CN111092720A - Certificate-based encryption method capable of resisting leakage of master key and decryption key - Google Patents
- Publication number
- CN111092720A (application CN201911154312.7A)
- Authority
- CN
- China
- Prior art keywords
- certificate
- user
- decryption
- key
- decryption key
- Prior art date
- Legal status
- Pending
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/083—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Storage Device Security (AREA)
Abstract
The invention discloses a certificate-based encryption method capable of resisting the leakage of a master key and a decryption key. An authentication center generates a certificate and sends it to a decryption user; after verifying the validity of the proof, the encryption user randomly selects a first random number s ∈ Z_n, generates a ciphertext from the first random number s and the message to be transmitted, and sends the ciphertext to the decryption user; the decryption user obtains a decryption key and decrypts the ciphertext with it to obtain the message to be transmitted. The decryption user thereby obtains the encryption user's message more safely, and the security of the message during transmission is improved.
Description
Technical Field
The invention relates to the technical field of data security, in particular to a certificate-based encryption method capable of resisting leakage of a master key and a decryption key.
Background
In order to solve the certificate management problem of the conventional public key cryptosystem and the key escrow problem of the identity-based cryptosystem, Gentry proposed the certificate-based encryption mechanism. Since then, a number of concrete schemes have been constructed under the assumption that the master key and the decryption key remain absolutely secret.
In the real world, however, this is not the case, and side-channel attacks have gradually been discovered. Through such attacks, an attacker can obtain secret information by observing the execution time, energy consumption, etc. of the cryptosystem, which leads to leakage of secret information, including partial information about the master key and the decryption key. Side-channel attacks increase the adversary's advantage because the adversary obtains partial information about the keys. The security of earlier encryption schemes is therefore compromised in this setting, and a new model must be built to capture the attack.
To ensure the security of a cryptographic system under given conditions, an attack model is usually defined to limit the behavior of the attacker. If the attacker satisfies the constraints of the model, the corresponding cryptographic scheme is considered secure in that model. The leakage-resilient cryptographic model is used to capture side-channel attacks, and it has become a focus of cryptographic research in recent years.
Some leakage-resilient schemes have been constructed in the traditional public key cryptosystem and in the identity-based cryptosystem. In the certificate-based public key cryptosystem, however, there is no encryption scheme that resists both decryption key leakage and master key leakage.
Disclosure of Invention
In view of the above problems, the present invention provides a certificate-based encryption method that is resistant to master key and decryption key leakage.
To achieve the object of the present invention, there is provided a certificate-based encryption method capable of resisting leakage of a master key and a decryption key, comprising the steps of:
S10, the certification center generates a certificate and sends the certificate to the decryption user;
S20, after verifying that the proof is valid, the encryption user randomly selects a first random number s ∈ Z_n, generates a ciphertext from the first random number s and the message to be transmitted, and sends the ciphertext to the decryption user;
S30, the decryption user acquires the decryption key and decrypts the ciphertext with the decryption key to obtain the message to be transmitted.
In one embodiment, the certificate authority generates a certificate, and before sending the certificate to the decryption user, the method further includes:
the certification center creates a composite-order bilinear group (N = p1p2p3, G, G_T, e), randomly selects and , runs the Gen algorithm of Π to generate the common reference string crs, and randomly selects and , where n ≥ 2 is an integer; a master public key and a master private key are generated.
In one embodiment, the certificate authority generating the certificate comprises:
the certification center randomly selects and n+1 elements , and computes: , obtaining the certificate, where the certificate is:
where Cert_ID denotes the certificate of user ID, ID' denotes new identity information derived from the user ID, pk_ID denotes the public key of user ID, ID denotes the user identity, denotes the hash function, denotes the part of related to , D1 denotes the part of related to K1, D2 denotes the part of related to K2, denotes the corresponding part of the private key, denotes n random numbers in , K3 denotes the corresponding part of the private key, r' denotes a random number in , u1 denotes a random number in , h1 denotes a random number in , denotes the n+2 elements of , denotes the pairing operation, and n denotes the number of random numbers.
As an embodiment, the decrypting user obtaining the decryption key includes:
the decryption user randomly selects a first random sequence , a second random sequence and a second random number t ∈ Z_N, computes: , and obtains the decryption key by means of the certificate . The decryption key includes:
where dk_ID denotes the decryption key, denotes the three parts of the decryption key, denotes the exponentiation of the three parts of the certificate, denotes n random numbers, denotes multiplication and exponentiation, denotes the pairing operation, and denotes the n+2 elements of .
In one embodiment, before the encryption user, after verifying the validity of the proof, randomly selects a first random number s ∈ Z_n, generates a ciphertext from the first random number s and the message to be transmitted, and sends the ciphertext to a decryption user, the method further includes:
the encryption user verifies whether β is the discrete logarithm of e(g1, v1)^{αβ} with respect to the base e(g1, v1)^α; if so, the proof is determined to be valid, where β denotes a random number, e(g1, v1)^{αβ} denotes the result of raising e(g1, v1)^α to the exponent β, and e(g1, v1)^α denotes the pairing e(g1, v1) raised to the exponent α.
In the certificate-based encryption method capable of resisting the leakage of the master key and the decryption key, the authentication center generates a certificate and sends it to the decryption user; after verifying the validity of the proof, the encryption user randomly selects a first random number s ∈ Z_n, generates a ciphertext from the first random number s and the message to be transmitted, and sends the ciphertext to the decryption user; the decryption user obtains a decryption key and decrypts the ciphertext with it to obtain the message to be transmitted. The decryption user thereby obtains the encryption user's message more safely, and the security of the message during transmission is improved.
Drawings
FIG. 1 is a simplified flow diagram of a conventional certificate-based encryption scheme;
FIG. 2 is a flowchart of a certificate-based encryption method that is resistant to master key and decryption key leakage, according to one embodiment;
fig. 3 is a functional block diagram of a certificate-based encryption system that is resistant to master key and decryption key leakage according to an embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the application. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. It is explicitly and implicitly understood by one skilled in the art that the embodiments described herein can be combined with other embodiments.
The above-mentioned related concepts of certificate-based encryption methods that are resistant to master key and decryption key leakage are given below:
definition 1: bilinear mapping
Suppose G and G_T are multiplicative cyclic groups of order q and P is a generator of G. A bilinear map e: G × G → G_T has the following three properties:
(1) Bilinearity: for P, Q ∈ G and a, b ∈ Z*, e(P^a, Q^b) = e(P, Q)^{ab};
(2) Non-degeneracy: for P, Q ∈ G, e(P, Q) ≠ 1;
(3) Computability: there is an efficient algorithm to compute e(P, Q) ∈ G_T.
Definition 2: non-interactive zero-knowledge proof system
Let R be a binary relation for the language L. For (x, w) ∈ R, x is called the statement and w the witness. A non-interactive zero-knowledge (NIZK) proof system consists of the algorithms (Gen, Prf, Ver). Gen takes the security parameter 1^θ as input and outputs the common reference string crs. The prover Prf takes (crs, x, w) as input and outputs a proof π if (x, w) ∈ R. The verifier Ver takes (crs, x, π) as input and outputs either "accept" or "reject". If (Gen, Prf, Ver) satisfies the three conditions of completeness, soundness and zero knowledge on the relation R, we call (Gen, Prf, Ver) a NIZK proof system for the relation R.
Definition 3: collision resistant hash function
For a hash function : {0,1}* → {0,1}^k, if an algorithm A outputs m0 ≠ m1 whose hash values collide, then A is said to break collision resistance with advantage ε, where the probability is taken over all random choices of A. The hash function is said to be collision-resistant if the advantage of any PPT adversary is negligible.
Definition 4: composite order bilinear group
Boneh et al. introduced the concept of composite-order bilinear groups. Let ψ denote a composite-order bilinear group generation algorithm. ψ takes the security parameter as input and outputs a composite-order bilinear group description Ω = {N = p1p2p3, G, G_T, e}, where p1, p2, p3 are three λ-bit primes, G and G_T are cyclic groups of order N = p1p2p3, and e: G × G → G_T is a bilinear map.
We use , and to denote the subgroups of G of order p1, p2 and p3 respectively. If , then e(h_i, h_j) = 1. For example, suppose g is a generator of G. Then is a generator of , is a generator of , and is a generator of . Thus there exist α1, α2 such that and ; then . In this way, and are mutually orthogonal.
If an element X can be represented uniquely as the product of an element of and an element of , the two factors are respectively called the " part" and the " part" of X.
Vectors are written with ⟨ , ⟩ and sets of elements with ( , ). The dot product of vectors is denoted by · and the componentwise product by ×. The number of elements, or length, of W is denoted by |W|.
The exponentiation of a vector is defined as follows: if g ∈ G, , a ∈ Z_N, , define ; the result is an element of G^n. For a bilinear group G, the pairing in G^n is defined as follows: if and
The composite-order group generation algorithm is denoted by ψ. With the security parameter 1^θ as input, ψ outputs a composite-order bilinear group description. Moreover, , that is, , where N = p1p2p3. Suppose g1, g2 and g3 are generators of the subgroups , and respectively.
Assumption 1: given D1 = (N, G, G_T, e, g1, g3), no PPT adversary can distinguish and with non-negligible advantage, where z, v ∈ Z_N.
Assumption 2: given , where z, v, u, ρ ∈ Z_N, no PPT adversary can distinguish and with non-negligible advantage, where ω, κ, σ ∈ Z_N.
Assumption 3: given , where α, s, v, u ∈ Z_N, no PPT adversary can distinguish and with non-negligible advantage.
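The following is an added example and not the patent's code: it makes the "parts" of Definition 4 concrete. A cyclic group G of composite order N = p1p2p3 is realised as the order-N subgroup of Z_q^* for a prime q with N | q-1 (constructed toy values p1, p2, p3 = 5, 7, 11 and q = 2311, not the patent's λ-bit primes), and each element X is split into its p1-part, p2-part and p3-part by exponentiation, verifying that the product of the parts recovers X and that the decomposition is unique. No pairing is implemented, so the orthogonality e(h_i, h_j) = 1 between different subgroups is not shown; all function names are hypothetical.

```python
from functools import reduce
from typing import Tuple

# Constructed toy parameters (not the patent's): N = p1*p2*p3 and a prime q
# with N | q-1, so Z_q^* contains a cyclic subgroup G of order N.
P1, P2, P3 = 5, 7, 11
PRIMES = (P1, P2, P3)
N = P1 * P2 * P3          # 385
Q = 6 * N + 1             # 2311, prime


def is_prime(n: int) -> bool:
    """Trial division; adequate for the toy sizes used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def find_generator(q: int = Q, n: int = N, primes=PRIMES) -> int:
    """Return an element of Z_q^* of order exactly n, i.e. a generator of G."""
    assert is_prime(q) and (q - 1) % n == 0
    for h in range(2, q):
        g = pow(h, (q - 1) // n, q)               # order of g divides n
        if all(pow(g, n // p, q) != 1 for p in primes):
            return g                              # order is not a proper divisor
    raise ValueError("no generator found")


def element_order(x: int, n: int = N, q: int = Q) -> int:
    """Smallest divisor d of n with x^d = 1 (the order of x in G)."""
    for d in range(1, n + 1):
        if n % d == 0 and pow(x, d, q) == 1:
            return d
    raise ValueError("x is not an element of G")


def part(x: int, p: int, n: int = N, q: int = Q) -> int:
    """The p-part of x: its projection onto the subgroup of order p.
    With m = n/p, the exponent e = m * (m^-1 mod p) is 1 mod p and 0 mod every
    other prime factor, so x^e keeps the p-part and kills the other parts."""
    m = n // p
    e = m * pow(m, -1, p)
    return pow(x, e, q)


def decompose(x: int, primes=PRIMES) -> Tuple[int, ...]:
    """Unique decomposition X = X_p1 * X_p2 * X_p3 into subgroup parts."""
    return tuple(part(x, p) for p in primes)


def recompose(parts, q: int = Q) -> int:
    """Multiply the parts back together in Z_q^*."""
    return reduce(lambda a, b: a * b % q, parts, 1)


if __name__ == "__main__":
    g = find_generator()
    x = pow(g, 123, Q)
    parts = decompose(x)
    print("x =", x, "parts =", parts, "orders =", [element_order(y) for y in parts])
    print("product of parts == x:", recompose(parts) == x)
```

The exponent trick in `part` is the Chinese-remainder projection; it is what lets a simulator in the dual-system proofs of such schemes treat the p1-, p2- and p3-components of a key or ciphertext independently, and it only works because the prime factors of N are distinct.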
According to the bilinear pairing, the non-interactive zero-knowledge proof system, the anti-collision hash function and the three static assumptions, the existing certificate-based encryption method will be further described below.
First, a simple flow chart of a standard certificate-based dual system encryption scheme is given, as shown in fig. 1.
As shown in fig. 1, the certificate-based dual-system encryption scheme includes 7 modules, a system parameter setting module, a certificate generating module, a user public key generating module, a user private key generating module, a decryption key generating module, an encrypting module, and a decrypting module.
The disadvantage of the prior art is that no encryption scheme exists that can simultaneously resist decryption key leakage and master key leakage. On this basis, inspired by leakage-resilient certificateless encryption (CLE) and certificate-based encryption, the invention provides the first certificate-based encryption method in the standard model that resists leakage of both the master key and the decryption key. Using the dual-system encryption technique, the relative leakage rate of the decryption key and the master key can reach 1/3.
Referring to fig. 2, fig. 2 is a flowchart of a certificate-based encryption method capable of resisting disclosure of a master key and a decryption key according to an embodiment, including the following steps:
S10, the certification center generates a certificate and sends the certificate to the decryption user.
Specifically, the authentication center may operate an initialization algorithm to initialize the required parameters, then operate a certificate generation algorithm to generate a corresponding certificate, and send the certificate to the decryption user.
The encryption user and the decryption user are user ends managed by the authentication center, and in a certain encryption process, the decryption users in other encryption processes can also become encryption users in the encryption process.
S20, after verifying that the proof is valid, the encryption user randomly selects a first random number s ∈ Z_n, generates a ciphertext from the first random number s and the message to be transmitted, and sends the ciphertext to the decryption user.
Specifically, the encryption user runs the algorithm Ver of Π to verify the validity of the proof π, i.e. to verify whether β is the discrete logarithm of e(g1, v1)^{αβ} with respect to the base e(g1, v1)^α. If so, π is valid, s ∈ Z_n is chosen at random and the ciphertext is computed. In one example, the resulting ciphertext includes:
S30, the decryption user acquires the decryption key and decrypts the ciphertext with the decryption key to obtain the message to be transmitted.
After obtaining the decryption key , the decryption user uses it to decrypt the ciphertext and obtain the message ; this message is the message to be transmitted by the encryption user.
In one embodiment, the certificate authority generates a certificate, and before sending the certificate to the decryption user, the method further includes:
the certification center creates a composite-order bilinear group (N = p1p2p3, G, G_T, e), randomly selects and , runs the Gen algorithm of Π to generate the common reference string crs, and randomly selects and , where n ≥ 2 is an integer; a master public key and a master private key are generated.
In this embodiment, the authentication center operates an initialization algorithm to initialize the required parameters.
In one example, the initialization algorithm is as follows. First, a composite-order bilinear group (N = p1p2p3, G, G_T, e) is created; then and are selected at random; next, the Gen algorithm of Π is run to generate the common reference string crs, and and are selected at random, where n ≥ 2 is an integer. The value of n is variable. The algorithm generates the master public key and the master private key ; the master public key is public and the master private key must be kept secret.
In the initialization algorithm, the certification center first gives a non-interactive zero-knowledge (NIZK) proof system Π = (Gen, Prf, Ver), where Gen generates the system parameters, Prf generates the proof, and Ver verifies the correctness of the proof. Π = (Gen, Prf, Ver) is a proof system for the language L = {β : Y^β = Z}, where β ∈ Z_N and Y, Z ∈ G_T. is a hash function, where is the identity space and is the public key space; its main role is to preserve security when a CLE protocol is converted into a CBE protocol. Without loss of generality, assume . Z_N is the set of all non-negative integers less than N.
In one embodiment, the user terminals, i.e. the encryption user and the decryption user, can each run the private key generation algorithm to generate a private key and the public key generation algorithm to generate a public key. The private key generation algorithm is: the user sets the private key sk_ID = β, where β ∈ Z_N. The public key generation algorithm is: user ID sets the public key pk_ID = (Y, π) = (e(g1, v1)^{αβ}, π), where π ← Prf(crs, (e(g1, v1)^{αβ}, e(g1, v1)^α), β) is a NIZK proof that β is the discrete logarithm of e(g1, v1)^{αβ} with respect to the base e(g1, v1)^α.
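The following is an added example and not the patent's code: a toy version of the Gen/Prf/Ver proof system of Definition 2 and of the key generation just described (sk_ID = β, pk_ID = (Y, π), with Ver later run by the encryption user in step S20). The relation is the same, L = {β : base^β = Y}, but the patent's pairing target group G_T is replaced by a prime-order subgroup of Z_p^* with constructed toy parameters (p = 1019, q = 509, g = 4, far too small for real use), and the proof is a Fiat-Shamir (Schnorr) NIZK of the discrete logarithm. All function and variable names are hypothetical.

```python
import hashlib
import secrets
from typing import NamedTuple, Optional, Tuple

# Constructed toy parameters (not from the patent): p = 2q + 1 is a safe prime
# and g = 4 generates the subgroup of Z_p^* of prime order q.
TOY_P, TOY_Q, TOY_G = 1019, 509, 4


class CRS(NamedTuple):
    """Common reference string: here simply the group description."""
    p: int
    q: int
    g: int


def gen(p: int = TOY_P, q: int = TOY_Q, g: int = TOY_G) -> CRS:
    """Gen: output the crs, checking that g really has order q."""
    assert (p - 1) % q == 0 and g != 1 and pow(g, q, p) == 1
    return CRS(p, q, g)


def in_subgroup(crs: CRS, x: int) -> bool:
    """x is a group element iff 1 <= x < p and x^q = 1 (order-q subgroup)."""
    return 1 <= x < crs.p and pow(x, crs.q, crs.p) == 1


def challenge(crs: CRS, base: int, y: int, r: int) -> int:
    """Fiat-Shamir challenge, bound to the crs, the statement (base, Y) and R."""
    h = hashlib.sha256()
    for v in (crs.p, crs.q, crs.g, base, y, r):
        h.update(v.to_bytes(64, "big"))
    return int.from_bytes(h.digest(), "big") % crs.q


def prf(crs: CRS, base: int, y: int, beta: int) -> Tuple[int, int]:
    """Prf: prove knowledge of beta with base^beta = Y; returns pi = (R, z)."""
    k = secrets.randbelow(crs.q - 1) + 1       # fresh nonce, never reused
    r = pow(base, k, crs.p)
    c = challenge(crs, base, y, r)
    z = (k + c * beta) % crs.q
    return r, z


def ver(crs: CRS, base: int, y: int, pi: Tuple[int, int]) -> bool:
    """Ver: accept iff base^z = R * Y^c, after checking that every input is a
    group element; without the membership checks a malformed public key
    (Y or R outside the subgroup) could pass verification."""
    r, z = pi
    if not (in_subgroup(crs, base) and in_subgroup(crs, y) and in_subgroup(crs, r)):
        return False
    if not 0 <= z < crs.q:
        return False
    c = challenge(crs, base, y, r)
    return pow(base, z, crs.p) == (r * pow(y, c, crs.p)) % crs.p


def user_keygen(crs: CRS, base: int, beta: Optional[int] = None):
    """Analogue of the patent's key generation: sk_ID = beta, pk_ID = (Y, pi),
    where 'base' plays the role of e(g1, v1)^alpha in the patent."""
    if beta is None:
        beta = secrets.randbelow(crs.q - 1) + 1
    y = pow(base, beta, crs.p)
    return beta, (y, prf(crs, base, y, beta))


if __name__ == "__main__":
    crs = gen()
    base = pow(crs.g, 3, crs.p)                 # stands in for e(g1, v1)^alpha
    sk, (Y, pi) = user_keygen(crs, base)
    print("pk accepted:", ver(crs, base, Y, pi))
```

The challenge hashes the crs and the full statement together with R, so a proof cannot be transplanted onto another public key or another base; a real deployment would use a group of at least 2048 bits (or an elliptic-curve group) rather than the toy parameters above.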
In one embodiment, the certificate authority generating the certificate comprises:
the certification center randomly selects and n+1 elements , and computes: , obtaining the certificate, where the certificate is:
where Cert_ID denotes the certificate of user ID (e.g. a decryption user), ID' denotes new identity information derived from the user ID, pk_ID denotes the public key of user ID, ID denotes the user identity, denotes the hash function, denotes the part of related to , D1 denotes the part of related to K1, D2 denotes the part of related to K2, denotes the corresponding part of the private key, denotes n random numbers in , K3 denotes the corresponding part of the private key, r' denotes a random number in , u1 denotes a random number in , h1 denotes a random number in , denotes the n+2 elements of , denotes the pairing operation, and n denotes the number of random numbers.
The user in this embodiment may refer to a decryption user.
In this embodiment, the certificate authority may run a certificate generation algorithm to generate the certificate. Specifically, the certificate generation algorithm includes:
The CA (certification center) randomly selects and n+1 elements . The CA may then also perform the following operation to compute a hash function: , obtaining the certificate . In one example, if z'_i = y_i + z_i (i ∈ {1, ..., n}) and r'' = r + r', the of Cert_ID can be viewed as the part
As an embodiment, the decrypting user obtaining the decryption key includes:
the decryption user randomly selects a first random sequence , a second random sequence and a second random number t ∈ Z_N, computes: , and obtains the decryption key by means of the certificate . The decryption key includes:
where dk_ID denotes the decryption key, denotes the three parts of the decryption key, denotes the exponentiation of the three parts of the certificate, denotes n random numbers, denotes multiplication and exponentiation, denotes the pairing operation, and denotes the n+2 elements of .
Specifically, the decryption user can acquire the decryption key through a decryption key generation algorithm. The decryption key generation algorithm includes:
the decryption user randomly selects and t ∈ Z_N, computes: , and further derives the decryption key by means of the certificate .
In one embodiment, before the encryption user, after verifying that the proof is valid, randomly selects a first random number s ∈ Z_n, generates a ciphertext from the first random number s and the message to be transmitted, and sends the ciphertext to a decryption user, the method further includes:
the encryption user verifies whether β is the discrete logarithm of e(g1, v1)^{αβ} with respect to the base e(g1, v1)^α; if so, the proof is determined to be valid, where e(g1, v1)^{αβ} denotes the result of raising e(g1, v1)^α to the exponent β, and e(g1, v1)^α denotes the pairing e(g1, v1) raised to the exponent α.
Specifically, the encryption user runs the algorithm Ver of Π to verify the validity of the proof π, i.e. whether β is the discrete logarithm of e(g1, v1)^{αβ} with respect to the base e(g1, v1)^α; if so, π is valid, so that the validity of the proof is judged accurately.
In an embodiment, the above certificate-based encryption method capable of resisting leakage of the master key and the decryption key may also refer to fig. 3, where a system parameter setting module of the CA generates the master key and the master public key, a private key generation algorithm of the decryption user generates a user private key according to the master public key, a public key generation algorithm of the decryption user generates a user corresponding public key according to the master public key and the corresponding private key, a certificate generation algorithm of the certificate authority generates a user certificate according to the user identity, the encryption user runs an encryption algorithm to encrypt the message, the decryption user runs a decryption key generation algorithm to generate a decryption key, and further runs the decryption algorithm to decrypt the ciphertext through the decryption key.
The CA is an authentication center, and the CA runs an initialization algorithm and a certificate generation algorithm:
First, a non-interactive zero-knowledge (NIZK) proof system Π = (Gen, Prf, Ver) is given for the language L = {β : Y^β = Z}, where β ∈ Z_N and Y, Z ∈ G_T. is a hash function, where is the identity space and is the public key space; its main role is to preserve the security of a CLE protocol when it is converted into a CBE protocol. Without loss of generality, assume . The LR-CBE algorithm of the invention consists of the following seven algorithms: an initialization algorithm, a private key generation algorithm, a public key generation algorithm, a certificate generation algorithm, an encryption algorithm, a decryption key generation algorithm, and a decryption algorithm.
In one example, the application of the above certificate-based encryption method against the leakage of the master key and the decryption key in engineering is explained.
Following the steps of the certificate-based encryption method resisting leakage of the master key and the decryption key, when the corresponding encryption system is deployed in company XX, the initialization algorithm module of the company's certification center generates a master public key mpk and a master private key msk; the master public key is published within the company, and the master private key is stored secretly by the certification center. Each employee of the company has corresponding identity information ID, and the company's certificate authority runs the certificate generation algorithm module to generate a certificate Cert_ID for the identity ID of the user (company employee), which is stored in the employee card. Each user runs the private key generation algorithm module to set their own private key sk_ID according to the master public key mpk and stores it secretly, and runs the public key generation algorithm module to set their own public key pk_ID and publishes it. When user A (employee A) wants to send encrypted information (a ciphertext) of a message M to user B (employee B, whose identity information is assumed to be ID), user A runs the encryption algorithm with the master public key mpk and the identity information ID of the intended recipient B to generate a ciphertext C of the message M and publishes it. The user whose identity information is ID runs the decryption key generation algorithm with the master public key mpk and the certificate Cert_ID to generate the decryption key dk_ID, and then runs the decryption algorithm with dk_ID to decrypt the ciphertext C and obtain the message M.
The certificate-based encryption method resisting leakage of the master key and the decryption key addresses the problem that existing certificate-based encryption methods cannot tolerate leakage of the master key, and provides a certificate-based encryption system and method that resist not only decryption key leakage but also master key leakage. The security of the method reduces to assumptions on composite-order bilinear groups. This is the first certificate-based encryption scheme that resists master key leakage. The method has good leakage resilience: the leakage rate of the master key and the decryption key may reach 1/3.
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
It should be noted that the terms "first/second/third" referred to in the embodiments of the present application merely distinguish similar objects and do not represent a specific ordering of the objects; it should be understood that "first/second/third" may exchange a specific order or sequence when allowed. It should be understood that objects distinguished by "first/second/third" may be interchanged under appropriate circumstances, such that the embodiments of the application described herein may be implemented in an order other than those illustrated or described herein.
The terms "comprising" and "having" and any variations thereof in the embodiments of the present application are intended to cover non-exclusive inclusions. For example, a process, method, apparatus, product, or device that comprises a list of steps or modules is not limited to the listed steps or modules but may alternatively include other steps or modules not listed or inherent to such process, method, product, or device.
The above-mentioned embodiments only express several embodiments of the present application, and although their description is specific and detailed, it is not to be construed as limiting the scope of the invention. It should be noted that a person skilled in the art can make several variations and modifications without departing from the concept of the present application, and these fall within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.
Claims (5)
1. A certificate-based encryption method that is resistant to master key and decryption key leakage, comprising the steps of:
S10: the certificate authority generates a certificate and sends the certificate to the decryption user;
S20: after verifying that the proof is valid, the encryption user randomly selects a first random number $s \in \mathbb{Z}_N$, generates a ciphertext according to the first random number s and the message to be transmitted, and sends the ciphertext to the decryption user;
S30: the decryption user obtains the decryption key and decrypts the ciphertext with the decryption key to obtain the message to be transmitted.
2. The certificate-based encryption method resisting leakage of the master key and the decryption key according to claim 1, wherein before the certificate authority generates the certificate and sends the certificate to the decryption user, the method further comprises:
the certificate authority creates a composite-order bilinear group $(N = p_1 p_2 p_3, G, G_T, e)$, randomly selects $g_1, u_1, h_1$, … and …, runs the Gen algorithm of $\Pi$ to generate a common reference string crs, and randomly selects … and …, where $n \geq 2$ is an integer; and generates a master public key and a master private key.
3. The certificate-based encryption method resisting leakage of the master key and the decryption key according to claim 1, wherein the certificate authority generating the certificate comprises:
the certificate authority randomly selects … and n+1 elements …, and computes: … to obtain a certificate, where the certificate is: …
where $\mathrm{Cert}_{ID}$ denotes the certificate of user ID, ID' denotes new identity information derived from the user ID, $pk_{ID}$ denotes the public key of user ID, ID denotes the user identity, … denotes the hash function, … denotes the part of … related to …, $D_1$ denotes the part of … related to $K_1$, $D_2$ denotes the part of … related to $K_2$, … denotes the corresponding part of the private key, … denotes the n random numbers in …, $K_3$ denotes the corresponding part of the private key, r' denotes a random number in …, $u_1$ denotes a random number in …, $h_1$ denotes a random number in …, … denotes the n+2 elements of …, … denotes the pairing operation, and n denotes the number of random numbers.
4. The certificate-based encryption method resisting leakage of the master key and the decryption key according to claim 3, wherein the decryption user obtaining the decryption key comprises:
the decryption user randomly selects a first random sequence …, a second random sequence … and a second random number $t \in \mathbb{Z}_N$, and computes: …; by means of the certificate …, the decryption key is obtained, where the decryption key comprises: …
where $dk_{ID}$ denotes the decryption key, … denote the three parts of the decryption key, … denotes the result of the exponentiation of the three parts of the certificate, … denotes n random numbers, … denotes multiplication and exponentiation, … denotes the pairing operation, and … denotes the n+2 elements of $G_{p_3}$.
5. The certificate-based encryption method resisting leakage of the master key and the decryption key according to any one of claims 1 to 4, wherein before the encryption user, after verifying that the proof is valid, randomly selects a first random number $s \in \mathbb{Z}_N$, generates a ciphertext according to the first random number s and the message to be transmitted, and sends the ciphertext to the decryption user, the method further comprises:
the encryption user verifies whether $e(g_1, v_1)^{\alpha\beta}$ equals $\left(e(g_1, v_1)^{\alpha}\right)^{\beta}$; if so, the proof is determined to be valid, where β denotes a random number, $e(g_1, v_1)^{\alpha\beta}$ denotes the result of raising $e(g_1, v_1)^{\alpha}$ to the exponent β, and $e(g_1, v_1)^{\alpha}$ denotes the pairing $e(g_1, v_1)$ raised to the exponent α.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911154312.7A CN111092720A (en) | 2019-11-22 | 2019-11-22 | Certificate-based encryption method capable of resisting leakage of master key and decryption key |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911154312.7A CN111092720A (en) | 2019-11-22 | 2019-11-22 | Certificate-based encryption method capable of resisting leakage of master key and decryption key |
Publications (1)
Publication Number | Publication Date |
---|---|
CN111092720A true CN111092720A (en) | 2020-05-01 |
Family ID: 70393532
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201911154312.7A Pending CN111092720A (en) | 2019-11-22 | 2019-11-22 | Certificate-based encryption method capable of resisting leakage of master key and decryption key |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111092720A (en) |
Non-Patent Citations (1)
Title |
---|
Qihong Yu, "Certificate-based encryption resilient to key leakage", The Journal of Systems and Software, 8 July 2015 (2015-07-08), pages 2-8 * |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113014397A (en) * | 2021-03-17 | 2021-06-22 | 杭州师范大学 | Rapid and safe identity authentication method |
CN113014397B (en) * | 2021-03-17 | 2023-08-18 | 杭州师范大学 | Quick and safe identity authentication method |
CN113873027A (en) * | 2021-09-24 | 2021-12-31 | 深信服科技股份有限公司 | Communication method and related device |
CN113873027B (en) * | 2021-09-24 | 2024-02-27 | 深信服科技股份有限公司 | Communication method and related device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20200501 |