KR101327980B1 - ID-based additive homomorphic encryption method - Google Patents

Abstract

Disclosed is an ID-based additive quasi-homogenous encryption method. Using an algorithm with the input of the safety parameter (λ), we create a subgroup G of a cyclic group with modulo with the square of N, the product of two prime factors p, q, and subgroup G Generate a system parameter (pk) based on any function, N, subgroup G, and generator g, which has a range, and generate a master key (sk) consisting of two prime factors, p, q, A discrete algebraic value based on the generator g is output as a user secret key using an algorithm that takes as inputs a function, a subgroup G, a generator g and a master key sk.

Description

ID-based additive homomorphic encryption method

The present invention relates to an encryption method, and more specifically, to an ID-based encryption combined with ID-based encryption (IBE) and homo-morphic encryption (HE), which implements an additive quasi-morphic property. It relates to a decoding method.

Quasi-homogenous encryption is a technology that supports operations between encrypted data using mathematical operations to obtain plain text calculated after decryption. Generally, data stored in the server through encryption in cloud computing is decrypted until decrypted. I don't know anything about it, but this technique allows me to analyze the content without precipitating the data.

In addition, ID-based encryption is a key authentication problem that occurs when using public key-based cryptography, that is, a procedure that establishes a binding between a user and a public key to verify that a given public key matches the user's public key. This is the proposed method to solve the problem of collecting the user's public key or keeping it in the directory. In other words, the IBE uses the user's ID information, which can be easily identified, as a public key.

The technical problem to be solved by the present invention is to provide an effective encryption and decryption method in consideration of the quasi-homogenous nature of the addition in ID-based encryption.

, 상기 N, 상기 서브그룹 G 및 상기 생성자 g를 기초로 시스템 파라메타(pk)를 생성하고 상기 두 소인수 p,q로 구성되는 마스터키(sk)를 생성하는 단계; 및 사용자 아이디(ID)에 대한 상기

, 상기 서브그룹(G), 상기 생성자(g) 및 상기 마스터키(sk)를 입력으로 하는 알고리즘을 이용하여, 상기 생성자(g)에 기초한 이산대수 값을 사용자 비밀키로 출력하는 단계;를 포함한다.In order to solve the above technical problem, one example of the ID-based addition semi-synthetic encryption method according to the present invention, by using an algorithm that takes the safety parameter (λ) as an input, the square of N, which is the product of two prime factors p, q Creating a subgroup G of a cyclic group modulo and having a generator g; Any function with the subgroup G as range

Generating a system parameter (pk) based on the N, the subgroup G and the generator g, and generating a master key (sk) consisting of the two prime factors p, q; And reminding about user ID

And outputting a discrete algebra value based on the generator (g) as a user secret key using an algorithm for inputting the subgroup (G), the generator (g), and the master key (sk). .

길이의 암호문을 결합하기 위하여 단지

의 곱셈(multiplication)을 요구한다. The present invention provides a definition of an ID-based additive quasi-typed cipher and an example thereof, so that key management of the additive quasi-typed cipher can be efficiently performed. ID-based addition quasi-dong cryptography, which can be obtained by transforming existing ID-based multiply quasi-dong cryptography, needs to solve a discrete algebra problem for decryption and requires a pairing operation. It is easy to apply in real life. Specifically, the present invention requires two and one exponentiation for encryption and decryption, respectively, and therefore has the same computational cost as the best known results for Additvie Homomorphic Encryption (AHE). Also, by using quasi-homogenous nature

Only to join ciphertext of length

Requires multiplication of.

The encryption method according to the present invention is secure against a choice-plaintext attack in a random oracle model under DCR (Desicional Composite Residuosity).

1 is a diagram illustrating an example of an ID-based quasi-dynamic encryption structure;
2 is a diagram illustrating an example of an ID-based addition quasi-dynamic encryption structure according to the present invention;
3 is a diagram illustrating an example of an ID-based additive quasi-dynamic encryption method according to the present invention.

Cryptographic related general terms such as Discrete Logarithm (DL), Cyclic group G, Discrete Logarithm Problem (DLP), etc. are obvious terms in the technical field of the present invention. Detailed description will be omitted. In addition, the 'algorithm' used in the present invention may be implemented in the form of a program driven through a hardware device such as a central controller and a memory in a key generation center or each server, or may be implemented in the form of hardware such as a chip. . In the following description, for convenience of description, an algorithm is expressed regardless of hardware or software implementation.

Hereinafter, with reference to the accompanying drawings will be described in detail with respect to the ID-based addition quasi-dong encryption and decryption method according to the present invention.

1 is a diagram illustrating an example of an ID-based quasi-dynamic encryption structure.

Referring to FIG. 1, ID-based homomorhpic encryption (ID-HE) includes five algorithms as follows.

The setup algorithm 100 outputs the public parameter pk and the master secret key sk for the input of the security parameter λ.

)를 출력한다.The KeyGen algorithm 110, for input of public parameters (pk), master secret key (sk) and ID (ID∈ {0,1} ^* ), uses the user private key (

).

Enc algorithm 120 receives the public parameter (pk), ID (ID) and the message (m) of the message space (message space), and outputs the cipher text (C).

) 및 암호문(C)을 입력받고, 메시지(m)를 출력한다. Dec algorithm 140 uses public parameters (pk), private keys (

) And the cipher text C, and outputs a message m.

) 및 연산자(

)를 입력으로 하고, 암호문(C)을 출력한다. 여기서

는 메시지

의 암호문이다. 만약

이 1이면 Evaluate 알고리즘의 출력은

이다.Evaluate algorithm 130 is a public parameter (pk), a number of cipher text (

) And operator (

) Is input and the ciphertext (C) is output. here

Message

Is the ciphertext. if

If 1, the output of the Evaluate algorithm is

to be.

)에 대한 IB-HE가 타당하다고 할 수 있다.If you satisfy the following equation (1):

IB-HE for) is reasonable.

,

이고, 모든 양의 정수

와

, 모든 ID들과 메시지 공간의 모든 메시지

에 대해,

,

이다. here,

,

, Any positive integer

Wow

, All IDs and all messages in the message space

About,

,

to be.

)를 부여한다. 비밀키를 부여받은 사용자 A(160)는 Enc 알고리즘(120) 또는 Evaluate 알고리즘(130)을 이용하여 암호문을 생성한 후 이를 사용자 B(170)에게 전송하며, 사용자 B(170)는 Dec 알고리즘(140)을 이용하여 수신한 암호문을 복호화한다. Evaluate 알고리즘(130)은 사용자 A(160) 뿐만 아니라 사용자 B(170)나 또 다른 사용자 A'(180)에 의해서도 사용될 수 있다.Referring back to FIG. 1, the key generation center 150 generates a public parameter (pk) and a master secret key (sk) through the setup algorithm 100, and each ID of users A 160 and B 170. Based on the KeyGen algorithm 110 to drive the user A (160) and B (170) for each secret key (

). The user A 160, who has been given the secret key, generates a cipher text using the Enc algorithm 120 or the Evaluate algorithm 130, and then transmits the encrypted text to the user B 170, and the user B 170 sends the Dec algorithm 140. ) To decrypt the received cipher text. Evaluate algorithm 130 may be used not only by user A 160 but also by user B 170 or another user A '180.

The biggest difference between the conventional IBE structure and the IB-HE structure shown in FIG. 1 is the presence or absence of Evaluate 130. The Evaluate algorithm 130 does not input personal information such as a master key or a user private key as an input and thus does not affect security. Therefore, the security definition of the IB-HE structure of FIG. 1 is the same as that of the conventional IBE structure.

However, since the quasi-homogenous encryption requires security against a chosen-plaintext attack, it is examined whether the IB-HE structure of FIG. 1 provides chosen-plaintext security.

Choice-text security is defined as the next game between opponent A and challenger C.

이다. 그리고 챌린저(C)는 공개 파라메타(pk)를 상대방(A)에게 주고 마스터 비밀키(sk)를 보안상태로 유지한다.Setup: The challenger (C) selects the safety parameter ([lambda]) and runs the Salping Setup algorithm earlier to generate the public parameter (pk) and master secret key (sk). In other words,

to be. The challenger C gives the public parameter pk to the other party A and keeps the master secret key sk in a secure state.

에 대한 KeyGen 질의(query)를 발행한다. 챌린저(C)는 아이디

에 해당하는 개인키(

)로 응답한다. 이때 챌린저(C)는 마스터 비밀키(sk)를 이용하여 KeyGen 질의에 응답한다.Phase 1: The other party (A) is an ID

Issue a KeyGen query for. Challenger (C) ID

Corresponding private key (

Answer At this time, the challenger C responds to the KeyGen query using the master secret key sk.

와 Phase 1에서 KeyGen 알고리즘에 질의하지 않은 다른 아이디(

)를 선택한다. 상대방(A)은

와 다른 아이디(

)를 챌린저(C)에게 전송한다. 그러면 챌린저(C)는 랜덤한 비트(

)를 선택하고 Enc(

,

,

) 알고리즘을 구동하여 암호문(

)를 생성한 후 그 암호문(

)을 상대방(A)에게 전송한다.Challenge: After the other party (A) completes Phase 1, two messages with the same bit length in the message space

And other IDs that did not query the KeyGen algorithm in Phase 1 (

Select). The other party A

And another ID (

) Is sent to the challenger (C). The challenger C then picks up a random bit (

) And select Enc

,

,

Algorithm to run the ciphertext (

) And the ciphertext (

) Is transmitted to the other party (A).

)를 제외한 KeyGen 질의들을 생성한다. 이후 챌린저(C)는 Phase 1과 동일한 과정을 통해 응답한다.Phase 2: The opponent (A) is selected by the challenger

Generates KeyGen queries other than). The challenger C then responds via the same process as in Phase 1.

)를 출력한다. Guess: The other party (A) is a bit (

).

In the IND-ID-CPA safety game, the advantage of the opponent A over the IB-HE structure is defined as in Equation 2 below.

이 모든 다항시간(polynomial time) 상대방(A)에 대하여 무시될 수 있다면, IB-HE 스킴은 IND-ID-CPA 안전성이 있다. Where λ is the safety parameter of the above choice-plain safety game, and the probability is for the random selection of coins of opponent A and challenger C. if

If all of these polynomial time counterparts A can be ignored, the IB-HE scheme is IND-ID-CPA safe.

의 DCR 문제는 실현 불가능하다고 가정한다. To demonstrate the security of the present invention in a selective-plain attack,

The DCR problem is assumed to be impractical.

의 DCR 문제는

인 z에 대하여

을 만족하는 y가 존재하는지 여부를 결정하는 것이다.Definition 1 (DCR Issues):

DCR problem

About z

It is to determine whether or not y satisfies.

은 안전성 파라메타(

)를 입력으로 하고 RSA modulus N을 출력으로 하는 알고리즘이다. DCR 문제의 그룹

의 모듈러스(modulus)에 대한 생성자로써

을 정의한다.Definition 2:

Is the safety parameter (

) As the input and RSA modulus N as the output. Group of DCR Issues

As a constructor for the modulus of

.

에서 DCR 문제를 푸는 상대방(A)의 이익(advantage)을 다음과 같이 정의한다. Definition 3:

Defines the advantage of the counterpart A to solve the DCR problem as follows.

이고, y는

에서 랜덤하게 선택된 요소이고,

이고, Z는

에서 랜덤하게 선택된 요소이다. here,

And y is

Is a randomly selected element from,

And Z is

Is a randomly selected element from.

The following algorithm is defined for the encryption method according to the present invention.

TDLGen: The TDLGen algorithm is an algorithm for outputting a finite cyclic group G having a generator g and its trapdoor information τ for the input of the safety parameter λ.

SolveTDL: The SolveTDL algorithm takes as input a finite circulation group (G), a generator of G (g), trapdoor information (τ), and a target element (h) of DLP, and a discrete logarithm (DL) of h based on g. The algorithm to output

Gen: Gen algorithm is an algorithm that inputs safety parameter (λ) and drives TDLGen (λ) algorithm to output (G, g). If (G, g, τ) is the output of TDLGen (λ) and the DLP for G is difficult for the output (G, g) of Gen, G is called a trapdoor DL group.

의 최대 서브그룹 G는 트랩도어 DL 그룹의 일 예가 된다. N이 세 개의 소수들보다 많은 곱으로 이루어지면, G를 치역으로 갖는 암호학적으로 안전한 함수는 알려지지 않고 있다. If N is the product of primes and its trapdoor is factoring of N,

The maximum subgroup G of is an example of a trapdoor DL group. If N is a product of more than three prime numbers, a cryptographically safe function with G as the range is unknown.

혹은 이의 약수를 위수로 갖는 (이때, μ=gcd(p-1,q-1)) 트랩도어 DL 그룹 G를 생성한다. 이 트랩도어 DL 그룹 G는

의 순환 서브 그룹이다. 또한 트랩도어는 N의 인수분해이다. ID-based additive quasi-dynamic encryption (IB-AHE) structure according to the present invention

Or a trapdoor DL group G having a divisor of the above number, where μ = gcd (p-1, q-1). This trapdoor DL group G

Is a cyclic subgroup of. The trapdoor is also a factorization of N.

2 is a diagram illustrating an example of an ID-based additive quasi-dynamic encryption structure according to the present invention.

Referring to FIG. 2, the ID-based additive quasi-dynamic encryption (IB-AHE) structure includes five algorithms.

(1) Setup (λ) (200): This algorithm drives the Salping TDLGen (λ) algorithm and outputs parameters (N, G, g, τ). Where N is the product of the prime p, q of η-bits. p, q is the greatest common divisor gcd (p-1, q-1) = μ, and p-1 and q-1 are both B-smooth integers. Where B is determined by the security parameters. Here, as an example of G, when μ = 2, it may be selected as follows.

의 서브그룹이고,

은 위수

의 생성자

를 가진다.

은

의 요소이고,

는

의 생성자이고,

는

의 생성자이다. 그리고 트랩도어 정보(τ)는 (p,q)이다.G

Is a subgroup of

Silver number

Constructor

.

silver

Is an element of

The

Is the constructor of

The

Is the constructor of. The trap door information τ is (p, q).

의 예로 다음 수학식 3과 같이 정의할 수 있다.Arbitrary function with G as range

For example, it may be defined as Equation 3 below.

은 임의의 함수이고,

은 x modulo N의 야코비(Jacobi) 심볼을 의미한다. 이 알고리즘은 시스템 파라메타(pk)와 마스터키(sk)를 다음과 같이 출력한다.here,

Is an arbitrary function,

Denotes the Jacobi symbol of x modulo N. This algorithm outputs the system parameters (pk) and master key (sk) as follows.

)에 대해 앞서 살핀 SolveTDL 알고리즘을 구동하고, 사용자 비밀키(

)를 출력한다.(2) KeyGen (pk, sk, ID) (210): Given the user's ID, this algorithm inputs (G, g, sk,

Run the SolveTDL algorithm, which you have previously checked, and the user secret key (

).

)을 선택하고, 암호문(C)을 다음과 같이 계산한다.(3) Enc (pk, ID, m) 220: Given the message m, this algorithm is a random integer (

), And calculate the ciphertext (C) as follows:

이다.And outputs the ciphertext (C). Where the message space is

to be.

)(240): 암호문 C=(U,V)이 주어지면, 이 알고리즘은

및

을 계산한다. 그리고 이 알고리즘은 메시지

을 출력한다.(4) Dec (

(240): Given the ciphertext C = (U, V), this algorithm

And

. And this algorithm is a message

.

)(230):

이 주어지면, 이 알고리즘은 다음의 수학식을 계산하여 C를 출력한다.(5) Evaluate (

) (230):

Given this, the algorithm computes the following equation and outputs C:

의 트랩도어 DL 그룹에 기반한 ID-기반 암호화 구조와

의 AHE 구조를 결합함으로써 얻을 수 있다. 종래의 AHE 구조에서, 공개키는 위수

의 그룹의 한 요소로 구성된다. 여기서 N은 두 개의 안전한 소수의 곱이다. 만약 IBE 구조가 HE 구조와 아무런 변경 없이 결합된다면, 키생성센터는 네 개의 큰 소수 정수들의 곱인, 위수

의 그룹에 대한 DLP를 풀어야만 하는데, 이는 비현실적이다. That is, the structure according to the present invention

ID-based encryption scheme based on Trapdoor DL group

It can be obtained by combining the AHE structure of. In the conventional AHE architecture, the public key is an integer

Consists of one element of a group. Where N is the product of two safe prime numbers. If the IBE structure is combined with the HE structure without any changes, then the key generation center is a product of four large prime integers,

We have to solve the DLP for the group of, which is unrealistic.

In order to solve this problem, the present invention is an example for defining a trapdoor DL group as described above, p≡3 mod 4, q≡1 mod 4, gcd (p-1, q-1) = two prime numbers N is defined as the product of p, q. Where p-1 and q-1 are both B-smooth integers and B is determined by the security parameters.

의 그룹에 대한 DLP를 풀어야 한다. 이러한 키 생성 알고리즘을 빠르게 하기 위하여, 선행계산(pre-computation)을 가진 DL 알고리즘을 이용할 수 있다. The present invention can be used to generate a user private key

Solve the DLP for a group of. To speed up this key generation algorithm, a DL algorithm with pre-computation can be used.

라고 가정한다. 그러면, 암호문 C는 다음과 같다.It looks at whether the encryption method according to the present invention is valid. First for ciphertext C,

. Then, the ciphertext C is

이다. 따라서 본 발명에 따른 구조는 타당하다.And,

to be. The structure according to the invention is therefore justified.

3 is a diagram illustrating an example of an ID-based additive quasi-dynamic encryption method according to the present invention.

의 서브그룹 G를 생성한다. 여기서 N은 두 소인수 p,q의 곱이며, 두 소인수는 도 2에서 살핀 바와 같이 소정의 조건을 만족하는 소인수이다.2 and 3 together, the key generation center first generates various parameters (N, G, g, τ) by using an algorithm for inputting the safety parameter λ (S300). That is, the key generation center 250 has a generator g

Create a subgroup G of. Where N is the product of two prime factors p, q, and two prime factors are prime factors that satisfy a predetermined condition as shown in FIG.

The key generation center 250 generates a system parameter (pk) based on a function having G as a range, N, a subgroup G, and a generator g, and comprises a master key composed of two prime factors p, q, which are factoring values of N ( sk) is generated (S310).

,

의 서브그룹 G,

의 생성자 g 및 마스터키(sk)를 입력으로 하는 알고리즘을 이용하여, 생성자 g에 기초한 이산대수 값을 사용자 비밀키로 출력한다(S330).The key generation center 250, given the user ID (ID), the hash function for the user ID

,

Subgroup G of,

A discrete algebraic value based on the generator g is output as the user secret key using an algorithm that takes the generator g and the master key sk as input (S330).

Thereafter, the user A 260, which has received the user private key, encrypts the message based on the system parameter and the user ID (S330). That is, user A 260 generates an encrypted text using Enc algorithm 220 or Evaluate algorithm 230. User B 270 decrypts the cipher text received from user A 260 using the user secret key and system parameters (S340). Evaluate algorithm 230 may be used by user B 270 and user A '280 as well as user A 260.

The present invention can also be embodied as computer-readable codes on a computer-readable recording medium. A computer-readable recording medium includes all kinds of recording apparatuses in which data that can be read by a computer system is stored. Examples of the computer-readable recording medium include ROM, RAM, CD-ROM, magnetic tape, floppy disk, optical data storage, and the like. The computer readable recording medium can also be distributed over network coupled computer systems so that the computer readable code is stored and executed in a distributed fashion.

So far I looked at the center of the preferred embodiment for the present invention. It will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims. Therefore, the disclosed embodiments should be considered in an illustrative rather than a restrictive sense. The scope of the present invention is defined by the appended claims rather than by the foregoing description, and all differences within the scope of equivalents thereof should be construed as being included in the present invention.

Claims (5)

Generating a subgroup G of a cyclic group having a modulator of modulo with a square of N, the product of two prime factors p, q, using an algorithm that takes the safety parameter λ as an input;
Generate a system parameter (pk) based on any function having the subgroup G as a range, the N, the subgroup G and the generator g, and generate a master key sk consisting of the two prime factors p, q. Making; And
Discrete algebraic values based on the generator (g) by using an algorithm for inputting the function for the user ID (ID), the subgroup (G), the generator (g), and the master key (sk) Outputting a secret key; ID-based addition quasi-type encryption method comprising a. The method of claim 1,
For the two prime factors p, q, p-1 and q-1 are B-smooth integer values, respectively, and when the greatest common factor (p-1, q-1) = μ, G is

Having as order

ID-based addition semi-homologous encryption method characterized in that it has a subgroup of the group G 'above. The method of claim 1,
Generating a cipher text by inputting the system parameter (pk), the ID (ID) and the given message (m), ID-based addition semi-homographic encryption method further comprising. The method of claim 3, wherein
And decrypting the cipher text using a public key and a user secret key. A computer-readable recording medium having recorded thereon a program for performing the method according to any one of claims 1 to 4.

Images