CN118337372A - Security traceable group key negotiation method and system based on aggregated broadcast - Google Patents


Info

Publication number
CN118337372A
Authority
CN
China
Prior art keywords
key
group
tree
user
signature
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202410401561.6A
Other languages
Chinese (zh)
Inventor
杜瑞颖
彭云璐
陈晶
何琨
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Wuhan University WHU
Original Assignee
Wuhan University WHU

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention discloses a security traceable group key negotiation method and system based on an aggregate broadcast, which address the security of group message transmission among many participants over an insecure communication network. The invention uses a key tree to divide the group users into several subgroups, introduces a signature-based aggregatable broadcast encryption scheme, and combines it with the key encapsulation idea to carry out key negotiation among the subgroups, dynamically realizing operations such as creating groups, adding and deleting users and updating keys. The invention designs a double ratchet tree key exchange scheme that meets security attributes of the group key such as privacy, forward and backward security and traceability after key leakage, reduces the computation complexity and communication overhead of a group sender and a group receiver to O(log n) and O(1) respectively, and is feasible for medium-sized groups of tens to hundreds of users.

Description

Security traceable group key negotiation method and system based on aggregated broadcast
Technical Field
The invention belongs to the technical field of cryptography, relates to a group key negotiation method and system, and in particular to a security traceable group key negotiation method and system based on an aggregatable broadcast.
Background
Today, society relies increasingly on instant messaging, and the communication and dissemination of information all require the internet or other digital communication networks. End-to-end encrypted communication applications such as WhatsApp and Signal are among the most widely used encryption applications on the internet, providing two-party communication or multi-party group communication services to billions of everyday users. However, while these applications bring convenience to daily life, message leakage repeatedly threatens personal privacy, and this threat often has more serious consequences in group communication. A secure messaging protocol enables users to communicate securely over an untrusted infrastructure, and as such, improving the security and privacy of internet instant messaging is of growing interest.
A group key negotiation protocol is a type of cryptographic protocol for negotiating and managing a shared group key among several participants. In group communication, multiple members may need to share a key to secure their communication, and a group key agreement protocol is designed to achieve this. Currently there are many effective solutions to two-party secure communication, such as the Signal protocol with its double ratchet algorithm and certificateless two-party key agreement protocols; these ensure not only the privacy of two-party communication data but also the forward security (FS, forward secrecy) and backward security (PCS, post-compromise security) of the message keys used in the communication. The group key agreement protocol for the group scenario, however, still has no satisfactory solution. In a communication protocol, forward security means that even if one party leaks the shared key at some moment, the messages transferred before the leak remain secure; conversely, backward security means that after the leak has been repaired, the security of the protocol can be restored. However, once the protocols designed for the two-party scenario are extended to group communication, only pairwise communication between group users can be adopted, so the communication overhead grows quadratically with the number of users, and the forward and backward security of group messages is difficult to guarantee.
Considering the difficulty of extending two-party protocols to multi-party scenarios, most newly proposed protocols target the characteristic that many users in a group negotiate together, take a key tree as the main structure, and complete the negotiation of a group key by broadcasting encrypted information. Such systems, however, have difficulty locating and removing malicious users in time, and cannot quickly enter the next stage and restore the security of the protocol.
Disclosure of Invention
In order to reduce the communication overhead of key updating to a certain extent while ensuring several security properties of the group private key, the invention abandons the mode of calculating public and private keys layer by layer through a tree structure, keeps only the shared calculation of the private keys, and provides a security traceable group key negotiation method and system based on aggregatable broadcast, using a signature-based aggregatable public key broadcast scheme.
The technical scheme adopted by the method is as follows: a security traceable group key negotiation method based on an aggregate broadcast comprises an initialization method, a group creation method, a member addition method, a member removal method, a key update method and a message processing method;
the initialization method comprises the steps of initializing a public key to generate a security parameter, and generating a public parameter by using a signature-based aggregatable broadcast encryption scheme based on the security parameter; initializing user sequence identifiers to form a user list and record the current state of each user, wherein an initialized variable is used for tracking the change of the public key tree generated by the group, and an initialized sequence is used for tracking the change of the signature tree generated by each user of the group in each round of updating;
the group creation method comprises the steps of creating a new group, generating public and private key pairs for each user by using a signature-based aggregatable broadcast encryption scheme, calculating a signature, and creating a public key tree and a signature tree to generate an initial group key;
the member adding method comprises the steps of generating a new public and private key pair according to a new user identifier when a new user is added in a group, creating a new leaf node record user key information in a public key tree and a signature tree, and updating the public key tree and the signature tree;
the member removing method comprises the steps that when a group has a user to be removed, the user is found in a key tree, key information of the user is deleted, and the key tree information is updated;
The key updating method comprises the steps of generating a new public key pair and a new group key under the condition that a group needs to update a key, and updating key tree information;
The message processing method comprises message transmission among group users and encryption and decryption of messages.
Preferably, in the initialization method, each user can obtain the IDs of all users in the group G, signs every ID other than its own with its own public and private key pair, and broadcasts the signature values for the other users to download; after receiving the broadcast, each user downloads all other users' signatures on its own ID and creates and calculates its private signature tree.
Preferably, when a user creates a new group, the group user information and related state variables are initialized first, and a group public key tree and a user signature tree are constructed from the user key information; every time a group member changes or a key update operation is performed, the current group state is updated and the structures of the group public key tree and the user signature tree are updated, advancing the group to the next state.
Preferably, in the group creation method, all current group members are divided into different subgroups according to their arrangement in the public key tree: all users under each intermediate node form a unique subgroup, and the aggregate public key held by that intermediate node is called the subgroup public key. The group key updated by a user is encapsulated with the subgroup public keys from the public key tree and sent to the corresponding subgroups, and the users in each subgroup decrypt it with their own private keys. Whenever a user is added or removed, a user's key information is updated, or the group key needs to be updated, the public key tree and the signature tree perform the corresponding operations to update for one round.
Preferably, in the group creation method, a ratchet tree is created, including a public key tree and a signature tree, the public key tree and the signature tree are constructed and generated according to key information, tree nodes are traversed, intermediate nodes are calculated by homomorphic multiplication, and complete key tree information is output;
the ratchet tree creation algorithm TREECREATE specifically includes the following steps:
Step 1: input a user set G = (ID_0, ID_1, ID_2, ..., ID_{n-1}) and a key set K = (k_{n-1}, k_n, k_{n+1}, ..., k_{2n-2}), where the user key corresponding to each ID_i is k_{i+n-1};
Step 2: create a ratchet tree τ according to the number of users, the key information of each leaf node comprising (ID_i, k_{i+n-1});
Step 3: traverse and calculate the other tree nodes;
Calculate the intermediate nodes upwards from the leaf node k_{n-1}, where the key information of each intermediate node is calculated from its corresponding child nodes: if k_i is a user public key, the intermediate node is computed by public key homomorphic multiplication, up to the calculation of the root node; if k_i is a user signature, the intermediate node is computed by signature homomorphic multiplication, namely k_{i/2} = k_i ⊙ k_{i+1}, until the root node is calculated.
Step 4: the ratchet tree τ is output.
The key tree updating algorithm TreeUpdate updates key tree information by adopting a dual ratchet tree key exchange scheme, and specifically comprises the following steps:
Step 1: input a ratchet tree τ and the updated key information (ID_i, k_i);
Step 2: modify the key k_{i+n-1} corresponding to ID_i to k'.
Step 3: traverse and recalculate the updated tree nodes;
Calculate the intermediate nodes upwards from the leaf node k_{n-1}, where the key information of each intermediate node is calculated from its corresponding child nodes: if k_i is a user public key, the intermediate node is computed by public key homomorphic multiplication, up to the calculation of the root node; if k_i is a user signature, the intermediate node is computed by signature homomorphic multiplication, namely k_{i/2} = k_i ⊙ k_{i+1}, until the root node is calculated.
Step 4: the ratchet tree τ' is output.
Preferably, the security parameter is used to generate public parameters with a signature-based aggregatable broadcast encryption scheme; a public-private key pair is constructed using the bilinear pairing principle, and for any input string the following four operations are performed: generating a valid signature, verifying the validity of a signature, encrypting and outputting a ciphertext, and decrypting to the plaintext. The method is a broadcast encryption scheme under a public key system and can serve both as a signature scheme and as a broadcast scheme. The generated public key can be used both to sign and to encrypt messages, and besides decryption with the valid private key, any valid signature under the public key can also decrypt the ciphertext. For public key pairs generated from the same system parameters, the combination of two different public keys' signatures on the same message is also a valid signature for that message, which can be verified with the combination of the given public keys, and ciphertext encrypted under the combined public key can likewise be decrypted.
Preferably, the method uses a signature-based aggregatable broadcast encryption scheme to generate a public-private key pair for each user and to calculate signatures; when a user creates a new group, the group user information and related state variables are initialized first, and a group public key tree and the user signature trees are constructed from the user key information. The signature information is broadcast within the subgroups defined by the key tree, and the current initial group key is obtained through an initial round of updating. Every time a group member changes or a key update operation is carried out, the current group state is updated, the corresponding algorithm of the public key tree and the signature tree is called to update the tree structure, and the group enters the next state. Maintaining the group state ensures that the group key is available at each stage and that the forward and backward security of the group key is guaranteed.
The system of the invention adopts the technical proposal that: a security traceable group key negotiation system based on an aggregate broadcast comprises an initialization module, a group creation module, a member addition module, a member removal module, a key update module and a message processing module;
the initialization module is used for initializing the public key to generate a security parameter, and generating a public parameter by using a signature-based aggregatable broadcast encryption scheme based on the security parameter; initializing user sequence identifiers to form a user list and record the current state of each user, wherein an initialized variable is used for tracking the change of the public key tree generated by the group, and an initialized sequence is used for tracking the change of the signature tree generated by each user of the group in each round of updating;
The group creation module is used for creating a new group, generating public and private key pairs for each user by using a signature-based aggregatable broadcast encryption scheme, calculating a signature, and creating a public key tree and a signature tree to generate an initial group key;
The member adding module is used for generating a new public and private key pair according to a new user identifier when a new user is added in the group, creating a new leaf node record user key information in the public key tree and the signature tree, and updating the group public key tree and the user signature tree;
the member removing module is used for finding the user in the key tree and deleting the key information of the user when the user needs to be removed in the group, and updating the key tree information;
the key updating module is used for generating a new public and private key pair and a group key under the condition that the group needs to update the key, and updating the key tree information;
the message processing module is used for message transmission among group users and encryption and decryption of messages.
Compared with the prior art, the invention has the advantages and positive effects mainly represented in the following aspects:
1. The invention provides a novel traceable group key negotiation protocol based on the aggregate broadcasting, which expands the public key broadcasting scheme originally used under the constraint of static group conditions to safely share the group key in a dynamic group, ensures the privacy of the message key in communication and ensures the forward security and the backward security in long-term communication.
2. The invention designs a double ratchet tree key exchange scheme, which utilizes the key encapsulation idea to carry out intra-group key exchange, reduces the broadcast communication overhead of key update, reduces the complexity to the minimum, and simultaneously ensures the traceability after the key leakage.
3. The invention is compared with prior proposals in terms of security, communication overhead, storage space and the like; it realizes the security characteristics of group key negotiation such as key privacy, forward and backward security and traceability after key leakage, and has a certain scalability in medium-sized groups of tens to hundreds of users.
Drawings
The following examples, as well as specific embodiments, are used to further illustrate the technical aspects of the present invention. In addition, in the course of describing the technical solutions, some drawings are also used. Other figures and the intent of the present invention can be derived from these figures without inventive effort for a person skilled in the art.
Fig. 1 is a block diagram of a method of an embodiment of the present invention.
FIG. 2 is a schematic diagram of a group public key tree according to an embodiment of the present invention.
FIG. 3 is a schematic diagram of a user signature tree of an embodiment of the present invention.
Fig. 4 is a schematic diagram of sending a packaged group key to a subgroup by an update node in an embodiment of the invention.
Detailed Description
To facilitate the understanding and practice of the invention, it will now be described in further detail with reference to the drawings and examples; it should be understood that the examples described herein are for the purpose of illustration and explanation only and are not intended to limit the invention.
Referring to fig. 1, the security traceable group key negotiation method based on aggregatable broadcast according to the present embodiment includes an initialization method, a group creation method, a member addition method, a member removal method, a key update method, and a message processing method.
The initialization method comprises the steps of initializing a public key to generate a security parameter λ, and generating a public parameter π ← ParaGen(1^λ) by using a signature-based aggregatable broadcast encryption scheme based on the security parameter; group-related state variables are initialized. The initialized user sequence identifiers ID form a user list and record the current state of the users; the initialized variable τ is used for tracking the change of the public key tree generated by the group, and the initialized sequence τ_i is used for tracking the change of the signature tree generated by each user of the group in each round of updating.
In the same group, since the users' IDs differ, their private signature trees also differ; hence the sender uses the same public key from the public key tree when encrypting, while the decryption private keys that different users calculate from their private signature trees are different.
The group creation method comprises the steps of creating a new group, generating public and private key pairs for each user by using a signature-based aggregatable broadcast encryption scheme, calculating a signature, and creating a public key tree and a signature tree to generate an initial group key;
In one embodiment, a new group is created using the initialized user information, specifically comprising the steps of:
Step 1: input the user set G = (ID_0, ID_1, ID_2, ..., ID_{n-1}), where ID_0, ID_1, ID_2, ..., ID_{n-1} are the identities of the n users;
Step 2: obtain key pairs. Using the signature-based aggregatable broadcast scheme, generate encapsulation keys, creating a total of n key pairs, one for each user ID_i in the group set G: (pk_i, sk_i) ← KeyGen(π), where pk_i and sk_i are the public and private keys of user ID_i respectively;
Step 3: calculate signatures. Each user ID_i ∈ G signs all user IDs ID_j ∈ G in the user set: σ_i(ID_j) ← Sign(pk_i, sk_i, ID_j), where the signature σ_i(ID_i) that user ID_i produces on its own ID_i with private key sk_i is stored privately by the user, while the public key information pk_i and the other signatures σ_i = (σ_i(ID_1), ..., σ_i(ID_{i-1}), σ_i(ID_{i+1}), ..., σ_i(ID_{n-1})) are broadcast to the other users; here σ ← Sign(pk, sk, s) denotes the signature on input s output by a public/private key pair (pk, sk) generated under π.
Step 4: create the public key tree and the signature trees. With the set G, the public keys pk = (pk_0, pk_1, ..., pk_{n-1}) broadcast by each user and the signature information σ = (σ_0, σ_1, ..., σ_{n-1}) of each user as input, the ratchet tree creation algorithm is called to obtain the public key tree τ ← TreeCreate(G, pk) and n user signature trees τ_i ← TreeCreate(G, σ_i).
Step 5: group key transmission and reception. The group creator generates the group key gk_0 as the initial group key and sends it through the key tree to the subgroups as KM ← SendKey(ID_i, gk_0); the subgroup users decrypt it individually to obtain gk_0 = RecKey(ID_j, KM).
Step 6: the public key tree τ and all τ_i are output.
The dual ratchet tree key exchange scheme of this embodiment includes a public key tree and a signature tree, see fig. 2 and 3. After each operation, all users need to negotiate a private group key shared within the group: the user encapsulates the private group key with the public key tree and distributes it to the different subgroups, and the subgroup users derive their different private keys from the signature tree to decapsulate it and obtain the private group key, completing one key negotiation task.
In one embodiment, the creating ratchet tree algorithm TREECREATE specifically includes the following steps:
Step 1: input a user set G = (ID_0, ID_1, ID_2, ..., ID_{n-1}) and a key set K = (k_{n-1}, k_n, k_{n+1}, ..., k_{2n-2}), where the user key corresponding to each ID_i is k_{i+n-1};
Step 2: create a ratchet tree τ according to the number of users, the key information of each leaf node comprising (ID_i, k_{i+n-1});
Step 3: traverse and calculate the other tree nodes;
Calculate the intermediate nodes upwards from the leaf node k_{n-1}, where the key information of each intermediate node is calculated from its corresponding child nodes: if k_i is a user public key, the intermediate node is computed by public key homomorphic multiplication, up to the calculation of the root node; if k_i is a user signature, the intermediate node is computed by signature homomorphic multiplication, namely k_{i/2} = k_i ⊙ k_{i+1}, until the root node is calculated.
Step 4: the ratchet tree τ is output.
In one embodiment, when a user creates a new group, the group user information and related state variables are initialized first, and a group public key tree and a user signature tree are constructed from the user key information; every time a group member changes or a key update operation is carried out, the current group state is updated, and the corresponding algorithm of the public key tree and the signature tree is called to update the key tree structure so that the group enters the next state.
The member adding method comprises the steps of generating a new public and private key pair according to a new user identifier when a new user is added in a group, creating a new leaf node record user key information in a public key tree and a signature tree, and updating a key tree;
In one embodiment, all current group members may be partitioned into different subgroups according to their arrangement in the key tree, with all users under each intermediate node constituting a unique subgroup and the aggregate public key held by that intermediate node being referred to as the subgroup public key; the group key that a user wants to update is encapsulated with the subgroup public keys of the public key tree and sent to the corresponding subgroups, and the users in each subgroup decrypt it with their own private keys; whenever a user is added or removed, a user's key information is updated, or the group key needs to be updated, the public key tree and the signature tree perform the corresponding operations to update for one round.
In one embodiment, adding a new user to the group specifically comprises the steps of:
Step 1: input the new user ID_k and the public key tree τ;
Step 2: check whether ID_k is already present in G; if so, the addition fails;
Step 3: obtain a new key pair (pk_k, sk_k) ← KeyGen(π);
Step 4: calculate signatures. The new user ID_k signs the current set G to obtain the signature set σ_k = (σ_k(ID_0), ..., σ_k(ID_n)) and broadcasts the signature values to the other users.
Step 5: invoke the ratchet tree add-user-node algorithm to update the shared public key tree τ' ← AddUser(τ, ID_k, pk_k) and each user signature tree τ_i' ← AddUser(τ_i, ID_k, σ_k(ID_i)) respectively;
Step 6: user ID_k generates a symmetric key gk_{l+1} as the new group key and sends it to the subgroups as KM ← SendKey(ID_k, gk_{l+1}), where it is decrypted separately by the subgroup users to obtain gk_{l+1} = RecKey(ID_i, KM);
Step 7: the public key tree τ' is output.
In one embodiment, the adding user node algorithm AddUser specifically includes the following steps:
Step 1: input the ratchet tree τ and the new user information (ID_i, k_i);
Step 2: check whether ID_i already exists in G; if so, it cannot be added;
Step 3: check for empty leaf nodes. If an empty node exists in the tree, store the key information in the first empty node; if no empty node exists, create a new node;
Step 4: update the tree, τ' ← TreeUpdate(τ, ID_i, k_i);
Step 5: the ratchet tree τ' is output.
In one embodiment, the tree updating algorithm TreeUpdate specifically includes the following steps:
Step 1: input the ratchet tree τ and the updated key information (ID_i, k_i);
Step 2: modify the key k_{i+n-1} corresponding to ID_i to k'.
Step 3: traverse and recalculate the updated tree nodes;
Calculate the intermediate nodes upwards from the leaf node k_{n-1}, where the key information of each intermediate node is calculated from its corresponding child nodes: if k_i is a user public key, the intermediate node is computed by public key homomorphic multiplication, up to the calculation of the root node; if k_i is a user signature, the intermediate node is computed by signature homomorphic multiplication, namely k_{i/2} = k_i ⊙ k_{i+1}, until the root node is calculated.
Step 4: the ratchet tree τ' is output.
The member removing method comprises the steps that when a group has a user to be removed, the user is found in a key tree, key information of the user is deleted, and the key tree information is updated according to a double ratchet tree key exchange scheme;
in one embodiment, deleting an existing user from the group specifically comprises the steps of:
Step 1: input the user ID_k to be removed;
Step 2: check whether ID_k exists in G; if not, the removal fails;
Step 3: invoke the ratchet tree delete-user-node algorithm to update the shared public key tree τ' ← RemUser(τ, ID_k, pk_k) and each user signature tree τ_i' ← RemUser(τ_i, ID_k, σ_k(ID_i)) respectively;
Step 4: ID_k generates a symmetric key gk_{l+1} as the new shared group key and sends it to the subgroups as KM ← SendKey(ID_k, gk_{l+1}); the subgroup users decrypt independently to obtain gk_{l+1} = RecKey(ID_i, KM);
Step 5: the public key tree τ' is output.
In one embodiment, the deleting user node RemUser algorithm specifically includes the following steps:
Step 1: input the ratchet tree τ and the user information to delete (ID_i, k_i);
Step 2: check whether ID_k exists in G; if not, the deletion fails;
Step 3: the tree nodes on the modified path, from the deleted and updated node up to the root node, are recalculated: the key information in the leaf node is deleted and set to 1, and the tree is updated as τ' ← TreeUpdate(τ, ID_i, k_i);
Step 4: the ratchet tree τ' is output.
The key updating method comprises the steps that, when the group needs to update a key, for example because a user key is lost or the group key is leaked, a new public key pair and a new group key are generated, and the key tree information is updated;
In one embodiment, the method for updating the key specifically includes the following steps:
Step 1: input the user ID_k performing the update;
Step 2: check whether ID_k exists in G; if not, the update fails;
Step 3: obtain a new key pair (pk_k', sk_k') ← KeyGen(π);
Step 4: invoke the ratchet tree update algorithm to update the shared public key tree τ' ← TreeUpdate(τ, ID_k, pk_k) and each user signature tree τ_i' ← TreeUpdate(τ_i, ID_k, σ_k(ID_i)) respectively;
Step 5: ID_k generates a symmetric key gk_{l+1} as the new shared group key and sends it to the subgroups as KM ← SendKey(ID_k, gk_{l+1}); the subgroup users decrypt independently to obtain gk_{l+1} = RecKey(ID_i, KM);
Step 6: the public key tree τ' is output.
In one embodiment, the key sending SendKey algorithm specifically includes the following steps:
Step 1: input a user ID_k and a group key gk;
Step 2: select the sibling nodes of all nodes on the path from the leaf node of ID_k to the root node, and obtain the corresponding public key or subgroup public key of each;
Step 3: encrypt the group key with the public key pk_{k-1} (or the aggregated valid public key gpk_i) held by these nodes, Encrypt(pk_{k-1}, gk) (or Encrypt(gpk_i, gk)), and output the log n encapsulated keys KM, which are sent to the corresponding subgroups as shown in fig. 4.
In one embodiment, the key receiving RecKey algorithm specifically includes the following steps:
Step 1: input a user ID_k and the encapsulated key KM;
Step 2: obtain the corresponding node signature (or the aggregate signature value of the subgroup node) from the signature tree corresponding to the encapsulated key, and decapsulate the key to obtain the updated group key gk = Decrypt(pk_{k-1}, ID_k, σ_{k-1}, KM) (or gk = Decrypt(gpk_i, ID_k, σ_i, KM));
Step 3: the group key gk is output.
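The ratchet tree algorithms described above (TreeCreate, TreeUpdate and RemUser) together with the copath encapsulation of SendKey and RecKey, as an added worked example in Python that is not part of the patent. It replaces the pairing-based signature broadcast scheme with a stand-in: ElGamal in the multiplicative group of a prime field, so that the "homomorphic multiplication" of public keys is integer multiplication mod P and an aggregate node equals G raised to the sum of the subgroup's secrets; the signature tree is modelled with H(ID)^sk values that aggregate the same way. Decapsulation with an aggregate signature is not modelled: RecKey opens a subgroup ciphertext with the summed private key, which only verifies that the aggregate node is a valid public key for that subgroup. The modulus P, generator G, user IDs and all key material are constructed here, and the function names mirror the algorithms in the text but are this example's own.

```python
"""Added toy model of the patent's double ratchet tree and copath encapsulation
(TreeCreate, TreeUpdate, RemUser, SendKey, RecKey).  Stand-ins, not the patent's
pairing-based scheme: keys live in the multiplicative group mod P, so the node
operation pk_a (.) pk_b is pk_a * pk_b mod P = G^(sk_a + sk_b); a 'signature' is
H(ID)^sk mod P and aggregates the same way; encapsulation is ElGamal."""
import hashlib, math, secrets
P = 2**61 - 1   # constructed toy modulus (Mersenne prime); far too small for real use
G = 3           # toy generator
IDENTITY = 1    # a removed leaf is set to 1, the identity of the node operation

def keygen():
    sk = secrets.randbelow(P - 2) + 1           # KeyGen stand-in: pk = G^sk mod P
    return pow(G, sk, P), sk
def sign(sk, identity):
    """Toy signature H(ID)^sk mod P; products of signatures aggregate like public keys."""
    d = int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big")
    return pow(pow(G, d % (P - 1), P), sk, P)

def tree_create(leaves):
    """TreeCreate: n leaves at k_{n-1}..k_{2n-2}; node i = k_{2i+1} * k_{2i+2} mod P."""
    n = len(leaves)
    nodes = [IDENTITY] * (2 * n - 1)
    nodes[n - 1:] = list(leaves)
    for i in range(n - 2, -1, -1):
        nodes[i] = nodes[2 * i + 1] * nodes[2 * i + 2] % P
    return nodes

def tree_update(nodes, user, new_key):
    """TreeUpdate: replace leaf k_{user+n-1}, recompute only the path to the root."""
    n = (len(nodes) + 1) // 2
    nodes, pos = list(nodes), n - 1 + user
    nodes[pos] = new_key
    while pos > 0:
        pos = (pos - 1) // 2
        nodes[pos] = nodes[2 * pos + 1] * nodes[2 * pos + 2] % P
    return nodes

def rem_user(nodes, user):
    """RemUser: set the leaf to 1 so no aggregate above it contains that key."""
    return tree_update(nodes, user, IDENTITY)

def subtree_users(nodes, node):
    """Users whose leaves lie under `node`: the subgroup that node's key covers."""
    n = (len(nodes) + 1) // 2
    if node >= n - 1:
        return {node - (n - 1)}
    return subtree_users(nodes, 2 * node + 1) | subtree_users(nodes, 2 * node + 2)

def encrypt(pk, gk):
    """ElGamal encapsulation of a group key gk (integer below P) under pk."""
    r = secrets.randbelow(P - 2) + 1
    return pow(G, r, P), gk * pow(pk, r, P) % P

def decrypt(sk, ct):
    return ct[1] * pow(ct[0], -sk, P) % P

def send_key(nodes, user, gk):
    """SendKey: one encapsulation per sibling on the leaf-to-root path (about log2 n)."""
    n = (len(nodes) + 1) // 2
    km, pos = [], n - 1 + user
    while pos > 0:
        sibling = pos + 1 if pos % 2 == 1 else pos - 1
        km.append((sibling, encrypt(nodes[sibling], gk)))
        pos = (pos - 1) // 2
    return km

def rec_key(nodes, user, km, subgroup_secret):
    """RecKey: open the entry whose subgroup contains `user` (subgroup_secret stands
    in for the decryption key a member would derive from its signature tree)."""
    for node, ct in km:
        members = subtree_users(nodes, node)
        if user in members:
            return decrypt(subgroup_secret(members), ct)
    raise KeyError("user %d is not covered by KM" % user)

def run_round(n=8, sender=0, removed=5):
    """Create a group, rotate the group key, remove a member, rotate again; return checks."""
    ids = ["user%d" % i for i in range(n)]                       # constructed IDs
    pks, sks = zip(*[keygen() for _ in ids])
    active = set(range(n))
    secret = lambda members: sum(sks[j] for j in members & active) % (P - 1)
    tau = tree_create(pks)
    tau_sig0 = tree_create([sign(sk, ids[0]) for sk in sks])     # user 0's signature tree
    gk, gk2 = secrets.randbelow(P - 1) + 1, secrets.randbelow(P - 1) + 1
    km = send_key(tau, sender, gk)
    subgroups = [sorted(subtree_users(tau, node)) for node, _ in km]
    got_gk = all(rec_key(tau, u, km, secret) == gk for u in range(n) if u != sender)
    tau2 = rem_user(tau, removed)                                # epoch l+1 without `removed`
    active.discard(removed)
    km2 = send_key(tau2, sender, gk2)
    return {
        "root_is_aggregate": tau[0] == math.prod(pks) % P,
        "sig_root_is_aggregate": tau_sig0[0] == sign(sum(sks) % (P - 1), ids[0]),
        "copath_len": len(km),
        "subgroups": subgroups,
        "everyone_else_once": sorted(u for s in subgroups for u in s) == [u for u in range(n) if u != sender],
        "all_receive_gk": got_gk,
        "root_after_remove": tau2[0] == math.prod(pk for i, pk in enumerate(pks) if i != removed) % P,
        "remaining_receive_gk2": all(rec_key(tau2, u, km2, secret) == gk2 for u in active if u != sender),
    }
```

Calling run_round(8) shows the sender emitting three encapsulations, for the subgroups {1}, {2, 3} and {4, 5, 6, 7}, every other user recovering the group key from exactly one of them, and, after RemUser sets a leaf to 1, the root and the affected subgroup key no longer containing the removed user's key, so the next SendKey round excludes that user without touching any other leaf.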
The message processing method comprises message transmission among group users and encryption and decryption of messages.
The message processing of the present embodiment includes sending and receiving messages. Sending a message: the message m sent by a user is encrypted with the group key gk_l to obtain the ciphertext c, which is sent to each subgroup. Receiving a message: the ciphertext c received by a user is decrypted with the shared group key gk_l to obtain the plaintext.
The embodiment also provides a security traceable group key negotiation system based on the aggregated broadcast, which comprises an initialization module, a group creation module, a member addition module, a member removal module, a key update module and a message processing module;
the initialization module is used for initializing the public key to generate a security parameter, and generating a public parameter by using a signature-based polymerizable broadcast encryption scheme based on the security parameter; initializing a user sequence identifier to form a user list, recording the current state of a user, wherein an initialization variable is used for tracking the change of a public key tree generated based on a group, and an initialization sequence is used for tracking the change of a signature tree generated by the user based on the group in each round of updating;
The group creation module is used for creating a new group, generating public and private key pairs for each user by using a signature-based polymerizable broadcast encryption scheme, calculating a signature, and creating a public key tree and a signature tree to generate an initial group key;
The member adding module is used for generating a new public and private key pair according to a new user identifier when a new user is added in the group, creating a new leaf node record user key information in the public key tree and the signature tree, and updating the group public key tree and the user signature tree;
the member removing module is used for finding the user in the key tree and deleting the key information of the user when the user needs to be removed in the group, and updating the key tree information;
the key updating module is used for generating a new public and private key pair and a group key under the condition that the group needs to update the key, and updating the key tree information;
the message processing module is used for message transmission among group users and encryption and decryption of messages.
In the invention, when a user creates a new group, a shared ratchet tree τ storing the public keys of all users is generated: each leaf node represents the public key of the corresponding user, the value of each intermediate node is calculated from the public key values of its child nodes and still represents a valid public key, and the root node records the aggregate public key of the group members. At the same time, each user creates a private ratchet tree storing the signatures of the other users: each leaf node represents one current user's signature on the tree owner's ID, the value of each intermediate node is calculated from its child nodes' signature values and still represents a valid signature, and the root node represents the aggregate of all users' signatures on the signature tree owner's ID.
In the initialization stage, each user can obtain the IDs of all users in the group G, signs each ID except its own with its public and private keys, and broadcasts the signature values so that the other users can download them. After receiving the broadcast, a user downloads the signatures of all other users on its own ID and creates and calculates its private signature tree. In the same group, since the IDs of the users are different, the private signature trees of the users differ, so the sender uses the same public key from the public key tree when encrypting, but the decryption private keys that different users compute from their private signature trees are different.
In the present invention, all current group members can be divided into different subgroups according to their arrangement in the tree structure: all users contained under each intermediate node form a unique subgroup, and the aggregate public key held in that intermediate node is called the subgroup public key. The group key that a user wants to update is key-encapsulated with the subgroup public key from the public key tree and sent to the corresponding subgroup, and the users contained in the subgroup decrypt it with their own private keys. When users join or leave, when user key information is updated, or when the group key needs updating, the public key tree and the signature tree perform the corresponding operations to update for one round.
It should be understood that the embodiments described above are some, but not all, embodiments of the invention. In addition, the technical features of each embodiment or the single embodiment provided by the invention can be combined with each other at will to form a feasible technical scheme, and the combination is not limited by the sequence of steps and/or the structural composition mode, but is necessarily based on the fact that a person of ordinary skill in the art can realize the combination, and when the technical scheme is contradictory or can not realize, the combination of the technical scheme is not considered to exist and is not within the protection scope of the invention claimed.
It should be understood that the foregoing description of the preferred embodiments is not intended to limit the scope of the invention, but rather to limit the scope of the claims, and that those skilled in the art can make substitutions or modifications without departing from the scope of the invention as set forth in the appended claims.

Claims (9)

1. A security traceable group key negotiation method based on an aggregate broadcast is characterized in that: the method comprises an initialization method, a group creation method, a member adding method, a member removing method, a key updating method and a message processing method;
the initialization method comprises the steps of initializing a public key to generate a security parameter, and generating a public parameter by using a signature-based polymerizable broadcast encryption scheme based on the security parameter; initializing a user sequence identifier to form a user list, recording the current state of a user, wherein an initialization variable is used for tracking the change of a public key tree generated based on a group, and an initialization sequence is used for tracking the change of a signature tree generated by the user based on the group in each round of updating;
The group creation method comprises the steps of creating a new group, generating public and private key pairs for each user by using a signature-based polymerizable broadcast encryption scheme, calculating a signature, and creating a public key tree and a signature tree to generate an initial group key;
the member adding method comprises the steps of generating a new public and private key pair according to a new user identifier when a new user is added in a group, creating a new leaf node record user key information in a public key tree and a signature tree, and updating a user key tree;
the member removing method comprises the steps that when a group has a user to be removed, the user is found in a key tree, key information of the user is deleted, and the key tree information is updated;
The key updating method comprises the steps of generating a new public key pair and a new group key under the condition that a group needs to update a key, and updating key tree information;
The message processing method comprises message transmission among group users and encryption and decryption of messages.
2. The security traceable group key negotiation method based on an aggregated broadcast according to claim 1, wherein: according to the initialization method, each user can obtain the IDs of all users in the group G, and signs each ID except the user by using the public and private keys of the user, and the signature value of each ID can be broadcast to other users for downloading by the users; after receiving the broadcast, the user downloads the signatures of all other users to the self ID, and creates and calculates a private signature tree.
3. The security traceable group key negotiation method based on an aggregated broadcast according to claim 1, wherein: when a user creates a new group, initializing group user information and related state variables, and constructing a group public key tree and a user signature tree according to user key information; every time a change of a group member or an update operation of a key is performed, the current group state is updated, and the group public key tree and the user signature tree structure are updated, so that the group is promoted to enter the next state.
4. The security traceable group key negotiation method based on an aggregated broadcast according to claim 1, wherein: in the group creation method, all current group members are divided into different subgroups according to the arrangement in a key tree, all users contained under each intermediate node form a unique subgroup, and an aggregate public key contained in the intermediate node is called a subgroup public key; the group public key of the group key public key tree updated by the user is sent to the corresponding subgroup after the key encapsulation, and the user contained in the subgroup decrypts by using the private key of the user; when the user increases or decreases, the user key information is updated or the group key needs to be updated, the public key tree and the signature tree operate corresponding operations to update for one round.
5. The security traceable group key negotiation method based on an aggregated broadcast according to claim 1, wherein: in the group creation method, a ratchet tree is created, which comprises a public key tree and a signature tree, a group public key tree and a user signature tree are constructed and generated according to key information, tree nodes are traversed, intermediate nodes are calculated by homomorphic multiplication, and complete key tree information is output;
The step of creating the ratchet tree specifically comprises the following steps:
Step 1: input a user set G = (ID_0, ID_1, ID_2, ..., ID_{n-1}) and a key set K = (k_{n-1}, k_n, k_{n+1}, ..., k_{2n-2}), wherein the user key corresponding to each ID_i is k_{i+n-1};
Step 2: create a ratchet tree τ according to the number of users, the key information of each leaf node comprising (ID_i, k_{i+n-1});
Step 3: traverse and calculate the other tree nodes;
intermediate nodes are calculated upwards from the leaf node k_{n-1}, the key information of each intermediate node being calculated from its child nodes; if k_i is a user public key, the intermediate node is computed by public key homomorphic multiplication, up to the calculation of the root node; if k_i is a user signature, the intermediate node is computed by signature homomorphic multiplication, namely k_{i/2} = k_i ⊙ k_{i+1}, until the root node is calculated;
Step 4: the ratchet tree τ is output.
6. The security traceable group key negotiation method based on an aggregated broadcast of claim 5, wherein: in the key updating method, a double ratchet tree key exchange scheme is adopted to update key tree information; the method specifically comprises the following steps:
Step 1: input a ratchet tree τ and the updated key information (ID_i, k_i);
Step 2: traverse and calculate the updated tree nodes;
intermediate nodes are calculated upwards from the leaf node k_{n-1}, the key information of each intermediate node being calculated from its child nodes; if k_i is a user public key, the intermediate node is computed by public key homomorphic multiplication, up to the calculation of the root node; if k_i is a user signature, the intermediate node is computed by signature homomorphic multiplication, namely k_{i/2} = k_i ⊙ k_{i+1}, until the root node is calculated;
Step 3: the ratchet tree τ' is output.
7. The security traceable group key negotiation method based on an aggregated broadcast according to any of claims 1-6, wherein: the method comprises generating public parameters by utilizing a signature-based polymerizable broadcast encryption scheme based on the security parameters, constructing public and private key pairs by utilizing the bilinear pairing principle, and, for any input string, providing four operations: generating a valid signature, verifying the validity of a signature, encrypting to output a ciphertext, and decrypting to obtain the plaintext.
8. The security traceable group key negotiation method based on an aggregated broadcast according to any of claims 1-6, wherein: generating public and private key pairs for each user by using a signature-based polymerizable broadcast encryption scheme, calculating a signature, creating a new group by the user, initializing group user information and related state variables, and constructing a group public key tree and a user signature tree according to the user key information; broadcasting signature information in subgroups divided by a key tree, and obtaining a current initial group key through initial round updating; every time the change of the group member or the updating operation of the secret key is carried out, the current group state is updated, the corresponding algorithm of the public key tree and the signature tree is called to update the tree structure, and the group is caused to enter the next state.
9. A security traceable group key negotiation system based on an aggregated broadcast, characterized by: the system comprises an initialization module, a group creation module, a member adding module, a member removing module, a key updating module and a message processing module;
the initialization module is used for initializing the public key to generate a security parameter, and generating a public parameter by using a signature-based polymerizable broadcast encryption scheme based on the security parameter; initializing a user sequence identifier to form a user list, recording the current state of a user, wherein an initialization variable is used for tracking the change of a public key tree generated based on a group, and an initialization sequence is used for tracking the change of a signature tree generated by the user based on the group in each round of updating;
The group creation module is used for creating a new group, generating public and private key pairs for each user by using a signature-based polymerizable broadcast encryption scheme, calculating a signature, and creating a public key tree and a signature tree to generate an initial group key;
The member adding module is used for generating a new public and private key pair according to a new user identifier when a new user is added in the group, creating a new leaf node record user key information in the public key tree and the signature tree, and updating the group public key tree and the user signature tree;
the member removing module is used for finding the user in the key tree and deleting the key information of the user when the user needs to be removed in the group, and updating the key tree information;
the key updating module is used for generating a new public and private key pair and a group key under the condition that the group needs to update the key, and updating the key tree information;
the message processing module is used for message transmission among group users and encryption and decryption of messages.
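As an added illustration that is not code from the patent, the following Python models the public key tree of claims 5 and 6 together with the copath logic of the SendKey and RecKey steps described above: heap-indexed leaves, aggregation of child public keys by multiplication, the update path after a leaf key changes, and encapsulation of gk to the sibling of every node on the sender's path, so that the sender emits O(log n) entries and each receiver decapsulates exactly one. It assumes a constructed toy prime-order group (P, Q, G) and a hypothetical kdf helper in place of the pairing-based scheme, and it stores each intermediate node's aggregated secret exponent in the tree so the toy can decapsulate for a subgroup; the signature-tree mechanism by which the real scheme gives each member its own decryption key is not modelled.

```python
import hashlib
import secrets

# Toy group, constructed for illustration: P = 2*Q + 1 is a safe prime and G generates its
# order-Q subgroup. The patent works in pairing groups; this only models the aggregation.
P, Q, G = 1019, 509, 4

def kdf(shared):
    """Hypothetical helper: derive a 128-bit pad from a group element."""
    return int.from_bytes(hashlib.sha256(shared.to_bytes(2, "big")).digest()[:16], "big")

class RatchetTree:
    """Public key tree in heap layout (claim 5): n leaves at n-1..2n-2, root at 0, children
    of node i at 2i+1 and 2i+2. sk[i] is the aggregated secret exponent of node i, stored
    centrally only so the toy can decapsulate for a subgroup (the real scheme derives each
    member's decryption key from the signature tree instead)."""
    def __init__(self, users):
        self.n, self.users = len(users), list(users)
        self.sk, self.pk = [None] * (2 * self.n - 1), [None] * (2 * self.n - 1)
        for leaf in range(self.n - 1, 2 * self.n - 1):
            self._set_leaf(leaf)
        for node in range(self.n - 2, -1, -1):  # intermediate nodes, bottom-up
            self._aggregate(node)

    def _set_leaf(self, leaf):
        self.sk[leaf] = secrets.randbelow(Q - 1) + 1
        self.pk[leaf] = pow(G, self.sk[leaf], P)

    def _aggregate(self, node):
        """Public-key homomorphic multiplication: pk = pk_left * pk_right = G^(sk_left + sk_right)."""
        l, r = 2 * node + 1, 2 * node + 2
        self.sk[node] = (self.sk[l] + self.sk[r]) % Q
        self.pk[node] = self.pk[l] * self.pk[r] % P

    def leaf(self, user):
        return self.n - 1 + self.users.index(user)

    def path(self, node):
        # Nodes from `node` up to and including the root (parent of i is (i-1)//2).
        return [node] + (self.path((node - 1) // 2) if node > 0 else [])

    def update(self, user):
        """Double-ratchet update (claim 6): fresh leaf key, then recompute the path to the root."""
        leaf = self.leaf(user)
        self._set_leaf(leaf)
        for node in self.path(leaf)[1:]:
            self._aggregate(node)

    def send_key(self, sender, gk):
        """SendKey: encapsulate gk to the sibling of each node on the sender's path (copath)."""
        km = {}
        for node in self.path(self.leaf(sender))[:-1]:  # the root has no sibling
            sib = node + 1 if node % 2 else node - 1
            r = secrets.randbelow(Q - 1) + 1
            km[sib] = (pow(G, r, P), gk ^ kdf(pow(self.pk[sib], r, P)))  # ElGamal-style KEM
        return km

    def rec_key(self, user, km):
        """RecKey: a receiver decapsulates only the entry for the copath node it sits under."""
        for node in self.path(self.leaf(user)):
            if node in km:
                c1, c2 = km[node]
                return c2 ^ kdf(pow(c1, self.sk[node], P))
        return None
```

With five users the sender's path has at most three siblings, so a key update costs three encapsulations while every receiver touches one.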
CN202410401561.6A 2024-04-03 2024-04-03 Security traceable group key negotiation method and system based on aggregated broadcast Pending CN118337372A (en)

Publications (1)

Publication Number Publication Date
CN118337372A true CN118337372A (en) 2024-07-12

Family

ID=91775523

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination