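National Natural Science Foundation of China (61902191, 62032005, 61972294, 61972094, 61932016); Natural Science Foundation of Jiangsu Province (BK20190696); Science Foundation of the Fujian Provincial Department of Science and Technology (2020J02016); Key Research and Development Program of Shandong Province (2020CXGC010115)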
The chosen-ciphertext attack (CCA) security model effectively captures active attacks and is closer to real-world conditions. Existing cryptosystems that resist chosen-ciphertext attacks are mainly foreign designs, and China lacks independently designed cryptosystems with CCA security. Although generic transformations for achieving CCA security exist, they increase both computational overhead and communication overhead. Based on the Chinese national cryptographic standard SM9 identity-based encryption algorithm, this study proposes an identity-based broadcast encryption scheme with CCA security. The design inherits the structure of the SM9 identity-based encryption algorithm, and the sizes of the user private key and the ciphertext are constant, independent of the number of receivers chosen in the data encryption phase. Specifically, the private key consists of one group element, and the ciphertext is composed of three elements. If the GDDHE assumption holds, the study proves that the proposed scheme has selective CCA security under the random oracle model. To achieve CCA security, a dummy identity is introduced in the design of the encryption algorithm, and this identity can be used to answer decryption queries successfully. Analysis shows that the proposed scheme is comparable to existing efficient identity-based broadcast encryption schemes in terms of computational efficiency and storage efficiency.