CN115296792A - An Identity-Based Signcryption Method for Protecting Keys - Google Patents

Abstract

The invention discloses an identity-based signcryption method for protecting a secret key, which is characterized in that two credible assistors are arranged, the two assistors alternately help a sender and a receiver to generate an initial private key and a public key and update the private key at the starting point of each time period, the sender generates a signcryption ciphertext, and the receiver generates a plaintext by using a signcryption algorithm and performs signature verification. The invention sets two independent and physically safe credible assistors for the sender and the receiver respectively, and the two assistors help the sender and the receiver to generate the initial private key of the cryptosystem by using the secret value selected by the sender and the receiver, thereby avoiding the problem of identity revocation and realizing the function of resisting key leakage; the invention utilizes two assistors to alternately and respectively update the real-time private keys of the sender and the receiver in different time periods, thereby on one hand, allowing frequent real-time private key update, and on the other hand, reducing the secret key leakage probability of the assistors.

Description

An Identity-Based Signcryption Method for Key Protection

technical field

The invention relates to information security, in particular to an identity-based signcryption method for key protection.

Background technique

Cryptography is the underlying supporting technology of information security and the core of authentication and access control. Secrecy and authentication are two important security goals in cryptography. In the public key cryptosystem, the encryption and decryption schemes are the two most basic schemes, which are used to provide two security goals of message confidentiality and message authentication respectively. In some applications, such as e-mail, e-commerce, etc., it is necessary to achieve these two security goals at the same time. The signcryption cryptosystem can simultaneously complete the dual functions of encryption and signature in one logical step, and the amount of computation and data is less than the sum of the two. The sender generates signcrypted ciphertext through signcrypt calculation. The receiver generates plaintext and verifies the signature by decrypting the signcryption calculation.

The closest existing technology to this method is the identity-based key isolation signcryption method proposed in the document "Identity-Based Key-InsulatedSigncryption.Informatica, 23(1):27-45.", which is provably safe. This method is suitable for application scenarios where the private keys of the sender and receiver need to be protected. The main steps of the method are: first, generate public system parameters and system master key; second, generate the initial private key of the sender and receiver and a facilitator key; third, generate the sender and receiver’s Real-time private key update information; Fourth, generate real-time private keys of the sender and receiver; Fifth, the sender generates a signed ciphertext; Sixth, the receiver generates a ciphertext and verifies the signature using the decryption signcryption algorithm. In this method, the private keys of the sender and the receiver are updated every time segment, thereby enhancing the system's ability to defend against private key leaks. However, there are some defects in this method. This method cannot be used in the application scenario where the facilitator key is leaked, so it cannot solve the problem of private key protection in this application scenario.

Contents of the invention

Purpose of the invention: The purpose of the invention is to provide an identity-based signcryption method for key protection, so as to solve the problem of private key protection in application scenarios where encryption and signature are implemented within one logical step.

Technical solution: The identity-based signcryption method for protecting keys according to the present invention is based on the principle that two facilitator keys are set, and the two facilitators generate real-time private key update information at the starting point of each time period and update The real-time private key is updated to generate the real-time private key of the sender and receiver. The sender uses the signcryption algorithm to generate ciphertext, and the receiver uses the decryption signcryption algorithm to generate plaintext and verify the signature. The method comprises the steps of:

(1) Establish system parameters:

表示Z_p\{0}；选取二个哈希函数H_u:{0,1}^*→{0,1}^nu，H_v:{0,1}^nm→{0,1}^nv，此处nu、 nm和nv均为安全参数；设身份为一个长度为nu的位串，设消息为一个长度为 nm的位串；定义一个双射V:Γ→G₂，这里V^-1表示它的逆映射，Γ为{0,1}^nu+nm+nv的具有p个元素的子集；选取一个伪随机函数F：给定一个κ比特的输入参数x 和一个κ比特的种子，函数F将输出一个κ比特长的随机字符串F_s(x)；随机选择整数α∈Z_p，随机选择整数g₂∈G₁，设定g₁＝g^α，设定Y＝e(g₁,g₂)；随机选择u′∈G₁，当i＝1,...,nu,随机选择u_i∈G₁，设定nu维向量

随机选择m′∈G₁，当i＝ 1,...,nv,随机选择m_i∈G₁，设定nv维向量

设定主私钥

设定系统公开参数为

Both G ₁ and G ₂ are multiplicative groups whose order is a prime number p, and g is the generator of G ₁ ; G ₂ is a multiplicative cyclic group whose order is q, and e:G ₁ ×G ₁ →G ₂ is a bilinear property mapping; Z _p represents the set {0,1,2,...,p-1}, with

represents Z _p \{0}; select two hash functions H _u :{0,1} ^* →{0,1} ^nu , H _v :{0,1} ^nm →{0,1} ^nv , where nu, nm and nv are security parameters; let identity be a bit string with length nu, let message be a bit string with length nm; define a bijection V:Γ→G ₂ , where V ^-1 represents its Inverse mapping, Γ is a subset of {0,1} ^nu+nm+nv with p elements; choose a pseudorandom function F: Given a κ-bit input parameter x and a κ-bit seed, the function F will Output a random character string F _s (x) of κ bit length; randomly select an integer α∈Z _p , randomly select an integer g ₂ ∈G ₁ , set g ₁ =g ^α , set Y=e(g ₁ ,g ₂ ); randomly select u′∈G ₁ , when i=1,...,nu, randomly select u _i ∈G ₁ , set nu-dimensional vector

Randomly select m′∈G ₁ , when i=1,...,nv, randomly select m _i ∈G ₁ , set nv-dimensional vector

Set the master private key

Set the system public parameters to

(2) Private key extraction:

为使得u[i]＝1的下标i的集合；设w_u,-1为H_u(u||-1)的输出，并设w_u,-1[i]为w_u,-1的第i位；设w_u,0为H_u(u||0)的输出，并设w_u,0[i]为w_u,0的第i位；定义

为使得w_u,-1[i]＝1的下标i的集合；定义

为使得w_u,0[i]＝1的下标i的集合；随机选取二个协助器密钥HK_u,1，HK_u,0∈{0,1}^κ并计算

随机选取

计算身份u的初始私钥

(2.1) Let u be a bit string representing an identity with a length of nu; let u[i] be the i-th bit of u; define

For the set of subscript i such that u[i]=1; let w _u,-1 be the output of H _u (u||-1), and let w _u,-1 [i] be w _u,-1 the i-th bit of ; let w _u,0 be the output of H _u (u||0), and let w _u,0 [i] be the i-th bit of w _u,0 ; define

be the set of subscript i such that w _u,-1 [i]=1; define

To set w _u,0 [i]=1 subscript i; randomly select two helper keys HK _u,1 , HK _u,0 ∈{0,1} ^κ and calculate

choose randomly

Compute the initial private key of identity u

(2.2) The sender's facilitator key and initial private key are HK _a,1 , HK _a,0 and

(2.3) The recipient’s facilitator key and initial private key are HK _b,1 , HK _b,0 and

(3) Generate the real-time assistant update information of the sender and receiver at time slice t:

为使得w_u,t[i]＝1的下标i的集合；同样设w_u,t-2为H_u(u||t-2)的输出，并设w_u,t-2[i] 为w_u,t-2的第i位，定义

为使得w_u,t-2[i]＝1的下标i的集合；计算

和

为了构建将用户u的时间片段t的临时私钥更新信息UI_u,t，计算：(3.1) Let w _u,t be the output of H _u (u||t), and let w _u,t [i] be the i-th bit of w _u,t , define

In order to make w _u,t [i]=1 set of subscript i; also set w _u,t-2 as the output of H _u (u||t-2), and set w _u,t-2 [i ] is the i-th bit of w _u,t-2 , define

For the set of subscript i such that w _u,t-2 [i]=1; calculate

and

In order to construct the update information UI _u,t of the temporary private key of user u for time segment t, calculate:

(3.2) The temporary private key update information for the time segment t of the sender and the receiver are respectively:

(4) Generate the real-time private keys of the sender and receiver in time slice t:

将时间片段t的临时私钥更新信息分解为

为了构建用户u在时间片段t的临时私钥d_u,t，用户u计算：Decompose the temporary private key of user u at time segment t-1 as

Decompose the temporary private key update information of time segment t into

To construct the temporary private key d _u,t of user u at time segment t, user u computes:

For any identity u and any time segment t, the temporary private key d _u,t has the following form:

Similarly, the temporary private keys of the sender and receiver at time segment t are:

(5) Sign encryption:

For message m, sender A performs signcryption as follows:

Sender A decomposes his ephemeral private key into

随机选取r∈{0,1}^nv使得a||m||r∈ΓRandomly select r _m , r′ _t-1 ,

Randomly select r∈{0,1} ^nv such that a||m||r∈Γ

为使得从H_v(m)的第j位不同于r的第j位的下标j的集合，即

make

In order to make the j-th bit of H _v (m) different from the set of subscript j of the j-th bit of r, that is

calculate:

Let r _t-1 =r′ _t-1 +k _a,t-1 , r _t =r′ _t +k _a,t ,

Sender A outputs a ciphertext:

and send it to receiver B;

(6) Sign decryption:

Receiver B decomposes the received ciphertext (t,σ) into (t,(σ ^<1> ,σ ^<2> ,σ ^<3> ,σ ^<4> ,σ ^<5> ,σ ^<6> , σ ^<7> ,σ ^<8> ,σ ^<9> )); receiver B decomposes his temporary private key into

calculate

generate

If the following equation is true, then output the message m, otherwise output "signcryption decryption failed";

A computer storage medium, on which a computer program is stored, and when the computer program is executed by a processor, the above-mentioned identity-based signcryption method for protecting keys is implemented.

A computer device, comprising a memory, a processor, and a computer program stored on the memory and operable on the processor, when the processor executes the computer program, the above-mentioned identity-based signature for protecting a key is realized. encryption method.

Beneficial effect: compared with the prior art, the present invention has the following advantages:

1. Set up two independent and physically secure trusted facilitators for the sender and the receiver, and these two facilitators help the sender and the receiver generate the initial private key of the cryptographic system when using the secret value they choose , which avoids the problem of revocation of identity and realizes the function of anti-key disclosure;

2. The cryptographic system uses two facilitators to update the real-time private keys of the sender and the receiver alternately in different time periods. On the one hand, it allows frequent real-time private key updates, and on the other hand, it can reduce the facilitator key. Leakage probability;

3. The sender implements encryption and signature in one logical step, which reduces the total calculation and communication costs for encrypting and signing messages.

Description of drawings

Fig. 1 is a flow chart of steps of the present invention.

Detailed ways

The technical solution of the present invention will be further described below in conjunction with the accompanying drawings.

As shown in Figure 1, an identity-based signcryption method for protecting keys includes the following steps:

(1) Establish system parameters:

表示Z_p\{0}；选取二个哈希函数H_u:{0,1}^*→{0,1}^nu，H_v:{0,1}^nm→{0,1}^nv，此处nu、 nm和nv均为安全参数；设身份为一个长度为nu的位串，设消息为一个长度为 nm的位串；定义一个双射V:Γ→G₂，这里V^-1表示它的逆映射，Γ为{0,1}^nu+nm+nv的具有p个元素的子集；选取一个伪随机函数F：给定一个κ比特的输入参数x 和一个κ比特的种子，函数F将输出一个κ比特长的随机字符串F_s(x)；随机选择整数α∈Z_p，随机选择整数g₂∈G₁，设定g₁＝g^α，设定Y＝e(g₁,g₂)；随机选择u′∈G₁，当i＝1,...,nu,随机选择u_i∈G₁，设定nu维向量

随机选择m′∈G₁，当i＝1,...,nv,随机选择m_i∈G₁，设定nv维向量

设定主私钥

设定系统公开参数为

Both G ₁ and G ₂ are multiplicative groups whose order is a prime number p, and g is the generator of G ₁ ; G ₂ is a multiplicative cyclic group whose order is q, and e:G ₁ ×G ₁ →G ₂ is a bilinear property mapping; Z _p represents the set {0,1,2,...,p-1}, with

represents Z _p \{0}; select two hash functions H _u :{0,1} ^* →{0,1} ^nu , H _v :{0,1} ^nm →{0,1} ^nv , where nu, nm and nv are security parameters; let identity be a bit string with length nu, let message be a bit string with length nm; define a bijection V:Γ→G ₂ , where V ^-1 represents its Inverse mapping, Γ is a subset of {0,1} ^nu+nm+nv with p elements; choose a pseudorandom function F: Given a κ-bit input parameter x and a κ-bit seed, the function F will Output a random character string F _s (x) of κ bit length; randomly select an integer α∈Z _p , randomly select an integer g ₂ ∈G ₁ , set g ₁ =g ^α , set Y=e(g ₁ ,g ₂ ); randomly select u′∈G ₁ , when i=1,...,nu, randomly select u _i ∈G ₁ , set nu-dimensional vector

Randomly select m′∈G ₁ , when i=1,...,nv, randomly select m _i ∈G ₁ , set nv-dimensional vector

Set the master private key

Set the system public parameters to

(2) Private key extraction:

为使得u[i]＝1的下标i的集合；设w_u,-1为H_u(u||-1)的输出，并设w_u,-1[i]为w_u,-1的第i位；设w_u,0为H_u(u||0)的输出，并设w_u,0[i]为w_u,0的第i位；定义

为使得w_u,-1[i]＝1的下标i的集合；定义

为使得w_u,0[i]＝1的下标i的集合；随机选取二个协助器密钥HK_u,1，HK_u,0∈{0,1}^κ并计算

随机选取

计算身份u的初始私钥

(2.1) Let u be a bit string representing an identity with a length of nu; let u[i] be the i-th bit of u; define

For the set of subscript i such that u[i]=1; let w _u,-1 be the output of H _u (u||-1), and let w _u,-1 [i] be w _u,-1 the i-th bit of ; let w _u,0 be the output of H _u (u||0), and let w _u,0 [i] be the i-th bit of w _u,0 ; define

be the set of subscript i such that w _u,-1 [i]=1; define

To set w _u,0 [i]=1 subscript i; randomly select two helper keys HK _u,1 , HK _u,0 ∈{0,1} ^κ and calculate

choose randomly

Compute the initial private key of identity u

(2.2) The sender's facilitator key and initial private key are HK _a,1 , HK _a,0 and

(2.3) The recipient’s facilitator key and initial private key are HK _b,1 , HK _b,0 and

(3) Generate the real-time assistant update information of the sender and receiver at time slice t:

为使得w_u,t[i]＝1的下标i的集合；同样设w_u,t-2为H_u(u||t-2)的输出，并设w_u,t-2[i] 为w_u,t-2的第i位，定义

为使得w_u,t-2[i]＝1的下标i的集合；计算

和

为了构建将用户u的时间片段t的临时私钥更新信息UI_u,t，计算：(3.1) Let w _u,t be the output of H _u (u||t), and let w _u,t [i] be the i-th bit of w _u,t , define

In order to make w _u,t [i]=1 set of subscript i; also set w _u,t-2 as the output of H _u (u||t-2), and set w _u,t-2 [i ] is the i-th bit of w _u,t-2 , define

For the set of subscript i such that w _u,t-2 [i]=1; calculate

and

In order to construct the update information UI _u,t of the temporary private key of user u for time segment t, calculate:

(3.2) The temporary private key update information for the time segment t of the sender and the receiver are respectively:

(4) Generate the real-time private keys of the sender and receiver in time slice t:

将时间片段t的临时私钥更新信息分解为

为了构建用户u在时间片段t的临时私钥d_u,t，用户u计算：Decompose the temporary private key of user u at time segment t-1 as

Decompose the temporary private key update information of time segment t into

To construct the temporary private key d _u,t of user u at time segment t, user u computes:

For any identity u and any time segment t, the temporary private key d _u,t has the following form:

Similarly, the temporary private keys of the sender and receiver at time segment t are:

(5) Sign encryption:

For message m, sender A performs signcryption as follows:

Sender A decomposes his ephemeral private key into

随机选取r∈{0,1}^nv使得a||m||r∈ΓRandomly select r _m , r′ _t-1 ,

Randomly select r∈{0,1} ^nv such that a||m||r∈Γ

为使得从H_v(m)的第j位不同于r的第j位的下标j的集合，即

make

In order to make the j-th bit of H _v (m) different from the set of subscript j of the j-th bit of r, that is

calculate:

Let r _t-1 =r′ _t-1 +k _a,t-1 , r _t =r′ _t +k _a,t ,

Sender A outputs a ciphertext:

and send it to receiver B;

(6) Sign decryption:

Receiver B decomposes the received ciphertext (t,σ) into (t,(σ ^<1> ,σ ^<2> ,σ ^<3> ,σ ^<4> ,σ ^<5> ,σ ^<6> , σ ^<7> ,σ ^<8> ,σ ^<9> )); receiver B decomposes his temporary private key into

calculate

generate

If the following equation is true, then output the message m, otherwise output "signcryption decryption failed";

Claims (3)

1. An identity-based signcryption method for protecting keys, comprising the following steps: (1) Establish system parameters: Both G ₁ and G ₂ are multiplicative groups whose order is a prime number p, and g is the generator of G ₁ ; G ₂ is a multiplicative cyclic group whose order is q, and e:G ₁ ×G ₁ →G ₂ is a bilinear property mapping; Z _p represents the set {0,1,2,...,p-1}, with

represents Z _p \{0}; select two hash functions H _u :{0,1} ^* →{0,1} ^nu , H _v :{0,1} ^nm →{0,1} ^nv , where nu, nm and nv are security parameters; let the identity be a bit string of length nu, let the message be a bit string of length nm; define a bijection V:Γ→G ₂ , where V ^-1 represents its Inverse mapping, Γ is a subset of {0,1} ^nu+nm+nv with p elements; choose a pseudorandom function F: Given a κ-bit input parameter x and a κ-bit seed, the function F will Output a random character string F _s (x) of κ bit length; randomly select an integer α∈Z _p , randomly select an integer g ₂ ∈G ₁ , set g ₁ =g ^α , set Y=e(g ₁ ,g ₂ ); randomly select u′∈G ₁ , when i=1,...,nu, randomly select u _i ∈G ₁ , set nu-dimensional vector

Randomly select m′∈G ₁ , when i=1,...,nv, randomly select m _i ∈G ₁ , set nv-dimensional vector

Set the master private key

Set the system public parameters to

(2) Private key extraction: (2.1) Let u be a bit string representing an identity with a length of nu; let u[i] be the i-th bit of u; define

For the set of subscript i such that u[i]=1; let w _u,-1 be the output of H _u (u||-1), and let w _u,-1 [i] be w _u,-1 the i-th bit of ; let w _u,0 be the output of H _u (u||0), and let w _u,0 [i] be the i-th bit of w _u,0 ; define

be the set of subscript i such that w _u,-1 [i]=1; define

To set w _u,0 [i]=1 subscript i; randomly select two helper keys HK _u,1 , HK _u,0 ∈{0,1} ^κ and calculate

choose randomly

Compute the initial private key of identity u

(2.2) The sender's facilitator key and initial private key are HK _a,1 , HK _a,0 and

(2.3) The recipient’s facilitator key and initial private key are HK _b,1 , HK _b,0 and

(3) Generate the real-time assistant update information of the sender and receiver at time slice t: (3.1) Let w _u,t be the output of H _u (u||t), and let w _u,t [i] be the i-th bit of w _u,t , define

In order to make w _u,t [i]=1 set of subscript i; also set w _u,t-2 as the output of H _u (u||t-2), and set w _u,t-2 [i ] is the i-th bit of w _u,t-2 , define

For the set of subscript i such that w _u,t-2 [i]=1; calculate

and

In order to construct the update information UI _u,t of the temporary private key of user u for time segment t, calculate:

(3.2) The temporary private key update information for the time segment t of the sender and the receiver are respectively:

(4) Generate the real-time private keys of the sender and receiver in time slice t: Decompose the temporary private key of user u at time segment t-1 as

Decompose the temporary private key update information of time segment t into

To construct the temporary private key d _u,t of user u at time segment t, user u computes:

For any identity u and any time segment t, the temporary private key d _u,t has the following form:

Similarly, the temporary private keys of the sender and receiver at time segment t are:

(5) Sign encryption: For message m, sender A performs signcryption as follows: Sender A decomposes his ephemeral private key into

choose randomly

Randomly select r∈{0,1} ^nv such that a||m||r∈Γ make

In order to make the j-th bit of H _v (m) different from the set of subscript j of the j-th bit of r, that is

calculate:

Let r _t-1 =r′ _t-1 +k _a,t-1 , r _t =r _t ′+k _a,t ,

Sender A outputs a ciphertext:

and send it to receiver B; (6) Sign decryption: Receiver B decomposes the received ciphertext (t, σ) into

Receiver B decomposes his ephemeral private key into

calculate

generate

If the following equation is true, then output the message m, otherwise output "signcryption decryption failed";

2. A computer storage medium, on which a computer program is stored, characterized in that, when the computer program is executed by a processor, the identity-based authentication of a protection key according to any one of claims 1-5 is realized. Signcryption method. 3. A computer device, comprising a memory, a processor, and a computer program stored on the memory and operable on the processor, characterized in that, when the processor executes the computer program, it realizes claims 1-5 An identity-based signcryption method for protecting keys according to any one of the above.

Images