Fully sender non-repudiation public key encryption method based on hidden location key encapsulation
By using hidden location key encapsulation technology, the problems of high-overhead cryptographic primitive dependence and complex nested structures in existing technologies are solved, and efficient, fully sender-repudiable public key encryption is achieved in large-scale data scenarios, improving message capacity and ciphertext compactness.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- XIAN UNIV OF POSTS & TELECOMM
- Filing Date
- 2026-04-27
- Publication Date
- 2026-06-19
AI Technical Summary
Existing technologies for constructing fully sender-repudiable public-key encryption schemes suffer from high-overhead cryptographic primitive dependencies, complex nested structures, and difficulties in balancing message capacity and ciphertext expansion, making it difficult to achieve efficient fully sender-repudiable encryption in large-scale data scenarios.
A method based on hidden location key encapsulation is adopted. The hidden location is determined by randomly sampling binary vectors to generate sub-ciphertext corresponding to the real message. Valid or random sub-ciphertext is generated in other locations. The padded message is encrypted using a shared key, reducing the reliance on high-overhead cryptographic primitives and improving the balance between message capacity and ciphertext expansion.
While ensuring complete sender repudiation, the complexity of scheme construction is reduced, the ability to support large-scale messages is improved, the ciphertext overhead is reduced, and the computational efficiency and ciphertext compactness are enhanced.
Smart Images

Figure CN122247743A_ABST
Abstract
Description
Technical Field
[0001] This invention belongs to the field of information processing technology, and further relates to a fully sender-repudiable public-key encryption method based on hidden location key encapsulation within the field of information security technology. This invention can be used to encrypt transmitted files in various privacy-sensitive scenarios such as electronic voting, electronic auctions, cloud storage services, and asynchronous messaging systems. Background Technology
[0002] In secure communication systems, privacy can still be compromised even after ciphertext has been sent, as the communicating parties may be coerced into revealing their internal states or temporary secrets. This demonstrates that while traditional encryption techniques can resist external eavesdropping and ensure message confidentiality, they are ill-equipped to handle coercive attacks targeting the communicating parties themselves. To address this deficiency, Canetti et al. proposed Deniable Encryption (DE). This primitive allows the sender to generate pseudo-random numbers using a denial algorithm, or allows the receiver to generate a forged key using a denial algorithm, thus enabling the same ciphertext to be reasonably interpreted as the encrypted result of another message. Thanks to this property, the true message can remain confidential even under duress.
[0003] Canetti et al. first proposed a fully sender-repudiable public-key encryption method in their paper "Deniable Encryption" (CRYPTO 1997). This method only supports single-bit messages, and the detection probability can only reach the inverse polynomial level, while also suffering from a large ciphertext inflation problem.
[0004] In their paper "How to Use Indistinguishability Obfuscation: Deniable Encryption, and More" (STOC 2014), Sahai and Waters proposed a fully sender-repudiable public-key encryption method constructed using indistinguishability obfuscation (iO), which reduces the detection probability to a negligible level. However, this scheme is highly dependent on iO and still only supports single-bit messages, thus suffering from shortcomings in both implementation complexity and practical efficiency.
[0005] Cao et al. and An et al., in their papers "New Practical Public-Key Deniable Encryption" (ICICS 2020) and "Deniable Cryptosystems: Simpler Constructions and Achieving Leakage Resilience" (ESORICS 2023), respectively, attempted to expand message capacity and optimize ciphertext density. While these schemes alleviated the message space constraints of earlier schemes to some extent, they still inherited the structural overhead from the underlying public-key primitives. Therefore, the ciphertext inflation problem remains prominent in large-scale data scenarios.
[0006] While existing schemes have made some progress in sender-repudiation capabilities, they still suffer from problems such as high-overhead reliance on cryptographic primitives, complex structures, limited message space, and significant ciphertext expansion, making it difficult to balance implementation efficiency and message capacity. Therefore, how to construct an efficient, fully sender-repudiation public-key encryption scheme that supports a larger message space while maintaining full sender-repudiation remains an unsolved problem in current technology. Summary of the Invention
[0007] The purpose of this invention is to address the shortcomings of the existing technologies by proposing a fully sender-repudiable public-key encryption method based on hidden location key encapsulation. This method aims to solve the problems of high-overhead cryptographic primitive dependence, complex nested structures, and the difficulty in balancing message capacity and ciphertext expansion in the existing technologies.
[0008] To achieve the above objectives, the present invention adopts the following technical approach: The present invention generates a public key and a private key based on system public parameters; during encryption, a binary vector is randomly sampled, and a hidden position is obtained based on the binary vector. A sub-ciphertext corresponding to the real message is generated at the hidden position, and valid sub-ciphertexts or random sub-ciphertexts are generated at the remaining positions other than the hidden position. All sub-ciphertexts are then combined into a ciphertext. Specifically, when generating the sub-ciphertext corresponding to the real message at the hidden position, and when generating valid sub-ciphertexts at the remaining positions other than the hidden position, a shared key is generated by performing a key encapsulation operation based on the public key. The padded message is then encrypted based on the shared key to reduce reliance on high-overhead cryptographic primitives and to balance message capacity with ciphertext expansion. During decryption, a key decapsulation operation is performed on each sub-ciphertext based on the private key to obtain each shared key. The padded message corresponding to each sub-ciphertext is then recovered based on the shared key. The padded message is then checked for padded validity, generating the binary vector. The hidden position is obtained based on the binary vector, and the real message is recovered based on the padded message corresponding to the hidden position. In the denial interpretation, a corresponding binary vector and a hidden position are obtained based on the random number used during encryption. The binary vector is modified, and a new hidden position is obtained based on the modified binary vector. A forged random number is generated based on the new hidden position and the random number used during encryption, so that the same ciphertext can be interpreted as a legitimate encryption result of the message corresponding to the new hidden position, thereby achieving complete sender-denyable public key encryption.
[0009] To achieve the above objectives, the specific implementation steps of the present invention include the following:
[0010] Step 1: Generate a public key and a private key based on the system's public parameters;
[0011] Step 2: During encryption, a binary vector is randomly sampled, and the hidden position is obtained based on the binary vector; a sub-ciphertext corresponding to the real message is generated at the hidden position; valid sub-ciphertext or random sub-ciphertext is generated at the remaining positions other than the hidden position; all sub-ciphertexts are combined into ciphertext.
[0012] Step 3: During decryption, perform key decapsulation operation on each sub-ciphertext based on the private key to obtain each shared key; recover the padded message corresponding to each sub-ciphertext based on the shared key; perform padding validity detection on the recovered padded message to generate the binary vector; obtain the hidden position based on the binary vector, and recover the real message based on the padded message corresponding to the hidden position.
[0013] Step 4, when denying interpretation, obtain the corresponding binary vector and hidden position based on the random number used during encryption; modify the binary vector and obtain the new hidden position based on the modified binary vector; generate a forged random number based on the new hidden position and the random number used during encryption, so that the same ciphertext can be interpreted as a legitimate encryption result of the message corresponding to the new hidden position.
[0014] Furthermore, the steps for generating public and private keys based on system public parameters are as follows:
[0015] The first step is to execute the system parameter generation algorithm based on the system's security parameters and the total number of sub-ciphertexts to generate system common parameters;
[0016] The second step involves executing a key generation algorithm based on the system's public parameters to generate a public key and a private key.
[0017] Furthermore, the step of obtaining the hidden position based on the binary vector is as follows:
[0018] The first step is to randomly sample a binary vector whose length corresponds to the total number of sub-ciphertexts;
[0019] The second step is to calculate the Hamming weight of the binary vector, convert the binary vector into its corresponding decimal representation, calculate the modulo operation result of the decimal representation with the Hamming weight and add 1 to obtain the target index value;
[0020] The third step is to select the positions with a value of 1 in the target index value in the binary vector from left to right as the hidden positions.
[0021] Furthermore, generating the sub-ciphertext corresponding to the real message at the hidden location refers to: padding the real message; sampling random numbers to generate a first sub-ciphertext component, and performing a key encapsulation operation based on the public key to generate a shared key; encrypting the padded real message based on the shared key to generate a second sub-ciphertext component; and the first sub-ciphertext component and the second sub-ciphertext component constitute the sub-ciphertext corresponding to the real message.
[0022] Furthermore, generating valid sub-ciphertext or random sub-ciphertext at positions other than the hidden position means: when the binary vector is 1 at the corresponding position, an auxiliary message is randomly selected and padded, a random number is sampled to generate a first sub-ciphertext component, and a key encapsulation operation is performed based on the public key to generate a shared key; the padded auxiliary message is encrypted based on the shared key to generate a second sub-ciphertext component, thus obtaining the valid sub-ciphertext corresponding to the auxiliary message; when the binary vector is 0 at the corresponding position, the first and second sub-ciphertext components are randomly generated to obtain random sub-ciphertext.
[0023] Furthermore, the step of performing key decapsulation operation on each sub-ciphertext based on the private key to obtain each shared key means: for the first sub-ciphertext component in each sub-ciphertext, performing key decapsulation operation based on the private key to generate the corresponding shared key.
[0024] Furthermore, the step of recovering the padded message corresponding to each sub-ciphertext based on each shared key means: decrypting the second sub-ciphertext component in each sub-ciphertext based on the corresponding shared key to obtain the padded message corresponding to that sub-ciphertext.
[0025] Furthermore, the step of performing a padding validity check on the recovered padded message to generate the binary vector means: performing a padding validity check on the recovered padded message; when the padded message passes the padding validity check, determining that the binary vector has a value of 1 at the corresponding position; when the padded message fails the padding validity check, determining that the binary vector has a value of 0 at the corresponding position, thus obtaining the binary vector.
[0026] Furthermore, modifying the binary vector means changing the value corresponding to the hidden position in the binary vector from 1 to 0 to obtain the modified binary vector.
[0027] Furthermore, the step of generating a forged random number based on the new hidden location and the random number used during encryption is as follows:
[0028] The first step is to obtain the binary vector, the random number component corresponding to the hidden position, the random number component corresponding to each valid sub-ciphertext except for the hidden position, the auxiliary message, and the sub-ciphertext component corresponding to each random sub-ciphertext based on the random number used during encryption.
[0029] The second step is to re-encrypt the sub-ciphertext component corresponding to the hidden position based on the random number component corresponding to the hidden position.
[0030] The third step involves generating the forged random number based on the modified binary vector, the new hidden position, the sub-ciphertext component corresponding to the recalculated hidden position, the random number component corresponding to each valid sub-ciphertext excluding the hidden position, the auxiliary message, and the sub-ciphertext component corresponding to each random sub-ciphertext.
[0031] Compared with the prior art, the present invention has the following advantages:
[0032] First, this invention combines a hidden location mechanism with a key encapsulation mechanism. The hidden location is determined using a randomly sampled binary vector. At the hidden location and other locations where the bit is 1, a shared key is generated by performing a key encapsulation operation based on the public key. The padded message is then encrypted using this shared key. For locations where the bit is 0, a sub-ciphertext is randomly generated. This overcomes the high-overhead cipher primitive dependency inherent in existing technologies that directly generate sub-ciphertext based on other public-key encryption schemes. This invention reduces direct calls to other public-key encryption algorithms, ensuring complete sender repudiation while lowering the complexity of the scheme construction, reducing reliance on high-overhead cipher primitives, and improving the scheme's simplicity.
[0033] Second, the present invention uses a shared key to encrypt the padded message during the sub-ciphertext generation process, which can leverage the efficiency advantage of shared key encryption in processing long messages, avoid the bottleneck problem of complex nested structures and difficulty in balancing message capacity and ciphertext expansion in existing technologies, thus improving the present invention's support for large-scale bit string messages, reducing the ciphertext expansion rate, and further reducing ciphertext overhead while ensuring complete sender denial. Attached Figure Description
[0034] Figure 1 This is a flowchart of the present invention. Detailed Implementation
[0035] The following is in conjunction with the appendix Figure 1 The implementation steps of the embodiments of the present invention will be described in further detail below.
[0036] In an embodiment of the present invention, a system parameter generation algorithm The execution process is as follows: Input security parameters Total number of encrypted messages Instantiate the Type-III bilinear group generator , obtain parameters Then select two hash functions. Then select a fill function that can be computed in polynomial time. Wherein, the fill function It is an invertible function, has a corresponding validity detection algorithm, and satisfies... The probability of a uniformly random string becoming a valid padding string is negligible; finally, output the common parameters. Unless otherwise specified, all algorithms below will be assumed to be... It is considered implicit input.
[0037] In an embodiment of the present invention, a key generation algorithm The execution process is as follows: random sampling ,set up Output the public and private key pair .
[0038] In embodiments of the present invention, to facilitate the explanation of how the hidden position is determined during the encryption process, the relevant symbols are explained as follows: For binary vectors with a Hamming weight greater than or equal to 1... ,remember Let be the Hamming weight of the binary vector, denoted as For the binary vector The corresponding decimal representation; for any ,remember For the binary vector From left to right, the middle A position index with a value of 1.
[0039] In embodiments of the present invention, the sender-deniable encryption algorithm is described. The execution process is as follows: Input public key Real news and random numbers First, randomly sample a binary vector with a Hamming weight greater than 1. And calculate the hidden location. Then, for each Generate sub-ciphertext pairs .when ,sampling And set the first sub-ciphertext component Based on public key Perform key encapsulation operations to generate a shared key. Generate the second sub-ciphertext component when and ,sampling With random auxiliary messages And set the first sub-ciphertext component And based on public key Perform key encapsulation operations to generate a shared key. Generate the second sub-ciphertext component when Then random sampling Finally, the ciphertext is output.
[0040] In an embodiment of the present invention, the decryption algorithm The execution process is as follows: Input and ciphertext For each First calculate Then determine Is it a fill function? If the following is a valid fill, then set it to... and Otherwise, set After obtaining the binary vector Then, the hidden location is further calculated. And output message .
[0041] In an embodiment of the present invention, the denial interpretation algorithm The execution process is as follows: Input public key Real news Generate ciphertext The random number used at that time First, from the random number... Parse the binary vector Hidden location random number at location Random numbers corresponding to all other valid sub-ciphertexts and auxiliary messages and all random sub-ciphertexts Then calculate the hidden location. Define the modified binary vector To be from Set as The resulting vector is then used to further calculate the new hidden position. Next, by Recalculate position The true ciphertext on, that is Finally, output a fake random number. This allows the same ciphertext to be interpreted as referring to the new hidden location. Corresponding message The legitimate encryption result.
[0042] The invention will be further explained below with reference to performance analysis.
[0043] For ease of comparison, the fully sender-rejected schemes of the prior art involved in Tables 1 and 2 are uniformly described as follows:
[0044] The sender scheme published by Canetti et al. (Deniable encryption, CRYPTO 1997);
[0045] Sahai et al. published the sender scheme (How to use indistinguishabilityobfuscation: deniable encryption, and more, STOC 2014).
[0046] The two-way scheme published by Canetti et al. (Fully deniable interactive encryption, CRYPTO 2020).
[0047] Cao et al.'s publicly available sender scheme (New practical public-key deniable encryption, ICICS 2020).
[0048] An et al. published a sender scheme (Deniable cryptosystems: Simpler constructions and achieving leakage resilience, ESORICS 2023).
[0049] Table 1. Comparison of functional features between the present invention and existing fully sender-repudiable public-key encryption schemes.
[0050]
[0051] The abbreviations in Table 1 represent the full English names as follows:
[0052] TS stands for translucent set;
[0053] iO stands for indistinguishability obfuscation;
[0054] PKE-CD stands for public key encryption with controlled decryption;
[0055] CSPKE stands for ciphertext-simulatable public key encryption;
[0056] HPKE stands for hidden-position key encapsulation; Indicates safety parameters;
[0057] This indicates the number of sub-ciphertexts in a ciphertext.
[0058] Table 1 compares this invention with existing fully repudiable public-key encryption schemes in terms of underlying methods, message space, repudiation types, and repudiation levels. Except for the Canetti et al. two-way scheme, which further achieves repudiation between the sender and receiver, most existing schemes only support sender repudiation. While the Sahai et al. sender scheme and the Canetti et al. two-way scheme achieve negligible detection probabilities, both rely on I / O, thus limiting their practical applicability. Furthermore, the Canetti et al. sender scheme, the Sahai et al. sender scheme, and the Canetti et al. two-way scheme only support highly restricted message spaces. In contrast, the sender schemes of Cao et al. and An et al. maintain... While maintaining deniability, it expands the message space to and Building upon this, embodiments of the present invention, while maintaining the same level of deniability, further extend the message space to...
[0059] In summary, this invention significantly improves the scale of the supported message space while maintaining the level of deniability, and has better overall performance.
[0060] To further illustrate the technical effects of the embodiments of the present invention, the present invention compares and analyzes the embodiments of the present invention with two representative existing schemes from three aspects: computational overhead, private key size, and ciphertext size. The results are shown in Table 2.
[0061] Table 2. Efficiency Comparison of the Embodiments of the Present Invention with Existing Fully Sender-Deniable Public-Key Encryption Schemes
[0062]
[0063] The physical concepts represented by the letters in Table 2 are as follows:
[0064] , and These represent the plaintext lengths of the sending schemes by Cao et al., An et al., and the embodiments of the present invention, respectively.
[0065] Indicates the number of ciphertexts;
[0066] This represents one exponentiation operation;
[0067] This represents a single multiplication operation;
[0068] This represents a discrete logarithmic correlation operation;
[0069] This represents a single division operation;
[0070] This represents a single bilinear pair operation;
[0071] Represents the RSA modulus;
[0072] and Let represent the exponential space and cyclic group in the standard ElGamal scheme, respectively;
[0073] , , and These represent the bit lengths of the elements in these sets, respectively;
[0074] The output length of the filler function can be calculated in polynomial time.
[0075] As shown in Table 2, the embodiments of the present invention are compared with two representative existing sender-repudiable public-key encryption schemes in terms of computational overhead, private key size, and ciphertext size. The sender-repudiation scheme of An et al. is based on the simulable ciphertext property of ElGamal. The embodiments of the present invention have the same overhead as the sender-repudiation scheme of An et al. in the key generation stage, and lower than that of the sender-repudiation scheme of Cao et al.; in the encryption, decryption, and repudiation stages, the embodiments of the present invention require respectively... , and This operation, compared to the sender schemes of Cao et al. and An et al., avoids the factor-based operation. and The additional overhead incurred makes it highly competitive in terms of computational efficiency.
[0076] For ease of comparison, a 128-bit security level is uniformly used as the parameter setting: for the Cao et al. sender scheme, the RSA modulus length is set to 3072 bits; for the An et al. sender scheme, the value is set to... , In this embodiment of the invention, the Type-III bilinear group is instantiated using the BLS12-381 curve, and in this case, under compressed representation, we have , Therefore, in the same encryption Under the condition of bit messages, for example At that time, the ciphertext size of the embodiment of the present invention It is also smaller than the compared scheme. Therefore, it can be seen that the embodiments of the present invention, while supporting longer messages, have better computational efficiency and a more compact ciphertext representation.
[0077] In summary, compared with existing sender-repudiable public-key encryption schemes, the embodiments of the present invention can support a larger message space without reducing the security requirements of full sender-repudiation, and exhibit better overall performance in terms of computational overhead and ciphertext overhead, thus having good prospects for practical application.
Claims
1. A fully sender-repudiable public-key encryption method based on hidden location key encapsulation, characterized in that, The encryption method includes the following steps: Step 1: Generate a public key and a private key based on the system's public parameters; Step 2: During encryption, a binary vector is randomly sampled, and the hidden position is obtained based on the binary vector; a sub-ciphertext corresponding to the real message is generated at the hidden position; valid sub-ciphertext or random sub-ciphertext is generated at the remaining positions other than the hidden position; all sub-ciphertexts are combined into ciphertext. Step 3: During decryption, perform key decapsulation operation on each sub-ciphertext based on the private key to obtain each shared key; and recover the padded message corresponding to each sub-ciphertext based on the shared keys. The restored padded message is subjected to a padded validity check to generate the binary vector; the hidden position is obtained based on the binary vector, and the real message is restored based on the padded message corresponding to the hidden position; Step 4, during the denial interpretation, the corresponding binary vector and hidden position are obtained based on the random number used during encryption; The binary vector is modified, and the new hidden position is obtained based on the modified binary vector; A forged random number is generated based on the new hidden location and the random number used during encryption, so that the same ciphertext can be interpreted as a legitimate encryption result of the message corresponding to the new hidden location.
2. The fully sender-repudiable public-key encryption method according to claim 1, characterized in that, The steps in step 1 to generate public and private keys based on system public parameters are as follows: The first step is to execute the system parameter generation algorithm based on the system's security parameters and the total number of sub-ciphertexts to generate system common parameters; The second step involves executing a key generation algorithm based on the system's public parameters to generate a public key and a private key.
3. The fully sender-repudiable public-key encryption method according to claim 1, characterized in that, The steps in step 2 to obtain the hidden position based on the binary vector are as follows: The first step is to randomly sample a binary vector whose length corresponds to the total number of sub-ciphertexts; The second step is to calculate the Hamming weight of the binary vector, convert the binary vector into its corresponding decimal representation, calculate the modulo operation result of the decimal representation with the Hamming weight and add 1 to obtain the target index value; The third step is to select the positions with a value of 1 in the target index value in the binary vector from left to right as the hidden positions.
4. The fully sender-repudiable public-key encryption method according to claim 1, characterized in that, In step 2, generating the sub-ciphertext corresponding to the real message at the hidden location refers to filling in the real message. The first sub-ciphertext component is generated by sampling random numbers, and a key encapsulation operation is performed based on the public key to generate a shared key; The real message after padding is encrypted based on the shared key to generate a second sub-ciphertext component; the first sub-ciphertext component and the second sub-ciphertext component constitute the sub-ciphertext corresponding to the real message.
5. The fully sender-repudiable public-key encryption method according to claim 1, characterized in that, In step 2, generating valid sub-ciphertext or random sub-ciphertext at positions other than the hidden position means that when the binary vector is 1 at the corresponding position, an auxiliary message is randomly selected and filled, a random number is sampled to generate the first sub-ciphertext component, and a key encapsulation operation is performed based on the public key to generate a shared key. The padded auxiliary message is encrypted based on the shared key to generate a second sub-ciphertext component, thus obtaining the valid sub-ciphertext corresponding to the auxiliary message; when the value of the binary vector at the corresponding position is 0, the first sub-ciphertext component and the second sub-ciphertext component are randomly generated to obtain a random sub-ciphertext.
6. The fully sender-repudiable public-key encryption method according to claim 5, characterized in that, Step 3, which describes performing key decapsulation operations on each sub-ciphertext based on the private key to obtain each shared key, means: for the first sub-ciphertext component in each sub-ciphertext, performing key decapsulation operations based on the private key to generate the corresponding shared key.
7. The fully sender-repudiable public-key encryption method according to claim 5, characterized in that, Step 3, which involves recovering the padded message corresponding to each sub-ciphertext based on the shared keys, means: decrypting the second sub-ciphertext component in each sub-ciphertext based on the corresponding shared key to obtain the padded message corresponding to that sub-ciphertext.
8. The fully sender-repudiable public-key encryption method according to claim 1, characterized in that, Step 3, which involves performing a padding validity check on the recovered padded message and generating the binary vector, means: performing a padding validity check on the recovered padded message; when the padded message passes the padding validity check, determining that the binary vector has a value of 1 at the corresponding position; when the padded message fails the padding validity check, determining that the binary vector has a value of 0 at the corresponding position, thus obtaining the binary vector.
9. The fully sender-repudiable public-key encryption method according to claim 1, characterized in that, The modification of the binary vector in step 4 refers to changing the value corresponding to the hidden position in the binary vector from 1 to 0, thus obtaining the modified binary vector.
10. The fully sender-repudiable public-key encryption method according to claim 1, characterized in that, The steps in step 4 for generating a fake random number based on the new hidden location and the random number used during encryption are as follows: The first step is to obtain the binary vector, the random number component corresponding to the hidden position, the random number component corresponding to each valid sub-ciphertext except for the hidden position, the auxiliary message, and the sub-ciphertext component corresponding to each random sub-ciphertext based on the random number used during encryption. The second step is to re-encrypt the sub-ciphertext component corresponding to the hidden position based on the random number component corresponding to the hidden position. The third step involves generating the forged random number based on the modified binary vector, the new hidden position, the sub-ciphertext component corresponding to the hidden position obtained by re-encryption, the random number component corresponding to each valid sub-ciphertext excluding the hidden position, the auxiliary message, and the sub-ciphertext component corresponding to each random sub-ciphertext.