标准模型下格上基于身份的门限解密方案

吴立强; 杨晓元; 张敏情

doi:10.7544/issn1000-1239.2018.20180446

标准模型下格上基于身份的门限解密方案

¹(武警部队网络与信息安全保密重点实验室(武警工程大学) 西安 710086)
²(网络信息安全教育部重点实验室(西安电子科技大学) 西安 710071) (latticewj@163.com)

基金项目: 国家自然科学基金项目(U1636114,61572521,61772550)；武警工程大学基础研究项目(WJY201523)

详细信息

中图分类号: TP391
计量
- 文章访问数: 942
- HTML全文浏览量: 1
- PDF下载量: 355
出版历程
- 发布日期: 2018-09-30

Identity-Based Threshold Decryption Scheme from Lattices under the Standard Model

¹(Key Laboratory of Network and Information Security (Engineering University of Chinese Armed Police Force), Xi’an 710086)
²(Key Laboratory of Computer Network and Information Security(Xi Dian University), Ministry of Education, Xi’an 710071)

摘要

摘要: 基于身份的门限解密体制(identity-based threshold decryption, IBTD)是将秘密共享方法和基于身份加密算法有效结合.在(t,N)门限解密方案中，N个解密服务器共享用户私钥，当解密时，至少需要t个服务器参与并计算相应解密份额，才能正确恢复出明文.然而，少于t个或更少的服务器无法获取关于明文的任何信息.目前现存的格上IBTD方案都是在随机预言模型下证明的，主要方法是对服从高斯分布的私钥直接分割.针对该问题，构造了一种非交互的IBTD方案，采用拉格朗日秘密分割方法对一个公共向量进行拆分，每个解密服务器得到各自的特征向量，通过用户的私有陷门，对特征向量进行原像抽样，得到私钥份额，有效隐藏了用户完整私钥，提高方案的安全性.在解密份额验证时，采用离散对数问题的难解性，实现了可公开验证性.在解密份额组合时，通过公共向量分割合并和解密份额分割合并之间运算的同态性，保证解密的正确性.在标准模型下，将该方案的安全性规约为判定性LWE(learning with errors)困难假设，证明了其满足IND-sID-CPA安全.
- 基于身份的门限解密 /
- 格 /
- 标准模型 /
- 可公开验证性 /
- 非交互性
Abstract: The identity-based threshold decryption (IBTD) system combines the secret sharing method with the identity-based encryption mechanism. In a (t, N) IBTD system, N decryption servers share the private key corresponding to a user’s identity. When to decrypt, at least t servers are required to participate in and calculate their corresponding decryption shares. However, less than t or fewer servers are unable to obtain any information about the plaintext. At present, the existing IBTD schemes from lattices are constructed under the random model, and the main method is to divide the private key statistically close to a Gauss distribution directly. This paper constructs a non-interactive IBTD scheme. A public vector is split using the Lagrange secret partition method, and each decryption server obtains its respective characteristic vector. Each private key share is obtained by sampling the pre-image of the characteristic vectors through the private trapdoor function for each decryption server. The user’s complete private key is effectively hidden and the security of the scheme is improved. The difficulty of the discrete logarithm problem is used to realize the verifiability of decryption share. The correctness of the decryption share is guaranteed by the homomorphism of the operations between the common vector and the private key shares. The IND-sID-CPA security for the proposed scheme is proved based on the decisional learning with errors (LWE) hardness assumption under the standard model.
- identity-based threshold decryption /
- lattice /
- standard model /
- publicly verfication /
- non-interactivity