[go: up one dir, main page]
More Web Proxy on the site http://driver.im/

CN112152813B - Certificateless content extraction signcryption method supporting privacy protection - Google Patents

Certificateless content extraction signcryption method supporting privacy protection Download PDF

Info

Publication number
CN112152813B
CN112152813B CN202010950341.0A CN202010950341A CN112152813B CN 112152813 B CN112152813 B CN 112152813B CN 202010950341 A CN202010950341 A CN 202010950341A CN 112152813 B CN112152813 B CN 112152813B
Authority
CN
China
Prior art keywords
message
key
sub
user
commitment
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010950341.0A
Other languages
Chinese (zh)
Other versions
CN112152813A (en
Inventor
孟博
刘加兵
王德军
覃俊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
South Central Minzu University
Original Assignee
South Central University for Nationalities
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by South Central University for Nationalities filed Critical South Central University for Nationalities
Priority to CN202010950341.0A priority Critical patent/CN112152813B/en
Publication of CN112152813A publication Critical patent/CN112152813A/en
Application granted granted Critical
Publication of CN112152813B publication Critical patent/CN112152813B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3252Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using DSA or related signature schemes, e.g. elliptic based signatures, ElGamal or Schnorr schemes
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a certificateless content extraction signcryption method supporting privacy protection. The key generation center of the invention constructs a finite field by selecting prime numbers of bits, selects a circular addition group with the order of prime numbers to construct an elliptic parameter according to the finite field, randomly selects a master key to calculate a master public key, and selects a hash function to further generate partial secret keys of users and construct private keys and public keys of the users; dividing an original message into a plurality of sub-message blocks, constructing a salt tree, calculating commitment values of the sub-message blocks by combining root salt values generated by the salt tree, constructing a commitment binary tree, assigning values to leaf nodes of the commitment binary tree according to the commitment values of the sub-message blocks, and generating a signature of the original message by a signer according to the commitment binary tree; extracting the signcrypter to execute a signcryption extraction algorithm, extracting the privacy message and executing signcryption operation; the verifier executes the signcryption verification algorithm to return a verification message. The invention improves the signature efficiency and the certificate management security.

Description

Certificateless content extraction signcryption method supporting privacy protection
Technical Field
The invention belongs to the field of information security, and particularly relates to a certificateless content extraction signcryption method supporting privacy protection.
Background
Blockchain intelligence contract data originates from cross-chains, side chains, or the internet, etc., but essentially originates from outside the blockchain. Therefore, security of intelligent contracts to access data outside the chain is very important. The digital signature technology is used as a basic technology and measure for guaranteeing network information safety, can realize safety attributes such as authentication, integrity and the like, and is very important for guaranteeing the network information safety.
Common digital signatures require that an attacker cannot forge the signature of a new message, thereby ensuring the security of the message. This requirement, however, prevents the signer from operating properly on the signed data to some extent. In 2001, Steinfeld R and the like firstly propose content extraction signatures and also give a specific implementation scheme. The content extraction signature is different from the common digital signature, the content extraction signature supports that under the condition that the content extraction signature does not interact with an original signer, a signature holder can extract a required message block from a signed message according to the requirement, meanwhile, the signature is calculated for the extracted message block, a trusted third party can prove the authenticity of the extracted message block, and therefore the content extraction signature is widely applied. However, the content extraction signature has three problems to be solved:
when the current content extraction signature sends verification information to a verifier, privacy protection is lacked;
the traditional public key system needs a digital certificate to ensure the consistency of the user identity and the public key, and has the problem of certificate management;
in a certificateless public key cryptosystem, the signature based on bilinear pairwise operation has high cost and low efficiency.
Disclosure of Invention
The invention mainly solves the technical problems in the prior art and provides an intelligent contract out-of-chain data access method and system based on content extraction signcryption. The method and the system adopt a certificateless content extraction signcryption technology supporting privacy protection, and the problem of privacy data leakage is solved based on content extraction signcryption, so that privacy protection in a signature process is realized. And elliptic curve encryption and certificateless design are adopted, so that the problems of low signature efficiency and certificatemanagement are solved.
The technical problem of the invention is mainly solved by the following technical scheme:
a certificateless content extraction signcryption method to support privacy protection, comprising:
step 1, a key generation center constructs a finite field by selecting k-bit prime numbers, a circular addition group with the order of prime numbers constructs an elliptic parameter according to the finite field, a master key is randomly selected to calculate a master public key, the key generation center selects a hash function, the master key is stored, public parameters are constructed, partial secret keys of a user are further generated, and a private key and a public key of the user are constructed;
step 2, dividing the original message into a plurality of sub-message blocks, constructing a salt tree, calculating the commitment value of the sub-message blocks by combining the sub-message blocks with the root salt value generated by the salt tree, constructing a commitment binary tree, assigning values to leaf nodes of the commitment binary tree according to the commitment value of the sub-message blocks, and generating the signature of the original message by a signer according to the commitment binary tree;
step 3, extracting the signcryption person to execute a signcryption extraction algorithm, extracting the privacy message and executing signcryption operation;
step 4, the verifier executes the signcryption verification algorithm to return verification information;
preferably, the finite field in step 1 is FpOf order pk
Step 1, the circular addition group with prime order is selected, and ellipse parameters are constructed according to a finite field as follows:
the key generation center selects a cyclic addition group G with the order of prime p, defining E/FpIs a finite field FpThe above elliptic curve, P is the generator of G, gets { Fp,E/FpG, P }, E represents an elliptic curve, E/FpDefining elliptic curve in finite field FpThe above step (1);
step 1 said randomly selecting master key to calculate master public key is:
key generation center random selection parameters
Figure BDA0002676685350000021
x is the main key, the main key x is kept secret, and the main public key P is obtained through calculationpub=xP,
Figure BDA0002676685350000022
An integer group of an arbitrary order;
step 1, the key generation center selects a hash function as follows:
Figure BDA0002676685350000023
H2:{0,1}*→G,H3:{0,1}*→G、
Figure BDA0002676685350000024
H1、H2、H3、H4sequentially represents a first collision-free hash function, a second collision-free hash function, a third collision-free hash function, a fourth collision-free hash function, {0,1}*Representing a set of combinations of binary sequences of arbitrary bit length,
Figure BDA0002676685350000025
integer groups of arbitrary order are represented, → representing a set-to-group mapping;
the construction public parameters in the step 1 are as follows:
params={Fp,E/Fp,G,P,H1,H2,H3,H4}
the step 1 of generating the partial secret key of the user is as follows:
user A randomly selects parameters
Figure BDA0002676685350000026
Calculating P as a secret valueA=xAP, mixing PATo a key generation center, PAGenerating element for user A;
the key generation center passes through a system master key x and a generation element P of a user AAAnd a common parameter, params ═ Fp,E/Fp,G,P,H1,H2,H3,H4Calculating to obtain a partial secret key D of the user AAThe method comprises the following steps:
key generation center random selection parameters
Figure BDA0002676685350000031
RA=rAP, calculate hA=H1(IDA,RA,PA) Wherein IDAFor the identity of user A in an identity-based cryptographic environment, RATo sign a key, PAGenerating element for user A;
the key generation center calculates sA=(rA+hAx) mod n, mod being modular transportCalculating sAFor the parameters of the partial key of the user A, the partial key D of the user A is generated by combining the signing keyA={sA,RAAnd sending the data to the user A;
step 1, the private key and the public key of the user are constructed as follows:
user A converts the secret value of user A, namely xAAnd a parameter s of a partial key of the user AAConstructing the private Key SK of user AAI.e. SKA=(xA,sA)。
Constructing the public key PK of user AAI.e. PKA=(PA,RA);PAAs a generator of user A, RAA signing key for user a;
preferably, in step 2, the original message is divided into a plurality of sub-message blocks, and the specific method includes:
M={M[1],M[2],…,M[i],…,M[n]}
wherein M is an original message, M [ i ] represents the ith sub-message block, n is the number of the sub-message blocks, and i belongs to [1, n ];
2, inputting a random value to the constructed salt tree, and obtaining a pseudorandom root salt value through a variable-length pseudorandom model to construct the salt tree;
step 2, the commitment value of the sub-message block is calculated by combining the sub-message block with the root salt value generated by the salt tree, and is as follows:
Figure BDA0002676685350000032
wherein C [ i ] represents the commitment value of the ith sub-message block, C represents a commitment algorithm, and the commitment value about the message block is generated, and the privacy of the message block M [ i ] can be effectively protected by using the commitment algorithm;
the specific way is that the message block M [ i ]]Corresponding and pseudo-random salt values
Figure BDA0002676685350000033
Binding and generating a commitment character string
Figure BDA0002676685350000034
The commitment string c relates to the message M [ i ]]Is determined, the message M' is recalculated during the verification process [ i]Promise of (1)
Figure BDA0002676685350000035
The validity of the signature can be described by verifying whether c ═ c' is true;
M[i]denotes the ith sub-message block, n is the number of sub-message blocks,
Figure BDA0002676685350000036
inrIndicates the message name, icIndicating the sub-message block name.
Step 2, constructing a commitment binary tree, and assigning values to leaf nodes of the commitment binary tree according to the commitment values of the sub message blocks as follows:
the number of the committed binary tree is L;
the jth node of the kth layer is Vk,j,k∈[1,L],j∈[1,2k-1];
For k-th leaf node, the total number of nodes is 2k-1. Will promise the value c [ i ]]Is given to va[i]I.e. va[i]=c[i];
For k e [1, L-1]Nodes of a layer, every two sibling nodes being subjected to a hash function H2Calculating va=H2(va[i],va[i+1]) All v are obtainedaUntil the final root node value v is obtained0
Step 2, the signature of the original message generated by the signer according to the commitment binary tree is as follows:
step 2.1, random selection
Figure BDA0002676685350000041
As a master key of the system, it is,
Figure BDA0002676685350000042
randomly selecting a prime number P with k bits for an integer group with an arbitrary order, and calculating a parameter R which is l.P and is a generator of G;
step 2.2, calculating parameter H ═ H3(v0,R,PKA);H3Is a third collision-free hash function, v0To commit a binary tree root node value, PKAIs the public key of user A;
step 2.3, judging whether gcd (l + h, n) is 1 or not through a greatest common divisor function, if yes, executing step 2.4, and if not, returning to step 2.1; l is the system master key, h is the hash value generated in step 2.6, and n is the number of message blocks;
step 2.4, calculate s ═ (l + h)-1(xA+sA) mod n; l is the system master key, h is the hash value generated in step 2.2, xAIs the secret value of user A, sAIs a parameter of the partial key of user a.
Step 2.5, by combining the parameters CEAS, R, s, c [ i ]]i∈nConstructing the signature of the original message, outputting the signature sigmaF=(CEAS,R,s,c[i]i∈n);
CEAS is content extraction access control structure, R is generator of G, s is system partial key, c [ i ]]i∈nA set of commitment values for all message blocks;
the signer sends the original message and the signature of the original message to the signer who extracted the signcryption.
Preferably, the extraction of the signature σ of the original message received by the signcryptor in step 3 is performedFThen, calculating a new root node value v according to the method in the step 20At the same time, calculate hA=H1(IDA,RA,PA) And H ═ H3(v0,R,PKA);
IDAFor the identity of user A in an identity-based encrypted environment, PAFor a generator, R, of user AATo sign the key, hAFor A-based identity digest hash values, h is the generated hash value, v0For commitment of a binary tree root node value, R is a generator of G, PKAIs the public key of user A;
further verify the equation s (R + hP) ═ PA+RA+hAPpubWhether it is true or not, if the equality is not trueStopping, otherwise, continuing to execute the following steps:
wherein, M '[ i ] represents the extracted sub-message with the number i, ext (i) represents the set of sub-message blocks i in the original message M contained in the sub-message set M', CEAS is the content extraction access structure, and i is the sub-message block name.
Constructing ext (i) from the content extraction access structure CEAS; CEAS is a content extraction access control structure, ext (i) represents a set of sub-message blocks i in the original message M contained in the sub-message set M';
replacing M { M [1], M [2], …, M ' [ i ], …, M ' [ n ] } by M ═ { M [1], M [2], …, M [ i ], …, M [ n ] }, if i ∈ ext (i), then M ' [ i ] ═ M [ i ], indicating that the sub-message block was extracted; otherwise, M' [ i ] ═ c [ i ]; m '[ i ] represents the extracted sub-message with the number of i, M [ i ] represents the sub-message block with the original number of i, and ext (i) represents a set of sub-message blocks i in the original message M contained in the sub-message set M';
calculation of EA=l(PA+RA+hAPpub),
Figure BDA0002676685350000051
l is the system master key, PAOne generator, R, for user AATo sign the key, hAAs identity ID based on AADigest hash value, PpubIs the system master public key, EAFor the encryption key, M' is the set of sub-messages, E is the encryption ciphertext, H4In order to be a function of the hash function,
Figure BDA0002676685350000052
is an exclusive or operation;
step 3.4, output and extraction signcryption sigmaEAnd E is an encrypted ciphertext, CEAS is a content extraction access control structure, ext (i) represents a set of sub-message blocks i in an original message M contained in a sub-message set M', R is a generator of G, and s is a system partial key.
Preferably, in step 4, the verifier executing the signcryption verification algorithm returns a verification message that:
the verifier receives the extracted signcryption sigmaEThen, the following operations are performed to verify the signcryption:
step 4.1, judging whether the ext (i) epsilon CEAS is established or not, and if not, terminating the algorithm; otherwise, carrying out the next step; ext (i) represents a set of sub-message blocks i in the original message M contained in a sub-message set M' [ i ], and CEAS is an access control structure for content extraction;
step 4.2, calculate EB=s(xA+sA)(PA+RA+ R + h.P), decryption
Figure BDA0002676685350000053
s is a system partial key, xAIs the secret value of user A, sAPartial key D for user AAParameter of (A), PAFor a generator, R, of user AAR is a generator of G, h is a hash value generated in the step 3, and P is a randomly selected prime number;
step 4.3, according to M' [ i ]]And ext (i) recovery v'0The method comprises the following specific steps: first, it is determined whether i ∈ ext (i) is true, and if so, M' [ i ] is restored]A value of (d); otherwise, keeping the original value unchanged; v 'is then calculated'0;M'[i]For the regenerated message, ext (i) represents the set of sub-message blocks i, v 'in the original message M contained in the set of sub-messages M'0A new commitment binary tree root node value is calculated;
step 4.4, calculate hA=H1(IDA,RA,PA) And H is H4(v0',R,PKA) While verifying the equation s (R + hP) ═ PA+RA+hAPpubAnd if the result is positive, the signcryption verification is successful, otherwise, the signcryption verification fails. ID (identity)AFor the identity of user A in an identity-based cryptographic environment, PAFor a generator, R, of user AAFor the signing key, h is the regenerated hash value, v0For commitment of a binary tree root node value, R is a generator of G, PKAIs the public key of user a. h isAAs identity ID based on AADigest hash value, PpubIs the system master public key.
The method has the advantages that the signcryption is extracted based on the content, so that the problem of privacy data leakage is solved, and privacy protection in the signing process is realized; and elliptic curve encryption and certificateless design are adopted, so that the problems of low signature efficiency and certificatemanagement are solved.
Drawings
FIG. 1: the method of the invention is a flow chart.
FIG. 2: the salt tree and the commitment binary tree generate a graph.
FIG. 3: the signature generates a graph.
FIG. 4: and (5) signcryption extraction of the graph.
FIG. 5: and (5) signing and verifying the graph.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be obtained by a person skilled in the art without making any creative effort based on the embodiments in the present invention, belong to the protection scope of the present invention.
The invention provides a certificateless content extraction signcryption method supporting privacy protection, which comprises the following steps:
step 1, a key generation center constructs a finite field by selecting k-bit prime numbers, a circular addition group with the order of prime numbers constructs an elliptic parameter according to the finite field, a master key is randomly selected to calculate a master public key, the key generation center selects a hash function, the master key is stored, public parameters are constructed, partial secret keys of a user are further generated, and a private key and a public key of the user are constructed;
step 1 the finite field is FpOf order pk
Step 1, the circular addition group with prime order is selected, and ellipse parameters are constructed according to a finite field as follows:
the key generation center selects a cyclic addition group G with the order of prime p 13, defining E/FpIs a finite field FpThe above elliptic curve, P is the generator of G, gets { Fp,E/FpG, P }, E represents an elliptic curve, E/FpDefining elliptic curve in finite field FpThe above step (1);
step 1 said randomly selecting master key to calculate master public key is:
key generation center random selection parameters
Figure BDA0002676685350000071
x is the main key, the main key x is kept secret, and the main public key P is obtained through calculationpub=xP,
Figure BDA0002676685350000072
An integer group of an arbitrary order;
step 1, the key generation center selects a hash function as follows:
Figure BDA0002676685350000073
H2:{0,1}*→G,H3:{0,1}*→G、
Figure BDA0002676685350000074
H1、H2、H3、H4sequentially represents a first collision-free hash function, a second collision-free hash function, a third collision-free hash function, a fourth collision-free hash function, {0,1}*Representing a set of combinations of binary sequences of arbitrary bit length,
Figure BDA0002676685350000075
integer groups of arbitrary order are represented, → representing a set-to-group mapping;
the construction public parameters in the step 1 are as follows:
params={Fp,E/Fp,G,P,H1,H2,H3,H4}
the step 1 of generating the partial secret key of the user is as follows:
user A randomly selects parameters
Figure BDA0002676685350000076
Calculating P as a secret valueA=xAP, mixing PATo a key generation center, PAGenerating element for user A;
the key generation center passes through a system master key x and a generation element P of a user AAAnd a common parameter, params ═ Fp,E/Fp,G,P,H1,H2,H3,H4Calculating to obtain a partial secret key D of the user AAThe method comprises the following steps:
key generation center random selection parameters
Figure BDA0002676685350000077
RA=rAP, calculate hA=H1(IDA,RA,PA) Wherein IDAFor the identity of user A in an identity-based cryptographic environment, RATo sign a key, PAGenerating element for user A;
the key generation center calculates sA=(rA+hAx) mod 8, mod being a modulo operation, sAFor the parameters of the partial key of the user A, the partial key D of the user A is generated by combining the signing keyA={sA,RAAnd sending the data to the user A;
step 1, the private key and the public key of the user are constructed as follows:
user A converts the secret value of user A, namely xAAnd a parameter of a partial key of the user A, i.e. sAConstructing the private Key SK of user AAI.e. SKA=(xA,sA)。
Constructing the public key PK of user AAI.e. PKA=(PA,RA);PAFor the generator of user A, RAA signing key for user a;
step 2, dividing the original message into 8 sub-message blocks, constructing a salt tree, calculating commitment values of the sub-message blocks by combining root salt values generated by the salt tree, constructing a commitment binary tree, assigning values to leaf nodes of the commitment binary tree according to the commitment values of the sub-message blocks, and generating a signature of the original message by a signer according to the commitment binary tree;
step 2, dividing the original message into a plurality of sub-message blocks, specifically comprising:
M={M[1],M[2],…,M[i],…,M[8]}
wherein M is an original message, M [ i ] represents the ith sub-message block, the number of the sub-message blocks is 8, i belongs to [1, …,8 ];
2, inputting a random value into the salt tree construction, and obtaining a pseudorandom root salt value through a variable-length pseudorandom model to construct a salt tree;
step 2, the commitment value of the sub-message block is calculated by combining the sub-message block with the root salt value generated by the salt tree, and is as follows:
Figure BDA0002676685350000081
wherein C [ i ] represents the commitment value of the ith sub-message block, C represents a commitment algorithm, and the commitment value about the message block is generated, and the privacy of the message block M [ i ] can be effectively protected by using the commitment algorithm;
the specific way is that the message block M [ i ]]Corresponding and pseudo-random salt values
Figure BDA0002676685350000082
Binding and generating a commitment character string
Figure BDA0002676685350000083
The commitment string c relates to the message M [ i ]]Is determined, the message M' is recalculated during the verification process [ i]Promise of (1)
Figure BDA0002676685350000084
The validity of the signature can be described by verifying whether c ═ c' is true;
M[i]indicating the ith sub-message block, the number of sub-message blocks being 8,
Figure BDA0002676685350000085
inrIndicates the message name, icIndicating the sub-message block name.
Step 2, constructing a commitment binary tree, and assigning values to leaf nodes of the commitment binary tree according to the commitment values of the sub message blocks as follows:
the number of the committed binary tree is L;
the jth node of the kth layer is Vk,j,k∈[1,L],j∈[1,2k-1];
For the k-th leaf node, the total number of nodes is 2k-1. Will promise value c [ i ]]Is given to va[i]I.e. va[i]=c[i];
For k e [1, L-1]Nodes of a layer, every two sibling nodes being subjected to a hash function H2Calculating va=H2(va[i],va[i+1]) Obtaining all vaUntil the final root node value v is obtained0
Step 2, the signature of the original message generated by the signer according to the commitment binary tree is as follows:
step 2.1, random selection
Figure BDA0002676685350000091
As a master key of the system, it is,
Figure BDA0002676685350000092
randomly selecting a prime number 13 with k bits for an integer group with an arbitrary order, and calculating a parameter R as l.13, wherein R is a generator of G;
step 2.2, calculating parameter H ═ H3(v0,R,PKA);H3Is a third collision-free hash function, v0To commit to a binary tree root node value, PKAIs the public key of user A;
step 2.3, judging whether gcd (l + h,8) is 1 or not through a greatest common divisor function, if yes, executing step 2.4, otherwise, returning to step 2.1; l is the system master key, h is the hash value generated in step 2.6, and n is the number of message blocks;
step 2.4, calculate s ═ (l + h)-1(xA+sA) mod 8; l is the system master key and h is generated in step 2.2Hash value, xAIs the secret value of user A, sAIs a parameter of the partial key of user a.
Step 2.5, by combining the parameters CEAS, R, s, c [ i ]]i∈nConstructing the signature of the original message, outputting the signature sigmaF=(CEAS,R,s,c[i]i∈n);
CEAS is content extraction access control structure, R is generator of G, s is system partial key, c [ i ]]i∈nA set of commitment values for all message blocks;
the signer sends the original message and the signature of the original message to the signer.
Step 3, extracting the signcryption person to execute a signcryption extraction algorithm, extracting the privacy message and executing a signcryption operation;
step 3, extracting the signature sigma of the original message received by the signatoryFThen, calculating a new root node value v according to the method in the step 20At the same time, calculate hA=H1(IDA,RA,PA) And H ═ H3(v0,R,PKA);
IDAFor the identity of user A in an identity-based cryptographic environment, PAFor a generator, R, of user AATo sign the key, hAFor A-based identity digest hash values, h is the generated hash value, v0For commitment of a binary tree root node value, R is a generator of G, PKAA public key for user A;
further verify the equation s (R + h.13) as PA+RA+hAPpubIf the equation is not satisfied, stopping if the equation is not satisfied, otherwise, continuing to execute the following steps:
wherein, M '[ i ] represents the extracted sub-message with the number i, ext (i) represents the set of sub-message blocks i in the original message M contained in the sub-message set M', CEAS is the content extraction access structure, and i is the sub-message block name.
Constructing ext (i) according to a Content Extraction Access Structure (CEAS); CEAS is a content extraction access control structure, ext (i) represents a set of sub-message blocks i in the original message M contained in the sub-message set M';
replacing M { M [1], M [2], …, M ' [ i ], …, M ' [ n ] } by M ═ { M [1], M [2], …, M [ i ], …, M [ n ] }, if i ∈ ext (i), then M ' [ i ] ═ M [ i ], indicating that the sub-message block was extracted; otherwise, M' [ i ] ═ c [ i ]; m '[ i ] represents the extracted sub-message with the number of i, M [ i ] represents the sub-message block with the original number of i, and ext (i) represents a set of sub-message blocks i in the original message M contained in the sub-message set M';
calculation of EA=l(PA+RA+hAPpub),
Figure BDA0002676685350000101
l is the system master key, PAFor a generator, R, of user AATo sign the key, hAAs identity ID based on AADigest hash value, PpubIs a system master public key, EAFor the encryption key, M' is the set of sub-messages, E is the encryption ciphertext, H4In order to be a function of the hash function,
Figure BDA0002676685350000102
is an exclusive or operation;
step 3.4, output and extraction signcryption sigmaEE, CEAS, ext (i), R, s, E is an encrypted ciphertext, CEAS is a content extraction access control structure, ext (i) represents a set of sub-message blocks i in the original message M included in the sub-message set M', R is a generator of G, and s is a system partial key.
Step 4, the verifier executes the signcryption verification algorithm to return verification information;
step 4, the verifier executes the signcryption verification algorithm and returns a verification message as follows:
the verifier receives the extracted signcryption sigmaEThen, the following operations are performed to verify the signcryption:
step 4.1, judging whether the ext (i) epsilon CEAS is established or not, and if not, terminating the algorithm; otherwise, carrying out the next step; ext (i) represents a set of sub-message blocks i in the original message M contained in a sub-message set M' [ i ], and CEAS is a structure for extracting access control for content;
step 4.2, calculate EB=s(xA+sA)(PA+RA+ R + h.p), decryption
Figure BDA0002676685350000103
s is a system partial key, xAIs the secret value of user A, sAPartial key D for user AAParameter of (A), PAFor a generator, R, of user AAR is a generator of G, h is a hash value generated in the step 3, and p is a randomly selected prime number 13;
step 4.3, according to M' [ i ]]And ext (i) recovery v'0The method comprises the following specific steps: first, it is determined whether i ∈ ext (i) is true, and if so, M' [ i ] is restored]A value of (d); otherwise, keeping the original value unchanged; v 'is then calculated'0;M'[i]For the regenerated message, ext (i) represents the set of sub-message blocks i, v 'in the original message M contained in the set of sub-messages M'0A new commitment binary tree root node value is calculated;
step 4.4, calculate hA=H1(IDA,RA,PA) And H ═ H4(v0',R,PKA) While verifying the equation s (R + hp) ═ PA+RA+hAPpubAnd if the result is positive, the signcryption verification is successful, otherwise, the signcryption verification fails. IDAFor the identity of user A in an identity-based encrypted environment, PAFor a generator, R, of user AAFor the signing key, h is the regenerated hash value, v0For commitment of a binary tree root node value, R is a generator of G, PKAIs the public key of user a. h isAAs identity ID based on AADigest hash value, PpubIs the system master public key.
It should be understood that parts of the specification not set forth in detail are well within the prior art.
It should be understood that the above description of the preferred embodiments is illustrative, and not restrictive, and that various changes and modifications may be made therein by those skilled in the art without departing from the scope of the invention as defined in the appended claims.

Claims (3)

1. A certificateless content extraction signcryption method that supports privacy protection, comprising:
step 1, a key generation center constructs a finite field by selecting k-bit prime numbers, a circular addition group with the order of prime numbers constructs an elliptic parameter according to the finite field, a master key is randomly selected to calculate a master public key, the key generation center selects a hash function, the master key is stored, public parameters are constructed, partial secret keys of a user are further generated, and a private key and a public key of the user are constructed;
step 2, dividing the original message into a plurality of sub-message blocks, constructing a salt tree, calculating commitment values of the sub-message blocks by combining root salt values generated by the salt tree, constructing a commitment binary tree, assigning values to leaf nodes of the commitment binary tree according to the commitment values of the sub-message blocks, and generating a signature of the original message by a signer according to the commitment binary tree;
step 3, extracting the signcryption person to execute a signcryption extraction algorithm, extracting the privacy message and executing signcryption operation;
step 4, the verifier executes the signcryption verification algorithm to return verification information;
step 3, extracting the signature sigma of the original message received by the signcryptorFThen, the root node value v is recalculated according to the method in the step 20At the same time, h is calculatedA=H1(IDA,RA,PA) And H ═ H3(v0,R,PKA);
IDAFor the identity of user A in an identity-based cryptographic environment, PAFor a generator, R, of user AAFor signing the key, hAFor A-based identity digest hash values, h is the generated hash value, v0For commitment of the binary tree root node value, R is a generator of G, PKAIs the public key of user A;
further verification of the equation, i.e., s (R + hP) ═ PA+RA+hAPpubIf the equation is not satisfied, stopping if the equation is not satisfied, otherwise, continuing to execute the following steps:
wherein, M '[ i ] represents the extracted sub-message with the number i, ext (i) represents the set of sub-message blocks i in the original message M contained in the sub-message set M', CEAS is a content extraction access structure, and i is the name of the sub-message block;
constructing ext (i) according to a Content Extraction Access Structure (CEAS); CEAS is a content extraction access control structure, ext (i) represents a set of sub-message blocks i in the original message M contained in the sub-message set M';
replacing M { M [1], M [2], …, M ' [ i ], …, M ' [ n ] } by M ═ { M [1], M [2], …, M [ i ], …, M [ n ] }, if i ∈ ext (i), then M ' [ i ] ═ M [ i ], indicating that the sub-message block was extracted; otherwise, M' [ i ] ═ c [ i ]; m '[ i ] represents the extracted sub-message with the number of i, M [ i ] represents the sub-message block with the original number of i, and ext (i) represents a set of sub-message blocks i in the original message M contained in the sub-message set M';
calculating EA=l(PA+RA+hAPpub),
Figure FDA0003581530370000011
l is the system master key, PAOne generator, R, for user AATo sign the key, hAAs identity ID based on AADigest hash value, PpubIs the system master public key, EAFor the encryption key, M' is the set of sub-messages, E is the encryption ciphertext, H4In order to be a function of the hash function,
Figure FDA0003581530370000021
is an exclusive or operation;
step 3.4, output and extraction signcryption sigmaEE, CEAS, E;
step 4, the verifier executes the signcryption verification algorithm to return verification information as follows:
the verifier receives the extracted signcryption sigmaEThen, the following operations are performed to verify the signcryption:
step 4.1, judging whether the ext (i) epsilon CEAS is established or not, and if not, terminating the algorithm; otherwise, carrying out the next step; ext (i) represents a set of sub-message blocks i in the original message M contained in a sub-message set M' [ i ], and CEAS is a content extraction access control structure;
step 4.2, calculate EB=s(xA+sA)(PA+RA+ R + h.P), decryption
Figure FDA0003581530370000022
s is the system partial key, xAIs the secret value of user A, sAPartial key D for user AAParameter of (A), PAOne generator, R, for user AAR is a generator of G, h is a hash value generated in the step 3, and P is a randomly selected prime number;
step 4.3, according to M' [ i ]]And ext (i) recovery v'0The method comprises the following specific steps: first, it is determined whether i ∈ ext (i) is true, and if so, M' [ i ] is restored]A value of (d); otherwise, keeping the original value unchanged; v 'is then calculated'0;M'[i]For the regenerated message, ext (i) represents the set of sub-message blocks i, v 'in the original message M contained in the set of sub-messages M'0A new commitment binary tree root node value is calculated;
step 4.4, calculate hA=H1(IDA,RA,PA) And H ═ H4(v0',R,PKA) While verifying the equation s (R + hP) ═ PA+RA+hAPpubIf yes, the signcryption verification is successful, otherwise, the signcryption verification fails; ID (identity)AFor the identity of user A in an identity-based encrypted environment, PAOne generator, R, for user AAFor the signing key, h is the regenerated hash value, v0For commitment of the binary tree root node value, R is a generator of G, PKAIs the public key of user A; h isAAs identity ID based on AADigest hash value, PpubIs the system master public key.
2. The certificateless content extraction signcryption method in support of privacy protection as claimed in claim 1, wherein:
step 1 the finite field is FpOf order pk
Step 1, the circular addition group with prime order is selected, and ellipse parameters are constructed according to a finite field as follows:
the key generation center selects a cyclic addition group G with the order of prime p, defining E/FpIs a finite field FpThe above elliptic curve, P is the generator of G, gets { Fp,E/FpG, P }, E represents an elliptic curve, E/FpDefining elliptic curve in finite field FpThe above step (1);
step 1 said randomly selecting master key to calculate master public key is:
key generation center random selection parameters
Figure FDA0003581530370000031
x is the main key, the main key x is kept secret, and the main public key P is obtained through calculationpub=xP,
Figure FDA0003581530370000032
An integer group of an arbitrary order;
step 1, the key generation center selects a hash function as follows:
Figure FDA0003581530370000033
H2:{0,1}*→G;H3:{0,1}*→G;
Figure FDA0003581530370000034
H1、H2、H3、H4sequentially representing a first collision-free hash function, a second collision-free hash function, a third collision-free hash function and a fourth collision-free hash functionThe Hig function, {0,1}*Representing a set of combinations of binary sequences of arbitrary bit length,
Figure FDA0003581530370000035
integer groups of order arbitrary, → representing set-to-group mappings;
the construction public parameters in the step 1 are as follows:
params={Fp,E/Fp,G,P,H1,H2,H3,H4}
the step 1 of generating the partial secret key of the user is as follows:
user A randomly selects parameters
Figure FDA0003581530370000036
Calculating P as a secret valueA=xAP, mixing PATo a key generation center, PAA generator for user A;
the key generation center generates a key by a system master key x and a generation element P of a user AAAnd a common parameter params ═ Fp,E/Fp,G,P,H1,H2,H3,H4Calculating to obtain a partial secret key D of the user AAThe method comprises the following steps:
key generation center random selection parameters
Figure FDA0003581530370000037
RA=rAP, calculate hA=H1(IDA,RA,PA) Wherein IDAFor the identity of user A in an identity-based cryptographic environment, RATo sign the key, PAGenerating element for user A;
the key generation center calculates sA=(rA+hAx) mod n, mod being a modulo operation, sAFor the parameters of the partial key of the user A, the partial key D of the user A is generated by combining the signing keyA={sA,RAAnd sending the data to the user A;
step 1, the private key and the public key of the user are constructed as follows:
user A combines the secret value x of user AAAnd a parameter s of a partial key of the user aAConstructing the private Key SK of user AAI.e. SKA=(xA,sA);
Constructing the public key PK of user AAI.e. PKA=(PA,RA);PAFor the generator of user A, RAIs the signing key of user a.
3. The certificateless content extraction signcryption method in support of privacy protection as claimed in claim 1, wherein:
step 2, dividing the original message into a plurality of sub-message blocks, specifically comprising:
M={M[1],M[2],…,M[i],…,M[n]}
wherein M is an original message, M [ i ] represents the ith sub-message block, n is the number of the sub-message blocks, and i belongs to [1, n ];
2, inputting a random value to the constructed salt tree, and obtaining a pseudorandom root salt value through a variable-length pseudorandom model to construct the salt tree;
step 2, the commitment value of the sub-message block is calculated by combining the sub-message block with the root salt value generated by the salt tree, and is as follows:
Figure FDA0003581530370000041
wherein C [ i ] represents the commitment value of the sub-message block, C represents the commitment algorithm, and generates the commitment value related to the message block, and the privacy of the message block M [ i ] can be effectively protected by using the commitment algorithm;
the specific way is that the message block M [ i ]]Corresponding and pseudo-random salt values
Figure FDA0003581530370000042
Binding, generating commitment values for sub-message blocks
Figure FDA0003581530370000043
The commitment value of a sub-message block is with respect to message M [ i]Is determined, the message M' is recalculated during the verification process [ i]Promise of (1)
Figure FDA0003581530370000044
By verifying c [ i ]]=c'[i]Whether the signature is valid or not can indicate the validity of the signature;
M[i]denotes the ith sub-message block, n is the number of sub-message blocks,
Figure FDA0003581530370000045
inrIndicates the message name, icRepresenting a sub-message block name;
step 2, constructing a commitment binary tree, and assigning values to leaf nodes of the commitment binary tree according to the commitment values of the sub message blocks as follows:
the number of the layers of the commitment binary tree is L;
the jth node of the kth layer is Vk,j,k∈[1,L],j∈[1,2k-1];
For the k-th leaf node, the total number of nodes is 2k-1(ii) a Will promise the value c [ i ]]To va[i]I.e. va[i]=c[i];
For k e [1, L-1]Nodes of a layer, every two sibling nodes being subjected to a hash function H2Calculating va=H2(va[i],va[i+1]) All v are obtainedaUntil the final root node value v is obtained0
Step 2, the signature of the original message generated by the signer according to the commitment binary tree is as follows:
step 2.1, random selection
Figure FDA0003581530370000051
As a master key of the system, it is,
Figure FDA0003581530370000052
randomly selecting a prime number P with k bits for an integer group with an arbitrary order, and calculating a parameter R which is l.P and is a generator of G;
step 2.2, calculating parameter H ═ H3(v0,R,PKA);H3Is a third collision-free hash function, v0To commit to a binary tree root node value, PKAIs the public key of user A;
step 2.3, judging whether gcd (l + h, n) is 1 or not through a greatest common divisor function, if yes, executing step 2.4, otherwise, returning to step 2.1; l is a system master key, h is a hash value generated in the step 2.2, and n is the number of message blocks;
step 2.4, calculate s ═ (l + h)-1(xA+sA) mod n; l is the system master key, h is the hash value generated in step 2.2, xAIs the secret value of user A, sAA parameter of a partial key for user a;
step 2.5, by combining the parameters CEAS, R, s, c [ i ]]i∈nConstructing the signature of the original message, outputting the signature sigmaF=(CEAS,R,s,c[i]i∈n);
CEAS is content extraction access control structure, R is generator of G, s is system partial key, c [ i ]]i∈nA set of commitment values for all message blocks;
the signer sends the original message and the signature of the original message to the signer who extracted the signcryption.
CN202010950341.0A 2020-09-11 2020-09-11 Certificateless content extraction signcryption method supporting privacy protection Active CN112152813B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010950341.0A CN112152813B (en) 2020-09-11 2020-09-11 Certificateless content extraction signcryption method supporting privacy protection

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010950341.0A CN112152813B (en) 2020-09-11 2020-09-11 Certificateless content extraction signcryption method supporting privacy protection

Publications (2)

Publication Number Publication Date
CN112152813A CN112152813A (en) 2020-12-29
CN112152813B true CN112152813B (en) 2022-06-07

Family

ID=73890128

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010950341.0A Active CN112152813B (en) 2020-09-11 2020-09-11 Certificateless content extraction signcryption method supporting privacy protection

Country Status (1)

Country Link
CN (1) CN112152813B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112597524B (en) * 2021-03-03 2021-05-18 支付宝(杭州)信息技术有限公司 Privacy intersection method and device
CN114124349B (en) * 2021-11-19 2024-04-09 北京数牍科技有限公司 Rapid decryption method for homomorphic encryption scheme
CN114285546B (en) * 2021-11-24 2023-12-12 淮阴工学院 Heterogeneous signcryption communication method applicable to vehicle-mounted ad hoc network

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104539425A (en) * 2014-12-25 2015-04-22 西北工业大学 Multi-receiver signcryption method based on multiple variables and multiple security properties
CN105024994A (en) * 2015-05-29 2015-11-04 西北工业大学 Secure certificateless hybrid signcryption method without pairing
CN110191469A (en) * 2019-06-19 2019-08-30 西南交通大学 A kind of wireless body area network group certifiede-mail protocol method based on certificate
CN110213042A (en) * 2019-05-09 2019-09-06 电子科技大学 A kind of cloud data duplicate removal method based on no certification agency re-encryption
CN110557248A (en) * 2019-07-19 2019-12-10 如般量子科技有限公司 Secret key updating method and system for resisting quantum computation signcryption based on certificateless cryptography

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9774610B2 (en) * 2015-07-28 2017-09-26 Futurewei Technologies, Inc. Certificateless data verification with revocable signatures

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104539425A (en) * 2014-12-25 2015-04-22 西北工业大学 Multi-receiver signcryption method based on multiple variables and multiple security properties
CN105024994A (en) * 2015-05-29 2015-11-04 西北工业大学 Secure certificateless hybrid signcryption method without pairing
CN110213042A (en) * 2019-05-09 2019-09-06 电子科技大学 A kind of cloud data duplicate removal method based on no certification agency re-encryption
CN110191469A (en) * 2019-06-19 2019-08-30 西南交通大学 A kind of wireless body area network group certifiede-mail protocol method based on certificate
CN110557248A (en) * 2019-07-19 2019-12-10 如般量子科技有限公司 Secret key updating method and system for resisting quantum computation signcryption based on certificateless cryptography

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
《Certificateless Proxy Identity-Based Signcryption Scheme Without Bilinear Pairings》;QI Yanfeng etal;《TRUSTED COMPUTING AND INFORMATION SECURITY》;20131130;全文 *
基于双线性对的无证书聚合签密方案;刘建华等;《计算机应用》;20160610(第06期);全文 *
新的具有隐私保护功能的异构聚合签密方案;张玉磊等;《电子与信息学报》;20180903(第12期);全文 *

Also Published As

Publication number Publication date
CN112152813A (en) 2020-12-29

Similar Documents

Publication Publication Date Title
CN108989050B (en) Certificateless digital signature method
US7814326B2 (en) Signature schemes using bilinear mappings
CN105024994B (en) Without the safety to computing label decryption method is mixed without certificate
CN104539423B (en) A kind of implementation method without CertPubKey cipher system of no Bilinear map computing
Zhang et al. An efficient RSA-based certificateless signature scheme
CN102420691B (en) Certificate-based forward security signature method and system thereof
CN112152813B (en) Certificateless content extraction signcryption method supporting privacy protection
CN107566128A (en) A kind of two side's distribution SM9 digital signature generation methods and system
JP2005500740A (en) ID-based encryption and related cryptosystem systems and methods
CN110896351B (en) Identity-based digital signature method based on global hash
CN106936584B (en) Method for constructing certificateless public key cryptosystem
CN109951288B (en) Hierarchical signature method and system based on SM9 digital signature algorithm
CN111010276A (en) Multi-party combined SM9 key generation and ciphertext decryption method and medium
CN110855425A (en) Lightweight multiparty cooperative SM9 key generation and ciphertext decryption method and medium
CN111030801A (en) Multi-party distributed SM9 key generation and ciphertext decryption method and medium
Liao et al. Security analysis of a certificateless provable data possession scheme in cloud
CN115174056B (en) Chameleon signature generation method and chameleon signature generation device based on SM9 signature
CN112800482B (en) Identity-based online/offline security cloud storage auditing method
CN109412815B (en) Method and system for realizing cross-domain secure communication
CN115580408A (en) SM 9-based certificateless signature generation method and system
CN114844643A (en) Method for acquiring adapter signature based on bilinear mapping and electronic equipment
Prasad et al. Digital signatures
Hassouna et al. A Strongly Secure Certificateless Digital Signature Scheme in the Random Oracle Model.
Krzywiecki et al. Deniable key establishment resistance against eKCI attacks
CN115174052B (en) Adapter signature generation method and device based on SM9 signature

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
EE01 Entry into force of recordation of patent licensing contract
EE01 Entry into force of recordation of patent licensing contract

Application publication date: 20201229

Assignee: Anhui Xiangshang Technology Service Co.,Ltd.

Assignor: SOUTH CENTRAL University FOR NATIONALITIES

Contract record no.: X2023980054625

Denomination of invention: A Certificate free Content Extraction Signcryption Method Supporting Privacy Protection

Granted publication date: 20220607

License type: Common License

Record date: 20240103

Application publication date: 20201229

Assignee: Anhui Xiangzhi Information Technology Co.,Ltd.

Assignor: SOUTH CENTRAL University FOR NATIONALITIES

Contract record no.: X2023980054624

Denomination of invention: A Certificate free Content Extraction Signcryption Method Supporting Privacy Protection

Granted publication date: 20220607

License type: Common License

Record date: 20240103

Application publication date: 20201229

Assignee: HEFEI MUZHI INFORMATION TECHNOLOGY CO.,LTD.

Assignor: SOUTH CENTRAL University FOR NATIONALITIES

Contract record no.: X2023980054622

Denomination of invention: A Certificate free Content Extraction Signcryption Method Supporting Privacy Protection

Granted publication date: 20220607

License type: Common License

Record date: 20240103

Application publication date: 20201229

Assignee: Anhui Terze Technology Co.,Ltd.

Assignor: SOUTH CENTRAL University FOR NATIONALITIES

Contract record no.: X2023980054620

Denomination of invention: A Certificate free Content Extraction Signcryption Method Supporting Privacy Protection

Granted publication date: 20220607

License type: Common License

Record date: 20240103