Summary of the invention
The technical problem to be solved by the present invention is to overcome the deficiencies of the prior art by providing an identity-based threshold ring signcryption method that offers better security than schemes designed in the random oracle model.
To solve the above technical problem, the basic design of the technical solution adopted by the present invention is:
An identity-based threshold ring signcryption method, characterized in that it comprises the following steps:
(1) System setup: parameters are chosen at random to generate the system parameters and the corresponding master key, where the system parameters are public. The concrete steps are:
Let $G$ and $G_T$ be cyclic groups of prime order $p$, and let $e: G \times G \to G_T$ be a bilinear map. Two collision-resistant hash functions
and
map an identity ID of arbitrary length and a message $m$ to bit strings of length $n_u$ and $n_m$ respectively;
The trusted third party randomly chooses a parameter $\alpha \in Z_p$ and a generator $g \in G$, and computes $g_1 = g^{\alpha}$. It randomly chooses parameters $g_2, u', m' \in G$, an $n_u$-dimensional vector
and an $n_m$-dimensional vector
where $u_i, m_i \in_R G$. The system parameters are then
and the master key is
(2) Private key extraction: given the system parameters, the master key and a user's identity, the private key for that identity is obtained. The concrete steps are:
Given a user identity ID, the hash function $u = H_u(ID)$ yields a bit string of length $n_u$ representing the user's identity. Let $u[i]$ denote the $i$-th bit of this string, and define $\Phi_{ID}$ as the set of indices whose bit value is 1.
A parameter $r_u \in Z_p$ is chosen at random, and the private key of the user with identity ID is computed as
(3) Signcryption: given the set $L = \{ID_1, \ldots, ID_n\}$ of the $n$ members of the threshold ring signcryption, let the indices of the $t$ actual signcrypters be $\{1, 2, \ldots, t\}$, let $m$ be the message to be signcrypted and $ID_R$ the identity of the signcryption recipient. The concrete signcryption steps are:
Each signcrypter $ID_i$ ($i = 1, \ldots, t$) randomly selects its sub-secret $s_i \in Z_p$ and constructs a polynomial of degree $t-1$ with coefficients in $Z_p$, $f_i(x) = a_{i,0} + a_{i,1}x + \cdots + a_{i,t-1}x^{t-1}$, where $s_i = a_{i,0}$. Signcrypter $ID_i$ then computes the public parameters
and broadcasts them to the other signcrypters;
It computes the secret shares $s_{i,j} = f_i(j)$ for each of the other signcrypters $ID_j$ ($j \neq i$) and sends them to the other signcrypters $ID_j$ ($j = 1, 2, \ldots, t$; $j \neq i$), keeping $s_{i,i} = f_i(i)$ for itself;
After each of the other signcrypters $ID_j$ ($j = 1, 2, \ldots, t$; $j \neq i$) obtains the secret share $s_{i,j}$ from the $i$-th signcrypter $ID_i$, it verifies the share's validity with the following equation:
After confirming that the secret shares are valid, each signcrypter $ID_i$ computes its private secret from the secret shares as
Given the list of ring member identities $L = \{ID_1, \ldots, ID_n\}$, the $t$ signcrypters, the message $m$ to be signcrypted, the private keys of the $t$ signcrypters and the identity $ID_R$ of the ring signcryption recipient, the $(t, n)$ threshold ring signcryption $C$ on the message $m$ is obtained. Here $(t, n)$ means that the threshold ring signcryption has $n$ members in total and $t$ is the threshold: the number of members actually participating in generating the threshold ring signcryption is $\geq t$. The concrete steps are:
Let $m \in G_T$ be the message to be signcrypted. The threshold ring signcrypter randomly chooses $l_1, \ldots, l_n \in Z_p$ and computes
$i = 1, \ldots, n$,
Let
The generated threshold ring signcryption is then $C = (\sigma_1, \ldots, \sigma_5, R_1, \ldots, R_n)$.
(4) Unsigncryption: the message is computed from the threshold ring signcryption and the private key of the ring signcryption recipient $ID_R$, and the resulting message is substituted into the formula
If and only if the equation holds, the threshold ring signcryption is valid and the recovered message is correct; otherwise the threshold ring signcryption is invalid, the recovered message is wrong, and the procedure returns to step (1).
Preferably, after the private secret has been obtained in the signcryption of step (3), the following steps are carried out to obtain the threshold ring signcryption:
For $i \in \{1, 2, \ldots, t\}$, let the private key of each signcrypter $ID_i$ be $(d_{i1}, d_{i2})$. Compute $M = H_m(L, m)$ and let
be the set of indices $k$ for which $M[k] = 1$ in the bit string of the message $m$. Randomly choose $r_i \in Z_p$ and compute the partial threshold ring signcryption
$\sigma_{i6} = d_{i2}$, and send $(\sigma_{i1}, \sigma_{i2}, \sigma_{i3}, \sigma_{i4}, \sigma_{i5}, \sigma_{i6})$ to any one of the $t$ signcrypters, who produces the threshold ring signcryption, where
is the Lagrange coefficient.
Preferably, the concrete unsigncryption steps are as follows:
On receiving the threshold ring signcryption, the recipient first uses its private key to compute the signcrypted message $m = \sigma_1 \, e(d_{R2}, \sigma_3) \, e(d_{R1}, \sigma_2)^{-1}$, then computes the bit string of length $n_m$ for the message with the hash function and defines $M$ as the set of indices whose bit value is 1;
The message is substituted into the formula
If and only if the equation holds, the threshold ring signcryption is valid and the recovered message is correct; otherwise the threshold ring signcryption is invalid and the recovered message is wrong.
With the above technical solution, the present invention has the following beneficial effect compared with the prior art: the method is constructed in the standard model and offers better security than schemes designed in the random oracle model.
Specific embodiments of the invention are described in further detail below with reference to the accompanying drawings.
Embodiment
As shown in Figure 1, an identity-based threshold ring signcryption method comprises the following steps:
S1, System setup: parameters are chosen at random to generate the system parameters and the corresponding master key, where the system parameters are public. The concrete steps are:
Let $G$ and $G_T$ be cyclic groups of prime order $p$, and let $e: G \times G \to G_T$ be a bilinear map. Two collision-resistant hash functions
and
map an identity ID of arbitrary length and a message $m$ to bit strings of length $n_u$ and $n_m$ respectively;
The trusted third party randomly chooses a parameter $\alpha \in Z_p$ and a generator $g \in G$, and computes $g_1 = g^{\alpha}$. It randomly chooses parameters $g_2, u', m' \in G$, an $n_u$-dimensional vector
and an $n_m$-dimensional vector
where $u_i, m_i \in_R G$. The system parameters are then
and the master key is
S2, Private key extraction: given the system parameters, the master key and a user's identity, the private key for that identity is obtained. The concrete steps are:
Given a user identity ID, the hash function $u = H_u(ID)$ yields a bit string of length $n_u$ representing the user's identity. Let $u[i]$ denote the $i$-th bit of this string, and define $\Phi_{ID}$ as the set of indices whose bit value is 1.
A parameter $r_u \in Z_p$ is chosen at random, and the private key of the user with identity ID is computed as
The index set $\Phi_{ID}$ is used here when computing the private key. For $d_1$ in the formula, namely
Here
is an $n_u$-dimensional vector, and $u_i$ is the element that corresponds to an index of the set $\Phi_{ID}$ in
S3, Signcryption: given the set $L = \{ID_1, \ldots, ID_n\}$ of the $n$ members of the threshold ring signcryption, let the indices of the $t$ actual signcrypters be $\{1, 2, \ldots, t\}$, let $m$ be the message to be signcrypted and $ID_R$ the identity of the signcryption recipient. The concrete signcryption steps are:
Each signcrypter $ID_i$ ($i = 1, \ldots, t$) randomly selects its sub-secret $s_i \in Z_p$ and constructs a polynomial of degree $t-1$ with coefficients in $Z_p$, $f_i(x) = a_{i,0} + a_{i,1}x + \cdots + a_{i,t-1}x^{t-1}$, where $s_i = a_{i,0}$. Signcrypter $ID_i$ then computes the public parameters
and broadcasts them to the other signcrypters ($Z_p$ denotes the group of residue classes of integers modulo $p$, a notation in general use in cryptography);
It computes the secret shares $s_{i,j} = f_i(j)$ for each of the other signcrypters $ID_j$ ($j \neq i$) and sends them to the other signcrypters $ID_j$ ($j = 1, 2, \ldots, t$; $j \neq i$), keeping $s_{i,i} = f_i(i)$ for itself;
After signcrypter $ID_j$ ($j = 1, 2, \ldots, t$; $j \neq i$) obtains the secret share $s_{i,j}$ from signcrypter $ID_i$, it verifies the share's validity with the following equation:
After confirming that the secret shares are valid, each signcrypter $ID_i$ computes its private secret from the secret shares as
"Each signcrypter $ID_i$" refers to all the signcrypters that receive secret shares. For example, suppose there are $t$ signcrypters, numbered $1, \ldots, t$ without loss of generality. Signcrypter 1 computes secret shares for the remaining signcrypters; in the same way, each of the remaining signcrypters computes secret shares for the $t-1$ signcrypters other than itself. "Each signcrypter" here therefore means these $t$ signcrypters.
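The sharing round described above, as an added example that is not part of the patent text: each of the t signcrypters deals a polynomial of degree t-1, every received share is checked, and each party sums what it receives. The broadcast parameters, the share-verification equation and the private-secret formula are not reproduced in this text, so the example assumes Feldman-style commitments in a small constructed prime-order group and takes the private secret as the sum of received shares; all function names and the toy parameters are illustrative.

```python
import secrets

# Constructed toy group (assumption): P = 2Q + 1, G generates the order-Q subgroup.
# Exponents live in Z_Q, standing in for the Z_p of the text.
P, Q, G = 2039, 1019, 4

def deal(t, secret=None):
    """Signcrypter i picks f_i of degree t-1 with f_i(0) = s_i; returns
    (coefficients a_{i,k}, commitments g^{a_{i,k}} to broadcast)."""
    s = secrets.randbelow(Q) if secret is None else secret % Q
    coeffs = [s] + [secrets.randbelow(Q) for _ in range(t - 1)]
    return coeffs, [pow(G, a, P) for a in coeffs]

def share(coeffs, j):
    """Secret share s_{i,j} = f_i(j), evaluated by Horner's rule."""
    acc = 0
    for a in reversed(coeffs):
        acc = (acc * j + a) % Q
    return acc

def verify_share(s_ij, j, commitments):
    """Assumed Feldman check: g^{s_ij} == prod_k (g^{a_{i,k}})^(j^k)."""
    rhs = 1
    for k, c in enumerate(commitments):
        rhs = rhs * pow(c, pow(j, k, Q), P) % P
    return pow(G, s_ij, P) == rhs

def lagrange_at_zero(i, indices):
    """Lagrange coefficient of index i over `indices`, evaluated at x = 0."""
    num = den = 1
    for j in indices:
        if j != i:
            num = num * (-j) % Q
            den = den * (i - j) % Q
    return num * pow(den, -1, Q) % Q

def run_sharing(t, sub_secrets=None):
    """Every signcrypter deals; every receiver verifies, then sums its shares."""
    dealt = {i: deal(t, sub_secrets[i - 1] if sub_secrets else None)
             for i in range(1, t + 1)}
    private = {}
    for j in range(1, t + 1):
        total = 0
        for i, (coeffs, comms) in dealt.items():
            s_ij = share(coeffs, j)
            if not verify_share(s_ij, j, comms):
                raise ValueError(f"bad share from signcrypter {i} to {j}")
            total = (total + s_ij) % Q
        private[j] = total  # assumed private secret: x_j = sum_i s_{i,j}
    joint = sum(coeffs[0] for coeffs, _ in dealt.values()) % Q
    return dealt, private, joint

def reconstruct(private):
    """Interpolate the joint secret sum_i s_i from the t private secrets."""
    idx = list(private)
    return sum(private[i] * lagrange_at_zero(i, idx) for i in idx) % Q
```

The Lagrange coefficients at zero are what let the t private secrets combine to the sum of the sub-secrets without any party revealing its own polynomial.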
Given the list of ring member identities $L = \{ID_1, \ldots, ID_n\}$, the $t$ signcrypters, the message $m$ to be signcrypted, the private keys of the $t$ signcrypters and the identity $ID_R$ of the ring signcryption recipient, the $(t, n)$ threshold ring signcryption $C$ on the message $m$ is obtained. Here $(t, n)$ means that the threshold ring signcryption has $n$ members in total and $t$ is the threshold: the number of members actually participating in generating the threshold ring signcryption is $\geq t$. This notation is used whenever a threshold is expressed. The concrete steps are:
Let $m \in G_T$ be the message to be signcrypted. The threshold ring signcrypter randomly chooses $l_1, \ldots, l_n \in Z_p$ and computes
$i = 1, \ldots, n$,
Let
The generated threshold ring signcryption is then $C = (\sigma_1, \ldots, \sigma_5, R_1, \ldots, R_n)$;
S4, Unsigncryption: the message is computed from the threshold ring signcryption and the private key of the ring signcryption recipient $ID_R$, and the resulting message is substituted into the formula
If and only if the equation holds, the threshold ring signcryption is valid and the recovered message is correct; otherwise the threshold ring signcryption is invalid and the recovered message is wrong.
Preferably, after the private secret has been obtained in the signcryption of step S3, the following steps are carried out to obtain the threshold ring signcryption:
For $i \in \{1, 2, \ldots, t\}$, let the private key of each signcrypter $ID_i$ be $(d_{i1}, d_{i2})$. Compute $M = H_m(L, m)$ and let
be the set of indices $k$ for which $M[k] = 1$ in the bit string of the message $m$. Randomly choose $r_i \in Z_p$ and compute the partial threshold ring signcryption
$\sigma_{i6} = d_{i2}$, and send $(\sigma_{i1}, \sigma_{i2}, \sigma_{i3}, \sigma_{i4}, \sigma_{i5}, \sigma_{i6})$ to any one of the $t$ signcrypters, who produces the threshold ring signcryption, where
is the Lagrange coefficient.
Preferably, the concrete unsigncryption steps are as follows:
On receiving the threshold ring signcryption, the recipient first uses its private key to compute the signcrypted message $m = \sigma_1 \, e(d_{R2}, \sigma_3) \, e(d_{R1}, \sigma_2)^{-1}$, then computes the bit string of length $n_m$ for the message with the hash function and defines $M$ as the set of indices whose bit value is 1;
The message is substituted into the formula
If and only if the equation holds, the threshold ring signcryption is valid and the recovered message is correct; otherwise the threshold ring signcryption is invalid and the recovered message is wrong.
The set $M$ is used here in the verification. For
Here
is an $n_m$-dimensional vector, and $m_i$ is the element that corresponds to an index of the set $M$ in
The indistinguishability security proof of the present invention is shown in Figure 2. The concrete steps are:
1. Suppose an adversary A can attack this scheme with non-negligible advantage; then an algorithm B can be constructed that uses A to solve the DBDH problem. B is given an instance $(g, g^a, g^b, g^c, h)$ of the DBDH problem, and its goal is to decide whether $h = e(g, g)^{abc}$. B plays the role of A's challenger.
2. Algorithm B sets $l_u = 2(q_e + q_s)$ and $l_m = 2q_s$, where $q_e$ is the number of A's private key queries and $q_s$ is the number of A's signcryption queries. It randomly selects $k_u$ and $k_m$ satisfying $0 \le k_u \le n_u$ and $0 \le k_m \le n_m$, and assumes $l_u(n_u + 1) < p$ and $l_m(n_m + 1) < p$. B selects
and a vector $X = (x_i)$ of length $n_u$, where
It selects
and a vector $Z = (z_k)$ of length $n_m$, where
Finally B selects $y', w' \in_R Z_p$, a vector $Y = (y_i)$ of length $n_u$ and a vector $W = (w_i)$ of length $n_m$, where $y_i, w_i \in_R Z_p$. For the identity ID of a member of $L$ and the message $m$, with bit strings $u = H_u(ID)$ and $M = H_m(L, m)$, the following functions are defined:
Algorithm B constructs the public parameters of the scheme of the present invention as follows:
$g_1 = g^a$, $g_2 = g^b$
$1 \le i \le n_u$
$1 \le i \le n_u$
Algorithm B then sends the public parameters to the adversary A.
3. In the first phase, when the adversary A issues a number of queries, algorithm B responds as follows:
(1) Private key query: when A queries the private key of an identity ID, although B does not know the master key, B can still construct the private key $d_{ID}$ provided that $F(ID) \neq 0 \bmod p$. B chooses an arbitrary $r_u \in Z_p$ and computes:
If $F(ID) = 0 \bmod p$, the above computation cannot be carried out and B aborts with failure.
(2) Signcryption query: when A queries the threshold ring signcryption for ring member identities $L = \{ID_1, \ldots, ID_n\}$, threshold $t$ ($t < n$), message $m$, actual signcrypters $ID_i$ ($i = 1, \ldots, t$) and ring signcryption recipient $ID_R$, algorithm B first computes $M = H_m(L, m)$ and then outputs the threshold ring signcryption by the following steps:
1. Algorithm B randomly selects $s, a_0, a_1, \ldots, a_{t-1} \in Z_p$ and constructs a polynomial of degree $t-1$, $f(x) = a_0 + a_1 x + \cdots + a_{t-1}x^{t-1}$, where $s = a_0$.
2. Suppose the actual signcrypters $ID_i$ ($i = 1, \ldots, t$) satisfy $F(ID_i) \neq 0 \bmod p$. Algorithm B then constructs their private keys by the method used for private key queries, computes the private secret $x_i = f(i)$ of each signcrypter $ID_i$ ($i = 1, \ldots, t$), and uses the signcryption algorithm to generate the corresponding threshold ring signcryption $C$.
3. If the condition $F(ID_i) \neq 0 \bmod p$, $i = 1, \ldots, t$, does not hold, algorithm B can still construct the threshold ring signcryption in the same way a private key is constructed in a private key query. Assuming $K(M) \neq 0 \bmod p$, algorithm B randomly selects $r, r_1, \ldots, r_n, r_m \in Z_p$ and computes:
$\sigma_1 = e(g_1, g_2)^{r}\, m$, $\sigma_2 = g^{r}$,
where
If $K(M) = 0 \bmod p$, the above computation cannot be carried out and B aborts with failure.
(3) Unsigncryption query: when A issues an unsigncryption query on a ciphertext $C$ under the ring member list $L$ and ring signcryption recipient identity $ID_R$, algorithm B first runs the private key extraction algorithm to obtain the private key of $ID_R$
It then runs the unsigncryption algorithm; if $C$ is a valid ciphertext it outputs $m$, otherwise it outputs false.
4. In the challenge phase, the adversary A picks two messages $m_0, m_1$ of equal length and sends them, together with the ring member list
and the ring signcryption recipient identity
to algorithm B. If in the first phase A has queried the private key of
then B aborts with failure. B picks an arbitrary $b \in \{0, 1\}$; if $K(M_b) \neq 0 \bmod p$,
then B aborts with failure. If $L^*$ does not contain $t$ identities $ID^*$ satisfying $F(ID^*) \neq 0 \bmod p$, B aborts with failure; otherwise, for convenience of description, let these $t$ identities be
B randomly chooses $r, r_1, \ldots, r_n, r_m \in Z_p$ and constructs as follows:
where $i = 1, \ldots, t$. If $h = e(g, g)^{abc}$, then $C^*$ is a valid threshold ring signcryption.
5. In the second phase, the adversary A may issue a number of private key queries, signcryption queries and decryption queries, but, as in phase 1, A may not query the private key of
or issue an unsigncryption query on $C^*$.
6. In the guess phase, the adversary A outputs a guess $b'$ for $b$. If $b = b'$, B outputs 1, taking $h = e(g, g)^{abc}$ as the solution of the DBDH problem; otherwise B outputs 0 and the game stops.
Therefore, if there exists an adversary that can mount a CCA2 attack with non-negligible probability, there exists an efficient algorithm that solves the DBDH problem with non-negligible probability. This contradicts the hardness of the DBDH problem, so the scheme is IND-IDTRSC-CCA2 secure.
The existential unforgeability security proof of the present invention is shown in Figure 3. The concrete steps are:
1. Suppose a forger A can attack this scheme with non-negligible advantage; then an algorithm B can be constructed that uses A to solve the CDH problem. B is given an instance $(g, g^a, g^b)$ of the CDH problem, and its goal is to compute $g^{ab}$. B plays the role of A's challenger.
2. Algorithm B constructs the same public system parameters as in the preceding proof and sends them to the adversary A.
3. The adversary A may adaptively issue a number of private key queries, signcryption queries and unsigncryption queries, as in the preceding proof.
4. In the forgery phase, the adversary A outputs a forged threshold ring signcryption $C^*$ under the ring member list
threshold $t$, message $m^*$ and ring signcryption recipient identity
If algorithm B has not aborted with failure during the whole process, it checks whether the following conditions hold:
1.
holds for all $i \in \{1, \ldots, n\}$;
2. $K(M^*) = 0 \bmod p$, where $M^* = H_m(L, m^*)$.
If the above conditions do not hold simultaneously, algorithm B aborts with failure; otherwise B can compute
which is the solution of the CDH problem.
Therefore, if there exists an adversary that can forge a valid threshold ring signcryption with non-negligible probability, there exists an algorithm that solves the CDH problem with non-negligible probability. This contradicts the hardness of the CDH problem, so the scheme is EUF-IDTRSC-CMIA secure.
In summary, the present invention realizes a new approach and a new method for constructing an identity-based threshold ring signcryption scheme in the standard model, and the security and reliability of the scheme are demonstrated by concrete security proofs. The realization of this method has not only theoretical significance but also practical significance.
The present invention is therefore constructed in the standard model, and the method has been demonstrated through proof to have indistinguishability and unforgeability, so it offers better security than schemes designed in the random oracle model.
The above is only a preferred embodiment of the present invention. It should be noted that those of ordinary skill in the art may make improvements and refinements without departing from the principle of the invention, and such improvements and refinements shall also be regarded as falling within the scope of protection of the present invention.