CN101291214A - A method, system and device for generating a group key - Google Patents

Abstract

In order to solve the problems such as large amount of calculation, more storage space occupation and higher requirements to band width in a group key negotiation method in the prior technology. The invention provides a method of generating a group of secret keys as well as a system and equipment carrying out the method, which belongs to the network communication field. The method comprises the steps that: group members forms a logic ring, system parameters are selected and each member and a neighboring member generate a secret key and an intermediate value shared by the two members and issue the intermediate value; secret keys of other members shared by two members are calculated according to all intermediate values received to generate a group of keys. The system comprises a logic ring forming module, a system parameter selecting module, a message receiving and transmitting module and a group key generating module. The equipment comprises a logic ring forming module, a system parameter selecting module, a D-H public key value calculating module, a shared key generating module, an intermediate value generating module, a message receiving and transmitting module and a group key generating module. The technology provided by the invention solves the problems in the prior technology and is easy to use.

Description

A method, system and device for generating a group key

technical field

The invention relates to the field of network communication, in particular to a method, system and equipment for generating a group key.

Background technique

The key to solve group communication security by using multi-party shared group key is the generation and distribution of the group key, which must be exclusive, that is, non-group members cannot obtain the group key. The existing group key management technologies can be divided into two categories: centralized management and distributed negotiation. Compared with the centralized management type, the distributed negotiation group key management technology is suitable for use in occasions where a central control node cannot or cannot be established, such as military Ad hoc networks, P2P networks, and confidential video conferences. The existing group key agreement schemes are all based on the discrete logarithm problem over finite fields. The Burmester-Desmedt scheme (BD scheme) is used as an example to illustrate. In this scheme, n represents the number of members in the group, and U represents Group member, SK represents the group key. Referring to Fig. 1, it is a flowchart of the Burmester-Desmedt group key agreement method in the prior art, and the Burmester-Desmedt group key agreement method is specifically as follows:

Step 101: Select system parameters. Let p, q be a large prime number, Z _p is a set composed of integers modulo p, g is an element in Z _p , and the order of g is q, q is the smallest positive integer of g ^q ≡ 1modp.

Step ₁₀₂ : A set of members { _{U 1} , U _{2 , .}

Step 103: Each member U _i randomly selects a number r _i from Z _p , and calculates $Z_i=g^{r_i}\mathrm{mod}p,$ and broadcast z _i to all group members;

Step 104: Each member U _i calculates $x_i={(z_{i+1}/z_{i-1})}^{r_i}\mathrm{mod}p,$ and broadcast X _i to all group members;

Step 105: Calculate the group key, each member U _i calculates the group key $\mathrm{SK}={\left(z_{i-1}\right)}^{{\mathrm{nr}}_i}\&Center\; Dot;x_i^{\mathrm{no}-1}\·x_{i+1}^{\mathrm{no}-2}{\&Center\; Dot;\·\&Center\; Dot;x}_{i-2}\mathrm{mod}p.$

Through the above steps, each member calculates the same result, that is, the group key $\mathrm{SK}=g^{r_1{r}_2+r_2{r}_3+\·\·\&Center\; Dot;+r_{\mathrm{no}}{r}_1}\mathrm{mod}p.$

The disadvantages of the Burmester-Desmedt group key agreement method are: large amount of calculation, resulting in slow processing speed; relatively large storage space; and high bandwidth requirements.

Contents of the invention

In order to solve the problems that the group key negotiation method in the prior art has a large amount of calculation, occupies a large storage space, and requires high bandwidth, the embodiments of the present invention provide a method, system and device for generating a group key.

A method of generating a group key, the method comprising:

The members in the group form a logical ring, and the members in the ring are represented by U _i , wherein, i=1, 2, ..., n, and the n is the total number of members in the group;

Select system parameters based on elliptic curves, the system parameters include: prime number q, set Z _p of the smallest non-negative remainder obtained by integer modulo q, and public base point P based on elliptic curves;

According to the Diffie-Hellman key agreement protocol on the elliptic curve and the system parameters, member U _i and member U _i-1 generate a pairwise shared key K _i-1,i , and member U _i+1 generates a pairwise shared key K i-1,i Key K _{i, i+1} ; and, when i=n, said i+1=1;

The member U _i generates an intermediate value according to the pairwise shared key K _i-1,i and the pairwise shared key K _i,i+1 , and broadcasts a group key carrying the intermediate value within the group Key negotiation message;

After the member U _i receives the group key negotiation message broadcast by all other members, it extracts the intermediate value, and calculates the pairwise shared secret between the other member and the next member of the other member according to the intermediate value. key;

Verify whether the pairwise shared key K _i,i+1 is equal to the pairwise shared key K _i+1,i , the verification is passed, and the member U _i generates a group key SK=K based on all pairwise shared keys _{1, 2} + K _{2, 3} + . . . + K _{n, 1} .

The embodiment of the present invention also provides a system for generating a group key, the system comprising:

A logic ring forming module is used to form a logical ring of members in the group, and the members in the ring are represented by U _i , wherein, i=1, 2, ..., n, and the n is the total number of members in the group;

A system parameter selection module for selecting system parameters based on elliptic curves;

A message sending and receiving module, configured to send and receive a group key negotiation message, where the group key negotiation message carries the D-H public key value and intermediate value generated by members in the logical ring composition module;

A group key generation module, configured to generate a group key according to the system parameters selected by the system parameter selection module and the D-H public key value and intermediate value in the group key negotiation message received from the message transceiver module.

The embodiment of the present invention also provides a device for generating a group key, and the device includes:

A logical ring forming module is used to form a logical ring with the equipment in the group, and the equipment is represented by U _i , wherein, i=1, 2, ..., n, and the n is the total number of equipment in the group;

A system parameter selection module, used for selecting system parameters based on elliptic curves after the logical ring composition module completes the logical ring composition;

The DH public key value calculation module is used to calculate the DH public key value according to the system parameters selected by the system parameter selection module, and send it to the device U _i-1 and the device U _i+1 through the message sending and receiving module;

The shared key generation module is used to generate pairwise shared keys K _i respectively according to the Diffie-Hellman key agreement protocol and the DH public key values of the device U _i-1 and the device U _i+1 received from the message sending and receiving module _{-1, i} and two shared keys K _{i, i+1} ;

An intermediate value generating module, configured to generate an intermediate value according to the pairwise shared keys K _{i-1, i} and K _{i, i+1} generated by the shared key generating module;

A message transceiver module, configured to send and receive a group key negotiation message, the group key negotiation message carrying the D-H public key value calculated by the D-H public key value calculation module or the intermediate value generated by the intermediate value generation module value;

A group key generation module, configured to generate a group key according to the system parameters selected by the system parameter selection module and the D-H public key value and intermediate value in the group key negotiation message received from the message transceiver module.

Compared with similar solutions, the solution provided by the embodiment of the present invention has the characteristics of fast calculation speed, small storage space occupation and low network bandwidth requirement when achieving the same security.

Description of drawings

Fig. 1 is the flowchart of the Burmester-Desmedt group key agreement method provided in the prior art;

Fig. 2 is a schematic diagram of a ring composed of n members U ₁ , U ₂ ,..., U _n provided in the prior art;

FIG. 3 is a flowchart of a method for generating a group key provided in Embodiment 1 of the present invention;

Fig. 4 is a schematic diagram of a logical ring composed of three members provided by Embodiment 1 of the present invention;

FIG. 5 is a schematic diagram of four members forming a logical ring provided by Embodiment 1 of the present invention;

6 is a flowchart of a method for generating a group key when a new member joins a group provided by Embodiment 2 of the present invention;

FIG. 7 is a flow chart of an authenticated method for generating a group key provided in Embodiment 4 of the present invention;

FIG. 8 is a schematic diagram of a system for generating a group key provided by Embodiment 5 of the present invention;

FIG. 9 is a schematic diagram of a device for generating a group key provided by Embodiment 6 of the present invention.

Detailed ways

The present invention will be further described below in conjunction with the accompanying drawings and specific embodiments, but the present invention is not limited to the following embodiments.

Example 1

The embodiment of the present invention provides a method for generating a group key, the method is based on elliptic curve cryptography, here is a brief introduction to elliptic curve cryptography ECC (Elliptic Curves Cryptography, elliptic curve cryptography), which was developed in 1985 Independently proposed by Neal Koblitz and Victor Miller. This cryptographic system has the characteristics of high security performance, small amount of calculation, short key length, fast processing speed, small storage space occupation and low bandwidth requirement, so it has a wide application prospect in the security field. In recent years, elliptic curve cryptosystem has been adopted by such as ANSI (American National Standard Institute, American National Standards Institute), IEEE (Institute of Electrical and Electronics Engineers, American Institute of Electrical and Electronics Engineers), ISO (International Standardization Organization, International Organization for Standardization) and NIST ( National Institute of Standards and Technology, American National Institute of Standards and Technology) and other standardization organizations are included as standards.

In this embodiment, n represents the number of members in the group, U represents the group members, and SK represents the group key. Referring to Fig. 3, it is a flowchart of a method for generating a group key according to an embodiment of the present invention, and the specific steps of the method are as follows:

Step 301: A group of members U ₁ ,..., U _n form a logical ring. For example, when the system is initialized, a continuous serial number is assigned to all participants. This group of members forms a logical ring through these continuous serial numbers. See Figure 2 is a schematic diagram of a logical ring composed of group members.

Step 302: Select system parameters and perform system initialization. The specific process is as follows:

Let GF(p) be a finite field whose order is a prime number p, define an elliptic curve EC on this field: y ² =x ³ +αx+β(a,β∈GF(p), 4a ³ +27β ² ( modp)≠0; p is a large prime number above 190 bits). Then EC _p (a, β)={(x, y)|y ² =x ³ +ax+β(mod p)}∪O (O is the identity element) forms an Abelian group.

For a given ECC system, the point P∈EC _p (α, β) is taken as a public base point, and the order of P is a large prime number q (generally q≥120bits). Define G={O, P, 2P, . . . , (q-1)P}. It can be seen that G is a finite cyclic Abel group, and q is a cyclic period.

In addition, choose the hash function H: G→Z _q , Z _q is the set {0, 1, ..., q-1} of the smallest non-negative remainder obtained by integer modulo q.

Step 303: Each member U _i generates pairwise shared keys with the upper family U _i-1 and the lower family U _i+1 respectively.

Wherein, the generation process of the two-party DH key is based on the Diffie-Hellman key agreement protocol in the prior art, and the two-party DH negotiation process is introduced as follows:

Member A and member B are the two parties of the DH protocol. First, A randomly selects a number a from Z _q , sends aP to B, and B randomly selects a number b from Z _q , and sends bP to A;

Then, A computes a(bP), B computes b(aP), that is, A and B share the secret key abP. abP is called the DH key shared by A and B.

In this embodiment, each member U _i randomly selects a number r _i from Z _q , then calculates the DH public key value Xi ₌ r _i P, and sends the group key negotiation message carrying _Xi to his "upper Home" U _i-1 and "Next Home" U _i+1 ,

Each member U _i extracts Xi _-1 and Xi ₊₁ after receiving the group key negotiation message sent by the "upper family" and "lower family", and calculates K _{i-1, i} = r _i X _{i −1} =(x _{i-1, i} , y _{i-1, i} ), K _i,i+1 =r _i X _i+1 =(x _i,i+1 , y _i,i+1 ).

Step 304: Each member U _i multiplies the corresponding component of the DH key shared with the "upper family" by the corresponding component of the DH key shared with the "lower family", and then performs a modulo p operation to generate an intermediate value, and then broadcasts and carries Group key negotiation packets with intermediate values.

This step is specifically implemented as: U _i broadcasts Y _i = (z _{1, i} , z _{2, i} ) to other members, where z _{1, i} = x _{i-1, i} x _{i, i+1} mod p, z _{2 , i} = y _{i-1, i} y _{i, i+1} mod p.

Step 305: Each member U _i receives the group key negotiation message broadcast by all other members, extracts the intermediate value, and calculates the pairwise shared key of each other member and its "next family" according to the intermediate value, and then according to All pairwise shared keys generate a group key, which is the sum of the elliptic curve points of the two DH keys shared by each member and the next party.

The specific implementation of this step is: after each member U _i receives Y from all other members, calculate K _{i+l, i+l+1} = (x _{i+l, i+l+1} , y _{i+l , i+l+1} ), where $x_{i+l,i+l+1}=z_{1,i+l}{x}_{i+l-1,i+l}^{-1}\mathrm{mod}p,$ ${\mathrm{the\; y}}_{i+l,i+l+1}=z_{2,i+l}{\mathrm{the\; y}}_{i+l-1,i+l}^{-1}\mathrm{mod}p,$ Here l passes 1, 2, ..., n-1. Verify the equation first $K_{i,i-1}=K_{i-1,i}=(z_{1,i-1}{x}_{i-2,i-1}^{-1}\mathrm{mod}p,z_{2,i-1}{\mathrm{the\; y}}_{i-2,i-1}^{-1}\mathrm{mod}p)$ If it is true, verify the equation to check whether the received transmission packet has errors or whether it is sent by a non-member of the group. If it is true, calculate the group key SK, SK=K _{1, 2} + K _{2, 3} +... +K _{n, 1} , otherwise U _i declares that the negotiation fails.

Through the above-mentioned group key negotiation process, all members get the same group key result SK=(r ₁ r ₂ +r ₂ r ₃ +...+r _n r ₁ )P.

The negotiation process of the group key is described below by taking three and four members in the group as examples respectively.

Referring to FIG. 4 , it is a schematic diagram of three members forming a logical ring. The process of 3 members negotiating a group key:

(1) U ₁ randomly selects r ₁ ∈ Z _q , then U ₁ → U ₃ , U ₂ : X ₁ = r ₁ P, U ₂ randomly selects r ₂ ∈ Z _q , then U ₂ → U ₁ , U ₃ : X ₂ =r ₂ P, U ₃ randomly selects r ₃ ∈ Z _q , then U ₃ →U ₂ , U ₁ : X ₃ =r ₃ P.

(2) After receiving X ₃ and X ₂ , U ₁ calculates K ₃₁ = r ₁ X ₃ = (x ₃₁ , y ₃₁ ), K ₁₂ = r ₁ X ₂ = (x ₁₂ , y ₁₂ ), and z ₁₁ =x ₃₁ x ₁₂ modp, z ₂₁ =y ₃₁ y ₁₂ modp, broadcast Y ₁ =(z ₁₁ , z ₂₁ );

After receiving X ₁ and X ₃ , U ₂ calculates K ₁₂ = r ₂ X ₁ = (x ₁₂ , y ₁₂ ), K ₂₃ = r ₂ X ₃ = (x ₂₃ , y ₂₃ ), and z ₁₂ = x ₁₂ x ₂₃ modp, z ₂₂ = y ₁₂ y ₂₃ modp, broadcast Y ₂ = (z ₁₂ , z ₂₂ );

After receiving X ₂ and X ₁ , U ₃ calculates K ₂₃ = r ₃ X ₂ = (x ₂₃ , y ₂₃ ), K ₃₁ = r ₃ X ₁ = (x ₃₁ , y ₃₁ ), and z ₁₃ = x ₂₃ x ₃₁ modp, z ₂₃ =y ₂₃ y ₃₁ modp, broadcast Y ₃ =(z ₁₃ , z ₂₃ ).

(3) After receiving Y ₂ and Y ₃ , U ₁ calculates $K_{\mathrm{twenty\; three}}=(x_{\mathrm{twenty\; three}},{\mathrm{the\; y}}_{\mathrm{twenty\; three}})=(z_{12}{x}_{12}^{-1}\mathrm{mod}p,z_{\mathrm{twenty\; two}}{\mathrm{the\; y}}_{12}^{-1}\mathrm{mod}p),$ U ₁ Verification $(z_{13}{x}_{\mathrm{twenty\; three}}^{-1}\mathrm{mod}p,z_{\mathrm{twenty\; three}}{\mathrm{the\; y}}_{\mathrm{twenty\; three}}^{-1}\mathrm{mod}p)=r_1{x}_3,$ If established, calculate the key: SK=K ₁₂ +K ₂₃ +K ₃₁ , otherwise, the negotiation fails and the negotiation is stopped.

After U ₂ receives Y ₃ and Y ₁ , it calculates $K_{31}=(x_{31},{\mathrm{the\; y}}_{31})=(z_{13}{x}_{\mathrm{twenty\; three}}^{-1}\mathrm{mod}p,z_{\mathrm{twenty\; three}}{\mathrm{the\; y}}_{\mathrm{twenty\; three}}^{-1}\mathrm{mod}p),$ _U2 authentication $(z_{11}{x}_{31}^{-1}\mathrm{mod}p,z_{\mathrm{twenty\; one}}{\mathrm{the\; y}}_{31}^{-1}\mathrm{mod}p)=r_2{x}_1,$ If established, the key is calculated: SK=K ₁₂ +K ₂₃ +K ₃₁ ; otherwise, the negotiation fails and the negotiation is stopped.

After receiving Y ₁ and Y ₂ , U ₃ calculates $K_{12}=(x_{12},{\mathrm{the\; y}}_{12})=(z_{11}{x}_{31}^{-1}\mathrm{mod}p,z_{\mathrm{twenty\; one}}{\mathrm{the\; y}}_{31}^{-1}\mathrm{mod}p)$ , _U3 verifies $(z_{12}{x}_{12}^{-1}\mathrm{mod}p,z_{\mathrm{twenty\; two}}{\mathrm{the\; y}}_{12}^{-1}\mathrm{mod}p)=r_3{x}_2,$ If established, the key is calculated: SK=K ₁₂ +K ₂₃ +K ₃₁ ; otherwise, the negotiation fails and the negotiation is stopped.

The three members get the same group key SK=(r ₁ r ₂ +r ₂ r ₃ +r ₃ r ₁ )P.

Referring to FIG. 5 , it is a schematic diagram of four members forming a logical ring. The process of 4 members negotiating a group key:

(1) U1 randomly selects r ₁ ∈ Z _q , then U ₁ → U ₄ , U ₂ : X ₁ = r ₁ P, U ₂ randomly selects r ₂ ∈ Z _q , then U ₂ → U ₁ , U ₃ : X ₂ = r ₂ P, U ₃ randomly selects r ₃ ∈ Z _q , then U ₃ → U ₂ , U ₄ : X ₃ = r ₃ P, U ₄ randomly selects r ₄ ∈ Z _q , then U ₄ → U ₃ , U ₁ : X ₄ =r ₄ P.

(2) After receiving X ₄ and X ₂ , U ₁ calculates K ₄₁ = r ₁ X ₄ = (x ₄₁ , y ₄₁ ), K ₁₂ = r ₁ X ₂ = (x ₁₂ , y ₁₂ ), and z ₁₁ =x ₄₁ x ₁₂ modp, z ₂₁ =y ₄₁ y ₁₂ modp, broadcast Y ₁ =(z ₁₁ , z ₂₁ );

After receiving X ₁ and X ₃ , U ₂ calculates K ₁₂ = r ₂ X ₁ = (x ₁₂ , y ₁₂ ), K ₂₃ = r ₂ X ₃ = (x ₂₃ , y ₂₃ ), and z ₁₂ = x ₁₂ x ₂₃ modp, z ₂₂ = y ₁₂ y ₂₃ modp, broadcast Y ₂ = (z ₁₂ , z ₂₂ );

After receiving X ₂ and X ₄ , U ₃ calculates K ₂₃ = r ₃ X ₂ = (x ₂₃ , y ₂₃ ), K ₃₄ = r ₃ X ₄ = (x ₃₄ , y ₃₄ ), and z ₁₃ = x ₂₃ x ₃₄ modp, z ₂₃ =y ₂₃ y ₃₄ modp, broadcast Y ₃ =(z ₁₃ , z ₂₃ );

After receiving X ₃ and X ₁ , U ₄ calculates K ₃₄ = r ₄ X ₃ = (x ₃₄ , y ₃₄ ), K ₄₁ = r ₄ X ₁ = (x ₄₁ , y ₄₁ ), and z ₁₄ = x ₃₄ x ₄₁ modp, z ₂₄ =y ₃₄ y ₄₁ modp, broadcast Y ₄ =(z ₁₄ , z ₂₄ ).

(3) After U ₁ receives Y ₂ , Y ₃ , and Y ₄ , calculate $K_{\mathrm{twenty\; three}}=(x_{\mathrm{twenty\; three}},{\mathrm{the\; y}}_{\mathrm{twenty\; three}})=(z_{12}{x}_{12}^{-1}\mathrm{mod}p,z_{\mathrm{twenty\; two}}{\mathrm{the\; y}}_{12}^{-1}\mathrm{mod}p),$ $K_{34}=(x_{34},{\mathrm{the\; y}}_{34})=(z_{13}{x}_{\mathrm{twenty\; three}}^{-1}\mathrm{mod}p,z_{\mathrm{twenty\; three}}{\mathrm{the\; y}}_{\mathrm{twenty\; three}}^{-1}\mathrm{mod}p),$ U ₁ Verification $(z_{14}{x}_{34}^{-1}\mathrm{mod}p,z_{\mathrm{twenty\; four}}{\mathrm{the\; y}}_{34}^{-1}\mathrm{mod}p)=r_1{x}_4,$ If established, calculate the key: SK=K ₁₂ +K ₂₃ +K ₃₄ +K ₄₁ ; otherwise, the negotiation fails and the negotiation is stopped;

After U ₂ receives Y ₁ , Y ₃ , and Y ₄ , it calculates $K_{34}=(x_{34},{\mathrm{the\; y}}_{34})=(z_{13}{x}_{\mathrm{twenty\; three}}^{-1}\mathrm{mod}p,z_{\mathrm{twenty\; three}}{\mathrm{the\; y}}_{\mathrm{twenty\; three}}^{-1}\mathrm{mod}p),$ $K_{41}=(x_{41},{\mathrm{the\; y}}_{41})=(z_{14}{x}_{34}^{-1}\mathrm{mod}p,z_{\mathrm{twenty\; four}}{\mathrm{the\; y}}_{34}^{-1}\mathrm{mod}p),$ _U2 authentication $(z_{11}{x}_{41}^{-1}\mathrm{mod}p,z_{\mathrm{twenty\; one}}{\mathrm{the\; y}}_{41}^{-1}\mathrm{mod}p)=r_2{x}_1,$ If established, calculate the key: SK=K ₁₂ +K ₂₃ +K ₃₄ +K ₄₁ ; otherwise, the negotiation fails and the negotiation is stopped;

After U ₃ receives Y ₄ , Y ₁ , and Y ₂ , it calculates $K_{41}=(x_{41},{\mathrm{the\; y}}_{41})=(z_{14}{x}_{34}^{-1}\mathrm{mod}p,z_{\mathrm{twenty\; four}}{\mathrm{the\; y}}_{34}^{-1}\mathrm{mod}p),$ $K_{12}=(x_{12},{\mathrm{the\; y}}_{12})=(z_{11}{x}_{41}^{-1}\mathrm{mod}p,z_{\mathrm{twenty\; one}}{\mathrm{the\; y}}_{41}^{-1}\mathrm{mod}p),$ _U3 verification $(z_{12}{x}_{12}^{-1}\mathrm{mod}p,z_{\mathrm{twenty\; two}}{\mathrm{the\; y}}_{12}^{-1}\mathrm{mod}p)=r_3{x}_2,$ If established, calculate the key: SK=K ₁₂ +K ₂₃ +K ₃₄ +K ₄₁ ; otherwise, the negotiation fails and the negotiation is stopped;

After U ₄ receives Y ₁ , Y ₂ , and Y ₃ , it calculates $K_{12}=(x_{12},{\mathrm{the\; y}}_{12})=(z_{11}{x}_{41}^{-1}\mathrm{mod}p,z_{\mathrm{twenty\; one}}{\mathrm{the\; y}}_{41}^{-1}\mathrm{mod}p),$ $K_{\mathrm{twenty\; three}}=(x_{\mathrm{twenty\; three}},{\mathrm{the\; y}}_{\mathrm{twenty\; three}})=(z_{12}{x}_{12}^{-1}\mathrm{mod}p,z_{\mathrm{twenty\; two}}{\mathrm{the\; y}}_{12}^{-1}\mathrm{mod}p),$ _U4 authentication $(z_{13}{x}_{\mathrm{twenty\; three}}^{-1}\mathrm{mod}p,z_{\mathrm{twenty\; three}}{\mathrm{the\; y}}_{\mathrm{twenty\; three}}^{-1}\mathrm{mod}p)=r_4{x}_3,$ If established, the key is calculated: SK=K ₁₂ +K ₂₃ +K ₃₄ +K ₄₁ ; otherwise, the negotiation fails and the negotiation is stopped.

Four members get the same group key SK=K ₁₂ +K ₂₃ +K ₃₄ +K ₄₁ =(r ₁ r ₂ +r ₂ r ₃ +r ₃ r ₄ +r ₄ r ₁ )P.

Example 2

This embodiment provides a group key negotiation method when a new member joins the group. This embodiment is based on Embodiment 1, assuming that the member group Σ={U ₁ ,..., U _n } has performed the basic negotiation provided by Embodiment 1, and obtained the shared group key seed r=H( SK)＝r ₁ r ₂ +r ₂ r ₃ +...r _i r _i+1 +...+r _n-1 r _n +r _n r ₁ , at this time member ∑′＝{U _n+1 ,..., U _n+m } need to join the group and share the new key with the members in ∑. U ₁ and U _n need to interact with the newly joined member Σ', and all group members (including other group members in Σ) can calculate a new group key.

Among them, m+2 members V _i form a logical ring, V ₁ =U ₁ , V ₂ =U _n , V _i =U _n+i-2 (3≤i≤m+2), see Figure 6, for A flowchart of a method for generating a group key when a new member joins the group. The specific steps to generate a group key when a new member joins the group are as follows:

Step 601: V _i (i=3, 4, ..., m+2) randomly selects a number r' _i from Z _q , V ₁ randomly selects a number r ₁ from Z _q , and calculates r' ₁ =r ₁ ·r, V ₂ randomly selects a number r ₂ from Z _q , and calculates r′ ₂ =r ₂ ·r.

Step 602: V _i (i=1, 2, ..., m+2) calculates the DH public key value X' _i =r' _i ·P, and sends X' ₁ to his "upper family" V _i-1 and "next home" V _i+1 , while V ₁ sends r ₁ ′ or member V ₂ sends r ₂ ′ to members U ₂ ,..., U _n-1 .

Step 603: After receiving X'i _-1 and X'i ₊₁ , V _i calculates the DH key K'i- _{1 , i} and the "downer" V _{i+ 1} ’s DH key K′ _{i, i+1} , multiply the first component of K′ _{i-1, i} by the first component of K′ _{i, i+1} and modulo p, and its value is recorded as z ′ _{1, i} , multiply the second component of K′ _{i-1, i} with the second component of K′ _{i, i+1} and do modulo p, its value is recorded as z′ _{2, i} , and then broadcast ( z' _{1, i} , z' _{2, i} ). The specific algorithm is as follows:

After receiving X′ _i-1 and X′ _i+1 , V _i calculates K′ _{i-1, i} = r′ _i X′ _i-1 = (x′ _i-1 , y′ _i-1 , i) , K' _{i, i+1} = (x' _{i, i+1} , y' _{i, i+1} ) = r' _i X' _i+1 , then V _i broadcasts Y' _i = (x' _{i-1 , i} x′ _{i, i+1} modp, y′ _{i-1, i} y′ _{i, i+1} modp)=(z′ _{1, i} , z′ _{2, i} ) (i takes 1, 2, . . . , m+2). Broadcasting makes U ₂ ,..., U _n-1 also get Y′ _i .

Step 604: After V _i receives V' _j (j passes 1, 2, ..., m+2, and j≠i), it calculates K' _{1, 2} , K' 2, ₃ , ..., K' _m+2,1 , and the sum of K' _1,2 , K' _2,3 , ..., K' _m+2,1 is the group key SK' _i . At the same time, members U ₂ and U _n-1 can calculate K′ _1,2 , K′ _2,3 ,…, K′ _m+2,1 in the same way as V ₁ or V ₂ after receiving Y′ _j , thus calculating the group Key SK' _i . The specific algorithm is as follows:

After V _i receives Y′ _j (j takes 1, 2, ..., m+2, and j≠I), calculate $K_{i+l,i+l+1}^{\′}=(z_{1,i+l}^{\′}{x}_{i+l-1,i+l}^{\′-1}\mathrm{mod}p,z_{2,i+l}^{\′}{\mathrm{the\; y}}_{i+l-1,i+l}^{\′-1}\mathrm{mod}p)=(x_{i+l,i+l+1}^{\′},{\mathrm{the\; y}}_{i+l,i+l+1}^{\′});$ At the same time, members U ₂ ,..., U _n-1 can calculate in the same way as V ₁ after receiving Y′ _j $K_{l+1,l+2}^{\′}=(z_{1,l+1}^{\′}{x}_{l,l+1}^{\′-1}\mathrm{mod}p,z_{2,l+1}^{\′}{\mathrm{the\; y}}_{l,l+1}^{\′-1}\mathrm{mod}p)=(x_{l+1,l+2}^{\′},{\mathrm{the\; y}}_{l+1,l+2}^{\′})$ (Where, 1, 2, . . . , m+1 are taken for the l pass).

V _i first verify the equality $K_{i,i-1}^{\′}=K_{i-1,i}^{\′}=(z_{1,i-1}^{\′}{x}_{i-2,i-1}^{\′-1}\mathrm{mod}p,z_{2,i-1}^{\′}{\mathrm{the\; y}}_{i-2,i-1}^{\′-1}\mathrm{mod}p)$ Whether it holds, members U ₂ ,..., U _n-1 can verify $K_{1,m+2}^{\′}=K_{m+\mathrm{2,1}}^{\′}=(z_{1,m+2}{x}_{m+1,m+2}^{\′-1}\mathrm{mod}p,z_{m+1,m+2}{\mathrm{the\; y}}_{m+1,m+2}^{\′-1}\mathrm{mod}p)$ Whether it is true, if both are true, calculate the group key SK′=K′ _1,2 +K′ _2,3 +…+K′ _m+2,1 .

Through the above steps, all members get the same group key SK'=(r' ₁ r' ₂ +r' ₂ r' ₃ +...+r' _m+2 r' ₁ )P.

An example is as follows: Assume that the member group Σ={U ₁ ,...,U ₅ } has performed basic negotiation and obtained the shared key seed r=H(SK), at this time member ∑′={U ₆ } need to join the group and share the new key with the members in ∑. Using the method provided in this embodiment, U ₁ and U ₅ need to interact with the newly joined member U ₆ , so that all group members can calculate a new group key. Here three members {V _i } form a logic ring, where V ₁ =U ₁ , V ₂ =U ₅ , V ₃ =U ₆ . After V ₁ , V ₂ and V ₃ form a logic ring, perform the following specific steps:

(1) V ₃ randomly selects a number r′ ₃ from Z _q , V ₁ randomly selects a number r ₁ from Z _q , calculates r′ ₁ = r ₁ ·r, V ₂ randomly selects a number from Z _q r ₂ , calculate r′ ₂ =r ₂ ·r;

Then V ₁ calculates X′ ₁ =r′ ₁ ·P and sends X′ ₁ to his “upper” V ₃ and “lower” V ₂ , V ₂ calculates X′ ₂ =r′ ₂ ·P, and Send X′ ₂ to his “upper home” V ₁ and “lower home” V ₃ , V ₃ calculates X′ ₃ = r′ ₃ ·P, and sends X′ ₃ to his “upper home” V ₂ and "Xia Jia" V ₁ ;

At the same time, V ₁ and V ₂ send r ₁ and X′ ₂ to U ₂ , . . . , U ₄ respectively.

(2) After receiving X′ ₃ and X′ ₂ , V ₁ calculates K′ ₃₁ =r′ ₁ X′ ₃ =(x′ ₃₁ , y′ ₃₁ ), K′ ₁₂ =r′ ₁ X′ ₂ =( x′ ₁₂ , y′ ₁₂ ), and z′ ₁₁ =x′ ₃₁ x′ ₁₂ modp, z′ ₂₁ =y′ ₃₁ y′ ₁₂ modp, broadcast Y′ ₁ =(z′ ₁₁ , z′ ₂₁ );

After receiving X′ ₁ and X′ ₃ , V ₂ calculates K′ ₁₂ = r′ ₂ X′ ₁ = (x′ ₁₂ , y′ ₁₂ ), K′ ₂₃ = r′ ₂ X′ ₃ = (x′ ₂₃ , y′ ₂₃ ), and z′ ₁₂ =x′ ₁₂ x′ ₂₃ modp, z′ ₂₂ =y′ ₁₂ y′ ₂₃ modp, broadcast Y′ ₂ =(z′ ₁₂ , z′ ₂₂ );

After receiving X′ ₂ and X′ ₁ , V ₃ calculates K′ ₂₃ = r′ ₃ X′ ₂ = (x′ ₂₃ , y′ ₂₃ ), K′ ₃₁ = r′ ₃ X′ ₁ = (x′ ₃₁ , y′ ₃₁ ), and z′ ₁₃ =x′ ₂₃ x′ ₃₁ modp, z′ ₂₃ =y′ ₂₃ y′ ₃₁ modp, broadcasting Y′ ₃ =(z′ ₁₃ , z′ ₂₃ ).

(3) After receiving Y′ ₂ and Y′ ₃ , V ₁ calculates $K_{\mathrm{twenty\; three}}^{\′}=(x_{\mathrm{twenty\; three}}^{\′},{\mathrm{the\; y}}_{\mathrm{twenty\; three}}^{\′})=(z_{12}^{\′}{x}_{12}^{\′-1}\mathrm{mod}p,z_{\mathrm{twenty\; two}}^{\′}{\mathrm{the\; y}}_{12}^{\′-1}\mathrm{mod}p),$ V ₁ Verification $(z_{13}^{\′}{x}_{\mathrm{twenty\; three}}^{\′-1}\mathrm{mod}p,z_{\mathrm{twenty\; three}}^{\′}{\mathrm{the\; y}}_{\mathrm{twenty\; three}}^{\′-1}\mathrm{mod}p)=r_1^{\′}{x}_3^{\′},$ If established, calculate the key: SK'=K' ₁₂ +K' ₂₃ +K'₃₁; otherwise, the negotiation fails and the negotiation is stopped;

After receiving Y′ ₃ and Y′ ₁ , V ₂ calculates $K_{31}^{\′}=(x_{31}^{\′},{\mathrm{the\; y}}_{31}^{\′})=(z_{13}^{\′}{x}_{\mathrm{twenty\; three}}^{\′-1}\mathrm{mod}p,z_{\mathrm{twenty\; three}}^{\′}{\mathrm{the\; y}}_{\mathrm{twenty\; three}}^{\′-1}\mathrm{mod}p),$ _V2 Verification $(z_{11}^{\′}{x}_{31}^{\′-1}\mathrm{mod}p,z_{\mathrm{twenty\; one}}^{\′}{\mathrm{the\; y}}_{31}^{\′-1}\mathrm{mod}p)=r_2^{\′}{x}_1^{\′},$ If established, calculate the key: SK'=K' ₁₂ +K' ₂₃ +K'₃₁; otherwise, the negotiation fails and the negotiation is stopped;

After receiving Y′ ₁ and Y′ ₂ , V ₃ calculates $K_{12}^{\′}=(x_{12}^{\′},{\mathrm{the\; y}}_{12}^{\′})=(z_{11}^{\′}{x}_{31}^{\′-1}\mathrm{mod}p,z_{\mathrm{twenty\; one}}^{\′}{\mathrm{the\; y}}_{31}^{\′-1}\mathrm{mod}p),$ _U3 verification $(z_{12}^{\′}{x}_{12}^{\′-1}\mathrm{mod}p,z_{\mathrm{twenty\; two}}^{\′}{\mathrm{the\; y}}_{12}^{\′-1}\mathrm{mod}p)=r_3^{\′}{x}_2^{\′},$ If established, calculate the key: SK'=K' ₁₂ +K' ₂₃ +K'₃₁; otherwise, the negotiation fails and the negotiation is stopped;

After U ₂ receives r ₁ , X′ ₂ , Y′ ₂ , and Y′ ₃ , it calculates K′ ₁₂ = rr ₁ X′ ₂ , $K_{\mathrm{twenty\; three}}^{\′}=(x_{\mathrm{twenty\; three}}^{\′},{\mathrm{the\; y}}_{\mathrm{twenty\; three}}^{\′})=(z_{12}^{\′}{x}_{12}^{\′-1}\mathrm{mod}p,z_{\mathrm{twenty\; two}}^{\′}{\mathrm{the\; y}}_{12}^{\′-1}\mathrm{mod}p),$ $K_{31}^{\′}=(x_{31}^{\′},{\mathrm{the\; y}}_{31}^{\′})=(z_{13}^{\′}{x}_{\mathrm{twenty\; three}}^{\′-1}\mathrm{mod}p,z_{\mathrm{twenty\; three}}^{\′}{\mathrm{the\; y}}_{\mathrm{twenty\; three}}^{\′-1}\mathrm{mod}p),$ From this, the group key is calculated: SK'=K' ₁₂ +K' ₂₃ +K'₃₁;

After receiving r ₁ , X′ ₂ , Y′ ₂ , and Y′ ₃ , U ₃ calculates K′ ₁₂ = rr ₁ X′ ₂ , $K_{\mathrm{twenty\; three}}^{\′}=(x_{\mathrm{twenty\; three}}^{\′},{\mathrm{the\; y}}_{\mathrm{twenty\; three}}^{\′})=(z_{12}^{\′}{x}_{12}^{\′-1}\mathrm{mod}p,z_{\mathrm{twenty\; two}}^{\′}{\mathrm{the\; y}}_{12}^{\′-1}\mathrm{mod}p),$ $K_{31}^{\′}=(x_{31}^{\′},{\mathrm{the\; y}}_{31}^{\′})=(z_{13}^{\′}{x}_{\mathrm{twenty\; three}}^{\′-1}\mathrm{mod}p,z_{\mathrm{twenty\; three}}^{\′}{\mathrm{the\; y}}_{\mathrm{twenty\; three}}^{\′-1}\mathrm{mod}p),$ From this the group key is calculated: SK'=K' ₁₂ +K' ₂₃ +K' ₃₁ .

After receiving r1, X′ ₂ , Y′ ₂ and Y′ ₃ , U ₄ calculates K′ ₁₂ =rr ₁ X′ ₂ , $K_{\mathrm{twenty\; three}}^{\′}=(x_{\mathrm{twenty\; three}}^{\′},{\mathrm{the\; y}}_{\mathrm{twenty\; three}}^{\′})=(z_{12}^{\′}{x}_{12}^{\′-1}\mathrm{mod}p,z_{\mathrm{twenty\; two}}^{\′}{\mathrm{the\; y}}_{12}^{\′-1}\mathrm{mod}p),$ $K_{31}^{\′}=(x_{31}^{\′},{\mathrm{the\; y}}_{31}^{\′})=(z_{13}^{\′}{x}_{\mathrm{twenty\; three}}^{\′-1}\mathrm{mod}p,z_{\mathrm{twenty\; three}}^{\′}{\mathrm{the\; y}}_{\mathrm{twenty\; three}}^{\′-1}\mathrm{mod}p).$

From this the group key is calculated: SK'=K' ₁₂ +K' ₂₃ +K' ₃₁ .

Through the above method, all members get the same group key SK'=(r' ₁ r' ₂ +r' ₂ r' ₃ +r' ₃ r' ₁ )P.

Example 3

This embodiment provides a group key negotiation method when other members leave the group. This embodiment is based on Embodiment 1, assuming that members Σ={U ₁ ,..., U _n } have performed the basic negotiation provided by Embodiment 1, and there are k members at this time ${\mathrm{\Σ}}^{\′}=\{u_{j_1},...,u_{j_k}\}$ need to leave the group, the remaining group members ${\mathrm{\Σ}}^{\′\′}=\{u_1,\&Center\; Dot;\·\·,u_{j_1-1},u_{j_1+1},...,u_{j_k-1},u_{j_k+1},\·\·\·,u_{\mathrm{no}}\},$ In order to prevent the remaining members of the group from obtaining the group key of the group, some adjacent two members need to randomly select a number again. with the following steps:

First, the remaining group members ${\mathrm{\Σ}}^{\′\′}=\{u_1,\·\·\·,u_{j_1-1},u_{j_1+1},...,u_{j_k-1},u_{j_k+1},\·\·\·,u_{\mathrm{no}}\}$ The member U _i (i is an odd number) randomly selects a number r _i ′ from Z _q , and recalculates X _i =r′ _i P, ${\mathrm{\Σ}}^{\′\′}=\{u_1,\&Center\; Dot;\&Center\; Dot;\&Center\; Dot;,u_{j_1-1},u_{j_1+1},...,u_{j_k-1},u_{j_k+1},\·\&Center\; Dot;\·,u_{\mathrm{no}}\}$ Among the members U _i (i is an even number), take r′ _i =r _i .

Then, the remaining group members ${\mathrm{\Σ}}^{\′\′}=\{u_1,\&Center\; Dot;\&Center\; Dot;\&Center\; Dot;,u_{j_1-1},u_{j_1+1},...,u_{j_k-1},u_{j_k+1},\&Center\; Dot;\&Center\; Dot;\·,u_{\mathrm{no}}\}$ Rerun the group key negotiation method provided in Embodiment 1 to calculate a new shared group key.

Example 4

On the basis of the above embodiments, this embodiment can add a signature authentication mechanism to realize authenticated group key negotiation. This embodiment is described on the basis of Embodiment 1. After each member generates an intermediate value or a D-H public key value , and then sign the intermediate value or the D-H public key value, and send the signature result together with the group key negotiation message; after receiving the group key negotiation message, other members use the signature to verify whether the key negotiation message is correct.

Referring to FIG. 7 , it is a flow chart of an authenticated method for generating a group key. The method includes the following steps:

Step 701: Each member U _i randomly selects a number r _i from Z _q , then calculates the DH public key value X _i = r _i P and signature Sig(X _i ), and sends them together to the "upper family" U _{i -1} and the "next home" U _i+1 .

Step 702: After each member U _i receives X _i-1 from the "upper family" and X _i+1 from the "lower family", it first verifies the signatures Sig(X _i-1 ) and Sig(X _{i +1} ) is correct, and the verification is passed, then execute step 703, otherwise, execute step 708.

Step 703: Calculate K _{i-1, i} = r _i X _i-1 = (x _{i-1, i} , y _{i-1, i} ), K _{i, i+1} = r _i X _i+1 = (x _{i, i+1} , y _{i, i+1} ), then U _i broadcasts Y _i = (z _{1, i} , z _{2, i} ) and Sig(Y _i ) to other members, where z _{1, i} = x _{i -1, i} x _{i, i+1} modp, z _{2, i} = y _{i-1, i} y _i+1 modp.

Step 704: After each member U _i receives Y and Sig(Y) from all other members, it uses the signature Sig(Y) to verify whether Y is correct. After the verification is passed, execute step 705; otherwise, execute step 708.

Step 705: After the verification is passed, the member U _i calculates K _{i+l, i+l+1} = (x _{i+l, i+l+1} , y _{i+l, i+l+1} ), where $x_{i+l,i+l+1}=z_{1,i+l}{x}_{i+l-1,i+l}^{-1}\mathrm{mod}p,{\mathrm{the\; y}}_{i+l,i+l+1}=z_{2,i+l}{\mathrm{the\; y}}_{i+l-1,i+l}^{-1}\mathrm{mod}p,$ Here l passes 1, 2, ..., n-1.

Step 706: Member U _i verifies the equation $K_{i,i-1}=K_{i-1,i}=(z_{1,i-1}{x}_{i-2,i-1}^{-1}\mathrm{mod}p,z_{2,i-1}{\mathrm{the\; y}}_{i-2,i-1}^{-1}\mathrm{mod}p)$ Whether it is established, if established, go to step 707, otherwise go to step 708.

Step 707: The member U _i calculates the group key SK=K _1,2 +K _2,3 +...+K _n,1 .

Step 708: The member U _i announces that the negotiation fails.

Finally, all members get the same group key result SK=(r ₁ r ₂ +r ₂ r ₃ +...+r _n r ₁ )P.

The above signature scheme depends on the signature authentication mechanism adopted in the specific application environment, including but not limited to: IBE (Identity-based Encryption, identity-based encryption method, RSA signature, DSA (Digital Signature Algorithm, digital signature algorithm), ECDSA (Elliptic Curve Digital Signature Algorithm, Elliptic Curve Digital Signature Algorithm), HMAC (Hash Message Authentication Codes, Hash Information Verification Code) authentication mechanism, etc.

When the number of group members participating in the negotiation is large, the group members can be divided into n subgroups, which are recorded as group ₁ , group ₂ , ..., group _n , and the number of members in each subgroup is m ₁ , m ₂ , …, m _n , negotiated as follows:

m _i members in group _i (i=1, 2, ..., n) form a logical ring, perform the basic negotiation provided by Embodiment 1, and obtain the group key SK _i =(r _i , s _i );

group ₁ , group ₂ , ..., group _n constitute a logical ring, group _i (i=1, 2, ..., n) calculates Xi ₌ r _i P, performs the basic negotiation provided by embodiment 1, and negotiates the group key SK=K _1,2 +K _2,3 + . . . +K _n,1 .

Finally, all members get the same group key SK=(r ₁ r ₂ +r ₂ r ₃ +...+r _n r ₁ )P.

Example 5

Referring to FIG. 8 , it is a schematic diagram of a system for generating a group key. This embodiment also provides a system for generating a group key, including:

A logical ring forming module is used to form a logical ring by members in the group, and the members in the ring are represented by U _i , wherein, i=1, 2, ..., n, and the n is the total number of members in the group;

A system parameter selection module for selecting system parameters based on elliptic curves;

The message sending and receiving module is used to send and receive the group key negotiation message, and the group key negotiation message carries the D-H public key value and the intermediate value of the members in the logical ring composition module;

The group key generation module is used to generate the group key according to the system parameters selected by the system parameter selection module and the D-H public key value and the intermediate value in the group key negotiation message received from the message sending and receiving module.

Among them, the group key generation module specifically includes:

The shared key generation unit is used to generate pairwise shared keys K i-1,i of member U _i and member U _i-1 according to the Diffie-Hellman key agreement protocol and the system parameters selected by the system parameter selection module _{, and} generate The pairwise shared key K _{i,i+1 of} member U _i and member U i+1; and, when i=n, said i+1=1;

An intermediate value generating unit, configured to generate an intermediate value according to pairwise shared keys K _{i-1, i} and K _{i, i+1} generated by the shared key generating unit;

The shared key verification unit is used to verify whether the pairwise shared key K _{i, i+1} is equal to the pairwise shared key K _{i+1, i} , and if the verification is passed, notify the group key generation unit to generate a group key; otherwise, Notify the group key generating unit to stop generating the group key;

The group key generation unit is used to calculate the pairwise shared key between adjacent members according to the intermediate value after receiving the notification of generating the group key sent by the shared key verification unit, and generate a group key according to all pairwise shared keys. key;

When other members join or quit, the system also includes:

The group key seed generation module is used to operate the generated group key to generate the group key seed;

The group key update module is used for when a new member joins the group, according to the logical ring composition module, the new member and the original members _U1 and _Un form a new logical ring, which is generated by the group key seed generation module The group key seed of is used to generate a new group key through the group key generation module. Or, when a member withdraws from the group, the remaining members form a new logical ring, the members are represented by _Wi , i is a positive integer less than n, and the members are divided into odd members and even members according to the value of i; Odd members select a random number different from the original random number, so that the even members select the same random number as the original random number, and generate a new group key through the group key generation module.

In order to further improve the system, the system also includes:

The signature generation module is used to sign the D-H public key value and the intermediate value, and carry the signature in the group key negotiation message;

The signature verification module is configured to use the received signature to verify whether the group key negotiation message is correct after receiving the key negotiation message.

Example 6

Referring to Figure 9, this embodiment provides a device for generating a group key, including:

The logical ring forming module is used to form a logical ring with the equipment in the group, and this equipment is represented by U _i , wherein, i=1, 2, ..., n, n is the total number of equipment in the group;

The system parameter selection module is used for selecting the system parameters based on the elliptic curve after the logical ring composition module completes the logical ring composition;

The DH public key value calculation module is used to calculate the DH public key value according to the system parameters selected by the system parameter selection module, and send it to the device U _i-1 and the device U _i+1 through the message sending and receiving module;

The shared key generation module is used to generate pairwise shared keys K _i respectively according to the Diffie-Hellman key agreement protocol and the DH public key values of the device U _i-1 and the device U _i+1 received from the message sending and receiving module _{-1, i} and two shared keys K _{i, i+1} ;

The intermediate value generation module is used to generate an intermediate value according to the pairwise shared keys K _{i-1, i} and K _{i, i+1} generated by the shared key generation module;

The message sending and receiving module is used to send and receive the group key negotiation message, wherein the group key negotiation message carries the D-H public key value calculated by the D-H public key value calculation module or the intermediate value generated by the intermediate value generation module;

The group key generation module is used to generate the group key according to the system parameters selected by the system parameter selection module and the D-H public key value and the intermediate value in the group key negotiation message received from the message sending and receiving module.

When a new device joins the group or a device exits the group, the device also includes:

The group key update module is used to select the module according to the above system parameters, the D-H public key value calculation module, the shared key generation module, the intermediate value generation module and the information in the message sending and receiving module when the number of devices in the group changes Generate a new group key.

In order to ensure the validity and security of the information sent and received by the device, the device also includes:

The signature generation module is used to sign the D-H public key value calculated by the D-H public key value calculation module or the intermediate value generated by the intermediate value generation module, and carry the signature in the group key negotiation message;

The signature verification module is configured to use the signature to verify whether the group key negotiation message is correct after receiving the key negotiation message.

The above embodiment has:

1) Higher security performance: the computational complexity of the elliptic curve discrete logarithm problem is completely exponential at present, while RSA (RSA public key cryptosystem) is sub-exponential.

2) Small amount of calculation and fast processing speed: Under the same computing resource conditions, the elliptic curve system has faster processing speed than RSA and DSA (digital signature standard).

3) The storage space is small: the key length and system parameters of the elliptic curve system are much smaller than those of RSA and DSA. 160-bit ECC has the same security strength as 1024-bit RSA and DSA, and 210-bit ECC has the same security strength as 2048-bit RSA and DSA, which means it occupies much less storage space.

4) Low bandwidth requirements: For a given security level, ECC has smaller parameters than RSA and DSA. For higher security levels, the difference in parameter size is more pronounced. The benefit of smaller parameters is that the calculation speed is faster, the key is shorter and the key certificate is smaller, so the length of the signature and the length of the ciphertext are shorter.

In summary, elliptic curve cryptography can achieve higher security with less overhead (such as bandwidth, calculation, storage space, power consumption, etc.) and delay, and is especially suitable for situations where computing power and bandwidth are limited, such as Ad Secure communication in Hoc network environment, etc. Compared with similar solutions, it has the characteristics of fast calculation speed, small storage space occupation and low network bandwidth requirement when achieving the same security.

The technical solutions provided in the above embodiments can be realized by software, and the software can be stored in a computer-readable physical medium, such as a CD, a floppy disk or a hard disk.

The above-described embodiments are only preferred specific implementations of the present invention, and ordinary changes and replacements performed by those skilled in the art within the scope of the technical solution of the present invention should be included in the protection scope of the present invention.

Claims (18)

1. A method for generating a group key, characterized in that the method comprises: The members in the group form a logical ring, and the members in the ring are represented by U _i , wherein, i=1, 2, ..., n, and the n is the total number of members in the group; Select system parameters based on elliptic curves, the system parameters include: prime number q, the set Z _q of the smallest non-negative remainder obtained by integer modulo q, and the public base point P based on elliptic curves; According to the Diffie-Hellman key agreement algorithm on the elliptic curve and the system parameters, member U _i and member U _i-1 generate a pairwise shared key K _i-1,i , and member U _i+1 generates a pairwise shared key K i-1,i Key K _{i, i+1} ; and, when i=n, said i+1=1; The member U _i generates an intermediate value according to the pairwise shared key K _i-1,i and the pairwise shared key K _i,i+1 , and broadcasts a group key carrying the intermediate value within the group Key negotiation message; After the member U _i receives the group key negotiation message broadcast by all other members, it extracts the intermediate value, and calculates the pairwise shared secret between the other member and the next member of the other member according to the intermediate value. key; Verify whether the pairwise shared key K _i,i+1 is equal to the pairwise shared key K _i+1,i , the verification is passed, and the member U _i generates a group key SK=K based on all pairwise shared keys _{1, 2} + K _{2, 3} + . . . + K _{n, 1} . 2. The method for generating a group key according to claim 1, characterized in that, said member U _i and member U _i-1 generate pairwise shared keys K _i-1,i , and members U _i+1 The steps of generating pairwise shared keys K _{i, i+1} specifically include: The member U _i selects a random number r _i from the Z _q , calculates the DH public key value _Xi = r _i P, and sends a group key negotiation message carrying the DH public key value _Xi to the member U _{i -1} and member U _i+1 ; After the member U _i receives the group key negotiation message sent by the member U _i-1 , it extracts Xi _-1 and calculates K _{i-1, i} = r _i X _i-1 = (xi _{-1, i} , y _{i-1, i} ); After the member U _i receives the group key negotiation message sent by the member U _i+1 , it extracts X _i+1 and calculates K _i,i+1 =r _i X _i+1 =(xi _,i+1 , y _{i, i+1} ). 3. The method for generating a group key according to claim 1, wherein the member U _i is based on the pairwise shared key K _{i-1, i} and the pairwise shared key K _i, The steps for _i+1 to generate an intermediate value include: The member U _i multiplies the corresponding component of the pairwise shared key K _{i-1, i} by the corresponding component of the pairwise shared key K _{i, i+1} , and then moduloes the product to obtain The coordinate point after the modulus is used as the intermediate value. 4. The method for generating a group key according to claim 3, wherein the step of calculating the pairwise shared key between other members and the next member of the other members according to the intermediate value specifically comprises: Calculate K _{i+l, i+l+1} = (x _{i+l, i+l+1} , y _{i+l, i+l+1} ), the said l pass takes 1, 2, ..., n -1, said $x_{i+l,i+l+1}=z_{1,i+l}{x}_{i+l-1,i+l}^{-1}\mathrm{mod}p,$ said ${\mathrm{the\; y}}_{i+l,i+l+1}=z_{2,i+l}{\mathrm{the\; y}}_{i+l-1,i+l}^{-1}$ modp, the z _{1, i+l} and z _{2, i+l} are two components of the intermediate value. 5. The method for generating a group key according to any one of claims 1 to 4, wherein said member U _i generates a group key SK=K _1,2+ The steps of K _2,3 +...+K _{n, 1} specifically include: The member U _i performs elliptic curve point summation on each pairwise shared key to obtain the group key SK=K _1,2 +K _2,3 +...+K _n,1 . 6. The method for generating a group key according to claim 2, wherein the member U _i performs a hash operation on the generated group key to generate a group key seed r=r ₁ r ₂ +r ₂ r ₃ +...r _i r _i+1 +...+r _n-1 r _n +r _n r ₁ , when there are m new members joining the group, the m is a positive integer, the Methods also include: Forming the m new members, the member U ₁ and the member U _n into a new logical ring, the members in the new logical ring are denoted by V _i , and the i=1, 2, ..., m+ 2, wherein, V ₁ represents the member U ₁ , and V ₂ represents the member Un; The member V ₁ calculates r ₁ ′=r ₁ ·r according to the r ₁ and the r; said member V ₂ calculates r ₂ ′=r ₂ ·r according to said r ₂ and said r; Members V _i other than said members V ₁ , V ₂ select a random number r _i ′, Each member V _i generates a pairwise shared key with adjacent members according to the group key agreement protocol and the r _i ', generates a new intermediate value according to the pairwise shared key, and broadcasts the intermediate value value group key negotiation message; After each member V _i receives the group key negotiation messages of all other members in the new logical ring, it extracts the intermediate value and generates a new group key; At the same time, the member V ₁ sends the r ₁ ′ or the member V ₂ sends the r ₂ ′ to the member U _i , where _i =2, 3, ..., n- 1; if the member U _i receives r ₁ ′, generate a new group key according to the method that member V ₁ generates a new group key; if the member U _i receives r ₂ ′ , then generate a new group key according to the method of generating a new group key by the member _V2 . 7. The method for generating group keys as claimed in claim 1, wherein when m members withdraw from the group, the method further comprises: The remaining nm members form a new logical ring, and the members in the ring are represented by _Wi , i=1, 2, ..., nm, and the members _Wi reselect random numbers, according to the Diffie-Hellman key agreement agreement and the system parameters, generate a new pairwise shared key with adjacent members, and generate a new group key according to the new pairwise shared key. 8. The method for generating a group key as claimed in claim 7, wherein said member _Wi is divided into odd members and even members according to the value of i, and correspondingly, said member _Wi reselects the random number The specific steps are: The random number reselected by the odd member is different from the original random number, and the reselected random number by the even member is the original random number. 9. The method for generating a group key according to claim 1, further comprising: After the member U _i generates the intermediate value, it signs the intermediate value, and carries the signature in the group key negotiation message, and the member receiving the group key negotiation message uses the signature Verify whether the group key negotiation message is correct. 10. The method for generating a group key according to claim 2, further comprising: After the member U _i calculates the DH public key value X _i = _ri P, it signs the DH public key value, and carries the signature in the group key negotiation message, and receives the group key The members of the key negotiation message use the signature to verify whether the group key negotiation message is correct. 11. A system for generating group keys, characterized in that the system comprises: A logic ring forming module is used to form a logical ring of members in the group, and the members in the ring are represented by U _i , wherein, i=1, 2, ..., n, and the n is the total number of members in the group; A system parameter selection module for selecting system parameters based on elliptic curves; A message sending and receiving module, configured to send and receive a group key negotiation message, where the group key negotiation message carries the D-H public key value and intermediate value generated by members in the logical ring composition module; A group key generation module, configured to generate a group key according to the system parameters selected by the system parameter selection module and the D-H public key value and intermediate value in the group key negotiation message received from the message transceiver module. 12. The system for generating a group key as claimed in claim 11, wherein the group key generation module specifically comprises: A shared key generation unit, configured to generate pairwise shared keys K i-1,i of member U _i and member U _{i-1 according} to the Diffie-Hellman key agreement protocol and the system parameters selected by the system parameter selection module , generating pairwise shared keys K _{i,i+1 of member U i and member U i+1 ; and} , when i=n, said i+1=1; An intermediate value generation unit, configured to generate an intermediate value according to the pairwise shared keys K _{i-1, i} and K _{i, i+1} generated by the shared key generation unit; The shared key verification unit is used to verify whether the pairwise shared key K _{i, i+1} is equal to the pairwise shared key K _{i+1, i} , and if the verification is passed, notify the group key generation unit to generate a group key; Otherwise, notify the group key generating unit to stop generating the group key; The group key generation unit is configured to calculate the pairwise shared key between adjacent members according to the intermediate value after receiving the notification of generating the group key sent by the shared key verification unit, and calculate the pairwise shared key between adjacent members according to all pairwise shared keys. The key generates the group key. 13. The system for generating a group key as claimed in claim 11, wherein the system further comprises: The group key seed generation module is used to operate the generated group key to generate the group key seed; The group key update module is used for when a new member joins the group, according to the logical ring composition module, the new member forms a new logical ring with the member U ₁ and the U _n , and uses the group key The group key seed generated by the key seed generation module, and a new group key is generated by the group key generation module. 14. The system for generating a group key as claimed in claim 13, wherein the group key update module is also used for: When a member withdraws from the group, the remaining members form a new logical ring, the members are represented by _Wi , i is a positive integer less than n, and the members are divided into odd members and even members according to the value of i; Odd members select a random number different from the original random number, so that the even members select the same random number as the original random number, and generate a new group key through the group key generation module. 15. The method for generating a group key according to claim 11, wherein the system further comprises: A signature generation module, configured to sign the D-H public key value and the intermediate value, and carry the signature in the group key negotiation message; A signature verification module, configured to use the signature to verify whether the group key negotiation message is correct after receiving the key negotiation message. 16. A device for generating a group key, characterized in that the device comprises: A logical ring forming module is used to form a logical ring with the equipment in the group, and the equipment is represented by U _i , wherein, i=1, 2, ..., n, and the n is the total number of equipment in the group; A system parameter selection module, used for selecting system parameters based on elliptic curves after the logical ring composition module completes the logical ring composition; The DH public key value calculation module is used to calculate the DH public key value according to the system parameters selected by the system parameter selection module, and send it to the device U _i-1 and the device U _i+1 through the message sending and receiving module; The shared key generation module is used to generate pairwise shared keys K _i respectively according to the Diffie-Hellman key agreement protocol and the DH public key values of the device U _i-1 and the device U _i+1 received from the message sending and receiving module _{-1, i} and two shared keys K _{i, i+1} ; An intermediate value generating module, configured to generate an intermediate value according to the pairwise shared keys K _{i-1, i} and K _{i, i+1} generated by the shared key generating module; A message transceiver module, configured to send and receive a group key negotiation message, where the group key negotiation message carries the D-H public key value calculated by the D-H public key value calculation module or the intermediate value generated by the intermediate value generation module value; A group key generation module, configured to generate a group key according to the system parameters selected by the system parameter selection module and the D-H public key value and intermediate value in the group key negotiation message received from the message transceiver module. 17. The device for generating a group key according to claim 16, further comprising: The group key update module is used for when the number of devices in the group changes, according to the system parameter selection module, the D-H public key value calculation module, the shared key generation module, the intermediate value generation module and the message sending and receiving module information to generate a new group key. 18. The device for generating a group key according to claim 16, further comprising: A signature generation module, configured to sign the D-H public key value calculated by the D-H public key value calculation module or the intermediate value generated by the intermediate value generation module, and carry the signature in the group key negotiation message; A signature verification module, configured to use the signature to verify whether the group key negotiation message is correct after receiving the key negotiation message.

Images