KR101727691B1 - Server and system for identity-based revocation - Google Patents
- Publication number
- KR101727691B1 (application number KR1020150173472A)
- Authority
- KR
- South Korea
- Prior art keywords
- key
- user
- encryption
- private key
- server
- Prior art date
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
        - H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
          - H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
        - H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
          - H04L9/0618—Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
            - H04L9/0625—Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation with splitting of the data block into left and right halves, e.g. Feistel based algorithms, DES, FEAL, IDEA or KASUMI
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
        - H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
          - H04L9/0643—Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
        - H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
          - H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
            - H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
              - H04L9/0825—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Power Engineering (AREA)
- Mobile Radio Communication Systems (AREA)
Description
An embodiment according to the concept of the present invention relates to an identity-based revocation (receiver-restricted encryption) server and system, and more particularly to a revocation encryption server and system capable of generating a ciphertext by designating receivers in a broadcast environment.
Conventionally, receiver-restricted cryptosystems (revocation systems) are known. In particular, the public-key based Public-Key Revocation (PKR) system is a variant of Public-Key Broadcast Encryption (PKBE) in which the ciphertext is generated for a set of users who are excluded from the receivers. In other words, each user has his or her own public key / private key pair, and the ciphertext is generated so that only the users other than those having the specified public keys can decrypt it. As with public-key broadcast encryption, a PKR scheme can be designed by combining the complete subtree (CS) / subset difference (SD) method with identity-based encryption or hierarchical identity-based encryption. An Identity-based Revocation (IBR) system is a variant of Identity-based Broadcast Encryption (IBBE) in which the ciphertext is generated for a set of users excluded from the receivers.
However, existing receiver-restricted cryptosystems limit the maximum number of users of the system. To support an unlimited number of devices in the Internet of Things (IoT) environment, there should be no limit on the number of system users.
In addition, existing schemes are proven secure under strong assumptions such as q-type assumptions. In a q-type assumption the size of q depends on the attacker's capability, so the security of the scheme is correspondingly weakened. A standard (simple) assumption, on the other hand, is not affected by the conditions arising in the proof model but depends only on the security parameter, .
In addition, most existing schemes have been proven secure only in the random oracle model. Such a proof can be said to establish security in theory, but it does not directly reflect security in practice.
SUMMARY OF THE INVENTION It is an object of the present invention to provide an efficient identity-based revocation encryption server and system capable of supporting an unlimited number of users and providing higher security.
The encryption server according to an embodiment of the present invention includes a setup section that receives a security parameter ( ) and the depth ( ) of a binary tree ( ) and generates a master key ( ) and a public parameter ( ), and a section that generates a user's private key ( ) and transmits the private key ( ) to the user's terminal. With the identity-based revocation encryption server and system according to the embodiment of the present invention, the revocation encryption scheme can be implemented for an unlimited number of users.
In addition, because the scheme is proven under a standard (simple) assumption, it can provide higher security than existing schemes, and because it can be proven secure in a model without random oracles, realistic security can be guaranteed.
Further, since the public parameters used in the present invention are small and the decryption operation is efficient, the present invention can be easily applied to mobile devices with limited resources.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS In order to more fully understand the drawings recited in the detailed description of the present invention, a detailed description of each drawing is provided.
FIG. 1 is a conceptual diagram for explaining an encryption method according to an embodiment of the present invention.
FIG. 2 shows an encryption system according to an embodiment of the present invention.
FIG. 3 is a functional block diagram of the encryption server shown in FIG. 2.
It is to be understood that the specific structural or functional descriptions of embodiments of the present invention disclosed herein are for illustrative purposes only and are not intended to limit the scope of the inventive concept, which may be embodied in many different forms and is not limited to the embodiments set forth herein.
The embodiments according to the concept of the present invention can make various changes and can take various forms, so that the embodiments are illustrated in the drawings and described in detail herein. It should be understood, however, that it is not intended to limit the embodiments according to the concepts of the present invention to the particular forms disclosed, but includes all modifications, equivalents, or alternatives falling within the spirit and scope of the invention.
The terms first, second, etc. may be used to describe various elements, but the elements should not be limited by these terms. The terms are used only to distinguish one element from another; for example, without departing from the scope of the rights according to the concept of the present invention, a first element may be referred to as a second element, and a second element may also be referred to as a first element.
It is to be understood that when an element is referred to as being "connected" or "coupled" to another element, it may be directly connected or coupled to the other element, . On the other hand, when an element is referred to as being "directly connected" or "directly coupled" to another element, it should be understood that there are no other elements in between. Other expressions that describe the relationship between components, such as "between" and "directly between" or "neighboring to" and "directly adjacent to", should be interpreted in the same way.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. Singular expressions include plural expressions unless the context clearly dictates otherwise. In this specification, the terms "comprises" or "having" and the like are used to specify that the features, numbers, steps, operations, elements, parts, or combinations thereof described herein are present, but do not preclude the presence or addition of one or more other features, integers, steps, operations, components, parts, or combinations thereof.
Unless defined otherwise, all terms used herein, including technical or scientific terms, have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. Terms such as those defined in commonly used dictionaries are to be interpreted as having a meaning consistent with their meaning in the context of the relevant art and, unless explicitly defined herein, are not to be interpreted in an idealized or overly formal sense.
Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings attached hereto. Prior to describing the present invention in detail, the background art will be described as follows.
<Bilinear Map>
If and are cyclic groups of prime order , a function satisfying the following three properties is called a bilinear map.
1) Bilinearity: for arbitrary and , .
2) Non-degeneracy: .
3) Computability: for , there is an efficient algorithm to compute .
<Decisional Bilinear Diffie Hellman assumption>
Let and be two multiplicative cyclic groups of prime order with a bilinear map , and let be a generator of . The DBDH problem is defined to be hard to solve if there is no attacker that, in polynomial time and with non-negligible probability, can determine for .
<SD (Subset Difference) Technique>
The SD scheme is a technique for covering all leaf nodes of a binary tree except a given set of leaf nodes. It consists of the Setup, Assign, Cover, and Match algorithms.
Let be a binary tree and let denote each node of . The depth of a node is the length of the path from the root node to that node, and the depth of the root node is zero. denotes the subtree rooted at , and, when node is a descendant of , is the subtree rooted at from which the subtree rooted at is removed; in other words, the nodes below are excluded. denotes the set of leaf nodes of , and is the set of leaf nodes of , that is, . Let be a fixed label of . By assigning 0 (left node) or 1 (right node) to each node, the label of a node can be generated from the labels assigned to the nodes on the path from the root to that node.
In the setup algorithm (SD.Setup), a binary tree is constructed and each user is assigned to a leaf node.
In the assign algorithm (SD.Assign), the private set corresponding to the user's node is generated. Specifically, for all nodes and on the path from the root node to the node assigned to the user, the subsets are included.
In the cover algorithm (SD.Cover), the covering set for the revoked set is generated. Taking as a revoked node (or the node one level above it), and as the uppermost node on the path containing that node which has no other revoked node as a descendant, the subset is added to the covering set. Here is excluded from .
In the match algorithm (SD.Match), given the covering set and the private set , a subset in and a subset in satisfying and are searched for. If such a subset exists, the user is not included in the revoked set; otherwise the user is included in the revoked set.
<Broadcast Encryption (BE)>
A symmetric-key based broadcast cryptosystem is a scheme in which a trusted authority generates and transmits a ciphertext to a set of users rather than to a single user. A typical example is the scheme of Naor et al. using the complete subtree (CS) and subset difference (SD) methods. Public-Key Broadcast Encryption (PKBE) is a technique in which a user who is not the trusted authority generates a ciphertext for a set of users using each user's public key. Identity-based Broadcast Encryption (IBBE) is a technique that does not limit the number of users participating in the system, by using each user's ID as the public key of PKBE.
Further details of the SD method and the broadcast encryption schemes described above can be found in D. Naor, M. Naor and J. Lotspiech, "Revocation and tracing schemes for stateless receivers," Proceedings of CRYPTO 2001, Vol. 2139 of LNCS, pp. 41-62, Feb. 2001.
<Revocation System>
The Public-Key Revocation (PKR) system is a variant of PKBE in which the ciphertext is generated for a set of users excluded from the receivers. In other words, each user has his or her own public key / private key pair, and the ciphertext is generated so that only the users other than those having the specified public keys can decrypt it. As with public-key broadcast encryption, a PKR scheme can be designed by combining CS / SD with identity-based encryption (IBE), hierarchical identity-based encryption (HIBE), or SRE techniques. The Identity-based Revocation (IBR) system is a variant of IBBE in which the ciphertext is generated for a set of identities of the users excluded from the receivers.
In the present invention, a Single Revocation Encryption (SRE) scheme that is more secure than conventional schemes (provable under a weak assumption) is designed first, and an identity-based revocation (IBR) scheme is then designed on top of it. Hereinafter, the SRE scheme and the IBR scheme are described in detail.
First, a detailed description of the SRE technique is as follows.
SRE is a ciphertext generation method in which all users of a group except one can decrypt: given a group label and a revoked member label , the ciphertext can be decrypted by users with and . This technique can be extended to design a receiver-restricted cryptosystem that revokes the decryption capability of multiple users. The SRE scheme consists of a setup step, a key generation step, an encryption step, and a decryption step.
In the setup step (SRE.Setup), a security parameter is taken as input, and a bilinear group and a generator are selected; here the size of is . An arbitrary index , a hash function , and arbitrary elements are chosen, and the master key and the public parameters are output as follows.
The master key is , and the public parameters are made public.
In the key generation step (SRE.GenKey), the labels , the master key , and the public parameters are taken as input, and a private key for is output as follows.
The private key is securely issued to the user.
In the encryption step (SRE.Encrypt), the labels , a message , and the public parameters are taken as input, and a ciphertext for is output as follows.
In the decryption step (SRE.Decrypt), a ciphertext , a private key , and the public parameters are taken as input. If , the following operation is performed to recover the message . If the condition is not satisfied, is output.
The correctness of SRE can be confirmed by the following formula.
The SRE scheme described above is secure against chosen-plaintext attacks in the selective security model under the simple Decisional Bilinear Diffie-Hellman (DBDH) assumption. Based on this scheme, a scheme provably secure in the full model can be designed using the dual system encryption technique over composite-order groups, and the CHK (Ran Canetti, Shai Halevi, and Jonathan Katz) transformation can be used to make the scheme secure against chosen-ciphertext attacks and to prove its security.
A detailed description of the IBR technique is as follows.
The SD scheme and a Symmetric Key Encryption (SKE) scheme used as primitives for designing the IBR scheme are denoted SD = (SD.Setup, SD.Assign, SD.Cover, SD.Match) and SKE = (SKE.Gen, SKE.Enc, SKE.Dec). The IBR scheme consists of a setup step (IBR.Setup), a key generation step (IBR.GenKey), an encryption step (IBR.Encrypt), and a decryption step (IBR.Decrypt). Hereinafter, a conceptual diagram for explaining an encryption method according to an embodiment of the present invention is described with reference to FIG. 1.
In the setup step (IBR.Setup), the security parameter and the depth of a binary tree are taken as input. A binary tree is obtained from the SD setup algorithm, and the master key and the first public parameter are obtained from the SRE setup algorithm. The IBR master key is stored securely, and the public parameter is published.
In the key generation step (IBR.GenKey), the user's ID , the master key , and the public parameters are taken as input, and the private set is obtained from the SD assign algorithm. Here, the user's ID is matched to the label of a leaf node, so each user is assigned to the corresponding leaf node. For each in , the label is extracted, and a key for that label is obtained from the SRE key generation algorithm; here the label is . Finally, the user's private key is output.
In the encryption step (IBR.Encrypt), first, the set of revoked users , a message , and the public parameters are taken as input, and the covering set is obtained from the SD cover algorithm. A session key is selected, and for each in , the label is extracted; a ciphertext for the label and the session key is obtained from the SRE encryption algorithm. A ciphertext for the message is then obtained from the SKE encryption algorithm under the session key. Finally, is output.
In the decryption step (IBR.Decrypt), a ciphertext , a private key , and the public parameters are taken as input. If , a matching tuple is found from the SD match algorithm and the session key is recovered from the SRE decryption algorithm; otherwise is output. Finally, the message is decrypted from the SKE decryption algorithm and output.
Figure 2 illustrates an encryption system in accordance with an embodiment of the present invention.
Referring to FIGS. 1 and 2, a
The
The transmitting
Each of the plurality of receiving
FIG. 3 shows the encryption server shown in FIG. 2.
Referring to FIGS. 1 to 3, the
The
The
Each of the configurations of the
Also, in this specification, a "part" may mean a functional and structural combination of hardware for carrying out the technical idea of the present invention and software for driving the hardware. For example, a "part" may mean a logical unit of predetermined code and a hardware resource for executing that code, and does not necessarily mean physically connected code or a single kind of hardware.
While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is evident that many alternatives, modifications and variations will be apparent to those skilled in the art. Accordingly, the true scope of the present invention should be determined by the technical idea of the appended claims.
10: Cryptographic system
100: Encryption server
110: Setup section
130:
300: transmitting terminal
500: receiving terminal
Claims (8)
A cryptographic system, wherein the encryption server comprises:
a setup section that receives a security parameter ( ) and the depth ( ) of a binary tree ( ) and generates a master key ( ) and a public parameter ( ); and
a section that generates a user's private key ( ) and transmits the private key ( ) to the user's terminal,
wherein a transmitting terminal receives a set of users ( ) excluded from the receivers, a message ( ), and the public parameter ( ) and generates a ciphertext ( ),
and wherein the transmitting terminal:
obtains a covering set ( ) from the subset difference (SD) scheme with the user set ( ), the message ( ), and the public parameter ( ) as input,
selects a session key ( ),
extracts, for each ( ), its label ( ),
generates a first ciphertext ( ) for the label ( ) and the session key ( ) using a first encryption algorithm ( ),
generates a second ciphertext ( ) using a second encryption algorithm ( ), and
generates the ciphertext ( ) defined by Equation (3),
where Equation (3) is
.
The cryptographic system, wherein the first encryption algorithm takes the label ( ), the session key ( ), and the public parameter ( ) as input, selects an arbitrary index ( ) from the first public parameter ( ), and obtains the first ciphertext ( ),
and wherein the second encryption algorithm is the encryption algorithm of a symmetric-key encryption scheme.
The cryptographic system, further comprising a terminal of the user that receives the ciphertext ( ) and the private key ( ) from the encryption server and decrypts the ciphertext ( ) using the private key ( ) and the public parameter ( ).
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020150173472A KR101727691B1 (en) | 2015-12-07 | 2015-12-07 | Server and system for identity-based revocation |
Publications (1)
Publication Number | Publication Date |
---|---|
KR101727691B1 true KR101727691B1 (en) | 2017-04-19 |
Family
ID=58705997
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
KR1020150173472A KR101727691B1 (en) | 2015-12-07 | 2015-12-07 | Server and system for identity-based revocation |
Country Status (1)
Country | Link |
---|---|
KR (1) | KR101727691B1 (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20210073390A (en) | 2019-12-10 | 2021-06-18 | 국방과학연구소 | Method for Constructing for Revocable Identity Based Encryption with Subset Difference Methods |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR101533422B1 (en) * | 2013-06-21 | 2015-07-10 | 고려대학교 산학협력단 | Broadcast encryption method and system |
2015
- 2015-12-07 KR KR1020150173472A patent/KR101727691B1/en active IP Right Grant
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Xiong et al. | Partially policy-hidden attribute-based broadcast encryption with secure delegation in edge computing | |
Xu et al. | Secure fine-grained access control and data sharing for dynamic groups in the cloud | |
Wei et al. | Secure data sharing in cloud computing using revocable-storage identity-based encryption | |
US8290146B2 (en) | Ciphertext generating apparatus, cryptographic communication system, and group parameter generating apparatus | |
EP2719149B1 (en) | Method and system for modifying an authenticated and/or encrypted message | |
US10411885B2 (en) | Method and system for group-oriented encryption and decryption with selection and exclusion functions | |
KR20060095077A (en) | The hierarchial threshold tree-based broadcast encryption method | |
US9130744B1 (en) | Sending an encrypted key pair and a secret shared by two devices to a trusted intermediary | |
KR101516114B1 (en) | Certificate-based proxy re-encryption method and its system | |
Bayat et al. | A lightweight and efficient data sharing scheme for cloud computing | |
Karati et al. | Provably secure threshold-based abe scheme without bilinear map | |
CN110784314A (en) | Certificateless encrypted information processing method | |
KR101308023B1 (en) | Broadcast encryption method for securing recipient privacy | |
KR101533422B1 (en) | Broadcast encryption method and system | |
Luo et al. | Hierarchical identity-based encryption without key delegation in decryption | |
JP4288184B2 (en) | Key update method, cryptographic system, cryptographic server, terminal device and external device | |
Azaim et al. | Design and implementation of encrypted SMS on Android smartphone combining ECDSA-ECDH and AES | |
KR101695361B1 (en) | Terminology encryption method using paring calculation and secret key | |
Seo et al. | Zigbee security for visitors in home automation using attribute based proxy re-encryption | |
Li et al. | Mathematical model and framework of physical layer encryption for wireless communications | |
KR101727691B1 (en) | Server and system for identity-based revocation | |
KR101373577B1 (en) | Apparatus of id based dynamic threshold encryption and method thereof | |
Nayak | A secure ID-based signcryption scheme based on elliptic curve cryptography | |
Doshi | An enhanced approach for CP-ABE with proxy re-encryption in IoT paradigm | |
KR100388059B1 (en) | Data encryption system and its method using asymmetric key encryption algorithm |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
E701 | Decision to grant or registration of patent right | ||
GRNT | Written decision to grant |