基于SM9的撤销加密方案  

作　　者：赖建昌 黄欣沂 何德彪 陈立全 杨少军 LAI Jian-Chang;HUANG Xin-Yi;HE De-Biao;CHEN Li-Quan;YANG Shao-Jun(School of Cyber Science and Engineering,Southeast University,Nanjing 211189,China;The Hong Kong University of Science and Technology(Guangzhou),Guangzhou 511455,China;School of Cyber Science and Engineering,Wuhan University,Wuhan 430073,China;School of Mathematics and Statistics,Fujian Normal University,Fuzhou 350117,China;Key Laboratory of Analytical Mathematics and Applications(Ministry of Education)(Fujian Normal University),Fuzhou 350117,China)

机构地区：[1]东南大学网络空间安全学院,江苏南京211189 [2]香港科技大学(广州),广东广州511455 [3]武汉大学国家网络安全学院,湖北武汉430073 [4]福建师范大学数学与统计学院,福建福州350117 [5]分析数学及应用教育部重点实验室(福建师范大学),福建福州350117

出　　处：《软件学报》2024年第12期5609-5620,共12页Journal of Software

基　　金：国家自然科学基金(62032005,U21A20466,U22B2026,62272104);东南大学新进教师科研启动项目(RF1028623200)。

摘　　要：撤销加密是一种反向的广播加密技术,加密算法的输入不是接收者集合而是撤销用户的集合,系统中所有不在撤销集合中的用户都可以正确解密密文,撤销集合中的所有用户合谋也无法获取加密数据的内容.与广播加密相比,撤销加密更适用于接收者为系统中大多数用户或需要撤销部分用户未来解密权限的场景.基于我国商用标识密码提出一个基于SM9的撤销加密方案,密文的长度是固定的,与撤销用户集合的大小无关.基于广义群模型中的困难假设,证明方案在随机谕言机模型下具有选择明文的安全性.最后,分析方案的性能对比结果可知,所提方案与目前基于身份的撤销加密方案在计算复杂度和存储复杂度方面相比性能相当.Revocation encryption is a negative analogue of broadcast encryption.Unlike broadcast encryption,the input to the encryption algorithm is not a receiver set,but a set of revoked users.All users who are not in the revocation set within the system can decrypt the ciphertext successfully.Users in the revocation set learn nothing about the encrypted data,even in collusion.Compared to broadcast encryption,revocation encryption is more suitable for scenarios where most of the users in the system are the intended recipients and when revoking decryption rights for certain users is required.This study proposes a revocation encryption scheme based on the Chinese identity-based encryption standard SM9.The ciphertext size in the proposed scheme remains constant,and it is independent of the size of the revocation set.Based on a complex assumption in the generic group model,the scheme is proven secure against CPA under the random oracle model.Finally,the performance of the scheme is analyzed,and the results indicate that its computational costs and storage overheads are comparable to the existing revocation encryption schemes.

关 键 词：撤销加密 SM9 广播加密 可证明安全 定长密文 

分 类 号：TP309[自动化与计算机技术—计算机系统结构]