选择密文安全的基于身份的广播加密方案  被引量：7

作　　者：刘潇[1] 刘巍然[1] 伍前红[1] 刘建伟[1] 

机构地区：[1]北京航空航天大学电子信息工程学院,北京100191

出　　处：《密码学报》2015年第1期66-76,共11页Journal of Cryptologic Research

基　　金：国家重点基础研究发展项目(973计划)(2012CB315905);国家自然科学基金项目(61272501;61370190;61173154)

摘　　要：本文提出一种基于身份的广播加密方案,证明方案在适应性选择密文攻击下的语义安全性.与现有Delerablée基于身份的广播加密方案相比,Delerablée方案仅证明选择明文安全性,本文的方案仅额外引入一个哈希函数即获得选择密文安全性.方案改进了基于身份加密中的Boyen-Mei-Waters方法,该方法可将选择明文安全的(l+1)-层次基于身份的加密方案转换为选择密文安全的l-层次基于身份的加密方案.与之对比,本文在广播身份集合中增加一个虚拟用户而非一个层用户.加密时,加密算法计算与接收用户集合相关部分的哈希值,并将其看作虚拟用户的身份,从而进行广播.解密时,解密算法重新计算此哈希值,并利用密文内部的关联特性验证广播数据的有效性,以此获得选择密文安全性.在随机预言机模型中,基于通用指数Diffie-Hellman确定性假设,证明了新方案的选择密文安全性.本文的构造紧致且高效,适宜在实际安全通信系统中使用.We propose an Identity-Based Broadcast Encryption scheme with semantic security against adaptively chosen ciphertext attacks. Compared with the IBBE scheme proposed by Delerablée which is only chosen plaintext secure, the cost of our chosen ciphertext secure scheme is only an extra regular hash. This scheme improves the Boyen-Mei-Waters approach from CPA-secure(l+1)-Hierarchical Identity Based Encryption((l+1)-HIBE) to CCA2-secure l-HIBE, our approach only adds an on-the-fly dummy identity, instead of a hierarchy of identities, in the broadcast identity set. When performing encryption, the encryption algorithm computes the hash value of the ciphertext components that are independent of the broadcast identity set. It treats the hashed result as the on-the-fly dummy identity and adds it into the broadcast set. When performing decryption, the decryption algorithm re-computes the hash result, and verifies the validity of the ciphertext by leveraging the built-in verification mechanism, thus achieving chosen ciphertext security. We formally prove the CCA security of the new scheme under the general decision Diffie-Hellman exponent assumption in the random oracle model. Our construction is compact and efficient, and therefore is suitable to be applied in practice.

关 键 词：基于身份的广播加密 选择密文安全 

分 类 号：TN918.4[电子电信—通信与信息系统]