Fully double deniable public key encryption method based on hidden location key encapsulation

Abstract

The application discloses a completely double-deniable public key encryption method based on hidden position key encapsulation. During encryption, a hidden position is randomly sampled, a shared key is generated by performing a key encapsulation operation based on a public key at the hidden position, a real message is encrypted based on the shared key, and valid subciphertext or random subciphertext obtained by encrypting an auxiliary message based on an auxiliary public key is generated at the remaining positions; during decryption, key decapsulation and padding validity detection are performed according to the arrangement order of the subciphertext, the real message is recovered during detection, and subsequent operations are stopped; during deniable interpretation, a fake random number is generated, so that the same ciphertext can be interpreted as a legal encryption result of the auxiliary message under the auxiliary public key. The application expands the supportable message space and reduces ciphertext overhead while maintaining complete double deniability.

Description

Technical Field

[0001] This invention belongs to the field of information processing technology, and further relates to a fully double-denied public-key encryption method based on hidden location key encapsulation in the field of information security technology. This invention can be applied to privacy-sensitive scenarios such as cloud storage services, anonymous messaging systems, secure instant messaging, and decentralized privacy social networks, for encrypting transmitted files or communication data, and simultaneously protecting the privacy of message content and communication recipients under duress. Background Technology

[0002] Repudiable encryption is designed to address coercion attacks. When parties are forced to disclose encrypted information, a plausible forged random number can be generated, causing the same ciphertext to be interpreted as a legitimate encryption result of another message, thus denying the true message and enhancing data privacy protection. However, existing repudiable encryption schemes primarily focus on achieving repudiation of message content. In many practical applications, the identity information of both parties, especially public key information, can still be leaked. While anonymity encryption can hide the recipient's public key to some extent, such technologies typically only focus on public key anonymity and lack support for repudiation of public key information. Furthermore, traditional repudiable encryption schemes often require the disclosure of the actual public key used during denial, potentially exposing the identity relationship between the communicating parties. Therefore, existing technologies struggle to simultaneously address the protection needs of both message content privacy and identity privacy.

[0003] To address the aforementioned issues, existing research has begun exploring repudiable encryption schemes that simultaneously target both message content and recipient information.

[0004] An et al. proposed fully double-deniable public-key encryption in their paper "Deny whatever you want: Dual-deniable public-key encryption" (PKC 2025), extending the deniability to recipient-related information and providing a new solution for simultaneously hiding message content and communication objects. However, this fully double-deniable public-key encryption scheme is built upon strong cryptographic primitives such as public-key encryption that can be simulated by the ciphertext, making it highly dependent on the underlying cryptographic primitives and resulting in a complex overall structure. Furthermore, its message encryption is limited by the plaintext space that can be simulated by the underlying ciphertext, limiting its support for long messages and easily leading to a significant increase in ciphertext length when supporting longer messages. Therefore, how to maintain full double-deniability while reducing the complexity of the scheme construction, improving support for long messages, and controlling the growth of ciphertext length remains a technical problem that needs further resolution in the current technology. Summary of the Invention

[0005] The purpose of this invention is to address the shortcomings of the existing technologies mentioned above by proposing a fully double-denied public-key encryption method based on hidden location key encapsulation. This method aims to solve the problems of existing technologies, such as strong reliance on high-overhead cryptographic primitives, complex overall structure, limited support for long messages, and a significant increase in ciphertext length when supporting longer messages.

[0006] To achieve the above objectives, the present invention adopts the following technical approach: The present invention generates a public key and a private key based on system public parameters; during encryption, a hidden position is randomly sampled, and a sub-ciphertext corresponding to the real message is generated at the hidden position; a valid sub-ciphertext is generated at a position after the hidden position, and a random sub-ciphertext is generated at a position before the hidden position; all sub-ciphertexts are then combined into a ciphertext; wherein, both the sub-ciphertext corresponding to the real message and the valid sub-ciphertext generate a shared key through a key encapsulation operation based on the public key, and the padded message is encrypted based on the shared key. During decryption, according to the order of the sub-ciphertexts in the ciphertext, a key decapsulation operation is performed on the current sub-ciphertext based on the private key to obtain the corresponding shared key; the padded message corresponding to the sub-ciphertext is recovered based on the shared key, and the padded validity is checked; if the padded message satisfies the padded processing rules, the real message is recovered and the operation on subsequent sub-ciphertexts is stopped. In the denial interpretation, the hidden position is obtained based on the random number used during encryption; the hidden position is modified to obtain a new hidden position; a forged random number is generated based on the new hidden position and the random number used during encryption, so that the same ciphertext can be interpreted as a legitimate encryption result of the corresponding auxiliary message under the auxiliary public key corresponding to the new hidden position, thereby achieving fully double-denializable public key encryption.

[0007] To achieve the above objectives, the specific implementation steps of the present invention include the following:

[0008] Step 1: Generate a public key and a private key based on the system's public parameters;

[0009] Step 2: Randomly sample the hidden position; generate a sub-ciphertext corresponding to the real message at the hidden position; generate a valid sub-ciphertext at the position after the hidden position, and generate a random sub-ciphertext at the position before the hidden position; combine all the sub-ciphertexts into a ciphertext.

[0010] Step 3: During decryption, according to the order of the sub-ciphertexts in the ciphertext, perform a key decapsulation operation on the current sub-ciphertext based on the private key to obtain the corresponding shared key; recover the padded message corresponding to the sub-ciphertext based on the shared key, and perform a padded validity check; if the padded message passes the padded validity check, recover the real message and stop the operation on subsequent sub-ciphertexts.

[0011] Step 4: When denying interpretation, obtain the hidden position based on the random number used during encryption; modify the hidden position to obtain a new hidden position; generate a forged random number based on the new hidden position and the random number used during encryption, so that the same ciphertext can be interpreted as a legitimate encryption result of the corresponding auxiliary message under the auxiliary public key corresponding to the new hidden position.

[0012] Furthermore, the steps for generating public and private keys based on system public parameters are as follows:

[0013] The first step is to execute the system parameter generation algorithm based on the system's security parameters and the total number of sub-ciphertexts to generate system common parameters;

[0014] The second step involves executing a key generation algorithm based on the system's public parameters to generate a public key and a private key.

[0015] Furthermore, generating the sub-ciphertext corresponding to the real message at the hidden location refers to: padding the real message; sampling random numbers to generate a first sub-ciphertext component, and performing a key encapsulation operation based on the public key to generate a shared key; encrypting the padded real message based on the shared key to generate a second sub-ciphertext component; and the first sub-ciphertext component and the second sub-ciphertext component constitute the sub-ciphertext corresponding to the real message.

[0016] Further, generating a valid sub-ciphertext at a position after the hidden position and generating a random sub-ciphertext at a position before the hidden position means: at a position after the hidden position, randomly selecting an auxiliary public key and an auxiliary message, padding the auxiliary message, sampling random numbers to generate a first sub-ciphertext component, and performing a key encapsulation operation based on the auxiliary public key to generate a shared key; encrypting the padded auxiliary message based on the shared key to generate a second sub-ciphertext component, thus obtaining a valid sub-ciphertext; and at a position before the hidden position, randomly generating a first sub-ciphertext component and a second sub-ciphertext component, thus obtaining a random sub-ciphertext.

[0017] Furthermore, the step of performing a key decapsulation operation on the current sub-ciphertext based on the private key to obtain the corresponding shared key means: performing a key decapsulation operation on the first sub-ciphertext component in the sub-ciphertext based on the private key to obtain the corresponding shared key.

[0018] Furthermore, the step of recovering the padded message corresponding to the sub-ciphertext based on the shared key and performing a padded validity check refers to: decrypting the second sub-ciphertext component in the sub-ciphertext based on the shared key to obtain the corresponding padded message; and determining whether the padded message meets the padded processing rules.

[0019] Furthermore, modifying the hidden position to obtain a new hidden position means determining the next position after the original hidden position as the new hidden position.

[0020] Furthermore, the step of generating a forged random number based on the new hidden location and the random number used during encryption is as follows:

[0021] The first step is to obtain the hidden position, the random number component corresponding to the hidden position, the random number component corresponding to the valid sub-ciphertext after the hidden position, the auxiliary public key and the auxiliary message, and the sub-ciphertext component corresponding to the random sub-ciphertext before the hidden position based on the random number used during encryption.

[0022] The second step is to re-encrypt the sub-ciphertext component corresponding to the hidden position based on the random number component corresponding to the hidden position.

[0023] The third step involves generating the forged random number based on the new hidden position, the sub-ciphertext component corresponding to the re-encrypted hidden position, the random number component corresponding to the valid sub-ciphertext after the hidden position, the auxiliary public key and auxiliary message, and the sub-ciphertext component corresponding to the random sub-ciphertext before the hidden position.

[0024] Compared with the prior art, the present invention has the following advantages:

[0025] First, this invention combines a hidden location mechanism with a key encapsulation mechanism. It generates a sub-ciphertext corresponding to the real message at the hidden location, a valid sub-ciphertext after the hidden location, and a random sub-ciphertext before the hidden location. Both the sub-ciphertext corresponding to the real message and the valid sub-ciphertext are used to generate a shared key through a key encapsulation operation based on the public key. The padded message is then encrypted using this shared key. This overcomes the shortcomings of existing technologies that directly generate sub-ciphertext based on other public-key encryption schemes, which suffer from strong reliance on high-overhead cryptographic primitives. This invention reduces direct calls to other public-key encryption algorithms, ensuring complete double deniability while reducing the complexity of scheme construction, decreasing reliance on high-overhead cryptographic primitives, and improving the simplicity of the scheme.

[0026] Second, the present invention uses a shared key to encrypt the padded message during the sub-ciphertext generation process, which overcomes the problems of complex overall structure, limited support for long messages, and significant increase in ciphertext length when supporting longer messages in the prior art. This allows the present invention to leverage the efficiency advantage of shared key encryption in processing long messages, thereby improving the support for large-scale bit string messages, reducing the ciphertext expansion rate, and further reducing ciphertext overhead while ensuring complete double deniability. Attached Figure Description

[0027] Figure 1This is a flowchart of the present invention. Detailed Implementation

[0028] The following is in conjunction with the appendix Figure 1 The implementation steps of the embodiments of the present invention will be described in further detail below.

[0029] Reference Figure 1 The fully double-denied public-key encryption method based on hidden location key encapsulation includes the following steps:

[0030] In an embodiment of the present invention, a system parameter generation algorithm The execution process is as follows: Input security parameters With integers Instantiate the Type-III bilinear group generator , obtain parameters Then select two hash functions. Then select a fill function that can be computed in polynomial time. Wherein, the fill function It is an invertible function, has a corresponding validity detection algorithm, and satisfies... The probability of a uniformly random string becoming a valid padding string is negligible; finally, output the common parameters. Unless otherwise specified, all algorithms below will be assumed to be... It is considered implicit input.

[0031] In an embodiment of the present invention, a key generation algorithm The execution process is as follows: random sampling ,set up Output the public and private key pair .

[0032] In embodiments of the present invention, a double-denial encryption algorithm The execution process is as follows: Input public key ,information With random numbers First, randomly sample the hidden locations. Then, for each Generate sub-ciphertext .when At that time, sampling And set the first sub-ciphertext component A shared key is generated by performing key encapsulation operations based on the public key pk. like ,sampling and set Generate the second sub-ciphertext component At this time, the position The ciphertext is used to carry the real message. .when At that time, sampling Then randomly sample the auxiliary public key. With auxiliary messages And set the first sub-ciphertext component And based on the auxiliary public key Perform key encapsulation operations to generate a shared key. Generate the second sub-ciphertext component At this time, the position The sub-ciphertext is used to carry auxiliary messages. and the corresponding auxiliary public key Related. When Random sampling At this time, position The ciphertext is a random ciphertext. Finally, output the ciphertext.

[0033] In an embodiment of the present invention, the decryption algorithm The execution process is as follows: Input With ciphertext According to the order of the sub-ciphertexts in the ciphertext, for Perform the following operations in sequence: Then determine Is it a fill function? Valid padding below. If If the padding is valid, then output... Then stop decryption; if no valid padding is found after scanning the entire sub-ciphertext sequence, output a decryption failure symbol. .

[0034] In an embodiment of the present invention, the denial interpretation algorithm The execution process is as follows: Input public key Real news Generate ciphertext The random number used at that time First, from the random number... Parse the hidden location ,Location The corresponding random number The random number corresponding to the valid ciphertext after the hidden position. auxiliary public key and auxiliary messages And the random sub-ciphertext before the hidden location Then let This is the new hidden location. Next, by... Recalculate position The corresponding ciphertext component, i.e. Finally, output the fake random number. This allows the same ciphertext to be interpreted as being located at the new hidden position. Corresponding auxiliary public key The following are the corresponding auxiliary messages The legitimate encryption result.

[0035] The invention will be further explained below with reference to performance analysis.

[0036] Table 1. Comparison of functional features between the present invention and An et al.'s fully double-repudiable public-key encryption scheme.

[0037]

[0038] The meanings of the abbreviations in Table 1 are as follows:

[0039] CSPKE stands for ciphertext-simulatable public key encryption;

[0040] HPKE stands for hidden-position key encapsulation;

[0041] Indicates safety parameters;

[0042] This indicates the number of sub-ciphertexts in a ciphertext.

[0043] Table 1 compares this invention with An et al.'s fully double-repudiable public-key encryption scheme in terms of underlying method, message space, double deniability, and level of deniability. The results show that this invention maintains... While maintaining double deniability, the message space is expanded to This significantly increases the scale of the supported message space and provides better overall performance.

[0044] To further illustrate the technical effects of the embodiments of the present invention, the embodiments of the present invention are compared and analyzed with the fully double-denied public-key encryption scheme of An et al. in terms of computational overhead, private key size, and ciphertext size. The comparison results are shown in Table 2.

[0045] Table 2. Efficiency Comparison of the Invention and An et al.'s Fully Double-Repudiable Public-Key Encryption Scheme

[0046]

[0047] The meanings of the abbreviations in Table 2 are as follows:

[0048] and These represent the plaintext lengths of An et al.'s fully double-denied public-key encryption scheme and the embodiments of this invention, respectively.

[0049] Indicates the number of ciphertexts;

[0050] This represents one exponentiation operation;

[0051] This represents a single multiplication operation;

[0052] This represents a single bilinear pair operation;

[0053] and Let represent the exponential space and cyclic group in the standard ElGamal scheme, respectively;

[0054] , , and These represent the bit lengths of the elements in these sets, respectively;

[0055] The output length of the filler function can be calculated in polynomial time.

[0056] As shown in Table 2, the embodiments of the present invention are compared with the existing fully double-repudiable public-key encryption scheme of An et al. in terms of computational overhead, private key size, and ciphertext size. The fully double-repudiable public-key encryption scheme of An et al. is based on the simulable ciphertext property of ElGamal. Although the overhead of the key generation stage in the embodiments of the present invention is the same as the comparison scheme, the computational overhead in the encryption, decryption, and repudiation stages no longer includes multiplicative factors. Therefore, it is highly competitive in terms of computational efficiency.

[0057] For ease of comparison, a 128-bit security level is uniformly adopted as the parameter setting: for the fully double-repudiated public-key encryption scheme of An et al., we take... , In this embodiment of the invention, the Type-III bilinear group is instantiated using the BLS12-381 curve, and in this case, under compressed representation, we have: , Therefore, in the same encryption Under the condition of bit messages, for example, At that time, the ciphertext size of the embodiment of the present invention It is also smaller than the compared scheme. Clearly, compared to the fully double-repudiable public-key encryption scheme of An et al., the embodiments of the present invention, while supporting longer messages, have better computational efficiency and a more compact ciphertext representation.

[0058] In summary, compared with the fully double-denial public-key encryption scheme of An et al., the embodiments of the present invention can support a larger message space without reducing the full double-denial security requirements, and exhibit better overall performance in terms of computational overhead and ciphertext overhead, thus having good prospects for practical application.

Claims

1. A fully double-denied public-key encryption method based on hidden location key encapsulation, characterized in that, The encryption method includes the following steps: Step 1: Generate a public key and a private key based on the system's public parameters; Step 2: Randomly sample the hidden position; generate a sub-ciphertext corresponding to the real message at the hidden position; generate a valid sub-ciphertext at the position after the hidden position, and generate a random sub-ciphertext at the position before the hidden position; combine all the sub-ciphertexts into a ciphertext. Step 3: During decryption, according to the order of the sub-ciphertexts in the ciphertext, perform a key decapsulation operation on the current sub-ciphertext based on the private key to obtain the corresponding shared key; recover the padded message corresponding to the sub-ciphertext based on the shared key, and perform a padded validity check; if the padded message passes the padded validity check, recover the real message and stop the operation on subsequent sub-ciphertexts. Step 4, when denying the explanation, the hidden location is obtained based on the random number used during encryption; The hidden position is modified to obtain a new hidden position; Based on the new hidden location and the random number used during encryption, a forged random number is generated, so that the same ciphertext can be interpreted as a legitimate encryption result of the corresponding auxiliary message under the auxiliary public key corresponding to the new hidden location.

2. The fully double-denied public-key encryption method according to claim 1, characterized in that, The steps in step 1 to generate public and private keys based on system public parameters are as follows: The first step is to execute the system parameter generation algorithm based on the system's security parameters and the total number of sub-ciphertexts to generate system common parameters; The second step involves executing a key generation algorithm based on the system's public parameters to generate a public key and a private key.

3. The fully double-denied public-key encryption method according to claim 1, characterized in that, In step 2, generating the sub-ciphertext corresponding to the real message at the hidden location refers to filling in the real message. The first sub-ciphertext component is generated by sampling random numbers, and a key encapsulation operation is performed based on the public key to generate a shared key; The real message after padding is encrypted based on the shared key to generate a second sub-ciphertext component; the first sub-ciphertext component and the second sub-ciphertext component constitute the sub-ciphertext corresponding to the real message.

4. The fully double-denied public-key encryption method according to claim 1, characterized in that, In step 2, generating a valid sub-ciphertext at a position after the hidden position and generating a random sub-ciphertext at a position before the hidden position means: at a position after the hidden position, randomly select an auxiliary public key and an auxiliary message, fill in the auxiliary message, sample a random number to generate the first sub-ciphertext component, and perform a key encapsulation operation based on the auxiliary public key to generate a shared key; The padded auxiliary message is encrypted based on the shared key to generate a second sub-ciphertext component, resulting in a valid sub-ciphertext. At a position before the hidden position, a first sub-ciphertext component and a second sub-ciphertext component are randomly generated to obtain a random sub-ciphertext.

5. The fully double-denied public-key encryption method according to claim 4, characterized in that, Step 3, which describes performing a key decapsulation operation on the current sub-ciphertext based on the private key to obtain the corresponding shared key, means performing a key decapsulation operation on the first sub-ciphertext component in the sub-ciphertext based on the private key to obtain the corresponding shared key.

6. The fully double-denied public-key encryption method according to claim 1, characterized in that, Step 3, which involves recovering the padded message corresponding to the sub-ciphertext based on the shared key and performing a padded validity check, refers to: decrypting the second sub-ciphertext component in the sub-ciphertext based on the shared key to obtain the corresponding padded message; and determining whether the padded message meets the padded processing rules.

7. The fully double-denied public-key encryption method according to claim 1, characterized in that, The step 4 of modifying the hidden position to obtain a new hidden position means that the position after the hidden position is determined as the new hidden position.

8. The fully double-denied public-key encryption method according to claim 1, characterized in that, The steps in step 4 for generating a fake random number based on the new hidden location and the random number used during encryption are as follows: The first step is to obtain the hidden position, the random number component corresponding to the hidden position, the random number component corresponding to the valid sub-ciphertext after the hidden position, the auxiliary public key and the auxiliary message, and the sub-ciphertext component corresponding to the random sub-ciphertext before the hidden position based on the random number used during encryption. The second step is to re-encrypt the sub-ciphertext component corresponding to the hidden position based on the random number component corresponding to the hidden position. The third step involves generating the forged random number based on the new hidden position, the sub-ciphertext component corresponding to the re-encrypted hidden position, the random number component corresponding to the valid sub-ciphertext after the hidden position, the auxiliary public key and auxiliary message, and the sub-ciphertext component corresponding to the random sub-ciphertext before the hidden position.

Images