the receiver, and the n helper keys; at least k of the n helper keys are used to update the real-time private keys of the sender and the receiver in different time periods, producing the real-time private keys of the sender and the receiver; the sender generates the ciphertext with the signcryption algorithm, and the receiver recovers the plaintext with the decryption algorithm and verifies the signature.
The beneficial effects are that: compared with the prior art, the invention has the following advantages:
(1) n independent and physically secure trusted helpers are set up for the sender and the receiver; when the sender and the receiver use secret values selected by themselves, at least k helpers are needed to generate an initial private key of the cryptosystem, so that the problem of identity revocation is avoided and resistance to key leakage is achieved;
(2) The cryptosystem updates the real-time private keys of the sender and the receiver in different time periods using at least k of the n helpers, which on the one hand improves the system's ability to defend against key leakage and on the other hand allows random key updating, providing flexibility;
(3) The sender realizes encryption and signing in one logical step, which reduces the total computation and communication cost of encrypting and signing the message.
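The threshold property behind step (2.1), where f_1 has degree k-1 and f_1(0) = α - β_u, can be illustrated as follows. This is an added example, not code from the patent: it replaces the pairing group G_1 with a small prime-order subgroup of the integers modulo a safe prime, assumes each helper contributes g raised to its share (the patent's helper-key formula is not reproduced on this page), and the names `share`, `lagrange_at_zero`, `combine_in_exponent` and `demo` are hypothetical.

```python
"""Added illustration: k-of-n threshold sharing of f_1(0) = alpha - beta_u."""
import secrets
from itertools import combinations

# Constructed toy parameters. Q = 2P + 1 is a safe prime, so the squares modulo Q
# form a cyclic group of prime order P; it stands in for the pairing group G_1.
P = 1019        # prime group order (plays the role of the page's p)
Q = 2 * P + 1   # 2039
G = 4           # 4 = 2^2 is a square other than 1, hence a generator of order P


def share(secret, k, n):
    """Split `secret` among n helpers with a random polynomial of degree k - 1.

    Returns {i: f(i)} for i = 1..n, where f(0) = secret (all arithmetic in Z_P).
    """
    if not 1 <= k <= n < P:
        raise ValueError("need 1 <= k <= n < P")
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(k - 1)]
    if k > 1:
        coeffs[-1] = 1 + secrets.randbelow(P - 1)  # non-zero: degree is exactly k - 1

    def f(x):
        acc = 0
        for c in reversed(coeffs):  # Horner evaluation
            acc = (acc * x + c) % P
        return acc

    return {i: f(i) for i in range(1, n + 1)}


def lagrange_at_zero(i, index_set):
    """Lagrange coefficient of index i over index_set, evaluated at x = 0 in Z_P."""
    num, den = 1, 1
    for j in index_set:
        if j != i:
            num = num * (-j) % P
            den = den * (i - j) % P
    return num * pow(den, -1, P) % P


def combine_in_exponent(contribs):
    """Combine helper contributions {i: G^f(i) mod Q} into G^f(0) mod Q.

    The result equals G^secret only if at least k distinct helpers contributed;
    the secret itself is never reassembled.
    """
    indices = list(contribs)
    out = 1
    for i, c in contribs.items():
        out = out * pow(c, lagrange_at_zero(i, indices), Q) % Q
    return out


def demo(k=3, n=5):
    """Return (expected, results for every k-subset, results for every (k-1)-subset)."""
    alpha = secrets.randbelow(P)    # master private key msk = alpha
    beta_u = secrets.randbelow(P)   # per-user value of step (2.1), random here (assumption)
    secret = (alpha - beta_u) % P   # f_1(0)
    contribs = {i: pow(G, s, Q) for i, s in share(secret, k, n).items()}
    expected = pow(G, secret, Q)
    enough = [combine_in_exponent({i: contribs[i] for i in sub})
              for sub in combinations(contribs, k)]
    too_few = [combine_in_exponent({i: contribs[i] for i in sub})
               for sub in combinations(contribs, k - 1)]
    return expected, enough, too_few


if __name__ == "__main__":
    expected, enough, too_few = demo()
    print("every quorum of k helpers agrees:", all(v == expected for v in enough))
    print("any k-1 helpers miss the target: ", all(v != expected for v in too_few))
```

Because the leading coefficient is forced to be non-zero, any k-1 helpers interpolate a polynomial whose value at 0 differs from f_1(0), so an under-sized set of helpers always produces a wrong combined value.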
Drawings
Fig. 1 is a flow chart of the key-protecting signcryption method based on a threshold mechanism of the present invention.
Detailed Description
As shown in Fig. 1, the flow of the key-protecting signcryption method based on a threshold mechanism of the present invention is as follows: n helper keys are set; at least k of the n helper keys are used to update the real-time private keys of the sender and the receiver in different time periods; the update information of the real-time private key is generated at the start of each time period and the real-time private key is updated, yielding the real-time private keys of the sender and the receiver; the sender generates the ciphertext with the signcryption algorithm, and the receiver recovers the plaintext with the unsigncryption algorithm and verifies the signature.
The invention discloses a secret key protection method based on a threshold mechanism, which comprises the following steps:
(1) Establishing system parameters:
Let $u$ be a bit string of length $n_u$ representing an identity, and define the set of all indices at which the bit of $u$ is 1; let $a$ be the identity of the sender and $b$ the identity of the receiver; for a time segment $t$, a corresponding set represents all indices at which the bit string $t$ has a 1; let $m$ be a bit string of length $n_m$ representing the message; $G_1$ and $G_2$ are both multiplicative groups of prime order $p$ (determined by the safety factor $k$), and $g$ is a generator of $G_1$; $G_2$ is a multiplicative cyclic group of order $q$, and $e: G_1 \times G_1 \to G_2$ is a bilinear map; $Z$ denotes the set of integers, $Z_p$ denotes the set $\{0, 1, 2, \ldots, p-1\}$, and a further symbol denotes $Z_p \setminus \{0\}$; let $n_v$ be the security parameter and select a hash function $H_v: \{0,1\}^{n_m} \to \{0,1\}^{n_v}$; define a bijection $V: \Gamma \to G_2$, where $V^{-1}$ denotes its inverse mapping and $\Gamma$ is a subset of $\{0,1\}^{n_u+n_m+n_v}$ with $p$ elements; randomly select an integer $\alpha \in Z_p$, randomly select $g_2 \in G_1$, set $g_1 = g^{\alpha}$ and set $y = e(g_1, g_2)$; randomly select $u' \in G_1$ and, for $i = 1, \ldots, n_u$, randomly select $u_i \in G_1$, forming an $n_u$-dimensional vector; randomly select $w' \in G_1$ and, for $i = 1, \ldots, n_w$, randomly select $w_i \in G_1$, forming an $n_w$-dimensional vector; randomly select $m' \in G_1$ and, for $i = 1, \ldots, n_v$, randomly select $m_i \in G_1$, forming an $n_v$-dimensional vector; for an integer $i \in Z_p$ and a set $S$ of elements of $Z_p$, define the Lagrange coefficient; set the master private key $msk = \alpha$, and set the system public parameters to $(G_1, G_2, e, V, g_1, g_2, u', w', m')$ together with the three vectors.
(2) Private key extraction:
(2.1) Randomly select, calculate, and compute the initial private key of identity $u$; randomly select a polynomial $f_1$ of degree $k-1$ such that $f_1(0) = \alpha - \beta_u$; randomly select a polynomial $f_2$ of degree $k-1$ such that $f_2(0) = r_u$; for each $1 \le i \le n$, set the $i$-th helper key; the $n$ helper keys of user $u$ are $\{HK_{u,i}\}_{1 \le i \le n}$.
(2.3) For receiver b, the initial private key is accompanied by the n helper keys $\{HK_{b,i}\}_{1 \le i \le n}$.
(3) Generating real-time facilitator update information for sender a and receiver b at time slice t:
(3.2) similarly, the ith updated information fragment about t of sender a and receiver b is respectively
(4) Generating real-time private keys of the sender a and the receiver b at the time slice t:
Given the set of update information fragments $\{UI_{u,t,i}\}_{i \in S'}$ of user $u$ at time segment $t$, decompose the temporary private key of user $u$ in time segment $t'$ into its components; to construct the temporary private key $d_{u,t}$ of user $u$ at time segment $t$, user $u$ calculates
Order theThen->Likewise, the temporary private keys of sender a and receiver b at time segment t are respectively
(5) Signcryption:
for message m, sender a performs signcryption as follows:
Order theTo make from H v (m) the j-th bit is different from the j-th bit of the set of subscripts j, i.eCalculation of
Sender a outputs a ciphertext
And sends it to recipient b.
(6) Decryption of the signcryption:
Receiver b decomposes the received ciphertext (t, σ) into (t, (σ<1>, σ<2>, σ<3>, σ<4>, σ<5>, σ<6>, σ<7>)). Receiver b decomposes his temporary private key into its components.
Output the message m if the following equation holds; otherwise output "decryption signcryption failure".
Claims (5)
1. A key-protecting signcryption method based on a threshold mechanism, characterized in that: n trusted helpers are set up, at least k of the n helpers are used to update the real-time private keys of a sender and a receiver in different time periods, the sender generates a signcryption ciphertext, and the receiver recovers the plaintext using a decryption algorithm and performs signature verification.
2. The method of claim 1, characterized in that the method comprises the following steps:
(1) Establishing system parameters:
Let $u$ be a bit string of length $n_u$ representing an identity, and define the set of all indices at which the bit of $u$ is 1; let $a$ be the identity of the sender and $b$ the identity of the receiver; for a time segment $t$, a corresponding set represents all indices at which the bit string $t$ has a 1; let $m$ be a bit string of length $n_m$ representing the message; $G_1$ and $G_2$ are both multiplicative groups of prime order $p$, and $g$ is a generator of $G_1$; $G_2$ is a multiplicative cyclic group of order $q$, and $e: G_1 \times G_1 \to G_2$ is a bilinear map; $Z$ denotes the set of integers, $Z_p$ denotes the set $\{0, 1, 2, \ldots, p-1\}$, and a further symbol denotes $Z_p \setminus \{0\}$; let $n_v$ be the security parameter and select a hash function $H_v: \{0,1\}^{n_m} \to \{0,1\}^{n_v}$; define a bijection $V: \Gamma \to G_2$, where $V^{-1}$ denotes its inverse mapping and $\Gamma$ is a subset of $\{0,1\}^{n_u+n_m+n_v}$ with $p$ elements; randomly select an integer $\alpha \in Z_p$, randomly select $g_2 \in G_1$, set $g_1 = g^{\alpha}$ and set $y = e(g_1, g_2)$; randomly select $u' \in G_1$ and, for $i = 1, \ldots, n_u$, randomly select $u_i \in G_1$, forming an $n_u$-dimensional vector; randomly select $w' \in G_1$ and, for $i = 1, \ldots, n_w$, randomly select $w_i \in G_1$, forming an $n_w$-dimensional vector; randomly select $m' \in G_1$ and, for $i = 1, \ldots, n_v$, randomly select $m_i \in G_1$, forming an $n_v$-dimensional vector; for an integer $i \in Z_p$ and a set $S$ of elements of $Z_p$, define the Lagrange coefficient; set the master private key $msk = \alpha$ and set the system public parameters.
(2) Private key extraction:
(2.2) sender a's initial private key and n helper keys are
(2.3) initial private Key of receiver b and n helper keys are
(3) Generating real-time facilitator update information for sender a and receiver b at time slice t:
(3.1) ith helper random selectionWill be related to tIs set to the i-th update information fragment of
(4) Generating real-time private keys of the sender a and the receiver b at the time slice t:
Given the set of update information fragments $\{UI_{u,t,i}\}_{i \in S'}$ of user $u$ at time segment $t$, decompose the temporary private key of user $u$ in time segment $t'$ into its components; to construct the temporary private key $d_{u,t}$ of user $u$ at time segment $t$, user $u$ calculates
Likewise, sender a's temporary private key d at time segment t a,t The method comprises the following steps:
temporary private key d of receiver b at time segment t b,t Is that
(5) Signcryption:
for message m, sender a performs signcryption as follows:
Order theTo make from H v (m) the j-th bit is different from the j-th bit of the set of subscripts j, i.e
Calculation of
Sender a outputs a ciphertext
And sends it to recipient b
(6) Decryption of the signcryption:
Receiver b decomposes the received ciphertext (t, σ) into (t, (σ<1>, σ<2>, σ<3>, σ<4>, σ<5>, σ<6>, σ<7>)); receiver b decomposes the temporary private key into its components.
Output the message m if the following equation holds; otherwise output "decryption signcryption failure".
3. The method of claim 1, characterized in that the prime number p in step (1) is determined by the safety factor k.
4. The method of claim 1, characterized in that, in step (2.1): randomly select, calculate, and compute the initial private key of identity $u$; randomly select a polynomial $f_1$ of degree $k-1$ such that $f_1(0) = \alpha - \beta_u$; randomly select a polynomial $f_2$ of degree $k-1$ such that $f_2(0) = r_u$; for each $1 \le i \le n$, set the $i$-th helper key; the $n$ helper keys of user $u$ are $\{HK_{u,i}\}_{1 \le i \le n}$.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211534582.2A CN116074016A (en) | 2022-12-02 | 2022-12-02 | Secret key protection method based on threshold mechanism |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211534582.2A CN116074016A (en) | 2022-12-02 | 2022-12-02 | Secret key protection method based on threshold mechanism |
Publications (1)
Publication Number | Publication Date |
---|---|
CN116074016A true CN116074016A (en) | 2023-05-05 |
Family
ID=86177794
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202211534582.2A Pending CN116074016A (en) | 2022-12-02 | 2022-12-02 | Secret key protection method based on threshold mechanism |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN116074016A (en) |
-
2022
- 2022-12-02 CN CN202211534582.2A patent/CN116074016A/en active Pending
Similar Documents
Publication | Publication Date | Title |
---|---|---|
JP4712017B2 (en) | Message authentication code generation method using stream cipher, authentication encryption method using stream cipher, and authentication decryption method using stream cipher | |
CN103414569B (en) | A kind of method of the public key cryptography setting up attack resistance | |
CN107707358B (en) | EC-KCDSA digital signature generation method and system | |
US6298153B1 (en) | Digital signature method and information communication system and apparatus using such method | |
JP4405810B2 (en) | Encryption and signature scheme based on hierarchical identity | |
KR100930577B1 (en) | Message authentication code generation method using stream cipher, authentication encryption method using stream cipher, and authentication decryption method using stream cipher | |
CN107911209B (en) | Method for establishing security public key password for resisting quantum computing attack | |
CN107733648A (en) | The RSA digital signature generation method and system of a kind of identity-based | |
CN114095181B (en) | Threshold ring signature method and system based on cryptographic algorithm | |
CN110851845A (en) | Light-weight single-user multi-data all-homomorphic data packaging method | |
CN110855425A (en) | Lightweight multiparty cooperative SM9 key generation and ciphertext decryption method and medium | |
WO2012147001A1 (en) | Data encryption | |
CN111030821B (en) | Encryption method of alliance chain based on bilinear mapping technology | |
CN113132104A (en) | Active and safe ECDSA (electronic signature SA) digital signature two-party generation method | |
CN105393488B (en) | The method for establishing the public key cryptography of resisting quantum computation attack | |
US20050240762A1 (en) | Cryptographic method and apparatus | |
CN110943845A (en) | Method and medium for cooperatively generating SM9 signature by two light-weight parties | |
US6931126B1 (en) | Non malleable encryption method and apparatus using key-encryption keys and digital signature | |
CN103684764B (en) | A kind of efficient public key encryption with forward secrecy | |
Grewal | ElGamal: public-key cryptosystem | |
CN116074016A (en) | Secret key protection method based on threshold mechanism | |
CN112511311A (en) | Encryption threshold signature method based on confusion technology | |
JP2004246350A (en) | Enciphering device, deciphering device, enciphering system equipped with the same, enciphering method, and deciphering method | |
CN115296792A (en) | Identity-based signcryption method for protecting secret key | |
CN113347009B (en) | Certificateless threshold signcryption method based on elliptic curve cryptosystem |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||