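IBBE: Identity-Based Broadcast Encryption
In 2007, Cécile Delerablée constructed the first IBBE scheme from bilinear groups, in the paper "Identity-Based Broadcast Encryption with Constant Size Ciphertexts and Private Keys". IBBE combines the properties of identity-based encryption (IBE) and broadcast encryption (BE): a message can be encrypted for a specific set of identities, rather than being decryptable by only one specific entity. The details of the IBBE scheme: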
- $(PK,MSK)\leftarrow \mathrm{Setup}(\lambda,m)$. Generate a bilinear group $\mathcal{B}=(p,\mathbb{G}_1,\mathbb{G}_2,\mathbb{G}_T,e)$ for the security parameter $\lambda \in \mathbb{N}$. Take two generators $g\in \mathbb{G}_1$, $h \in \mathbb{G}_2$, pick a random secret value $\gamma \leftarrow \mathbb{Z}_p$, and choose a secure hash function $H: \{0,1\}^* \rightarrow \mathbb{Z}_p$. The master secret key and the public key are:

  $$MSK = (g,\gamma),\quad PK = (w,v,h,h^{\gamma},\ldots,h^{\gamma^m})=(g^{\gamma},e(g,h),h,h^{\gamma},\ldots,h^{\gamma^m})$$

- $sk_{ID}\leftarrow \mathrm{Extract}(MSK,ID)$. Given $MSK = (g,\gamma)$ and a user's identity $ID$, output the private key $sk_{ID}$:

  $$sk_{ID}=g^{\frac{1}{\gamma+H(ID)}}$$

- $(CT,K) \leftarrow \mathrm{Encrypt}(PK,S)$. Let $S=\{ID_j\}_{j=1}^{s}$ with $s \le m$, and $PK = \{w,v,h,h^{\gamma},\ldots,h^{\gamma^m}\}$. The broadcaster picks a random $k\leftarrow \mathbb{Z}_p$ and computes the ciphertext $CT=(C_1,C_2)$; the encapsulated session key is $K=v^k$:

  $$C_1 = w^{-k},\quad C_2=h^{k\cdot\prod_{i=1}^{s}(\gamma+H(ID_i))},\quad K=v^k$$

- $K\leftarrow \mathrm{Decrypt}(S,ID_i,sk_{ID_i},CT,PK)$. The user takes its identity $ID_i$ and the corresponding private key $sk_{ID_i}=g^{\frac{1}{\gamma+H(ID_i)}}$, where $ID_i\in S$, and computes:

  $$K=\left(e\left(C_1,h^{p_{i,S}(\gamma)}\right)\cdot e\left(sk_{ID_i},C_2\right)\right)^{\frac{1}{\prod_{j=1,j\ne i}^{s}H(ID_j)}}$$

  where:

  $$p_{i,S}(\gamma)=\frac{1}{\gamma}\cdot \left(\prod_{j=1,j\ne i}^{s}(\gamma+H(ID_{j}))-\prod_{j=1,j\ne i}^{s}H(ID_j)\right)$$

Correctness:

$$K'=e\left(C_1,h^{p_{i,S}(\gamma)}\right)\cdot e\left(sk_{ID_i},C_2\right)=e\left(g^{-k\cdot\gamma},h^{p_{i,S}(\gamma)}\right)\cdot e\left(g^{\frac{1}{\gamma+H(ID_i)}},h^{k\cdot \prod_{j=1}^{s}(\gamma+H(ID_j))}\right)$$

$$K'=e(g,h)^{-k\cdot\left(\prod_{j=1,j\ne i}^{s}(\gamma+H(ID_j))-\prod_{j=1,j\ne i}^{s}H(ID_j)\right)}\cdot e(g,h)^{k\cdot \prod_{j=1,j\ne i}^{s}(\gamma+H(ID_j))}$$

$$K'=e(g,h)^{k\prod_{j=1,j\ne i}^{s} H(ID_j)}=K^{\prod_{j=1,j\ne i}^{s} H(ID_j)}$$

Therefore, $K=K'^{\frac{1}{\prod_{j=1,j\ne i}^{s}H(ID_j)}}$.