CN103647642B

CN103647642B - A kind of based on certification agency re-encryption method and system

Info

Publication number: CN103647642B
Application number: CN201310572508.4A
Authority: CN
Inventors: 陆阳; 李继国
Original assignee: Hohai University HHU
Current assignee: Hohai University HHU
Priority date: 2013-11-15
Filing date: 2013-11-15
Publication date: 2016-07-06
Anticipated expiration: 2033-11-15
Also published as: CN103647642A

Abstract

The invention discloses a certificate-based proxy re-encryption method and system, and relates to the technical field of data encryption in information security. In order to solve the deficiencies in existing proxy re-encryption methods, the present invention combines certificate-based cryptosystem and proxy re-encryption to provide a certificate-based proxy re-encryption method, which includes generating system parameters and generating user public keys and private key pair, generate user certificate, encrypt message, generate proxy re-encryption key, proxy re-encryption, and recover message. The invention also provides a certificate-based proxy re-encryption system, including a system parameter generation module, a user key generation module, a certificate generation module, an encryption module, a proxy re-encryption key generation module, a proxy re-encryption module and a decryption module. The technical scheme of the invention not only simplifies the certificate management process, but also does not have the problems of key distribution and key trusteeship, and is convenient for application in an open network environment.

Description

A method and system for re-encryption based on certificate proxy

技术领域technical field

本发明涉及信息安全中的数据加密技术领域，特别涉及一种基于证书代理重加密方法及系统。The invention relates to the technical field of data encryption in information security, in particular to a certificate-based proxy re-encryption method and system.

背景技术Background technique

随着信息技术的高速发展，电子数据的安全性问题越来越受到数据所有者的重视。数据加密技术是保障电子数据机密性的核心和关键技术，它通过加密密钥及加密算法将数据转换成无意义的密文，从而避免数据被未经授权者访问，有效保障了数据的机密性。With the rapid development of information technology, the security of electronic data has been paid more and more attention by data owners. Data encryption technology is the core and key technology to ensure the confidentiality of electronic data. It converts data into meaningless ciphertext through encryption keys and encryption algorithms, thereby preventing data from being accessed by unauthorized persons and effectively ensuring data confidentiality. .

在现实社会中经常会遇到解密授权的情况。例如，一个公司经理需要到外地出差，为了不影响公司的业务，该经理需要委托一个可靠的助手在其出差期间帮他处理一些业务相关的加密邮件，但同时不希望将自己的私钥透露给该助手。为了解决上述解密授权的问题，Blaze等人于1998年提出了代理重加密的思想。在代理重加密系统中，一个拥有代理重加密密钥的半可信代理重加密中心，可以将经用户Alice的公钥所加密的消息M的密文直接转化为以用户Bob的公钥对消息M加密的密文，其中用户Alice称为委托方，用户Bob称为受理方。在这个过程中，半可信的代理重加密中心无法获知消息M的任何信息。由于代理重加密能够有效解决解密授权的问题，因此该方法有着很多重要的实际应用，如数字版权的跨域操作、加密电子邮件的转发以及公共云中安全数据的共享等。代理重加密一提出便受到广泛关注，国内外学者对其进行了深入的探讨和研究。但已有的代理重加密方法大多是在传统公钥密码体制下或基于身份密码体制下所提出的，因此这些方法要么存在复杂的证书管理问题，要么存在密钥分发和密钥托管的问题。而近期Sur等人所提出的无证书代理重加密方法尽管有效解决了复杂的证书管理和密钥托管问题，但仍存在密钥分发的问题。因此，现有的代理重加密方法在开放网络环境下的应用将会受到限制。Decryption authorization is often encountered in real society. For example, a company manager needs to go on a business trip. In order not to affect the company's business, the manager needs to entrust a reliable assistant to help him handle some business-related encrypted emails during his business trip, but at the same time he does not want to disclose his private key to the assistant. In order to solve the above-mentioned problem of decryption authorization, Blaze et al. proposed the idea of proxy re-encryption in 1998. In the proxy re-encryption system, a semi-trusted proxy re-encryption center with the proxy re-encryption key can directly convert the ciphertext of the message M encrypted by the user Alice's public key into the message M encrypted by the user Bob's public key. The ciphertext encrypted by M, in which the user Alice is called the entrusting party, and the user Bob is called the accepting party. During this process, the semi-trusted proxy re-encryption center cannot obtain any information about the message M. Since proxy re-encryption can effectively solve the problem of decryption authorization, this method has many important practical applications, such as cross-domain operation of digital rights, forwarding of encrypted emails, and sharing of secure data in public clouds. Proxy re-encryption has been widely concerned since it was proposed, and domestic and foreign scholars have conducted in-depth discussions and researches on it. However, most of the existing proxy re-encryption methods are proposed under the traditional public key cryptosystem or identity-based cryptosystem, so these methods either have complex certificate management problems, or key distribution and key escrow problems. However, although the certificateless proxy re-encryption method proposed by Sur et al. effectively solves the complex certificate management and key escrow problems, it still has the problem of key distribution. Therefore, the application of existing proxy re-encryption methods in open network environments will be limited.

基于证书密码体制是Gentry在2003年所提出的一种新型公钥密码体制，该体制有机结合了基于身份密码体制和传统公钥密码体制的优点，并有效克服了这两种密码体制中存在的缺陷。基于证书密码体制的一个最大的特点是提供了一种高效的隐证书机制，即用户证书仅发送给证书持有人，并与其私钥相结合产生最终的解密密钥或签名密钥。基于该特点，基于证书密码体制不仅消除了证书状态的第三方查询问题，简化了传统公钥密码体制中复杂的证书管理过程，而且同时克服了基于身份密码体制中固有的密钥分发问题和密钥托管问题。因此，基于证书密码体制是一个性能优良，便于开放网络环境中应用的新型公钥密钥体制。The certificate-based cryptosystem is a new type of public key cryptosystem proposed by Gentry in 2003. defect. One of the biggest features of the certificate-based cryptosystem is to provide an efficient hidden certificate mechanism, that is, the user certificate is only sent to the certificate holder, and combined with its private key to generate the final decryption key or signature key. Based on this feature, the certificate-based cryptosystem not only eliminates the third-party query problem of the certificate status, simplifies the complex certificate management process in the traditional public-key cryptosystem, but also overcomes the inherent key distribution problem and encryption problem in the identity-based cryptosystem Key escrow issues. Therefore, the certificate-based cryptosystem is a new type of public key encryption system with excellent performance and easy to apply in the open network environment.

发明内容Contents of the invention

本发明所要解决的技术问题是现有代理重加密方法中存在问题，本发明将基于证书密码体制和代理重加密体制相结合，提供了一种基于证书代理重加密方法。受益于基于证书密码体制的优良性能，本发明所提出的方法不仅简化了证书的管理过程，而且不存在密钥分发和密钥托管的问题。The technical problem to be solved by the present invention is a problem existing in the existing proxy re-encryption method. The present invention combines the certificate-based encryption system and the proxy re-encryption system to provide a certificate-based proxy re-encryption method. Benefiting from the excellent performance of the certificate-based cryptosystem, the method proposed by the invention not only simplifies the certificate management process, but also does not have the problems of key distribution and key custody.

本发明为解决上述技术问题采用以下技术方案：The present invention adopts the following technical solutions for solving the problems of the technologies described above:

一种基于证书代理重加密方法，包含以下步骤：A method for re-encrypting based on a certificate agent, comprising the following steps:

步骤A，生成系统主密钥和系统公开参数集；具体过程为：Step A, generate the system master key and system public parameter set; the specific process is:

步骤101，证书中心根据设定的安全参数k∈Z⁺，选择一个k比特的大素数p，并生成一个p阶加法循环群G和一个p阶乘法循环群G_T，以及定义在群G和群G_T上的双线性对e:G×G→G_T；其中：Z⁺是正整数，双线性对e:G×G→G_T是群G与自身的笛卡尔积G×G到群G_T的映射，即双线性对e:G×G→G_T是指函数z=e(P₁,P₂)，其中P₁,P₂∈G为自变量，z∈G_T为因变量；In step 101, the certificate center selects a k-bit large prime number p according to the set security parameter k∈Z ⁺ , and generates a p-order additive cyclic group G and a p-factorial cyclic group G _T , and defined in the group G and The bilinear pairing e:G×G→G _T on the group G _T ; where: Z ⁺ is a positive integer, and the bilinear pairing e:G×G→G _T is the Cartesian product of the group G and itself G×G to The mapping of the group G _T , that is, the bilinear pair e:G×G→G _T refers to the function z=e(P ₁ , P ₂ ), where P ₁ , P ₂ ∈G are independent variables, and z∈G _T is dependent variable;

步骤102，从加法循环群G中选择两个生成元P和Q并随机选择计算Q_pub=αQ，g=e(P,Q)和h=e(Q,Q)；其中：集合 Step 102, select two generators P and Q from the additive cyclic group G and randomly select Calculate Q _pub =αQ, g=e(P,Q) and h=e(Q,Q); where: set

步骤103，定义五个哈希函数H₂:{0,1}ⁿ→{0,1}ⁿ、H₄:G_T×G_T→{0,1}ⁿ以及其中：H₁是笛卡尔积{0，1}^*×G×G_T到的密码学哈希函数，H₂是{0,1}ⁿ到{0,1}ⁿ的密码学哈希函数，H₃是{0,1}^*到的密码学哈希函数，H₄是笛卡尔积G_T×G_T到{0,1}ⁿ的密码学哈希函数，H₅是笛卡尔积G_T×G_T到的密码学哈希函数，n表示明文的比特长度，{0,1}^*表示长度不确定的二进制串的集合，{0,1}ⁿ表示长度为n比特的二进制串的集合，{0,1}^*×G×G_T表示{0,1}^*、群G和群G_T的笛卡尔积，G_T×G_T表示群G_T和自身的笛卡尔积；Step 103, define five hash functions H ₂ : {0,1} ⁿ → {0,1} ⁿ , H ₄ :G _T ×G _T →{0,1} ⁿ and Where: H1 is the Cartesian product {0, ₁ } ^* ×G×G _T to The cryptographic hash function of H ₂ is the cryptographic hash function of {0,1} ⁿ to {0,1} ⁿ , and H ₃ is {0,1} ^* to H ₄ is the cryptographic hash function of the Cartesian product G _T ×G _T to {0,1} ⁿ , H ₅ is the Cartesian product G _T ×G _T to The cryptographic hash function, n represents the bit length of the plaintext, {0,1} ^* represents the set of binary strings of uncertain length, {0,1} ⁿ represents the set of binary strings of length n bits, {0, 1} ^* ×G×G _T represents the Cartesian product of {0,1} ^* , group G and group G _T , and G _T ×G _T represents the Cartesian product of group G _T and itself;

根据步骤101至步骤103，生成证书中心秘密保存的系统主密钥为msk=α，系统公开参数集为params={p,G,G_T,e,n,P,Q,Q_pub,g,h,H₁,H₂,H₃,H₄,H₅}。According to step 101 to step 103, the system master key stored secretly by the certificate center is msk=α, and the system public parameter set is params={p,G,G _T ,e,n,P,Q,Q _pub ,g, h,H ₁ ,H ₂ ,H ₃ ,H ₄ ,H ₅ }.

步骤B，根据所述系统公开参数集，以及用户的身份信息，生成用户的公钥和私钥对，所述用户包括发送者和接收者；具体过程如下：Step B, according to the public parameter set of the system and the identity information of the user, generate the user's public key and private key pair, the user includes the sender and the receiver; the specific process is as follows:

身份为id_U的用户首先在中随机选择一个整数作为自己的私钥SK_U，即SK_U=x_U；然后利用系统公开参数集params生成自己的公钥 ${PK}_{U} = ({PK}_{U}^{(1)}, {PK}_{U}^{(2)})$ $= (x_{U} Q, g^{x_{U}}) .$ The user whose identity is id _U is first in Randomly choose an integer from As your own private key SK _U , that is, SK _U =x _U ; then use the system public parameter set params to generate your own public key ${PK}_{u} = ({PK}_{u}^{(1)}, {PK}_{u}^{(2)})$ $= (x_{u} Q, g^{x_{u}}) .$

步骤C，根据所述系统主密钥和系统公开参数集、用户的身份信息和用户的公钥，生成用户的证书；具体过程如下：Step C, generating a user's certificate according to the system master key, the system public parameter set, the user's identity information, and the user's public key; the specific process is as follows:

身份为id_U的用户将自己的身份信息id_U和公钥PK_U提交给证书中心；证书中心产生用户id_U的证书Cert_U=(H₁(id_U,PK_U)+α)^-1Q，然后将证书Cert_U发送给身份为id_U的用户。The user with identity id _U submits his identity information id _U and public key PK _U to the certificate center; the certificate center generates the certificate Cert _{U of user id U} ₌ (H ₁ (id _U ,PK _U )+α) ^-1 Q , and then send the certificate Cert _U to the user whose identity is id _U.

步骤D，根据所述系统公开参数集、待加密的明文以及接收者的身份信息和公钥，生成原始密文；具体过程如下：Step D, generate the original ciphertext according to the public parameter set of the system, the plaintext to be encrypted and the recipient's identity information and public key; the specific process is as follows:

发送者使用接收者的身份id_V和公钥加密长度为n比特的明文M，发送者首先随机选择σ∈{0,1}ⁿ并计算r=H₃(M,σ,id_V,PK_V)；然后分别计算 $C_{1} = M &CirclePlus; H_{2} (σ), C_{2} = σ &CirclePlus; H_{4} (h^{r}, {({PK}_{V}^{(2)})}^{r}),$ C₃=rP和C₄=r(H₁(id_V,PK_V)Q+Q_Pub)；最后将C=(C₁,C₂,C₃,C₄)作为明文M的密文发送给接收者id_V。The sender uses the receiver's identity id _V and public key To encrypt plaintext M with length n bits, the sender first randomly selects σ∈{0,1} ⁿ and calculates r=H ₃ (M,σ,id _V ,PK _V ); then calculates $C_{1} = m &CirclePlus; h_{2} (σ), C_{2} = σ &CirclePlus; h_{4} (h^{r}, {({PK}_{V}^{(2)})}^{r}),$ C ₃ =rP and C ₄ =r(H ₁ (id _V ,PK _V )Q+Q _Pub ); finally send C=(C ₁ ,C ₂ ,C ₃ ,C ₄ ) as the ciphertext of plaintext M to Receiver id _V .

步骤E，根据所述系统公开参数集、发送者的身份信息、私钥和证书，以及接收者的身份信息和公钥，生成代理重加密密钥；具体过程如下：Step E, generating a proxy re-encryption key according to the system public parameter set, sender's identity information, private key and certificate, and receiver's identity information and public key; the specific process is as follows:

发送者id_U根据接收者id_V的公钥首先随机选择并计算然后根据使用自己的私钥SK_U和证书Cert_U以及接收者id_V的公钥 ${PK}_{V} = ({PK}_{V}^{(1)}, {PK}_{V}^{(2)}),$ 计算 ${PRK}_{U &RightArrow; V}^{(1)} = {SK}_{U} \cdot {PK}_{V}^{(1)}, {PRK}_{U &RightArrow; V}^{(2)} = s (H_{1} ({id}_{V}, {PK}_{V}) Q + Q_{Pub})$ 和 ${PRK}_{U &RightArrow; V}^{(3)} = {tCert}_{U};$ 最后将 ${PRK}_{U &RightArrow; V} = ({PRK}_{U &RightArrow; V}^{(1)}, {PRK}_{U &RightArrow; V}^{(2)}, {PRK}_{U &RightArrow; V}^{(3)})$ 作为代理重加密密钥。The sender id _U according to the public key of the receiver id _V First choose randomly and calculate Then use your own private key SK _U and certificate Cert _U and public key of recipient id _V ${PK}_{V} = ({PK}_{V}^{(1)}, {PK}_{V}^{(2)}),$ calculate ${PRK}_{u &Right Arrow; V}^{(1)} = {SK}_{u} &Center Dot; {PK}_{V}^{(1)}, {PRK}_{u &Right Arrow; V}^{(2)} = the s (h_{1} ({id}_{V}, {PK}_{V}) Q + Q_{Pub})$ and ${PRK}_{u &Right Arrow; V}^{(3)} = {tCert}_{u};$ Finally will ${PRK}_{u &Right Arrow; V} = ({PRK}_{u &Right Arrow; V}^{(1)}, {PRK}_{u &Right Arrow; V}^{(2)}, {PRK}_{u &Right Arrow; V}^{(3)})$ Acts as a proxy re-encryption key.

步骤F，根据所述系统公开参数集、原始密文以及代理重加密密钥，生成重加密密文；具体过程如下：Step F, generating re-encrypted ciphertext according to the system public parameter set, original ciphertext and proxy re-encryption key; the specific process is as follows:

根据发送者id_U提交的代理重加密密钥以及以发送者的身份id_U和公钥PK_U加密的原始密文C=(C₁,C₂,C₃,C₄)，首先分别置C₁′=C₁，C₂′＝C₂， ${C_{5}}^{'} = {PRK}_{U &RightArrow; V}^{(2)};$ 然后计算 ${C_{3}}^{'} = e (C_{3}, {PRK}_{U &RightArrow; V}^{(1)})$ 和 ${C_{4}}^{'} = e (C_{4}, {PRK}_{U &RightArrow; V}^{(3)});$ 最后将C′=(id_U,C₁′,C₂′,C₃′,C₄′,C₅′)作为代理重加密密文转发至接收者id_V。Proxy re-encryption key submitted by sender id _U And the original ciphertext C=(C ₁ , C ₂ , C ₃ , C ₄ ) encrypted with the sender’s identity id _U and public key PK _U , first set C ₁ ′=C ₁ , C ₂ ′=C ₂ , ${C_{5}}^{'} = {PRK}_{u &Right Arrow; V}^{(2)};$ then calculate ${C_{3}}^{'} = e (C_{3}, {PRK}_{u &Right Arrow; V}^{(1)})$ and ${C_{4}}^{'} = e (C_{4}, {PRK}_{u &Right Arrow; V}^{(3)});$ Finally, C′=(id _U , C ₁ ′, C ₂ ′, C ₃ ′, C ₄ ′, C ₅ ′) is forwarded to the receiver id _V as the proxy re-encrypted ciphertext.

步骤G，根据所述系统公开参数集、待解密的密文以及接收者的私钥和证书，恢复明文，待解密的密文包括原始密文或者重加密密文；具体过程如下：Step G, restore the plaintext according to the system public parameter set, the ciphertext to be decrypted, and the recipient's private key and certificate, and the ciphertext to be decrypted includes the original ciphertext or re-encrypted ciphertext; the specific process is as follows:

身份为id_V的接收者使用自己的私钥SK_V和证书Cert_V对密文C解密，根据密文C的类型，分为如下两种情形：The receiver whose identity is id _V uses his own private key SK _V and certificate Cert _V to decrypt the ciphertext C. According to the type of ciphertext C, it can be divided into the following two situations:

若密文C为未经重加密的原始密文，即C=(C₁,C₂,C₃,C₄)，接收者id_V首先计算 $σ = C_{2} &CirclePlus; H_{4} (e (C_{4}, {Cert}_{V}), {(C_{3}, Q)}^{{SK}_{V}}),$ 进而计算并获得明文 $M = C_{1} &CirclePlus; H_{2} (σ);$ 然后计算r=H₃(M,σ,id_V,PK_V)，并判断C₄=r(H₁(id_V,PK_V)Q+Q_Pub)是否成立：若成立，明文M有效；否则，密文无效，解密失败；If the ciphertext C is the original ciphertext without re-encryption, that is, C=(C ₁ ,C ₂ ,C ₃ ,C ₄ ), the receiver id _V first calculates $σ = C_{2} &CirclePlus; h_{4} (e (C_{4}, {Cert}_{V}), {(C_{3}, Q)}^{{SK}_{V}}),$ Then calculate and obtain the plaintext $m = C_{1} &CirclePlus; h_{2} (σ);$ Then calculate r=H ₃ (M,σ,id _V ,PK _V ), and judge whether C ₄ =r(H ₁ (id _V ,PK _V )Q+Q _Pub ) is true: if true, the plaintext M is valid; otherwise , the ciphertext is invalid, and the decryption fails;

若C为代理重加密密文，即C=(id_U,C₁′,C₂′,C₃′,C₄′,C₅′)，接收者id_V首先依次计算 $t = H_{5} (e ({C_{5}}^{'}, {Cert}_{V}), e {({C_{5}}^{'}, {Cert}_{V})}^{{SK}_{V}})$ 和 $σ = {C_{2}}^{'} &CirclePlus; H_{4} ({({C_{4}}^{'})}^{1 / t}, {({C_{3}}^{'})}^{{1 / SK}_{V}}),$ 进而计算并获得明文然后计算r=H₃(M,σ,id_U,PK_U)，并判断和C₄′=h^r是否成立：若成立，明文M有效；否则，密文无效，解密失败。If C is the agent re-encrypted ciphertext, that is, C=(id _U , C ₁ ′, C ₂ ′, C ₃ ′, C ₄ ′, C ₅ ′), the receiver id _V is first calculated sequentially $t = h_{5} (e ({C_{5}}^{'}, {Cert}_{V}), e {({C_{5}}^{'}, {Cert}_{V})}^{{SK}_{V}})$ and $σ = {C_{2}}^{'} &CirclePlus; h_{4} ({({C_{4}}^{'})}^{1 / t}, {({C_{3}}^{'})}^{{1 / SK}_{V}}),$ Then calculate and obtain the plaintext Then calculate r=H ₃ (M,σ,id _U ,PK _U ), and judge Whether and C ₄ ′=h ^r holds true: if true, the plaintext M is valid; otherwise, the ciphertext is invalid and the decryption fails.

本发明还提供一种基于证书代理重加密系统，包括：The present invention also provides a certificate-based proxy re-encryption system, including:

系统参数生成模块，用于根据输入的安全参数生成证书中心的主密钥以及密码系统的公开参数集；The system parameter generation module is used to generate the master key of the certificate center and the public parameter set of the cryptographic system according to the input security parameters;

用户密钥生成模块，用于根据系统参数生成模块生成的公开参数集，以及用户的身份信息，生成用户的公钥和私钥对，所述用户包括发送者和接收者；The user key generation module is used to generate the user's public key and private key pair according to the public parameter set generated by the system parameter generation module and the user's identity information, and the user includes a sender and a receiver;

证书生成模块，用于根据系统参数生成模块生成的主密钥和公开参数集、用户的身份信息以及用户密钥生成模块生成的公钥，生成用户的证书；The certificate generation module is used to generate the user's certificate according to the master key and public parameter set generated by the system parameter generation module, the user's identity information and the public key generated by the user key generation module;

加密模块，用于根据系统参数生成模块生成的公开参数集、待加密的明文、接收者的身份信息以及用户密钥生成模块生成的接收者的公钥，生成明文的原始密文；The encryption module is used to generate the original ciphertext of the plaintext according to the public parameter set generated by the system parameter generation module, the plaintext to be encrypted, the identity information of the recipient, and the recipient's public key generated by the user key generation module;

代理重加密密钥生成模块，用于根据系统参数生成模块生成的公开参数集、发送者的身份信息和接收者的身份信息、用户密钥生成模块生成的发送者的私钥和接收者的公钥，以及证书生成模块生成的发送者的证书，生成代理重加密密钥；The proxy re-encryption key generation module is used to generate the public parameter set generated by the system parameter generation module, the identity information of the sender and the identity information of the receiver, and the private key of the sender and the public key of the receiver generated by the user key generation module. key, and the sender's certificate generated by the certificate generation module to generate a proxy re-encryption key;

代理重加密模块，用于根据系统参数生成模块生成的公开参数集、加密模块输入的原始密文以及代理重加密密钥生成模块生成的代理重加密密钥，生成重加密密文；The proxy re-encryption module is used to generate re-encryption ciphertext according to the public parameter set generated by the system parameter generation module, the original ciphertext input by the encryption module, and the proxy re-encryption key generated by the proxy re-encryption key generation module;

解密模块，用于根据系统参数生成模块生成的公开参数集、加密模块生成的原始密文或代理重加密模块生成的重加密密文、用户密钥生成模块生成的接收者的私钥，以及证书生成模块生成的接收者的证书，恢复明文。The decryption module is used to generate the public parameter set generated by the system parameter generation module, the original ciphertext generated by the encryption module or the re-encrypted ciphertext generated by the proxy re-encryption module, the receiver's private key generated by the user key generation module, and the certificate Generate the recipient's certificate generated by the module, recovering the plaintext.

进一步的，本发明的一种基于证书代理重加密系统，所述解密模块具体包括密文解密单元和密文有效性验证单元；其中：Further, in the certificate-based proxy re-encryption system of the present invention, the decryption module specifically includes a ciphertext decryption unit and a ciphertext validity verification unit; wherein:

所述密文解密单元用于解密者对密文进行解密，恢复明文；The ciphertext decryption unit is used for the decryptor to decrypt the ciphertext and restore the plaintext;

所述密文有效性验证单元用于解密者对密文的有效性进行验证，进而判断密文解密单元输出的明文是否有效。The ciphertext validity verification unit is used for the decryptor to verify the validity of the ciphertext, and then judge whether the plaintext output by the ciphertext decryption unit is valid.

本发明采用以上技术方案与现有技术相比，具有以下技术效果：Compared with the prior art, the present invention adopts the above technical scheme and has the following technical effects:

本发明将基于证书密码体制和代理重加密体制相结合，提供了一种高效的隐证书机制，即用户的证书仅发送给证书持有人，并与其私钥相结合产生最终的解密密钥，有效克服了已有代理重加密方法中存在的问题，是一种非常适合于开放网络环境中应用的新型代理重加密方法。主要原因如下：The present invention combines the certificate-based encryption system with the proxy re-encryption system to provide an efficient hidden certificate mechanism, that is, the user's certificate is only sent to the certificate holder, and combined with its private key to generate the final decryption key. The method effectively overcomes the problems existing in the existing proxy re-encryption method, and is a novel proxy re-encryption method very suitable for application in an open network environment. The main reasons are as follows:

首先，由于用户仅在获得证书的情况下才能解密当前接收到的密文，因此发送方也就无须在发送加密信息前获取接收方的最新证书状态信息，因此本发明不仅消除了传统代理重加密方法中对证书状态的第三方询问问题，同时也简化了证书的撤销问题。First of all, since the user can decrypt the currently received ciphertext only after obtaining the certificate, the sender does not need to obtain the latest certificate status information of the receiver before sending the encrypted information, so the invention not only eliminates the traditional proxy re-encryption In the method, the third party asks questions about the status of the certificate, and also simplifies the revocation of the certificate.

其次，由于证书中心无法获知用户的私钥，所以该方法解决了基于身份代理重加密方法中固有的密钥托管问题。Second, since the certificate authority cannot know the user's private key, this method solves the inherent key escrow problem in the identity-based proxy re-encryption method.

此外，由于证书只是为了绑定用户公钥与用户身份之间的对应关系，可以公开地发送给用户，所以该方法也有效克服了基于身份代理重加密方法和无证书代理重加密方法中存在的密钥分发问题。In addition, since the certificate is only used to bind the corresponding relationship between the user's public key and the user's identity, it can be sent to the user publicly, so this method also effectively overcomes the problems existing in the identity-based proxy re-encryption method and the certificateless proxy re-encryption method. Key distribution problem.

附图说明Description of drawings

图1是本发明所述的基于证书代理重加密方法的流程图。Fig. 1 is a flow chart of the certificate-based proxy re-encryption method according to the present invention.

图2是依照本发明方法的密码系统执行的操作流程图。Fig. 2 is a flowchart of operations performed by the cryptographic system according to the method of the present invention.

图3是本发明所述的基于证书代理重加密系统的示意图。Fig. 3 is a schematic diagram of a certificate-based proxy re-encryption system according to the present invention.

具体实施方式detailed description

下面结合附图对本发明的技术方案做进一步的详细说明：Below in conjunction with accompanying drawing, technical scheme of the present invention is described in further detail:

本发明所述基于证书代理重加密方法可基于双线性对来实现，下面首先简要介绍双线性对的基本定义和它满足的性质。The certificate-based proxy re-encryption method of the present invention can be realized based on bilinear pairing. The basic definition of bilinear pairing and the properties it satisfies will be briefly introduced below.

设G是一个阶为p的加法循环群，G_T是一个阶为p的乘法循环群，并且P是群G的生成元，其中p是一个大素数。假设G和G_T这两个群上的离散对数问题都是困难问题。如果定义在群G和群G_T上一个映射e:G×G→G_T满足下面的三条性质，则称该映射为有效的双线性对。双线性对e:G×G→G_T是群G与自身的笛卡尔积G×G到群G_T的映射，即双线性对e:G×G→G_T是指函数z=e(P₁,P₂)，其中P₁,P₂∈G为自变量，z∈G_T为因变量。Let G be an additive cyclic group of order p, G _T be a multiplicative cyclic group of order p, and P be a generator of the group G, where p is a large prime number. Assume that the discrete logarithm problem on both groups G and G _T is hard. If a map e:G×G→G _T is defined on the group G and group G _T and satisfies the following three properties, the map is called an effective bilinear pairing. The bilinear pair e:G×G→G _T is the mapping of the Cartesian product G×G of the group G and itself to the group G _T , that is, the bilinear pair e:G×G→G _T refers to the function z=e (P ₁ , P ₂ ), where P ₁ , P ₂ ∈ G is the independent variable, and z ∈ G _T is the dependent variable.

双线性对应满足的三条性质为：The three properties that bilinear correspondences satisfy are:

（1）双线性.对于任意的P₁,P₂∈G和有e(aP₁,bP₂)=e(P₁,P₂)^ab。(1) Bilinear. For any P ₁ , P ₂ ∈ G and There is e(aP ₁ ,bP ₂ )=e(P ₁ ,P ₂ ) ^ab .

（2）非退化性.其中是群G_T的单位元。(2) Non-degenerate. in is the identity element of the group _GT .

（3）可计算性.对于任意的P₁,P₂∈G，存在有效的算法计算e(P₁,P₂)。(3) Computability. For any P ₁ , P ₂ ∈ G, there is an effective algorithm to calculate e(P ₁ , P ₂ ).

其中，大素数p对于离散对数问题而言不低于二进制表示的160比特，而对于大整数分解问题而言不低于二进制表示的1024比特。循环群的概念为：设H为群，如果存在一个元素P∈H使得H={kP|k∈Z}，则称H为加法循环群，称P是H的生成元；如果存在一个元素u∈H使得H={u^k|k∈Z}，则称H为乘法循环群，称u是H的生成元。若H为加法（乘法）循环群且生成元P(u)的阶为n,即n是使得P(u)的幂等于群H的单位元的最小正整数，则称H为n阶加法（乘法）循环群。简单来说，加法循环群是指该循环群的生成元能够以加法运算生成群中的所有元素，而乘法循环群是指该循环群的生成元能够以乘幂的方法生成群中的所有元素。此外，其中Z_p是指整数模素数p的剩余类，即Z_p={0,1,...,p-1}。Among them, the large prime number p is not lower than 160 bits of binary representation for discrete logarithm problems, and not lower than 1024 bits of binary representation for large integer decomposition problems. The concept of a cyclic group is: Let H be a group, if there is an element P∈H such that H={kP|k∈Z}, then H is called an additive cyclic group, and P is called a generator of H; if there is an element u ∈H makes H={u ^k |k∈Z}, then H is called a multiplicative cyclic group, and u is called a generator of H. If H is an additive (multiplicative) cyclic group and the order of the generator P(u) is n, that is, n is the smallest positive integer that makes the power of P(u) equal to the identity element of the group H, then H is called an addition of order n ( multiplication) cyclic group. In simple terms, an additive cyclic group means that the generator of the cyclic group can generate all the elements in the group by addition, while a multiplicative cyclic group means that the generator of the cyclic group can generate all the elements in the group by exponentiation . also, where Z _p refers to the residual class of integers modulo prime p, ie Z _p ={0,1,...,p-1}.

根据以上双线性对的描述，下面结合附图和实现例对本发明提出的基于证书代理重加密方法进行进一步说明，但并不作为对本发明的限定。According to the above bilinear pairing description, the certificate-based proxy re-encryption method proposed in the present invention will be further described below in conjunction with the accompanying drawings and implementation examples, but this is not intended to limit the present invention.

本发明所述方法设计的实体如下：The entity of the method design of the present invention is as follows:

（1）证书中心：负责系统参数生成，即生成系统主密钥和系统公开参数集，以及对系统用户进行验证并签发证书的可信第三方；(1) Certificate Center: responsible for generating system parameters, namely generating system master keys and system public parameter sets, and a trusted third party that verifies system users and issues certificates;

（2）委托方：加密消息的原始接收者，是委托受理方行使解密权的实体；(2) Client: The original recipient of the encrypted message is the entity that entrusts the recipient to exercise the right to decrypt;

（3）受理方：接收委托方的授权，代表委托方行使解密权的实体；(3) Accepting party: the entity that receives the authorization of the entrusting party and exercises the decryption right on behalf of the entrusting party;

（4）代理重加密中心：接收委托方的代理重加密委托，行使将委托方的原始密文转化为重加密密文的半可信第三方；(4) Proxy re-encryption center: accept the entrusting party's proxy re-encryption entrustment, and act as a semi-trusted third party that converts the entrusting party's original ciphertext into re-encrypted ciphertext;

（5）发送者：消息的原始发送实体；(5) Sender: the original sending entity of the message;

（6）接收者：密文的接收实体，可以是委托方，也可以是受理方。(6) Receiver: The receiving entity of the ciphertext, which can be the entrusting party or the accepting party.

参照图附图1和附图2，本发明所述方法的步骤具体描述如下：With reference to accompanying drawing 1 and accompanying drawing 2, the step of the method of the present invention is specifically described as follows:

步骤A，生成系统主密钥和系统公开参数集，具体步骤如下：Step A, generate the system master key and system public parameter set, the specific steps are as follows:

步骤101：根据设定的安全参数k∈Z⁺，选择一个k比特的大素数p，并生成一个p阶加法循环群G和一个p阶乘法循环群G_T，以及定义在群G和群G_T上的双线性对e:G×G→G_T，其中双线性对e:G×G→G_T是群G与自身的笛卡尔积G×G到群G_T的映射。Step 101: According to the set security parameter k∈Z ⁺ , select a k-bit large prime number p, and generate a p-order additive cyclic group G and a p-factorial cyclic group G _T , and define the group G and group G The bilinear pairing e:G×G→G _T on _T , where the bilinear pairing e:G×G→G _T is the mapping from the Cartesian product G×G of the group G and itself to the group G _T .

步骤102：从加法循环群G中选择两个生成元P和Q并随机选择计算Q_pub=αQ，g=e(P,Q)和h=e(Q,Q)，其中集合 Step 102: Select two generators P and Q from the additive cyclic group G and randomly select Calculate Q _pub =αQ, g=e(P,Q) and h=e(Q,Q), where the set

步骤103：定义五个哈希函数H₂:{0,1}ⁿ→{0,1}ⁿ、H₄:G_T×G_T→{0,1}ⁿ以及其中H₁是笛卡尔积{0,1}^*×G×G_T到的密码学哈希函数，H₂是{0,1}ⁿ到{0,1}ⁿ的密码学哈希函数，H₃是{0,1}^*到的密码学哈希函数，H₄是笛卡尔积G_T×G_T到{0,1}ⁿ的密码学哈希函数，H₅是笛卡尔积G_T×G_T到的密码学哈希函数，n表示明文的比特长度，{0,1}^*表示长度不确定的二进制串的集合，{0,1}ⁿ表示长度为n比特的二进制串的集合，{0,1}^*×G×G_T表示{0,1}^*、群G和群G_T的笛卡尔积，G_T×G_T表示群G_T和自身的笛卡尔积。Step 103: Define five hash functions H ₂ : {0,1} ⁿ → {0,1} ⁿ , H ₄ :G _T ×G _T →{0,1} ⁿ and where H1 is the Cartesian product _{ 0,1} ^* ×G×G _T to The cryptographic hash function of H ₂ is the cryptographic hash function of {0,1} ⁿ to {0,1} ⁿ , and H ₃ is {0,1} ^* to H ₄ is the cryptographic hash function of the Cartesian product G _T ×G _T to {0,1} ⁿ , H ₅ is the Cartesian product G _T ×G _T to The cryptographic hash function, n represents the bit length of the plaintext, {0,1} ^* represents the set of binary strings of uncertain length, {0,1} ⁿ represents the set of binary strings of length n bits, {0, 1} ^* ×G×G _T represents the Cartesian product of {0,1} ^* , group G and group G _T , and G _T ×G _T represents the Cartesian product of group G _T and itself.

根据步骤101、步骤102及步骤103的执行结果，从而获得系统公开参数集params={p,G,G_T,e,n,P,Q,Q_pub,g,h,H₁,H₂,H₃,H₄,H₅}和系统主密钥msk=α。According to the execution results of step 101, step 102 and step 103, the system public parameter set params={p,G,G _T ,e,n,P,Q,Q _pub ,g,h,H ₁ ,H ₂ , H ₃ , H ₄ , H ₅ } and system master key msk=α.

步骤B，根据所述系统公开参数集生成用户的公钥和私钥对，具体步骤如下：Step B, generating the user's public key and private key pair according to the system public parameter set, the specific steps are as follows:

步骤104：对于用户身份id_U，在中随机选择一个整数作为其私钥SK_U，即SK_U=x_U。Step 104: For user identity id _U , in Randomly choose an integer from As its private key SK _U , that is, SK _U =x _U .

步骤105：计算并获得用户id_U的公钥 Step 105: Calculate and obtain the public key of user id _U

步骤C，根据所述系统主密钥和系统公开参数集、用户的身份和用户的公钥，生成用户的证书，具体步骤如下：Step C, generating a user's certificate according to the system master key, the system public parameter set, the user's identity and the user's public key, the specific steps are as follows:

步骤106：对于用户身份id_U和公钥PK_U，计算并获得用户id_U的证书Cert_U=(H₁(id_U,PK_U)+α)^-1Q。Step 106: For the user identity id _U and the public key PK _U , calculate and obtain the certificate Cert _U =(H ₁ (id _U ,PK _U )+α) ^-1 Q of the user id _U.

步骤D，根据所述系统公开参数集、待加密的明文以及接收者的身份和公钥，生成原始密文，具体步骤如下：Step D, generating the original ciphertext according to the public parameter set of the system, the plaintext to be encrypted, and the identity and public key of the recipient, the specific steps are as follows:

步骤107：根据接收者的身份id_V和公钥以及待发送的明文M，首先随机选择σ∈{0,1}ⁿ并计算r=H₃(M,σ,id_V,PK_V)；然后依次计算 C₃=rP和C₄=r(H₁(id_V,PK_V)Q+Q_Pub)，从而获得明文M的原始密文C=(C₁,C₂,C₃,C₄)。Step 107: According to the receiver's identity id _V and public key As well as the plaintext M to be sent, first randomly select σ∈{0,1} ⁿ and calculate r=H ₃ (M,σ,id _V ,PK _V ); then calculate C ₃ =rP and C ₄ =r(H ₁ (id _V ,PK _V )Q+Q _Pub ), so as to obtain the original ciphertext C=(C ₁ ,C ₂ ,C ₃ ,C ₄ ) of the plaintext M.

步骤E，根据所述系统公开参数集、委托方的身份、私钥和证书以及受理方的身份和公钥，生成代理重加密密钥，具体步骤如下：Step E, generating a proxy re-encryption key according to the system public parameter set, the client's identity, private key and certificate, and the accepting party's identity and public key, the specific steps are as follows:

步骤108：根据委托方id_U的私钥SK_U和证书Cert_U以及受理方id_V的公钥 ${PK}_{V} = ({PK}_{V}^{(1)}, {PK}_{V}^{(2)}),$ 首先随机选择 $s &Element; Z_{p}^{*}$ 并计算 $t = H_{5} (h^{s}, e {(Q, {PK}_{V}^{(1)})}^{s});$ 然后依次计算 ${PRK}_{U &RightArrow; V}^{(1)} = {SK}_{U} \cdot {PK}_{V}^{(1)}, {PRK}_{U &RightArrow; V}^{(2)} = s (H_{1} ({id}_{V}, {PK}_{V}) Q + Q_{Pub})$ 和 ${PRK}_{U &RightArrow; V}^{(3)} = {tCert}_{U},$ 从而获得代理重加密密钥 ${PRK}_{U &RightArrow; V} = ({PRK}_{U &RightArrow; V}^{(1)}, {PRK}_{U &RightArrow; V}^{(2)}, {PRK}_{U &RightArrow; V}^{(3)}) .$ Step 108: According to the private key SK _U of the entrusting party id _U and the certificate Cert _U and the public key of the accepting party id _V ${PK}_{V} = ({PK}_{V}^{(1)}, {PK}_{V}^{(2)}),$ First choose randomly $the s &Element; Z_{p}^{*}$ and calculate $t = h_{5} (h^{the s}, e {(Q, {PK}_{V}^{(1)})}^{the s});$ and then calculate ${PRK}_{u &Right Arrow; V}^{(1)} = {SK}_{u} &Center Dot; {PK}_{V}^{(1)}, {PRK}_{u &Right Arrow; V}^{(2)} = the s (h_{1} ({id}_{V}, {PK}_{V}) Q + Q_{Pub})$ and ${PRK}_{u &Right Arrow; V}^{(3)} = {tCert}_{u},$ To obtain the proxy re-encryption key ${PRK}_{u &Right Arrow; V} = ({PRK}_{u &Right Arrow; V}^{(1)}, {PRK}_{u &Right Arrow; V}^{(2)}, {PRK}_{u &Right Arrow; V}^{(3)}) .$

步骤F，根据所述系统公开参数集、原始密文以及代理重加密密钥，生成重加密密文，具体步骤如下：Step F, generating re-encrypted ciphertext according to the system public parameter set, original ciphertext and proxy re-encryption key, the specific steps are as follows:

步骤109：根据代理重加密密钥以及以身份id_U和公钥PK_U加密的原始密文C=(C₁,C₂,C₃,C₄)，计算并获得以身份id_V和公钥PK_V加密的代理重加密密文C′=(id_U,C₁′,C₂′,C₃′,C₄′,C₅′)，其中C₁′=C₁，C₂′=C₂， ${C_{4}}^{'} = e (C_{4}, {PRK}_{U &RightArrow; V}^{(3)})$ 以及 ${C_{5}}^{'} = {PRK}_{U &RightArrow; V}^{(2)} .$ Step 109: Re-encrypt the key against the proxy And the original ciphertext C=(C ₁ , C ₂ , C ₃ , C ₄ ) encrypted with identity id _U and public key PK _U , calculate and obtain the proxy re-encrypted ciphertext encrypted with identity id _V and public key PK _V C′=(id _U ,C ₁ ′,C ₂ ′,C ₃ ′,C ₄ ′,C ₅ ′), where C ₁ ′=C ₁ , C ₂ ′=C ₂ , ${C_{4}}^{'} = e (C_{4}, {PRK}_{u &Right Arrow; V}^{(3)})$ as well as ${C_{5}}^{'} = {PRK}_{u &Right Arrow; V}^{(2)} .$

步骤G，根据所述系统公开参数集、待解密的密文（原始密文或重加密密文）以及解密者的私钥和证书，恢复明文，具体步骤如下：Step G, restore the plaintext according to the system public parameter set, the ciphertext to be decrypted (original ciphertext or re-encrypted ciphertext) and the decryptor's private key and certificate, the specific steps are as follows:

当密文C为未经重加密的原始密文，即C=(C₁,C₂,C₃,C₄)时，该解密模块7执行如下步骤：When the ciphertext C is the original ciphertext without re-encryption, that is, C=(C ₁ , C ₂ , C ₃ , C ₄ ), the decryption module 7 performs the following steps:

步骤110：根据解密者id_V的私钥SK_V和证书Cert_V，以及密文C=(C₁,C₂,C₃,C₄)，计算 $σ = C_{2} &CirclePlus; H_{4} (e (C_{4}, {Cert}_{V}), {(C_{3}, Q)}^{{SK}_{V}}),$ 进而计算并获得明文 $M = C_{1} &CirclePlus; H_{2} (σ) .$ Step 110: According to the private key SK _V and the certificate Cert _V of the decryptor id _V , and the ciphertext C=(C ₁ , C ₂ , C ₃ , C ₄ ), calculate $σ = C_{2} &CirclePlus; h_{4} (e (C_{4}, {Cert}_{V}), {(C_{3}, Q)}^{{SK}_{V}}),$ Then calculate and obtain the plaintext $m = C_{1} &CirclePlus; h_{2} (σ) .$

步骤111：计算r=H₃(M,σ,id_V,PK_V)，并判断C₄=r(H₁(id_V,PK_V)Q+Q_Pub)是否成立：若成立，明文M有效；否则，密文无效，解密失败。Step 111: Calculate r=H ₃ (M,σ,id _V ,PK _V ), and judge whether C ₄ =r(H ₁ (id _V ,PK _V )Q+Q _Pub ) is true: if true, the plaintext M is valid ; Otherwise, the ciphertext is invalid and decryption fails.

当密文C为代理重加密密文，即C=(id_U,C₁′,C₂′,C₃′,C₄′,C₅′)时，该解密模块7执行如下步骤：When the ciphertext C is a proxy re-encrypted ciphertext, that is, C=(id _U , C ₁ ′, C ₂ ′, C ₃ ′, C ₄ ′, C ₅ ′), the decryption module 7 performs the following steps:

步骤112：根据代理方id_V的私钥SK_V和证书Cert_V，以及密文C=(id_U,C₁′,C₂′,C₃′,C₄′,C₅′)，依次计算和 $σ = {C_{2}}^{'} &CirclePlus; H_{4} ({({C_{4}}^{'})}^{1 / t}, {({C_{3}}^{'})}^{{1 / SK}_{V}}),$ 进而计算并获得明文 $M = {C_{1}}^{'} &CirclePlus; H_{2} (σ) .$ Step 112: According to the private key SK _V and the certificate Cert _V of the agent id _V , and the ciphertext C=(id _U , C ₁ ′, C ₂ ′, C ₃ ′, C ₄ ′, C ₅ ′), calculate in sequence and $σ = {C_{2}}^{'} &CirclePlus; h_{4} ({({C_{4}}^{'})}^{1 / t}, {({C_{3}}^{'})}^{{1 / SK}_{V}}),$ Then calculate and obtain the plaintext $m = {C_{1}}^{'} &CirclePlus; h_{2} (σ) .$

步骤113：计算r=H₃(M,σ,id_U,PK_U)，并判断和C₄′=h^r是否成立：若成立，明文M有效；否则，密文无效，解密失败。Step 113: Calculate r=H ₃ (M,σ,id _U ,PK _U ), and judge Whether and C ₄ ′=h ^r holds true: if true, the plaintext M is valid; otherwise, the ciphertext is invalid and the decryption fails.

参见附图3，本发明还提供了一种基于证书代理重加密系统，所述系统包括：系统参数生成模块、用户密钥生成模块、证书生成模块、加密模块、代理重加密密钥生成模块、代理重加密模块以及解密模块；Referring to accompanying drawing 3, the present invention also provides a kind of system based on certificate proxy re-encryption, said system includes: system parameter generation module, user key generation module, certificate generation module, encryption module, proxy re-encryption key generation module, Proxy re-encryption module and decryption module;

所述系统参数生成模块用于证书中心根据输入的安全参数生成证书中心的主密钥以及密码系统的公开参数集。The system parameter generating module is used for the certificate center to generate the master key of the certificate center and the public parameter set of the cryptographic system according to the input security parameters.

所述用户密钥生成模块用于系统用户根据系统参数生成模块生成的公开参数集以及用户的身份信息，生成用户的公钥和私钥对。The user key generation module is used for the system user to generate the user's public key and private key pair according to the public parameter set generated by the system parameter generation module and the user's identity information.

所述证书生成模块用于证书中心根据系统参数生成模块生成的主密钥和公开参数集，用户的身份信息以及用户密钥生成模块生成的公钥，生成用户的证书。The certificate generation module is used for the certificate center to generate the user's certificate according to the master key and the public parameter set generated by the system parameter generation module, the user's identity information and the public key generated by the user key generation module.

所述加密模块用于发送者根据系统参数生成模块生成的公开参数集，待加密的明文，接收用户的身份信息以及用户密钥生成模块生成的接收用户的公钥，生成明文的原始密文。The encryption module is used for the sender to generate the original ciphertext of the plaintext according to the public parameter set generated by the system parameter generation module, the plaintext to be encrypted, the identity information of the receiving user and the public key of the receiving user generated by the user key generation module.

所述代理重加密密钥生成模块用于委托方根据系统参数生成模块生成的公开参数集，委托方的身份信息和受理方的身份信息，用户密钥生成模块生成的委托方的私钥和受理方的公钥以及证书生成模块生成的委托方的证书，生成代理重加密密钥。The proxy re-encryption key generation module is used for the public parameter set generated by the client according to the system parameter generation module, the identity information of the client and the identity information of the accepting party, the private key of the client generated by the user key generation module and the acceptance The public key of the party and the certificate of the entrusting party generated by the certificate generation module generate a proxy re-encryption key.

所述代理重加密模块用于代理冲加密中心根据系统参数生成模块生成的公开参数集，加密模块输入的原始密文以及代理重加密密钥生成模块生成的代理重加密密钥，生成重加密密文。The proxy re-encryption module is used to proxy the public parameter set generated by the encryption center according to the system parameter generation module, the original ciphertext input by the encryption module and the proxy re-encryption key generated by the proxy re-encryption key generation module to generate a re-encryption key arts.

所述解密模块用于解密者根据系统参数生成模块生成的公开参数集，加密模块生成的原始密文或代理重加密模块生成的重加密密文，用户密钥生成模块生成的解密者的私钥以及证书生成模块生成的解密者的证书，恢复出明文。The decryption module is used for the decryptor to generate the public parameter set according to the system parameter generation module, the original ciphertext generated by the encryption module or the re-encrypted ciphertext generated by the proxy re-encryption module, and the decryptor's private key generated by the user key generation module And the certificate of the decryptor generated by the certificate generation module, recovering the plaintext.

所述解密模块具体包括密文解密单元和密文有效性验证单元。The decryption module specifically includes a ciphertext decryption unit and a ciphertext validity verification unit.

所述密文解密单元用于解密者对密文进行解密，恢复明文。The ciphertext decryption unit is used for the decryptor to decrypt the ciphertext and recover the plaintext.

以上只是对本发明的优选实施方式进行了描述。对该技术领域的普通技术人员来说，根据以上实施方式可以很容易地联想到其它的优点和变形。因此，本发明并不局限于上述实施方式，其仅仅作为例子对本发明的一种形态进行详细、示范性的说明。在不背离本发明宗旨的范围内，本领域普通技术人员在本发明技术的方案范围内进行的通常变化和替换，都应包含在本发明的保护范围之内。The above is only a description of preferred embodiments of the present invention. For those skilled in the art, other advantages and modifications can be easily ascertained from the above embodiments. Therefore, the present invention is not limited to the above-mentioned embodiment, and it is merely a detailed and exemplary description of one aspect of the present invention as an example. Within the scope of not departing from the purpose of the present invention, ordinary changes and substitutions made by those skilled in the art within the scope of the technical solutions of the present invention shall be included in the protection scope of the present invention.

Claims

1. one kind based on certification agency re-encryption method, it is characterised in that described method comprises the steps of

Step A, generates system master key and the open parameter set of system；

Step B, generates PKI and the private key pair of user according to the identity information of the open parameter set of described system and user, and described user includes sender and recipient；

Step C, according to the open parameter set of described system master key and system, and the respective identity information of sender and recipient, PKI, generate the respective certificate of sender and recipient respectively；

Step D, according to the identity information of the open parameter set of described system, plaintext to be encrypted and recipient and PKI, generates original cipher text；

Step E, according to the open parameter set of described system, the identity information of sender, private key and certificate, and the identity information of recipient and PKI, generate and act on behalf of re-encrypted private key；

Step F, discloses parameter set, original cipher text according to described system and acts on behalf of re-encrypted private key, generates re-encryption ciphertext；

Step G, according to the private key of the open parameter set of described system, ciphertext to be decrypted and recipient and certificate, recovers expressly, and ciphertext to be decrypted includes original cipher text or re-encryption ciphertext.

2. one according to claim 1 is based on certification agency re-encryption method, it is characterised in that described step A detailed process is as follows:

Step 101, certificate center is according to the security parameter k ∈ Z set⁺, select the Big prime p of a k bit, and generate an a p rank addition cyclic group G and p factorial method cyclic group G_T, and definition is at group G and group G_TOn Bilinear map e:G × G → G_T；Wherein: Z⁺It is positive integer, Bilinear map e:G × G → G_TIt is crowd G cartesian product G × G to group G with self_TMapping, i.e. Bilinear map e:G × G → G_TRefer to function z=e (P₁,P₂), wherein P₁,P₂∈ G is independent variable, z ∈ G_TFor dependent variable；

Step 102, selects two from addition cyclic group G and generates unit P and Q and randomly chooseCalculate Q_pub=α Q, g=e (P, Q) and h=e (Q, Q)；Wherein: set

Step 103, defines five hash functionsH₂: { 0,1}ⁿ→ { 0,1}ⁿ、H₄:G_T×G_T→{0,1}ⁿAndWherein H₁It is cartesian product { 0,1}^*×G×G_TArriveCryptographic Hash function, H₂It is { 0,1}ⁿTo { 0,1}ⁿCryptographic Hash function, H₃It is { 0,1}^*ArriveCryptographic Hash function, H₄It is cartesian product G_T×G_TTo { 0,1}ⁿCryptographic Hash function, H₅It is cartesian product G_T×G_TArriveCryptographic Hash function, n represents bit length expressly, { 0,1}^*Represent the set of the uncertain binary string of length, { 0,1}ⁿRepresent the set of the binary string that length is n-bit, { 0,1}^*×G×G_TRepresent { 0,1}^*, group G and group G_TCartesian product, G_T×G_TRepresent group G_TCartesian product with self；

According to step 101 to step 103, the system master key that the central secret that Generates Certificate preserves is msk=α, and the open parameter set of system is params={p, G, G_T,e,n,P,Q,Q_pub,g,h,H₁,H₂,H₃,H₄,H₅}。

3. one according to claim 2 is based on certification agency re-encryption method, it is characterised in that described step B detailed process is as follows:

Identity is id_UUser first existIn randomly choose an integerPrivate key SK as oneself_U, i.e. SK_U=x_U；Then the open parameter set params of system is utilized to generate the PKI of oneself

4. one according to claim 3 is based on certification agency re-encryption method, it is characterised in that the detailed process of described step C is as follows:

Identity is id_UUser by the identity information id of oneself_UWith PKI PK_USubmit to certificate center；Certificate center produces user id_UCertificate Cert_U=(H₁(id_U,PK_U)+α)^-1Q, then by certificate Cert_UBeing sent to identity is id_UUser.

5. one according to claim 4 is based on certification agency re-encryption method, it is characterised in that described step D detailed process is as follows:

Sender uses the identity id of recipient_VAnd PKIEncryption length is the plaintext M of n-bit, and first sender randomly chooses σ ∈ { 0,1}ⁿAnd calculate r=H₃(M,σ,id_V,PK_V)；Then C is calculated respectively₁=M H₂(σ),C₃=rP and C₄=r (H₁(id_V,PK_V)Q+Q_Pub)；Finally by C=(C₁,C₂,C₃,C₄) it is sent to recipient id as the ciphertext of plaintext M_V。

6. one according to claim 5 is based on certification agency re-encryption method, it is characterised in that the detailed process of described step E is as follows:

Sender id_UAccording to recipient id_VPKIFirst randomly chooseAnd calculateThen the private key SK according to use oneself_UWith certificate Cert_UAnd recipient id_VPKICalculateWithFinally willAs acting on behalf of re-encrypted private key.

7. one according to claim 6 is based on certification agency re-encryption method, it is characterised in that the detailed process of described step F is as follows:

According to sender id_UThat submits to acts on behalf of re-encrypted private keyAnd the identity id with sender_UWith PKI PK_UOriginal cipher text C=(the C of encryption₁,C₂,C₃,C₄), put C first respectively₁'=C₁, C₂'=C₂,Then calculateWithFinally by C '=(id_U,C₁′,C₂′,C₃′,C₄′,C₅') it is forwarded to recipient id as acting on behalf of re-encryption ciphertext_V。

8. one according to claim 7 is based on certification agency re-encryption method, it is characterised in that the detailed process of described step G is as follows:

Identity is id_VRecipient use oneself private key SK_VWith certificate Cert_VCiphertext C is deciphered, the type according to ciphertext C, is divided into the following two kinds situation:

If ciphertext C is the original cipher text without re-encryption, i.e. C=(C₁,C₂,C₃,C₄), recipient id_VFirst calculateAnd then calculate and obtain plaintext M=C₁⊕H₂(σ)；Then r=H is calculated₃(M,σ,id_V,PK_V), and judge C₄=r (H₁(id_V,PK_V)Q+Q_Pub) whether set up: if setting up, plaintext M is effective；Otherwise, ciphertext is invalid, deciphers unsuccessfully；

If C is for acting on behalf of re-encryption ciphertext, i.e. C=(id_U,C₁′,C₂′,C₃′,C₄′,C₅'), recipient id_VFirst calculate successivelyWithAnd then calculate and obtain plaintext M=C₁′⊕H₂(σ)；Then r=H is calculated₃(M,σ,id_U,PK_U), and judgeAnd C₄'=h^rWhether set up: if setting up, plaintext M is effective；Otherwise, ciphertext is invalid, deciphers unsuccessfully.

9. one kind based on certification agency re-encryption system, it is characterised in that including:

Systematic parameter generation module, for Generate Certificate according to the security parameter the inputted master key at center and the open parameter set of cryptographic system；

User key generation module, for the open parameter set generated according to systematic parameter generation module, and the identity information of user, generating PKI and the private key pair of user, described user includes sender and recipient；

Certificates constructing module, for the master key generated according to systematic parameter generation module and open parameter set, and the respective identity information of sender and recipient, PKI, generate the respective certificate of sender and recipient respectively；

Encrypting module, for the PKI of the recipient that the open parameter set generated according to systematic parameter generation module, plaintext to be encrypted, the identity information of recipient and user key generation module generate, generates original cipher text expressly；

Act on behalf of re-encrypted private key generation module, the private key of the sender generated for the open parameter set generated according to systematic parameter generation module, the identity information of sender and the identity information of recipient, user key generation module and the PKI of recipient, and the certificate of the sender of certificates constructing module generation, generate and act on behalf of re-encrypted private key；

Act on behalf of re-encryption module, for the original cipher text inputted according to the open parameter set of systematic parameter generation module generation, encrypting module and the re-encrypted private key of acting on behalf of acting on behalf of the generation of re-encrypted private key generation module, generation re-encryption ciphertext；

Deciphering module, the private key of the original cipher text generated for the open parameter set generated according to systematic parameter generation module, encrypting module or the recipient acting on behalf of the re-encryption ciphertext of re-encryption module generation, the generation of user key generation module, and the certificate of the recipient of certificates constructing module generation, recover expressly.

10. one according to claim 9 is based on certification agency re-encryption system, it is characterised in that described deciphering module specifically includes ciphertext decryption unit and ciphertext validation verification unit；Wherein:

Ciphertext is decrypted by described ciphertext decryption unit for deciphering person, recovers expressly；

The effectiveness of ciphertext is verified by described ciphertext validation verification unit for deciphering person, and then judges that whether the plaintext that ciphertext decryption unit exports is effective.