CN102694654A - Identity-based threshold ring signcryption method - Google Patents

Abstract

An identity-based threshold ring signcryption method includes (1) system setup (2) private key extraction (3) signcryption and (4) de-signcryption under a standard model. The identity-based threshold ring signcryption method is constructed under the standard model and better in safety as compared with that of design schemes under random prediction models.

Description

Thresholding ring based on identity is signed decryption method

Technical field

The present invention relates to a kind of ring and sign decryption method, especially a kind of thresholding ring based on identity is signed decryption method.

Background technology

In the conventional public-key cryptographic system, an important problem is the authenticity of PKI.In general, in order in real world, to use public key algorithm, need a kind of mechanism and can verify getting in touch between certain PKI and certain subject identity at any time.Usually the way that adopts is to set up PKIX, and the PKI digital certificate through its authentication center's issue bundles PKI and user's identity.In the system of this type based on the PKI digital certificate, before the PKI that uses the user, people need obtain this user's PKI digital certificate and verify the correctness and the legitimacy of its certificate.This just needs bigger memory space to store the public key certificate of different user, also needs more time overhead to verify user's public key certificate.This is the shortcoming that traditional public-key cryptosystem is difficult to overcome.

In order to solve public key certificate storage huge in the conventional public-key cryptographic system and checking overhead issues, Shamir had creatively proposed the public key cryptography thought based on identity in 1984.In public-key cryptosystem based on identity, user's PKI can be can the identifying user identity information, like E-mail, ID card No. etc., user's private key is then produced according to user's identity information by trusted third party.Make that based on the cryptographic system of identity any two users can secure communication; User's PKI and user identity bind together naturally; Do not need public key certificate; Also needn't use online third party, only need a believable Key Distribution Center for each for the first time the user of connecting system issue a private key just.It has solved the shortcoming that the conventional public-key cryptography is difficult to overcome, and because himself characteristic also makes it have wide application.

Because based on the advantage that identification cipher is learned, released much cryptographic systems based on identity, be exactly one of them based on the label dense body system of identity.Simultaneously, signing dense body system can also combine with some cryptographic techniques with special nature, and structure has the label dense body system of special nature, combines as encircling close scheme of label and secret sharing scheme, thereby obtains signing close based on the thresholding ring of identity.

Bilinearity also is the important tool of structure based on the cryptographic system of identity to being the algebro geometric important tool of research, is playing the part of very important role in field of cryptography.

In addition, for for the common key cryptosystem of identity, the method for proof of present relatively good usefulness is to foretell the machine model at random.Yet for proving based on the fail safe of foretelling model at random; The cryptographic hash function that needs hypothesis in public-key cryptosystem, to use has the security property of foretelling machine at random; Foretell that at random the security password scheme under the model is not necessarily safe in actual environment; And prove its unique difficulty that depends on trap door onr way function that public-key cryptosystem comprises based on the fail safe of master pattern.Therefore, signing close scheme based on the thresholding ring of identity under the structure master pattern and both had higher fail safe and also have realistic meaning simultaneously, is problem demanding prompt solution.

In view of this, special proposition the present invention.

Summary of the invention

The technical problem that the present invention will solve is to overcome the deficiency of prior art, provides a kind of and signs decryption method with foretelling the thresholding ring based on identity that scheme of designing under the model has more fail safe at random.

For solving the problems of the technologies described above, the present invention adopts the basic design of technical scheme to be:

A kind of thresholding ring based on identity is signed decryption method, it is characterized in that: may further comprise the steps:

(1) system sets up: the picked at random parameter, and generation system parameter and corresponding master key, wherein system parameters is an open parameters, concrete steps are:

Make G, G _TBe that rank are the cyclic group of prime number p, e:G * G → G _TBe a bilinear mappings, two collisionless hash functions

With

It is n that the identity ID of random length and message m are exported length respectively _uAnd n _mBit string;

The picked at random parameter alpha ∈ Z of trusted third party _p, generator g ∈ G calculates g ₁=g ^aPicked at random parameter g ₂, u ', m ' ∈ G, n _uDimensional vector

n _mDimensional vector

U wherein _i, m _i∈ _RG, then system parameters does $\mathrm{Param}=(G,G_T,e,g,g_1,g_2,u^{\′},\hat{U},m^{\′},\hat{M},H_u,H_m),$ Master key does

(2) private key extracts: input system parameter, master key and user's identity, obtain the private key of this user identity, and concrete steps are:

Given user identity ID is through hash function u=H _u(ID) length that calculates the representative of consumer identity is n _uBit string, make u that [i] representes the i position in this bit string, numerical value is 1 sequence number set Φ in the definition bit string _ID

Picked at random parameter r _u∈ Z _p, calculating user identity is the private key of ID

$d_{\mathrm{ID}}=(d_1,d_2)=(g_2^{\mathrm{\α}}{\left(u^{\′}\underset{i\∈{\mathrm{\Φ}}_{\mathrm{ID}}}{\mathrm{\Π}}{u}_i\right)}^{r_u},g^{r_u}).$

(3) label are close: given thresholding ring is signed close middle n member's set L={ID ₁..., ID _n, actual sign under close t the identity of signing close person be designated as 1,2 ..., t} waits to sign close message m, signs close recipient's identity ID _R, sign close concrete steps and be:

Each signs close person ID _i(i=1 ..., t) select its sub secret s at random _i∈ Z _p, the structure coefficient is at Z _pT-1 order polynomial f _i(x)=a _{I, 0}+ a _{I, 1}X+ ... + a _{I, t-1}x _T-1, s wherein _i=a _{I, 0}Sign close person ID then _iCalculate open parameters

And sign close person to other and broadcast;

Calculate other and respectively sign close person ID _j(the secret sharing s of j ≠ i) _{I, j}=f _iAnd they are sent to other sign close person ID (j), _j(j=1,2 .., t; J ≠ i), oneself keeps s _{I, i}=f _i(i);

Other respectively sign close person ID _j(j=1,2 .., t; J ≠ i) sign close person ID from i _iObtain secret sharing s _{I, j}After, verify its validity with following equality:

After confirming secret sharing effectively, each signs close person ID _iCalculating its privately owned secret according to secret sharing does

According to ring members list of identities L={ID ₁..., ID _n, t signs close person, waits to sign close message m and t the private key of signing close person, the close recipient's identity ID of ring label _R, obtain wait to sign under the close message m (t, n) the thresholding ring is signed close C, (t, n) expression thresholding ring sign close in the member add up to n, t is a threshold value, actual participation generates the thresholding ring and signs close number of members>=t, concrete steps are:

Make m ∈ GT for waiting to sign close message, this thresholding ring is signed close person's picked at random l ₁..., l _n∈ Z _p, calculate $U_i=u^{\′}\underset{j\∈{\mathrm{\Φ}}_{{\mathrm{ID}}_i}}{\mathrm{\Π}}{\hat{u}}_j,$ I=1 ..., n, $R_1={\mathrm{\σ}}_{16}{g}^{l_1},...,R_t={\mathrm{\σ}}_{t6}{g}^{l_t},$ $R_{t+1}=g^{l_{t+1}},...,R_n=g^{l_n}.$ Order ${\mathrm{\σ}}_1={\mathrm{\Π}}_{i=1}^t{\mathrm{\σ}}_{i1}\·m,$ ${\mathrm{\σ}}_2={\mathrm{\Π}}_{i=1}^t{\mathrm{\σ}}_{i2},$ ${\mathrm{\σ}}_3={\mathrm{\Π}}_{i=1}^t{\mathrm{\σ}}_{i3},$ ${\mathrm{\σ}}_4={\mathrm{\Π}}_{i=1}^t{\mathrm{\σ}}_{i4}\·\underset{i=1}{\overset{n}{\mathrm{\Π}}}{\left(U_i\right)}^{l_i},$ ${\mathrm{\σ}}_5={\mathrm{\Π}}_{i=1}^t{\mathrm{\σ}}_{i5},$ It is C=(σ that the thresholding ring that then generates is signed close ₁... σ ₅, R ₁... R _n).

(4) separate sign close: sign according to the thresholding ring and closely to sign close recipient ID with ring _RPrivate key calculate message, take the message that obtains to formula $e{(\mathrm{\σ}}_4,g)=e{(g_1,g_2)}^{t}e(U_1,R_1)...e(U_n,R_n)e(m^{\′}\underset{i\∈M}{\mathrm{\Π}}{m}_i,{\mathrm{\σ}}_5)$ In, when and if only if equality was set up, the thresholding ring signed that close effectively gained message is correct, otherwise that gained thresholding ring is signed is close invalid, and the gained message error is returned step (1).

Preferably, carrying out the following step acquisition thresholding ring after the privately owned secret of the close middle acquisition of said step (3) label signs close::

For i ∈ 1,2 ..., t} establishes each and signs close person ID _iPrivate key be (d _I1, d _I2), calculate M=H _m(L, m), order

Be the set of the sequence number k of M [k]=1 in the bit string of message m, picked at random r _i∈ Z _p, calculating section thresholding ring is signed close ${\mathrm{\σ}}_{i1}=e{(g_1,g_2)}^{r_i},$ ${\mathrm{\σ}}_{i2}=g^{r_i},$ ${\mathrm{\σ}}_{i3}={\left(u^{\′}\underset{j\∈{\mathrm{\Φ}}_{{\mathrm{ID}}_R}}{\mathrm{\Π}}{\hat{u}}_J\right)}^{r_i},$ ${\mathrm{\σ}}_{i4}=d_{i1}{\left(m^{\′}\underset{i\∈M}{\mathrm{\Π}}{\hat{m}}_i\right)}^{x_i{\mathrm{\η}}_i},$ ${\mathrm{\σ}}_{i5}=g^{x_i{\mathrm{\η}}_i},$ σ _I6=d _I2, and (σ _I1, σ _I2, σ _I3, σ _I4, σ _I5, σ _I6) send to t and sign and arbitraryly among the close person to sign the close close person of label in order to produce the thresholding ring, wherein

Be Lagrangian coefficient.

Preferably, the described close concrete steps of label of separating are following:

When receive the thresholding ring sign close after, the thresholding ring is signed close recipient and is utilized its private key at first to calculate to wait to sign close message m, m=σ ₁E (d _R2, σ ₃) e (d _R1, σ ₂) ^-1, calculating the length of waiting to sign close message through hash function then is n _mBit string, numerical value is 1 sequence number set M in the definition bit string;

With message substitution formula $e{(\mathrm{\σ}}_4,g)=e{(g_1,g_2)}^{t}e(U_1,R_1)...e(U_n,R_n)e(m^{\′}\underset{i\∈M}{\mathrm{\Π}}{m}_i,{\mathrm{\σ}}_5)$ In, when and if only if equality was set up, the thresholding ring signed that close effectively gained message is correct, otherwise that gained thresholding ring is signed is close invalid, the gained message error.

After adopting technique scheme, the present invention compared with prior art has following beneficial effect: method of the present invention is constructed under master pattern, and foretells that at random scheme of designing is compared under the model, and fail safe is better.

Be described in further detail below in conjunction with the accompanying drawing specific embodiments of the invention.

Description of drawings

Fig. 1 is a basic flow sheet of the present invention;

Fig. 2 is to the stipulations of finding the solution the DBDH problem from the attack of thresholding being signed close algorithm;

Fig. 3 signs close to the stipulations of finding the solution the CDH problem from forging thresholding.

Embodiment

As shown in Figure 1, a kind of thresholding ring based on identity is signed decryption method, may further comprise the steps:

S1, system set up: the picked at random parameter, and generation system parameter and corresponding master key, wherein system parameters is an open parameters, concrete steps are:

Make G, G _TBe that rank are the cyclic group of prime number p, e:G * G → G _TBe a bilinear mappings, two collisionless hash functions With

It is n that the identity ID of random length and message m are exported length respectively _uAnd n _mBit string;

The picked at random parameter alpha ∈ Z of trusted third party _p, generator g ∈ G calculates g ₁=g ^aPicked at random parameter g ₂, u ', m ' ∈ G, n _uDimensional vector

n _mDimensional vector

U wherein _i, m _i∈ _RG, then system parameters does $\mathrm{Param}=(G,G_T,e,g,g_1,g_2,u^{\′},\hat{U},m^{\′},\hat{M},H_u,H_m),$ Master key does

S2, private key extract: input system parameter, master key and user's identity, obtain the private key of this user identity, and concrete steps are:

Given user identity ID is through hash function u=H _u(ID) length that calculates the representative of consumer identity is n _uBit string, make u that [i] representes the i position in this bit string, numerical value is 1 sequence number set Φ in the definition bit string _ID

Picked at random parameter r _u∈ Z _p, calculating user identity is the private key of ID

$d_{\mathrm{ID}}=(d_1,d_2)=(g_2^{\mathrm{\α}}{\left(u^{\′}\underset{i\∈{\mathrm{\Φ}}_{\mathrm{ID}}}{\mathrm{\Π}}{u}_i\right)}^{r_u},g^{r_u});$

Here when calculating private key, used sequence number set Φ _ID, for the d in the formula ₁Promptly

Here

Be n _uDimensional vector, u _iGather Φ exactly _IDIn corresponding sequence number exist

In pairing element.

S3, sign close: given thresholding ring sign close in n member's set L={ID ₁..., ID _n, actual sign under close t the identity of signing close person be designated as 1,2 ..., t} waits to sign close message m, signs close recipient's identity ID _R, sign close concrete steps and be:

Each signs close person ID _i(i=1 ..., t) select its sub secret s at random _i∈ Z _p, the structure coefficient is at Z _pT-1 order polynomial f _i(x)=a _{I, 0}+ a _{I, 1}X+ ... + a _{I, t-1}x ^T-1, s wherein _i=a _{I, 0}Sign close person ID then _iCalculate open parameters

And sign close person to other and broadcast; (

The residue class group of expression integer mould p, this is a representation general in the cryptography)

Calculate other and respectively sign close person ID _j(the secret sharing s of j ≠ i) _{I, j}=f _iAnd they are sent to other sign close person ID (j), _j(j=1,2 .., t; J ≠ i), oneself keeps s _{I, i}=f _i(i);

Sign close person ID _j(j=1,2 .., t; J ≠ i) from signing close person ID _iObtain secret sharing s _{I, j}After, verify its validity with following equality: After confirming secret sharing effectively, each signs close person ID _iCalculating its privately owned secret according to secret sharing does

Each signs close person ID _iBe all close persons of label that receive secret sharing.Give an example, suppose to have t to sign close person here, the numbering that might as well establish them is 1 ..., t.Sign now close person 1 and will calculate secret sharing to the close person of remaining label, same reason, remaining each sign close person and also will calculate secret sharing to removing the t-1 it the close person of label, therefore, the close person that respectively signs here is exactly t the close person of label here.

According to ring members list of identities L={ID ₁..., ID _n, t signs close person, waits to sign close message m and t the private key of signing close person, the close recipient's identity ID of ring label _R, obtain wait to sign under the close message m (t, n) the thresholding ring is signed close C, (t, n) for the thresholding ring sign close in the member add up to n, t is a threshold value, actual participation generates the thresholding ring and signs close number of members>=t, when representing thresholding, all adopts this representation.Concrete steps are:

Make m ∈ G _TFor waiting to sign close message, this thresholding ring is signed close person's picked at random l ₁..., l _n∈ Z _p, calculate $U_i=u^{\′}\underset{j\∈{\mathrm{\Φ}}_{{\mathrm{ID}}_i}}{\mathrm{\Π}}{\hat{u}}_j,$ I=1 ..., n, $R_1={\mathrm{\σ}}_{16}{g}^{l_1},...,R_t={\mathrm{\σ}}_{t6}{g}^{l_t},$ $R_{t+1}=g^{l_{t+1}},...,R_n=g^{l_n}.$ Order ${\mathrm{\σ}}_1={\mathrm{\Π}}_{i=1}^t{\mathrm{\σ}}_{i1}\·m,$ ${\mathrm{\σ}}_2={\mathrm{\Π}}_{i=1}^t{\mathrm{\σ}}_{i2},$ ${\mathrm{\σ}}_3={\mathrm{\Π}}_{i=1}^t{\mathrm{\σ}}_{i3},$ ${\mathrm{\σ}}_4={\mathrm{\Π}}_{i=1}^t{\mathrm{\σ}}_{i4}\·\underset{i=1}{\overset{n}{\mathrm{\Π}}}{\left(U_i\right)}^{l_i},$ ${\mathrm{\σ}}_5={\mathrm{\Π}}_{i=1}^t{\mathrm{\σ}}_{i5},$ It is C=(σ that the thresholding ring that then generates is signed close ₁... σ ₅, R ₁... R _n);

S4, separate sign close: sign according to the thresholding ring and closely to sign close recipient ID with ring _RPrivate key calculate message, take the message that obtains to formula $e{(\mathrm{\σ}}_4,g)=e{(g_1,g_2)}^{t}e(U_1,R_1)...e(U_n,R_n)e(m^{\′}\underset{i\∈M}{\mathrm{\Π}}{m}_i,{\mathrm{\σ}}_5)$ In, when and if only if equality was set up, the thresholding ring signed that close effectively gained message is correct, otherwise that gained thresholding ring is signed is close invalid, the gained message error.

Preferably, carrying out the following step acquisition thresholding ring after the privately owned secret of the close middle acquisition of said step S3 label signs close:

For i ∈ 1,2 ..., t} establishes each and signs close person ID _iPrivate key be (d _I1, d _I2), calculate M=H _m(L, m), order

Be the set of the sequence number k of M [k]=1 in the bit string of message m, picked at random r _i∈ Z _p, calculating section thresholding ring is signed close ${\mathrm{\σ}}_{i1}=e{(g_1,g_2)}^{r_i},$ ${\mathrm{\σ}}_{i2}=g^{r_i},$ ${\mathrm{\σ}}_{i3}={\left(u^{\′}\underset{j\∈{\mathrm{\Φ}}_{{\mathrm{ID}}_R}}{\mathrm{\Π}}{\hat{u}}_J\right)}^{r_i},$ ${\mathrm{\σ}}_{i4}=d_{i1}{\left(m^{\′}\underset{i\∈M}{\mathrm{\Π}}{\hat{m}}_i\right)}^{x_i{\mathrm{\η}}_i},$ ${\mathrm{\σ}}_{i5}=g^{x_i{\mathrm{\η}}_i},$ σ _I6=d _I2, and (σ _I1, σ _I2, σ _I3, σ _I4, σ _I5, σ _I6) send to t and sign and arbitraryly among the close person to sign the close close person of label in order to produce the thresholding ring, wherein

Be Lagrangian coefficient.

Preferably, the described close concrete steps of label of separating are following:

When receive the thresholding ring sign close after, the thresholding ring is signed close recipient and is utilized its private key at first to calculate to wait to sign close message m, m=σ ₁E (d _R2, σ ₃) e (d _R1, σ ₂) ^-1, calculating the length of waiting to sign close message through hash function then is n _mBit string, numerical value is 1 sequence number set M in the definition bit string;

With message substitution formula $e{(\mathrm{\σ}}_4,g)=e{(g_1,g_2)}^{t}e(U_1,R_1)...e(U_n,R_n)e(m^{\′}\underset{i\∈M}{\mathrm{\Π}}{m}_i,{\mathrm{\σ}}_5)$ In, when and if only if equality was set up, the thresholding ring signed that close effectively gained message is correct, otherwise that gained thresholding ring is signed is close invalid, the gained message error.

Here when verifying, used M, for

Here

Be n _mDimensional vector, m _iGather exactly that corresponding sequence number exists among the M

In pairing element.

Indistinguishability fail safe proof of the present invention is as shown in Figure 2, and the practical implementation step is:

1. hypothesis opponent A can attack this programme with the advantage of can not ignore, then can construction algorithm B, and B can utilize A to solve the DBDH problem.Instance (g, the g of a DBDH problem of given B ^a, g ^b, g ^c, h), its target be judge whether h=e (g, g) ^Abc, the challenger of B imitation A.

2. algorithm B sets l _u=2 (q _e+ q _s), l _m=2q _s, q wherein _eBe the number of times of A private key inquiry, q _sIt is the number of times that A signs close inquiry.Select k at random _uAnd k _m, satisfy 0≤k _u≤n _uWith 0≤k _m≤n _m, and supposition l _u(n _u+ 1)＜p and l _m(n _m+ 1)＜p.B selects And length is n _uVectorial X=(x _i), wherein

Select

And length is n _mVector Z=(z _k), wherein

Last B selects y ', w ' ∈ _RZ _p, length is n _uVectorial Y=(y _i), length is n _mVectorial W=(w _i), y wherein _i, w _i∈ _RZ _pFor the member's identity ID among the L and the bit string u=H of message m _u(ID) and M=H _m(L m), defines following function:

$F\left(\mathrm{ID}\right)=x^{\′}+\underset{i\∈\mathrm{\Φ}}{\mathrm{\Σ}}{x}_i-l_u{k}_u,$ $J\left(\mathrm{ID}\right)=y^{\′}+\underset{i\∈\mathrm{\Φ}}{\mathrm{\Σ}}{y}_i$

$K\left(M\right)=z^{\′}+\underset{i\∈M}{\mathrm{\Σ}}{z}_i-l_m{k}_m,$ $L\left(M\right)=w^{\′}+\underset{i\∈M}{\mathrm{\Σ}}{w}_i$

Open parameters among algorithm B structure the present invention program is following:

g ₁=g _a, g ₂=g _b $u^{\′}=g_2^{{-l}_u{k}_u+x^{\′}}{g}^{y^{\′}},$ $u_i=g_2^{x_i}{g}^{y_i},$ 1≤i≤n _u $m^{\′}=g_2^{{-l}_m{k}_m+z^{\′}}{g}^{w^{\′}},$ $m_i=g_2^{z_i}{g}^{w_i},$ 1≤i≤n _uAlgorithm B sends to opponent A with open parameters then.

3. in the phase I, when opponent A initiated the inquiry of some, algorithm B responded as follows:

(1) private key inquiry: when opponent A inquires the private key of identity ID, though algorithm B does not know master key, supposition F (ID) ≠ 0mod p, B also can construct its private key d _IDB chooses r wantonly _u∈ Z _pAnd calculate:

$d_{{\mathrm{ID}}_u}=(d_{u1},d_{u2})=(g_1^{-J\left(\mathrm{ID}\right)/F\left(\mathrm{ID}\right)}{\left(u^{\′}\underset{i\∈{\mathrm{\Φ}}_u}{\mathrm{\Π}}{u}_i\right)}^{r_u},g_1^{-1/F\left(\mathrm{ID}\right)}{g}^{r_u}),$ If F (ID)=0mod p, top calculating can't be carried out, and B withdraws from failure.

(2) sign close inquiry: when opponent A inquiry ring members identity is L={ID ₁..., ID _n, threshold value is that (t＜n), message is m to t, and the close person of actual label is ID _i(i=1 ... t) and ring to sign close recipient be ID _RThe thresholding ring sign when close, algorithm B at first calculates M=H _m(L, m), sign close according to following steps output thresholding ring then:

1. algorithm B selects s, a at random ₀, a ₁..., a _T-1∈ Z _p, the structure number of times is polynomial f (x)=a of t-1 ₀+ a ₁X+ ... + a _T-1x ^T-1, s=a wherein ₀

2. suppose for reality and sign close person ID _i(i=1 ... t), satisfy F (ID _i) ≠ 0mod p, then algorithm B calculates and respectively signs close person ID according to their private key of method construct in the private key inquiry _i(i=1 ... privately owned secret x t) _i=f (i) utilizes the close algorithm of label to generate corresponding thresholding ring then and signs close C.

If 3. condition F (ID _i) ≠ 0mod p, i=1 ... t is false, and algorithm B also can sign close by this thresholding ring of structure as the method for structure private key in the private key inquiry so.Suppose K (M) ≠ 0mod p, algorithm B selects r, r at random ₁..., r _n, r _m∈ Z _p, calculate:

σ ₁=e (g ₁, g ₂) ^rM, σ ₂=g ^r,

$\mathrm{\σ}=\left(\underset{i=1}{\overset{n}{\mathrm{\Π}}}{\left(U_i\right)}^{r_i}\right)g_1^{-\mathrm{TL}\left(M\right)/K\left(M\right)}{\left(m^{\′}\underset{i\∈M}{\mathrm{\Π}}{m}_i\right)}^{r_m},$ ${\mathrm{\σ}}_5=g^{r_m},$ $R_1=g^{r_1},...,R_n=g^{r_n},$ Wherein

If K (M)=0mod p, top calculating can't be carried out, and B withdraws from failure.

(3) separate the close inquiry of label: when opponent A initiates to sign close recipient's identity at ring members tabulation L, ring is ID _RAnd separating under the ciphertext C be when signing close inquiry, and algorithm B at first moves the private key extraction algorithm and obtains ID _RPrivate key

Operation is separated and is signed close algorithm then, if C is an effective ciphertext, then exports m, otherwise, output false.

4. in the challenge stage, opponent A appoints the message m of getting two equal length ₀, m ₁, and ring members tabulated

And ring is signed close recipient's identity

Send to algorithm B.If A is at the private key that the phase I has been inquired

, then B withdraws from failure.{ 0,1} is if K is (M for the optional b ∈ of B _b) ≠ 0mod p,

B withdraws from failure so.If L ^*In do not have t identity ID ^*, satisfy F (ID ^*) ≠ 0mod p, B withdraws from failure so; Otherwise, for describe convenient for the purpose of, might as well establish this t identity and do

B picked at random r, r ₁..., r _n, r _m∈ Z _p, construct as follows:

${\mathrm{\σ}}_1^{*}=h\·m_b,$ ${\mathrm{\σ}}_2^{*}=g^c,$ ${\mathrm{\σ}}_3^{*}=g^{\mathrm{cJ}\left({\mathrm{ID}}_R^{*}\right)}={\left(u^{\′}\underset{j\∈{\mathrm{\Φ}}_{{\mathrm{ID}}_R^{*}}}{\mathrm{\Π}}{\hat{u}}_j\right)}^c,$

${\mathrm{\σ}}_4^{*}=\underset{i=1}{\overset{t}{\mathrm{\Π}}}{g}_1^{\frac{-J\left({\mathrm{ID}}_i^{*}\right)}{F\left({\mathrm{ID}}_i^{*}\right)}}{\left(g_2^{F\left({\mathrm{ID}}_i^{*}\right)}{g}^{J\left({\mathrm{ID}}_i^{*}\right)}\right)}^{r_i}\·\underset{i=t+1}{\overset{n}{\mathrm{\Π}}}{\left(g_2^{F\left({\mathrm{ID}}_i^{*}\right)}{g}^{J\left({\mathrm{ID}}_i^{*}\right)}\right)}^{r_i}\·g^{r_{m}L\left(M_b\right)},$ ${\mathrm{\σ}}_5^{*}=g^{r_m},$

$R_1^{*}=g^{{\tilde{r}}_1},...,R_t^{*}=g^{{\tilde{r}}_t},$ $R_{t+1}^{*}=g^{r_{t+1}},...,R_n^{*}=g^{r_n},$

i=1 wherein; ..., t.If h=e (g, g) ^Abc, can know C ^*Be that an effective thresholding ring is signed close.

5. in second stage, opponent A can send private key inquiry, the close inquiry of label and the deciphering inquiry of some, but A can not inquire as stage 1 that kind

Private key and to C ^*Separate and sign close inquiry.

6. in the conjecture stage, opponent A output is to the conjecture b ' of b.If b=b ', then B output 1, with h=e (g, g) ^AbcAs separating of DBDH problem; Otherwise B output 0 stops recreation.

Therefore; If existing an opponent can carry out CCA2 with the probability of can not ignore attacks; So exist an effective algorithm to solve the DBDH problem, and this and DBDH are that a difficult problem contradicts, so scheme is an IND-IDTRSC-CCA2 safety with the probability of can not ignore.

The unforgeable fail safe proof that exists of the present invention is as shown in Figure 3, and the practical implementation step is:

1. hypothesis adulterator A can attack this programme with the advantage of can not ignore, then can construction algorithm B, and B can utilize A to solve the CDH problem.Instance (g, the g of a CDH problem of given B ^a, g ^b), its target is to calculate g ^Ab, the challenger of B imitation A.

2. algorithm B structure and identical system's open parameters during the front proves send it to opponent A then.

3. opponent A can initiate private key inquiry, the close inquiry of label of some and separate the close inquiry of label as in the before proof adaptively.

4. in the forgery stage, opponent A output is tabulated at ring members

Threshold value t, message m ^*And the close recipient's identity of ring label does

Under forgery thresholding ring sign close C ^*If algorithm B does not fail and withdraws from whole process, algorithm B checks whether following condition is set up so:

1.

is for all i ∈ (1; ..., n) all set up;

2. K (M ^*)=0mod p, wherein M ^*=H _m(L, m ^*).

If above-mentioned condition is not set up simultaneously, algorithm B withdraws from failure so; Otherwise B can calculate

${\left(\frac{{\mathrm{\σ}}_4^{*}}{{R_1}^{J\left({\mathrm{ID}}_1^{*}\right)}...{R_n}^{J\left({\mathrm{ID}}_n^{*}\right)}{R_m}^{L\left(M^{*}\right)}}\right)}^{1/t}={\left(\frac{g_2^{\mathrm{ta}}{\left(u^{\′}\underset{i\∈{\mathrm{\Φ}}_{{\mathrm{ID}}_i^{*}}}{\mathrm{\Π}}{u}_i\right)}^{r_i}...{\left(u^{\′}\underset{i\∈{\mathrm{ID}}_n^{*}}{\mathrm{\Π}}{u}_i\right)}^{r_i}{\left(m^{\′}\underset{k\∈M}{\mathrm{\Π}}{m}_j\right)}^{r_m}}{g^{J\left({\mathrm{ID}}_1^{*}\right)r_1}...g^{J\left({\mathrm{ID}}_n^{*}\right)r_n}{g}^{L\left(M^{*}\right)r_m}}\right)}^{1/t}={\left(g_2^{\mathrm{ta}}\right)}^{1/t}=g_2^a=g^{\mathrm{ab}}$

Separating of CDH problem that Here it is.

Therefore; If existing an opponent to forge an effective thresholding ring with the probability of can not ignore signs close; So just exist an algorithm to solve the CDH problem with the probability of can not ignore; And this and CDH problem are that a difficult problem contradicts, so scheme is an EUF-IDTRSC-CMIA safety.

In sum; Realized under master pattern, constructing new way and the new method of signing close scheme based on identity thresholding ring according to the present invention; And security reliability through the clear scheme of concrete solution security proof list; The realization of this method not only has theory significance, also has realistic meaning simultaneously.

Therefore the present invention constructs under master pattern, and this method has indistinguishability and unforgeable through experiment proof, so this method is with respect to foretelling under the model to have better fail safe for the scheme of designing at random.

The above only is a preferred implementation of the present invention; Should be pointed out that for those skilled in the art, under the prerequisite that does not break away from the principle of the invention; Can also make some improvement and retouching, these improvement and retouching also should be regarded as protection scope of the present invention.

Claims (3)

1. the thresholding ring based on identity is signed decryption method, it is characterized in that: may further comprise the steps:

(1) system sets up: the picked at random parameter, and generation system parameter and corresponding master key, wherein system parameters is an open parameters, concrete steps are:

Make G, G _TBe that rank are the cyclic group of prime number p, e:G * G → G _TBe a bilinear mappings, two collisionless hash functions

With

It is n that the identity ID of random length and message m are exported length respectively _uAnd n _mBit string;

The picked at random parameter alpha ∈ Z of trusted third party _p, generator g ∈ G calculates g ₁=g ^aPicked at random parameter g ₂, u ', m ' ∈ G, n _uDimensional vector n _mDimensional vector

U wherein _i, m _i∈ _RG, then system parameters does $\mathrm{Param}=(G,G_T,e,g,g_1,g_2,u^{\′},\hat{U},m^{\′},\hat{M},H_u,H_m),$ Master key does

(2) private key extracts: input system parameter, master key and user's identity, obtain the private key of this user identity, and concrete steps are:

Given user identity ID is through hash function u=H _u(ID) length that calculates the representative of consumer identity is n _uBit string, make u that [i] representes the i position in this bit string, numerical value is 1 sequence number set Φ in the definition bit string _ID

Picked at random parameter r _u∈ Z _p, calculating user identity is the private key of ID

$d_{\mathrm{ID}}=(d_1,d_2)=(g_2^{\mathrm{\α}}{\left(u^{\′}\underset{i\∈{\mathrm{\Φ}}_{\mathrm{ID}}}{\mathrm{\Π}}{u}_i\right)}^{r_u},g^{r_u}).$

(3) label are close: given thresholding ring is signed close middle n member's set L={ID ₁..., ID _n, actual sign under close t the identity of signing close person be designated as 1,2 ..., t} waits to sign close message m, signs close recipient's identity ID _R, sign close concrete steps and be:

Each signs close person ID _i(i=1 ..., t) select its sub secret s at random _i∈ Z _p, the structure coefficient is at Z _pT-1 order polynomial f _i(x)=a _{I, 0}+ a _{I, 1}X+ ... + a _{I, t-1}x _T-1, s wherein _i=a _{I, 0}Sign close person ID then _iCalculate open parameters

And sign close person to other and broadcast;

Calculate other and respectively sign close person ID _i(the secret sharing s of j ≠ i) _{I, j}=f _iAnd they are sent to other sign close person ID (j), _j(j=1,2 .., t; J ≠ i), oneself keeps s _{I, i}=f _i(i);

Other respectively sign close person ID _j(j=1,2 .., t; J ≠ i) sign close person ID from i _iObtain secret sharing s _{I, j}After, verify its validity with following equality: After confirming secret sharing effectively, each signs close person ID _iCalculating its privately owned secret according to secret sharing does

According to ring members list of identities L={ID ₁..., ID _n, t signs close person, waits to sign close message m and t the private key of signing close person, the close recipient's identity ID of ring label _R, obtain wait to sign under the close message m (t, n) the thresholding ring is signed close C, (t, n) expression thresholding ring sign close in the member add up to n, t is a threshold value, actual participation generates the thresholding ring and signs close number of members>=t, concrete steps are:

Make m ∈ G _TFor waiting to sign close message, this thresholding ring is signed close person's picked at random l ₁..., l _n∈ Z _p, calculate $U_i=u^{\′}\underset{j\∈{\mathrm{\Φ}}_{{\mathrm{ID}}_i}}{\mathrm{\Π}}{\hat{u}}_j,$ I=1 ..., n, $R_1={\mathrm{\σ}}_{16}{g}^{l_1},...,R_t={\mathrm{\σ}}_{t6}{g}^{l_t},$ $R_{t+1}=g^{l_{t+1}},...,R_n=g^{l_n}.$ Order ${\mathrm{\σ}}_1={\mathrm{\Π}}_{i=1}^t{\mathrm{\σ}}_{i1}\·m,$ ${\mathrm{\σ}}_2={\mathrm{\Π}}_{i=1}^t{\mathrm{\σ}}_{i2},$ ${\mathrm{\σ}}_3={\mathrm{\Π}}_{i=1}^t{\mathrm{\σ}}_{i3},$ ${\mathrm{\σ}}_4={\mathrm{\Π}}_{i=1}^t{\mathrm{\σ}}_{i4}\·\underset{i=1}{\overset{n}{\mathrm{\Π}}}{\left(U_i\right)}^{l_i},$ ${\mathrm{\σ}}_5={\mathrm{\Π}}_{i=1}^t{\mathrm{\σ}}_{i5},$ It is C=(σ that the thresholding ring that then generates is signed close ₁... σ ₅, R ₁... R _n).

(4) separate sign close: sign according to the thresholding ring and closely to sign close recipient ID with ring _RPrivate key calculate message, take the message that obtains to formula $e{(\mathrm{\σ}}_4,g)=e{(g_1,g_2)}^{t}e(U_1,R_1)...e(U_n,R_n)e(m^{\′}\underset{i\∈M}{\mathrm{\Π}}{m}_i,{\mathrm{\σ}}_5)$ In, when and if only if equality was set up, the thresholding ring signed that close effectively gained message is correct, otherwise that gained thresholding ring is signed is close invalid, and the gained message error is returned step (1).

2. the thresholding ring based on identity according to claim 1 is signed decryption method, it is characterized in that: carry out the following step acquisition thresholding ring during said step (3) label are close after the privately owned secret of acquisition and sign close::

For i ∈ 1,2 ..., t} establishes each and signs close person ID _iPrivate key be (d _I1, d _I2), calculate M=H _m(L, m), order

Be the set of the sequence number k of M [k]=1 in the bit string of message m, picked at random r _i∈ Z _p, calculating section thresholding ring is signed close ${\mathrm{\σ}}_{i1}=e{(g_1,g_2)}^{r_i},$ ${\mathrm{\σ}}_{i2}=g^{r_i},$ ${\mathrm{\σ}}_{i3}={\left(u^{\′}\underset{j\∈{\mathrm{\Φ}}_{{\mathrm{ID}}_R}}{\mathrm{\Π}}{\hat{u}}_J\right)}^{r_i},$ ${\mathrm{\σ}}_{i4}=d_{i1}{\left(m^{\′}\underset{i\∈M}{\mathrm{\Π}}{\hat{m}}_i\right)}^{x_i{\mathrm{\η}}_i},$ ${\mathrm{\σ}}_{i5}=g^{x_i{\mathrm{\η}}_i},$ σ _I6=d _I2, and (σ _I1, σ _I2, σ _I3, σ _I4, σ _I5, σ _I6) send to t and sign and arbitraryly among the close person to sign the close close person of label in order to produce the thresholding ring, wherein Be Lagrangian coefficient.

3. sign decryption method according to claim 1 or 2 or 3 described thresholding rings based on identity, it is characterized in that: the described close concrete steps of label of separating are following:

When receive the thresholding ring sign close after, the thresholding ring is signed close recipient and is utilized its private key at first to calculate to wait to sign close message m, m=σ ₁E (d _R2, σ ₃) e (d _R1, σ ₂) ^-1, calculating the length of waiting to sign close message through hash function then is n _mBit string, numerical value is 1 sequence number set M in the definition bit string;

With message substitution formula $e{(\mathrm{\σ}}_4,g)=e{(g_1,g_2)}^{t}e(U_1,R_1)...e(U_n,R_n)e(m^{\′}\underset{i\∈M}{\mathrm{\Π}}{m}_i,{\mathrm{\σ}}_5)$ In, when and if only if equality was set up, the thresholding ring signed that close effectively gained message is correct, otherwise that gained thresholding ring is signed is close invalid, the gained message error.

Images