WO2020103631A1 - Hidden-identity-based signcryption method employing asymmetric bilinear pairing - Google Patents

Abstract

The invention provides a hidden-identity-based signcryption method employing an asymmetric bilinear pairing. The method comprises: a private key generator generating a system master private key (I); employing asymmetric bilinear pairings Type-1 and Type-2, configuring a private key of a hidden-identity-based signcryption sender identified as (II) to be (III), and configuring a private key of a hidden-identity-based signcryption verifier identified as (IV) to be (V); Â selecting (VI), calculating (VII), and sending {X, C} to (VIII), wherein (IX) is a bilinear map; (VIII) calculating (X), and if (XI), then accepting hidden-identity-based signcryption information M; employing an asymmetric bilinear pairing Type-3, configuring a private key of a hidden-identity-based signcryption sender identified as (II) to be (XII), and configuring a private key of a hidden-identity-based signcryption verifier identified as (IV) to be (XIII); Â selecting (VI), calculating (VII), and sending {X, C} to (VIII), wherein (IX) is a bilinear map; and (VIII) calculating (XIV), and if (XI), then accepting the hidden-identity-based signcryption information M.

Description

A secret signcryption method based on asymmetric bilinear pair Technical field

The invention relates to the field of cryptographic technology, and in particular, to an identity-based signcryption method based on asymmetric bilinear pairs.

Background technique

Digital signature and public key encryption are the core contents of cryptography theory and application. Signcryption is a combination of digital signature and public key encryption, which not only ensures the integrity and verifiability of encrypted content, but also ensures the privacy of encrypted messages, and is more efficient than simply combining signatures and encryption For promotion. Compared with the traditional public key cryptosystem, identity-based signcryption uses the user's identity as the public key, which can simplify the management and issuance of public key certificates. However, the original identity-based signcryption schemes need to publicly transmit the user's identity and public key information, and the efficiency is poor. In the era of mobile internet, the computing and storage capabilities of the device are limited, and in many applications, the user's identity information is often sensitive information and needs to be protected. Therefore, the development of an efficient identity-based identity hiding signcryption method (abbreviated as "hiding signcryption") has important theoretical and practical significance.

Let G ₁ , G ₂ and G _T be three q-order cyclic groups (q can be prime or composite, such as RSA modulus). For the convenience of description, we refer to G ₁ , G ₂ and G _T as a multiplicative group (all the schemes described in the present invention also work when G ₁ , G ₂ and G _{T are} referred to as addition groups). Generally speaking, a bilinear pair

It is a bilinear mapping from G ₁ × G ₂ to G _T and satisfies the following properties:

(1) Bilinearity: Let g ₁ ∈ G ₁ , g ₂ ∈ G ₂ , x, y ∈ Z _q , have

(2) Non-degeneration: For each

There is always a g ₂ ∈G ₂ such that

among them,

Is the unit of G ₁ ,

Is the unit of G _T ;

(3) Bilinear mapping can be effectively calculated.

There are three types of bilinear pairs:

Type 1: G ₁ → G ₂ has an isomorphism that can be effectively calculated, in this case it is generally written as G ₁ = G ₂ (usually expressed by G). This type of bilinear pairing can generally be achieved with super-singular elliptic curves or super-elliptic curves.

Type 2: There is an effective calculation group homomorphism G ₂ → G ₁ , but there is no effective homomorphism from G ₁ to G _2. This type of bilinear pair is generally realized by a general elliptic curve on the prime field, G ₁ is the base field In the upper elliptic curve group, G ₂ is the elliptic curve subgroup in the extended domain, and the homomorphism of G ₂ → G ₁ is generally traced and mapped.

Type 3: There is no effective computable homomorphism of G ₂ → G ₁ or G ₁ → G ₂ (homology and even isomorphism must exist, in this case, there is no effectively computed isomorphism). This type of bilinear pair is also constructed with a general curve on the prime domain, and G ₂ generally takes the kernel of the trace map.

The method described in the present invention can work on any of the above three types of bilinear pairs, the difference is that: for type 1 bilinear pairs, G ₁ = G ₂ ; for type 2 bilinear pairs, the system The public parameters need to have an effectively calculated isomorphism ψ: G ₁ → G ₂ , that is, ψ is an effectively calculateable isomorphism that maps the elements in G ₁ to G ₂ ; for type 3 bilinear pairs, the system discloses There is no need to have an isomorphic ψ that can be effectively calculated in the parameters: G ₁ → G ₂ , but each user's private key is increased from one to two, which are used for signcryption and verification signcryption, respectively. In the following description of the invention scheme, the description is based on type-2 and type-3, and when applied to the type-1 bilinear pair, G ₁ = G ₂ .

Summary of the invention

In order to solve the above problems, the present invention provides an efficient identity-based secret signcryption method in an asymmetric environment, including: a private key generator generates a system master private key

Under asymmetric bilinear pair type-1 and type-2, the identity is

The private key of the secret signer of is

Identity is

The private key of the secret signing verifier is

Select

Calculation

And send {X, C} to

among them

Is a bilinear mapping.

Calculation

And

Then accept the secret sign information M. Under asymmetric bilinear pair type-3, the identity is

The private key of the secret signer of is

Identity is

The private key of the secret signing verifier is

Select

Calculation

And send {X, C} to

among them

Is a bilinear mapping.

Calculation

And

Then accept the secret sign information M.

BRIEF DESCRIPTION

FIG. 1 is a flowchart of an example of an inventive method (asymmetric bilinear pairing type-2).

Figure 2 is a flow chart of an example of an inventive method (asymmetric bilinear pairing type-3).

detailed description

FIG. 1 is a flowchart of an example of an inventive method (asymmetric bilinear pairing type-2); wherein, let G ₁ ≠ G ₂ ,

auxM is empty,

Is the unit element of group GT, H: {0, 1} ^* → G ₁ is the hash function, D is the decryption function corresponding to the encryption function E,

Refers to the use of the key K to decrypt the ciphertext C to get

It means x from

Randomly selected.

FIG. 2 is a flowchart of an example of an inventive method (asymmetric bilinear pairing type-3); wherein, let G ₁ ≠ G ₂ ,

aux _M is empty,

Is the unit element of the group G _T , H ₁ : {0, 1} ^* → G ₁ , H ₂ : {0, 1} ^* → G ₂ are two hash functions, D is the decryption function corresponding to the encryption function E ,

Refers to the use of the key K to decrypt the ciphertext C to get

It means x from

Randomly selected.

The present invention provides a secret signcryption method based on asymmetric bilinear pairs. Specific examples are given below:

System establishment: generate public system parameters, a security parameter n takes 128, bilinear pairing

_{G 1 × G 2 → G T} , wherein G _1, G _2, and G _T is a cyclic group of order q three, take 3594707740912722592580264824659245374581620005772120566140827390747490618210732713776201829166921179104690985316170865403357128018053115705235365035756944666781840271151398486024508905819032066430042870294016997308232041571009239026199854058373227102211040396565230117801219598111998342507534997235192001889 integer q, q binary length (denoted as | q |) is n polynomial; two Ha Greek function: H ₁ : {0, 1} ^* → G ₁ , H ₂ : {0, 1} ^* → G ₂ , using MD5 and SHA256 functions respectively; key derivation function KDF: {0, 1} ^* → { 0,1} ⁿ using the AES algorithm built KDF Openssl; g ₁ is a generator of _{G. 1,} the value 72026754027934651490995918212523766243371000525971101339334699885320636543746077563483364060839557244370694227487917252409638191550569389028359389164974323853180025346237445763293422583856014029352597479177910324941936807527651378495009235344516904490274731975063077229612562360754643102255089897348148780690, g ₂ ∈G ₂ generators of G _2, the value 7770630256160844001061836831347865610850334358908951970056605558701855341430296 85515167171155066983394736429814708688260424437418050442878466662894511336277513648432264837893503 36451089265057408624982566636736744757835440696623220350219622426665921578454579853475107616688094007335536946549349101096432348567,

It is the unit element of group G _T ; E adopts symmetric encryption function AES; the public parameters of the system include:

The public parameters of the system can be negotiated and decided by users in the system, or given by a trusted third party;

msk is 647581328478097883885856815637104132132453561065;

User private key extraction: Users with identity ID ∈ {0, 1} ^* are registered with PKG, and PKG generates private keys for them:

For convenience of description, the identity of the signcryption generator in the following method description is written as

make

Calculate signcryption and verify signcryption private key separately

The signcryption verifier is recorded as

make

Signcryption and verification signcryption private keys are

Secret signcryption generation: let M ∈ {0, 1} ^* for secret signcryption information, M takes the value 2MMMMMMMMMMMMMMMMmmmmmmMMMMMMMMMMMMMMMMMMMMM; user

Choose x = 344135958399807195458316225370763102587786809162, calculate

If using type-3 bilinear pair, calculate

(If type-2 bilinear pair is used, calculate

) If

(Otherwise re-select x, recalculate PS), calculate K = KDF (PS, aux _K ) = KDF (PS, aux _K ) = {rounds = 10; rd_key = 946168116 875979576 895575096 811676005 1969327858 1096281546 1949731314 1146599575 4252685724 3157080150},

Calculation

667afc15fc776f81b5f74e9028723c7236f804cf40491f86cbcc70a1ef3b5976e1343fe5cdedd30ad1da70fbfd61cf53a1a7ab57d004c56799351dd3afa32cdf13506dc5e10af7cd39fbd7cdd

Send {X, C} to the user

Secret signcryption verification: user

After receiving {X, C}, if using type-3 bilinear pair, calculate

(If type-1 bilinear pair is used, calculate

If type-2 bilinear pairs are used, calculate

If

Calculate K = KDF (PS, aux _K ) = {rounds = 10; rd_key = 946168116 875979576 895575096 811676005 1969327858 1096281546 1949731314 1146599575 4252685724 3157080150},

Use K to decrypt C

And

It is equal to the transmitted ciphertext, the verification is successful, and the secret signcryption information M is accepted.

Other features and advantages of the present invention will be explained in the subsequent description, and partly become obvious from the description, or be understood by implementing the present invention. The objects and other advantages of the present invention can be realized and obtained by the structures particularly pointed out in the description, claims and drawings.

It should be understood that the disclosed embodiments of the present invention are not limited to the specific processing steps disclosed herein, but should extend to equivalent replacements of these features as understood by those of ordinary skill in the relevant art. It should also be understood that the terminology used herein is for the purpose of describing particular embodiments only, and is not meant to be limiting.

The "two embodiments" or "embodiments" mentioned in the specification mean that a particular feature, structure, or characteristic described in connection with the embodiments is included in at least two embodiments of the present invention. Therefore, the phrases "two embodiments" or "embodiments" appearing in various places throughout the specification do not necessarily all refer to the same embodiment.

Although the above examples are used to illustrate the principles of the present invention in one or more applications, it is obvious to those skilled in the art that they can be used in form, usage and implementation without departing from the principles and ideas of the present invention Make various modifications to the details without paying creative efforts. Therefore, the present invention is defined by the appended claims.

Claims (7)

1. An efficient identity-based signcryption method based on asymmetric bilinear pairs, the method includes:

   System establishment: generating system public parameters, including: a security parameter n, bilinear pair

   

   

   Integer q, where G ₁ , G ₂ and G _T are three q-order cyclic groups, and the binary length of q (denoted by | q |) is a polynomial of n; two hash functions: H ₁ : {0, 1} ^* → G ₁ , H ₂ : {0, 1} ^* → G ₂ , an isomorphic ψ that can be effectively calculated: G ₁ → G ₂ , a key derivation function KDF: {0, 1} ^* → {0, 1} ^n; g ₁ ∈G ₁ so as generator of G _1, g ₂ ∈G ₂ is a generator of G _2,

   

   Is the unit element of group G _T ; E is a symmetric encryption function; the public parameters of the system are recorded as:

   

   The public parameters of the system can be negotiated and determined by the users in the system or given by a trusted third party; the private key generator (Private Key Generator, PKG for short) generates the user master key

   

   

   (msk from

   

   Randomly selected in

   

   The value range is an integer from 1 to q-1, and q is a large prime number); SysPar is publicly released, and msk is kept confidential.

   User private key generation: Users with identity ID ∈ {0, 1} ^* are registered with PKG, and PKG generates user private key based on master key msk and user identity:

   

   among them

   

   Used for signcryption,

   

   Used to verify signcryption. For the convenience of description, the signcryption generator is denoted as

   

   Signcryption and verification signcryption private keys are

   

   

   The signcryption verifier is recorded as

   

   Signcryption and verification signcryption private keys are

   

   

   Secret signcryption generation: Let M ∈ {0, 1} ^* be secret signcryption information;

   Construction method one (based on Type 1 bilinear pair): user

   

   Select

   

   Calculation

   

   

   Calculation

   

   If

   

   (Otherwise re-select x), calculate K = KDF (PS, aux _K ), aux _{K is} either empty, or is

   

   A subset of aux _K , the specific form of aux _K or the agreement between the two parties in advance or part of the protocol specification, aux _d can be empty or contain some additional information that will not disclose the identity of the communicating parties; calculation

   

   

   That is: use K as the key pair of the symmetric encryption function E

   

   Encrypt according to the prescribed or agreed coding method, where aux _M is a set that can be empty or contain a timestamp information; finally, the user

   

   Send {X, C} to the user

   

   Construction method two (based on Type 2 bilinear pair): user

   

   Select

   

   Calculation

   

   

   Calculation

   

   If

   

   (Otherwise re-select x), calculate K = KDF (PS, aux _K ), aux _{K is} either empty, or is

   

   A subset of aux _K , the specific form of aux _K or the agreement between the two parties in advance or part of the protocol specification, aux _d can be empty or contain some additional information that will not disclose the identity of the communicating parties; calculation

   

   That is: use K as the key pair of the symmetric encryption function E

   

   Encrypt according to the prescribed or agreed coding method, where aux _M is a set that can be empty or contain a timestamp information; finally, the user

   

   Send {X, C} to the user

   

   Construction method three (based on Type 3 bilinear pair): user

   

   Select

   

   Calculation

   

   

   Calculation

   

   If

   

   (Otherwise re-select x), calculate K = KDF (PS, aux _K ), aux _{K is} either empty, or is

   

   A subset of (here, the hash function H ₁ will

   

   Is mapped to the group G ₁ , the hash function H ₂ will

   

   Is mapped to group G ₂ , and

   

   And the specific form of aux _K is either agreed in advance by both parties or is part of the protocol specification. Aux _d can be empty or contain some additional information that will not reveal the identity of both parties in the communication; calculation

   

   That is: use K as the key pair of the symmetric encryption function E

   

   Encrypt according to the prescribed or agreed coding method, where aux _M is a set that can be empty or contain a timestamp information; finally, the user

   

   Send {X, C} to the user

   

   Secret signcryption verification: user

   

   After receiving {X, C}, decrypt and verify the above three secret signcryption algorithms as follows:

   Verification method 1 (based on Type 1 bilinear pair): calculation

   

   If

   

   Invalid characters are returned, indicating that the secret signcryption is invalid; otherwise, K = KDF (PS, aux _K ) is calculated, and _{K is} used to decrypt C to obtain

   

   If

   

   And

   

   If aux _{M is} valid, the secret sign _M is accepted, otherwise it is rejected.

   Verification method two (based on Type 2 bilinear pair): calculation

   

   If

   

   

   Invalid characters are returned, indicating that the secret signcryption is invalid; otherwise, K = KDF (PS, aux _K ) is calculated, and _{K is} used to decrypt C to obtain

   

   If

   

   And

   

   If aux _{M is} valid, the secret sign _M is accepted, otherwise it is rejected.

   Verification method three (based on Type 3 bilinear pair): calculation

   

   If

   

   Invalid characters are returned, indicating that the secret signcryption is invalid; otherwise, K = KDF (PS, aux _K ) is calculated, and _{K is} used to decrypt C to obtain

   

   If

   

   And

   

   If aux _{M is} valid, the secret sign _M is accepted, otherwise it is rejected.
2. The method of claim 1, wherein:

   Groups G ₁ and G ₂ can be equal (denoted as G), that is, a bilinear pairing structure based on Type 1 (such as construction method 1); q is prime or composite; from

   

   Randomly selected in, or in

   

   Randomly selected in

   

   or

   

   Is empty or contains a timestamp information; aux _d is empty or contains attachment information that will not reveal the identity of both parties to the communication; E is an authentication encryption function or an authentication encryption function with auxiliary input.
3. The method according to any one of claims 1 to 2, characterized in that, for Type 2 and Type 3 bilinear pairs, G ₁ ≠ G ₂ .
4. The method according to any one of claims 1 to 2, characterized in that, for Type 2 bilinear pairs, H ₁ = H ₂ : {0,1} ^* → G ₁ , which is denoted as H: {0 , 1} ^* → G ₁ , at this time there is

   

   
5. The method according to any one of claims 1 to 2, characterized in that, for the Type 2 bilinear pair, its construction method does not require a hash function H ₂ : {0, 1} ^* → G ₂ .
6. The method according to any one of claims 1 to 2, characterized in that, for the Type 3 bilinear pair, the construction method does not require an isomorphic ψ that can be effectively calculated: G ₁ → G ₂ .
7. The method according to any one of claims 1 to 2, wherein for Type 3 bilinear pairs,

   

   among them

   

   Used for signcryption,

   

   Used to verify signcryption.

Images