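Abstract:
Broadcast encryption allows a data owner to send data securely over an insecure public channel to a designated group of users. Only users in the group (authorized users) can decrypt the ciphertext correctly with their own private keys and recover the plaintext; users outside the group (unauthorized users) cannot learn the data even if they collude. Identity-based encryption is an asymmetric encryption scheme in which any string that uniquely identifies a user can serve as that user's public key, eliminating the certificates that traditional public-key systems use to bind a user's public key. Anonymous identity-based broadcast encryption not only fully inherits the advantages of identity-based encryption to enable secure data sharing among multiple users, but also effectively protects the identity information of the receivers. Building on SM9, the Chinese commercial identity-based cryptographic algorithm, this paper uses a polynomial technique to construct the first SM9-based anonymous broadcast encryption scheme. The scheme has the same private key generation algorithm as the SM9 encryption algorithm, and a user private key consists of one group element. The ciphertext consists of (n+3) elements, linear in the number of receivers (n), and decryption involves only one bilinear pairing computation. Based on the q-type GDDHE hardness assumption, the scheme is proved in the random oracle model to be indistinguishable under static chosen-plaintext attacks and to satisfy receiver anonymity. Comparative analysis shows that the computational overhead and communication cost of the scheme are comparable to those of existing efficient anonymous identity-based broadcast encryption schemes. Finally, the scheme is implemented in a programming experiment; at the same security level it has a better ciphertext length than the other schemes, and the experimental results show that the scheme is feasible.
Keywords: broadcast encryption; SM9; anonymity; chosen-plaintext security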
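DOI: 10.19363/J.cnki.cn10-1380/tn.2023.11.02
Received: 2022-03-24; Revised: 2022-05-13
Funding: This work was supported by the National Natural Science Foundation of China (No. 61902191, No. 62032005, No. 61972294, No. 61972094), the Natural Science Foundation of Jiangsu Province (No. BK20190696), the Science Foundation of the Fujian Provincial Department of Science and Technology (No. 2020J02016), the Key Research and Development Program of Shandong Province (No. 2020CXGC010115), the Shenzhen Science and Technology Research and Development Fund (No. JSGG20201102170000002), and the Key-Area Research and Development Program of Guangdong Province (No. 2020B1111410001).
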
Anonymous Broadcast Encryption Based on SM9 |
CUI Yan, HUANG Xinyi, LAI Jianchang, HE Debiao, CHENG Zhaohui
College of Computer and Cyber Security, Fujian Normal University, Fuzhou 350007, China; School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, China; Olym Information Security Technology Ltd., Shenzhen 518000, China
Abstract: |
Broadcast encryption allows a data owner to share data with a group of designated users simultaneously by sending a single ciphertext over an insecure public channel. Everyone listening to the public channel can download the ciphertext, but only the chosen users are able to decrypt it successfully and recover the plaintext. Users who are not in the group, namely the unauthorized users, learn nothing about the broadcast message even if they collude. Identity-based encryption is a special asymmetric encryption system in which the public key of a user can be any string that uniquely identifies his or her identity. It eliminates the certificates that traditional public key cryptosystems use to guarantee the validity of a user's public key. Anonymous identity-based broadcast encryption inherits the merits of identity-based encryption and broadcast encryption: it can not only securely share data with multiple users, but also protect the privacy of the receivers. In this paper, we propose the first anonymous identity-based broadcast encryption scheme based on the Chinese standard SM9, using a polynomial technique. User private key generation is the same as in the SM9 identity-based encryption algorithm, and a private key consists of one group element. The size of the ciphertext is linear in the number of receivers for one encryption; more precisely, it contains n+3 elements. Decryption requires only one pairing operation. Based on q-type GDDHE assumptions, we prove in the random oracle model that the proposed scheme is secure against selective identity and chosen-plaintext attacks and satisfies receiver anonymity. The theoretical analysis shows that the proposed scheme is comparable to the existing efficient anonymous identity-based broadcast encryption schemes in terms of computational cost and communication overhead. Finally, we demonstrate the proposed scheme with an implementation. The demonstration shows that, at the same security level, our proposed scheme has a shorter ciphertext length and is feasible.
Key words: broadcast encryption; SM9; anonymity; CPA