CN106127075A - The encryption method of can search for based on secret protection under a kind of cloud storage environment - Google Patents
The encryption method of can search for based on secret protection under a kind of cloud storage environment Download PDFInfo
- Publication number
- CN106127075A CN106127075A CN201610472300.9A CN201610472300A CN106127075A CN 106127075 A CN106127075 A CN 106127075A CN 201610472300 A CN201610472300 A CN 201610472300A CN 106127075 A CN106127075 A CN 106127075A
- Authority
- CN
- China
- Prior art keywords
- document
- data
- search
- index
- ibs
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
Abstract
The invention discloses the encryption method of can search for based on secret protection under a kind of cloud storage environment, make L={li| 1≤i≤card (L) } represent IBS SSE system model in all of card (L) plant user identity type, each data consumer belongs to one of which identity type, 1≤x≤card (L);For document F, if document owner specifies the identity type of the data consumer of addressable document F to belong to the set that radix is xThen by the h of Bloom Filter independent hash function HASH={H1,H2,...HhWillIn x element map in the bit string vector P of a length of q, P is the access control policy being bound to document F;When certain data consumer want access F time, access control executor by Bloom Filter, judge according to P whether identity type l of this data consumer belongs to sets of authorizationsIf belonging to, the match is successful, is not belonging to then that it fails to match.The present invention solves existing symmetry and can search for encipherment scheme and be difficult to be applicable to efficiently and safely multi-source data user model and conduct interviews the problem controlled for diversiform data user.
Description
Technical field
The present invention relates to the encryption method of can search for based on secret protection under a kind of cloud storage environment.
Background technology
Along with the increase of the network bandwidth and popularizing of mobile Internet, motility and economy that cloud storage is good are inhaled
Draw the individual sight with enterprise, allowed them that local complicated data management system is contracted out to cloud.Cloud storage has become as cloud
Calculate one of widest application, the user of the application of public cloud storage such as Dropbox, Google Drive, Kingsoft fast disk, micro-dish
Quantity is skyrocketed through (wherein the number of users of Dropbox has broken through 500,000,000), Eucalyptus, 3A Cloud, minicloud etc.
Platform the most provides the safety privately owned cloud of office for increasing enterprise.Cloud storage user can utilize in different places
Different terminals (such as desktop computer, notebook computer, panel computer, smart mobile phone etc.) accesses data, and cloud storage is that these set
Standby data sharing provides a kind of optimal solution.
But, due to data ownership and the separation of administrative power, the hidden danger of some data safety is emerged in large numbers the most therewith, cloud user
Distrust to cloud storage service provider has become cloud storage at the important restriction factor promoted on way.In cloud storage pattern
Under, the data of user (include that government and the financial data of company, the medical information of individual, mail, photograph album, financial transaction etc. are quick
Sense data) completely it is managed by cloud service provider (Cloud Service Provider, CSP) and is stored.CSP can obtain
Take, search for user and be stored in the sensitive data in high in the clouds;Due to the system failure, CSP may lose the data of user;Assailant also may be used
The data that can obtain user by attacking the server of CSP cause information leakage.These potential safety hazards make the safety of cloud storage
Property becomes a problem that can not be ignored.
In order to protect data-privacy, before uploading the data to CSP, it is necessary to by data owner, it is encrypted.
But, this makes the data based on plaintext keyword search that some are traditional use service to be normally carried out undoubtedly.There is one
Solution is to download all data and decipher in this locality, will produce huge bandwidth cost yet with in cloud system, should
Scheme is the most unpractiaca.Furthermore, put aside for the time being alleviating locally stored administrative burden, if can not be conveniently and efficiently
Search for, utilize and share data, then storing data into high in the clouds will be nonsensical.Therefore, for adding Miyun Data Mining
Effective percentage and ensure that the encipherment scheme that can search for of its personal secrets can not be ignored and extremely have realistic meaning.In view of cloud
Hold potential a large number of users and outsourcing data, meet simultaneously privacy, system availability, extensibility and high efficiency will
Asking, this research topic will be extremely difficult, the most challenging.
The cipher text searching system typically possessing privacy protection function includes data owner, data consumer and CSP tri-
Individual participant.The cryptographic algorithm generally using AES (Advanced Encryption Standard) etc carrys out encryption data, adopts
Security Index is generated with the special encipherment scheme that can search for.Can search for encipherment scheme and mainly include two classes: be based on symmetric key
Can search for encrypting (Searchable Symmetric Encryption, SSE) and based on unsymmetrical key can search for is encrypted
(Searchable Asymmetric Encryption, SAE).
It is that data owner shares indiscriminate key with data consumer that symmetry can search for the basic model of encipherment scheme.
Single key word be can search for encryption would generally set up one encryption can search for index, server is hidden index content,
Unless server has obtained the suitable trapdoor generated by key.This kind of scheme is proposed first by Song et al., and they are with a kind of
The special each word in double-decker encryption method encrypted document one by one, need to travel through whole document during search ciphertext and confirm
Whether there is required key word, search efficiency is that comparison is low thus.Afterwards, Goh, Chang and Curtmola et al.
For SSE give deeper into security definitions.The scheme that Goh proposes uses pseudo-random function (Pseudorandom
Function) and Bloom Filter (Bloom Filter) be each document build a Security Index, search time with literary composition
Gear number amount is directly proportional, but the correctness that the error caused due to Bloom Filter makes Search Results is the most complete.Chang
Et al. and Curtmola et al. almost to propose employing pseudo random techniques in the same time be that key word generates index, raw for user
Become the scheme of inquiry request, improve search efficiency, but the renewal of data is supported deficiency by scheme, need very big amount of calculation to carry out more
Newly, in some instances it may even be possible to reconstruct all indexes.Afterwards, Kamara et al. proposes the cipher text retrieval method that can support that document updates.
Wang et al. have studied the keyword search problem supporting safe ranking, utilizes reverse indexing (Inverted Index) and order-preserving
Key word frequency in encryption (Order Preserving Encryption) technology secrecy document, according to keyword frequency sorts
Search Results rather than return indiscriminate result.Recently, the one that Naveed et al. proposes is based on blind storage (Blind
Storage) can search for encipherment scheme and can be greatly promoted search efficiency of mechanism, it is often more important that, the utilization of blind storage makes
The search pattern (Access Pattern) of data consumer is hidden, and this is that overwhelming majority existing program cannot realize.
Artificial each document index building such as Cao vector, is used matrix encryption and is added by the size of vector inner product value after inquiry
The multi-key word search of ciphertext data, and front n the document in Query Result is returned, but owing to all documents need to be traveled through, search
Efficiency and searching accuracy are relatively low.
The asymmetric basic model that can search for encipherment scheme is that any people holding public keys can write and is stored in
The data of server, but the authorized user only holding private key can carry out cipher text searching.Boneh et al. first proposed based on non-
Symmetric key can search for encipherment scheme, SAE is improved by rear Abdalla et al..Followed by, Boolean key word inquiry,
Subset inquiry, range query etc. can search for encryption technology to be occurred in succession.Kerschbaum et al. proposes Identity-based encryption
Asymmetric can search for encryption technology.Lin et al. decreases inevitable two-wire in unsymmetrical key can search for encipherment scheme
The use of property pair, it is proposed that support single keyword search, be applicable to the cipher text searching scheme that network is discerned.Hwang et al. carries
Go out to meet can search for encipherment scheme and allowing server to pass through user list control of fixed keyword (non-free) union inquiry
Search permission processed, the program is applicable to the multi-user scene under corporate environment, and regrettably extensibility is relatively low, when reply is big
During amount user, efficiency will decline to a great extent.Li et al. uses predicate encryption to propose to meet multi-user scene delegatable asymmetric
Can search for encipherment scheme, but in the program, the inquiry request of data consumer need to be generated by trusted third party, inefficient.
Sun et al. proposes a kind of mandate based on attribute encryption technology first and can search for encipherment scheme, and data owner uses access
Control strategy generates index, and the user attributes only implied when the trapdoor of data consumer meets the access that index is comprised
During the key word that strategy and this index are searched for corresponding to user, destination document could be accessed.The program is supported single simultaneously
Key word and the union search of fixing multi-key word, extensibility is stronger.
In summary, it is higher that existing symmetry can search for encryption technology efficiency, can meet freely inquiring about multi-key word,
But due to the Authentication theory of symmetric cryptography, traditional based on symmetric key realization can search for encrypts scarcely support complexity
Multi-user scene, huge at number of users and have that to access the motility exposed in the case of demand for control relatively low with extensibility
Problem, result in its application situation limitation.Relatively, the asymmetric encryption technology that can search for is more suitable for the multiplex of complexity
Family model, and Bilinear map (Bilinear Paring) can be utilized to calculate the range data being represented as keyword vector
Realize the ciphertext scope of data function of search that symmetric cryptography is generally difficult to support, exactly because but also Bilinear map can not be kept away
The use exempted from, result in the problem that search efficiency is low, and major part scheme cannot meet freely inquiring about of multi-key word, also in addition
Have impact on the actual application of such scheme.Sum it up, existing research lack " many data owners-many data consumers " this
Complex query condition, ciphertext data are updated and access the support controlled, or realize cost simultaneously under one complicated user model
Too high, efficiency is on the low side with availability.
Summary of the invention
The technical problem to be solved is, not enough for prior art, it is provided that under a kind of cloud storage environment based on
Secret protection can search for encryption method.
For solving above-mentioned technical problem, the technical solution adopted in the present invention is: based on privacy under a kind of cloud storage environment
That protects can search for encryption method, and it is as follows that the method mainly realizes process: makes L={li| 1≤i≤card (L) } represent IBS-
In the system model of SSE, all of card (L) plants user identity type, and card (L) represents the radix of set L;Each data make
User belongs to one of which identity type, 1≤x≤card (L);For document F, if document owner specifies addressable document
The identity type of the data consumer of F belongs to the set that radix is xThen by the h of Bloom Filter independent Kazakhstan
Uncommon function HASH={H1,H2,...HhWillIn x element map in the bit string vector P of a length of q, P is and is bound to
The access control policy of document F, P writes index document with the identifier of F and is stored in IBS-SSE system model;When certain
When individual data consumer wants to access F, the executor that access controls is after getting the relevant index document of F, by Broome mistake
Filter, judge according to P whether identity type l of this data consumer belongs to sets of authorizationsIf belonging to, the match is successful, does not belongs to
In then it fails to match.
The generation process of access control policy P includes: initially set up the bit string vector P of an a length of q, and by bit string to
Amount everybody value of P is initialized as 0;For either elementUtilize each function in hash function group HASH
One a pair liCarry out Hash and obtain h Hash Round Robin data partition H1(li), H2(li) ... Hh(li), update cloth Shandong according to this h address
Nurse filter vector, makes the value of these positions of Bloom Filter vector be changed by 0 and is set to 1, finally return that the Bu Lu being updated successfully
Nurse filter vector is as access control policy;
Access the process that implements controlling to mate to include: firstly generate integer number flag=0, for the identity of visitor
Type l, utilizes a pair identity type of each function 1 in hash function group HASH carry out Hash and obtain h Hash Round Robin data partition H1
(l), H2(l) ... Hh(l);One by one check vector P in by these allocation indexs to place value, if value is 1, then flag+=1;If
Value is 0, then it fails to match.Finally, if flag=h, then the match is successful.
DocumentComprise document identifier ID, document properties combined arrangementWith document common content f, literary composition
Shelves combinations of attributesDimension be designated as Dim=n+m,It is made up of Dim Attribute domain and each genus
Property territory all comprises a property value, wherein rkRepresent scope generic attribute RkProperty value, wyThen represent key word generic attribute WyGenus
Property value;Order | Rk| represent RkTerritory all possible property value number, | Wy| represent WyField all possible property value number, that
In collection of document FILE, make Α be all document properties combination set, then the radix of Α be card (Α)=| R1|×|
R2|×...×|Rn|×|W1|×|W2|×...×|Wm|;Wherein, 1≤k≤n;1≤y≤n.
The detailed process obtaining index document relevant for F includes:
1) the access trapdoor from data user is being receivedQ retouches
State the data search condition of data consumer, whereinDescribe data consumer to target literary composition
The different requirements of each attribute thresholding of shelves, UID then indicates the identity of access requestor, specifically, DRDescribe a model
Enclosing the requirement of the value of generic attribute, it can be a numerical value or a numerical range;And DWDescribe a key word generic
The requirement of the value of property, it can be any number of key word.When data consumer is with [rx1,rx2](rx1≤rx2) defined attribute
Field RxTime,Utilize order preserving transformation function X pairMake conversion and can obtain its encrypted formWhen data consumer is with z key definition attribute field WxTime,Utilize universe pseudo-random function Ψ pairIt is encrypted and can obtain its encrypted formAfter), accessing the executor CA controlled can inquire about in two-dimensional polling list according to Q
Qualified index document identifier (IID) s, and by all corresponding tuple (addr) s combination producing subsets
By SQThe data block total number indexed is designated as sizeQ;When the scope generic attribute territory condition in QAt least
During one non-NULL, select the attribute R that given range codomain is minimummin, 1≤min≤n;CA is according to given minimum value scope
R is pressed in locationminThe two-dimensional polling list T of sequenceminIn meetTuple, recycling
Carry out the coupling of other Attribute domains;When the scope generic attribute territory condition in QDuring all skies, the most directly
UtilizeThe tuple of arbitrary table in two-dimensional polling list collection T is mated;
2) S is drawnQAfter, CA selects a random number τ and generates a pseudorandom integer ordered series of numbers V ← Γ (τ), before V
β·sizeQIndividual different integer array becomes pseudorandom subsetVQIt is to operate the mixed of preparation for accessing of access trapdoor Q
Confuse subset;Γ is PRNG;nB=α bmax;α and β is spreading factor and the confounding factors of IBS respectively, bmaxIt is
Array B is available for the number of data blocks upper limit of storage.
3) CA will be by SQAnd VQThis locality is upset and be jointly downloaded to the data block indexed, and utilizes
Deciphering is by SQThe data block that indexes also recovers and indexes document accordingly;B [i] is the i-th data block in B, and B is containing nB
=α bmaxThe array of individual data block;Φ is pseudo-random function, KΦIt is the key for Φ, viIt it is the version of i-th data block
Number,I.e. utilize Φ and KΦTo character string (vi| | i) make pseudo-random process.
4) after recovering the index document that identifier is (IID) s, CA travels through terminal list FS according to (IID) s, if
FS exists to certain part index document more newly requested, the most first it is updated, remove this request, then will update after rope
Quotation shelves are as indexing document accordingly;
5) when needing to add new index document, first check whether index document identifier to be added is present in T
In, if existing, then perform write operation;If not existing, adding the most in the steps below and indexing document:
5a) will index document sets IND, number of data blocks upper limit bmax, two-dimensional polling list collection T and KIBSAs input, by rope
Draw every part of index document I in document sets INDiIt is split as sizeiIndividual data block, as index document IiTotal byte length
lengthiWhen can not be divided exactly by ω, front lengthi/ ω data block size is ω, last size data block less than ω
Being filled to ω by 0s, all data blocks all comprise two head fields, and one of them is responsible for recording IIDi, another is then responsible for record
IiVersion number vi, viIt is initialized as 0;
5b) making B is containing nB=α bmaxData blocks all in B are also initialized as 0s, to IND by the array of individual data block
In each index document Ii, with σ=IIDiFor seed, generate an integer Number Sequence S ← Γ (σ), from the beginning of sequence S
Select sizeiIndividual different integer number, and guarantee that the data block in the B indexed by these integer numbers is sky;With
Represent before being generated by σ and PRNG ΓIndividual integer number, creates a pseudorandom subsetSi=Λ
[σ,sizei];
5c) will be by I by ascending orderiThe size splitiIndividual data block writes by SiData block in the B indexed, these
Data block is marked as non-NULL;
5d) by two-dimensional polling list collection T with IiThe addr of corresponding tupleiField is updated to Si;
Pseudo-random function Φ 5e) is utilized all data blocks in B to be encrypted.
Compared with prior art, the had the beneficial effect that present invention of the present invention solves existing symmetry and can search for adding
Close scheme is difficult to the problem simultaneously supporting any multidimensional keyword query with the complex conditions search of range query;Solve
Existing symmetry can search for encipherment scheme and is difficult to be applicable to multi-source data user model efficiently and safely and make for diversiform data
User conduct interviews control problem.
Accompanying drawing explanation
Fig. 1 is that the data of one embodiment of the invention upload model;
Fig. 2 is data search (access) model of one embodiment of the invention;
Fig. 3 is index storage model different from IBS for BS;
Fig. 4 is the IBS scheme of the present invention key operation flow process in the data search stage;
Fig. 5 is for when attribute dimensions is fixed, and data set sets up index experimental result picture;
Fig. 6 is when initiating searching request with same inquiry trapdoor Q, the computing cost that index obtains and data set size
Relation;
Fig. 7 is when the attribute dimensions of data set document is fixed as Dim=9, with different trapdoor Q1、Q2With Q3To difference
Calculating time overhead when the data set of size scans for;
Fig. 8, for when data set attribute dimension is Dim=9, updates portion index document in a secondary index obtains operation
Required time overhead accounts for the proportion that index obtains the overhead of operation;
Fig. 9 illustrates and completes once to access the time controlling coupling under the data set of different attribute dimension and data volume;
Figure 10 illustrates the pass calculated between time overhead and data set attribute dimension and data volume adding a document
System.
Detailed description of the invention
The system model of IBS-SSE is made up of four entities: data owner, data consumer, authority central authority CA
And cloud service provider CSP, Fig. 1 and Fig. 2 respectively show the data of the program and upload model and data search (access) mould
Type.IBS-SSE mainly by IBS-SSE.Setup, IBS-SSE.IndexGen, IBS-SSE.Enc, IBS-SSE.Trapdoor,
IBS-SSE.Search, IBS-SSE.Dec and IBS-SSE.AddUser, eight polynomial time algorithms of IBS-SSE.AddDoc
Composition.In order to realize complex conditions search and user access control under multi-source data user model efficiently and safely simultaneously, this
Invention design also have employed two key technologies in these main algorithm: indexes blind storage IBS (Index Blind
Storage) and the relevant user identity access control method of ciphertext, first the present invention will introduce both key technologies, then explain
State the algorithm definition of IBS-SSE.
1.IBS memory mechanism
IBS is affected by the inspiration of blind memory mechanism BS, and for index document, the storage management design of non-document itself, causes
Power provides answering including any multidimensional keyword query and range query in the encipherment scheme that can search for for setting up based on IBS
The encryption memory mechanism of miscellaneous conditional search.For realizing this target, the present invention realizes details to the framework of BS with algorithm and carries out
Amendment, have employed a series of pseudo-random function, and introduce realized by MySQL two-dimensional polling list set T, access trapdoor Q, mixed
Confuse factor-beta and terminal list FS.IBS be made up of three polynomial time algorithms running on CA end (scheme former from BS is different,
In order to adapt to the complicated user model of " multiple-owner-multi-user " in enterprise-class environment, in IBS, these algorithms main
Execution side and related parameter choosing side are changed to the client of authority central authority CA by the client of data owner itself, by
CA end is to set up index from the possessory data of many data are unified and process the data search request from many data consumers,
Fig. 3 illustrates index storage models different for BS from IBS.
IBS.KeyGen (λ):
Safety coefficient λ as input, is exported key K for pseudo-random function PRF by key scheduleΦ, for universe pseudo-with
Machine function FD-PRF exports key KΨ.Finally export KIBS=(KΦ, KΨ) and by KIBSIt is stored in CA client.
IBS.Initial(IND,bmax,T,KIBS):
Initialization algorithm will index document sets IND, number of data blocks upper limit bmax, two-dimensional polling list collection T and KIBSAs defeated
Enter.By every part of index document I in index document sets INDiIt is split as sizeiIndividual data block, the size of each data block is
ω, sizeiComputational methods as follows:
As index document IiTotal byte length lengthiWhen can not be divided exactly by ω, front lengthi/ ω data block size
For ω, last size data block less than ω is filled to ω by 0s.All data blocks all comprise two head fields, Qi Zhongyi
Individual responsible record IIDi, another is then responsible for record IiVersion number vi, viIt is initialized as 0.
Making B is containing nB=α bmaxData blocks all in B are also initialized as 0s by the array of individual data block.To in IND
Each index document IiOperation below performing:
(1) with σ=IIDiFor seed, generate a sufficiently long integer Number Sequence S ← Γ (σ), from the beginning of sequence S
Select sizeiIndividual different integer number, and guarantee that the data block in the B indexed by these integer numbers is sky.With
Represent before being generated by σ and PRNG ΓIndividual such integer number, creates a pseudorandom subsetSi
=Λ [σ, sizei]。
(2) will be by I by ascending orderiThe size splitiIndividual data block writes by SiData block in the B indexed, these
Block is marked as non-NULL.
(3) by two-dimensional polling list collection T with IiThe addr of corresponding tupleiField is updated to Si。
Afterwards, CA utilizes pseudo-random function Φ all data blocks in B to be encrypted, and is sent extremely by the B after encryption
CSP.For the i-th data block in B, its encrypted form is
IBS.Access(Q,op,T,KIBS):
Data access algorithm will access trapdoor Q, operating instruction symbol op, two-dimensional polling list collection T and KIBSAs input.?
All document function op ∈ in read, write, alter, delete}, write operation write, amendment operation alter and deletion
Operation delete is all attached in read operation read by time delay laziness update method, to slow down the operation burden of CA.
(1) receiving from data user'sAfterwards, CA can root
In two-dimensional polling list, qualified (IID) s is inquired about and by all corresponding (addr) s combination producing subsets according to QCan be by SQThe data block total number indexed is designated as sizeQ.Specifically, when the scope generic attribute territory condition in QAt least during a non-NULL, select the attribute R that given range codomain is minimummin(1≤min≤n), due to TminIn
Tuple is according to property valueBy ascending order arrangement, CA can be according to given minimum value scopeQuickly position TminIn
MeetTuple, then on the premise of decreasing tuple query context, recycling
Carry out the coupling of other Attribute domains;When the scope generic attribute territory condition in QDuring all skies, the most directly
UtilizeThe tuple of arbitrary table in T is mated.The matching operation in this stage is mainly complete by MySQL
Become.
(2) S is being drawnQAfter, CA selects a random number τ and generates a sufficiently long pseudorandom integer ordered series of numbers V ← Γ
(τ).Front β size with VQIndividual different integer array becomes pseudorandom subsetVQIt it is the access operation for trapdoor Q
Prepare obscures subset.
(3) CA will be by SQAnd VQThis locality is upset and be jointly downloaded to the data block indexed, and utilizes
Deciphering is by SQThe data block that indexes also recovers and indexes document accordingly.
(4) after recovering the index document that identifier is (IID) s, CA can travel through terminal list FS according to (IID) s.
If FS exists to certain part index document more newly requested, the most first it is updated, remove this request, then will update after
Index document puts in ensuing task.To IiWrite operation write in can encounter two kinds of situations:
If I after (a) renewali' number of data blocks sizei' with update before consistent, data that CA only need to be written into
datanewWrite IiLast data block, make IiAll data block version number vi=vi+ 1, then encrypt these data blocks
And return B to complete to update with obscuring block together foldback.
If I after (b) renewali' number of data blocks sizei' more than update beforeCA then needs to calculate subsetFetch by S at BnewThe empty data block indexed and (β-1) (sizei'-
sizei) individual obfuscated data block (SnewGeneration method see IBS.Initial step 1).By SwenWith SiMerge and obtain Si'=Si∨
Snew, I will be belonged to after the encryption completing the write of data, the renewal of version number and data blocki' data block together with obscuring block
Together foldback returns B.Finally, by IiAddr in TiField is updated to Si'。
Amendment operation alter and deletion action delete realize step and write operation write is basically identical, difference
It is the difference (data block contents 0s is replaced and is labeled as sky by deletion action) of update content.Fig. 4 illustrates IBS scheme and exists
The key operation flow process in this stage of data search.
It addition, when needing to add new index document, only need to first check index document identifier to be added the most
It is present in T.If existing, then perform write operation write;If not existing, then the step pressing IBS.Initial adds index literary composition
Shelves can (when it should be noted that execution initialization algorithm, B be in this locality, and adds document I the most againiTime B be stored in CSP,
Now need to calculate S ← Γ (IIDi) and from S, determine a length of sizeiSubsetWith a length of
α·sizeiSubsetDownload from B byThe data block of index goes back to this locality, then by data pair to be added
By SiThe block of index covers).
2. the user identity access control method that ciphertext is relevant
Can relate to the data consumer of different identity type in system design based on IBS-SSE, data owner has
Weigh and specify access control policy for its document.The present invention designs the relevant user identity of an easy Ciphertext policy for this and accesses
Control method, the method is mainly with Bloom Filter (Bloom Filter) for the core realized.Make L={li|1≤i≤
Card (L) } represent IBS-SSE system model in all of card (L) plant user identity type, each data consumer all belongs to
In one of which identity type.For document F, if document owner specifies the identity class of the data consumer of addressable the document
Type belongs to the set that radix is x (1≤x≤card (L))Then by the h of Bloom Filter independent hash function
HASH={H1,H2,...HhWillIn x element map in the bit string vector P of a length of q, P is and is bound to document F's
Access control policy, will write index document with the identifier of F and is stored in IBS.When certain data consumer wants to access F
Time, the executor CA that access controls, after operation IBS.Access gets the relevant index document of F, can be filtered by Broome
Device, judge according to P whether identity type l of this data consumer belongs to sets of authorizationsIf belonging to, the match is successful, is not belonging to
Then it fails to match.The generation of access control policy P and access control the concrete methods of realizing of coupling respectively such as algorithm 1, algorithm 2 institute
Show:
3.IBS-SSE scheme
Dynamic symmetry can search for encipherment scheme IBS-SSE and is mainly made up of, by them following 8 polynomial time algorithms
Interact with blind destination server.This programme uses the blind memory mechanism IBS of index to be indexed the storage and management of document, logical
Cross it and realize the search of complex conditions.
IBS-SSE.Setup: run on CA end.Using security parameter as input, defeated for cryptographic primitive all in scheme
Go out key KSSE;Create user list, for existing subscriber's distributing user ID and formulate identity type.
IBS-SSE.IndexGen: run on CA end.By a collection of document and Qi Nei all possible document properties group
Cooperation, for inputting, for every part of document distribution document identifier and generates access by the user identity access control method that ciphertext is relevant
Control strategy;Generate index document sets merging and process index document with IBS.Initial algorithm initialization IBS mechanism.
IBS-SSE.Enc: CA end or user side may be run on.The document that need to add is encrypted and sends to CSP;
The identifier of the document, document properties and access control policy are sent to CA to update index (when running on user side simultaneously
Time).
IBS-SSE.Trapdoor: run on user side.Visitor utilizes search condition and my identity to generate search and falls into
Q is also sent to CA by door Q.
IBS-SSE.Search: run on CA end.CA runs IBS.Access algorithm to obtain and search condition after receiving Q
Corresponding index document, and carry out authorizing coupling, final requirement to visitor's identity and destination document according to access control method
CSP returns the destination document that the match is successful.
IBS-SSE.Dec: run on user side.Using ciphertext as input, decipher and restore document in plain text.
IBS-SSE.AddUser: run on CA end.First check for new user the most existed with in user list, if nothing,
Then for its distributing user ID specify identity type.
IBS-SSE.AddDoc: run on user side and CA end.Wherein user side is responsible for encryption and uploads new document, and will
The new identifier of document, document properties and access control policy inform CA;CA end is responsible for indexing according to gained information updating.
Compare existing symmetry and can search for encipherment scheme, first, the invention provides and include any multidimensional keyword query
With range query in interior complex conditions search, improve the defect that existing scheme search condition is single;Second, ensureing search
The while of with other key operations high efficiency, present the enhanced scalability of reply mass data;3rd, it is possible to be applicable to
The complicated applications model of " many data owners-many data consumers ", it is ensured that data content, search trapdoor and user identity
Privacy, hiding data accesses access module, and allows data owner to specify access delegated strategy.
The advantage proving this technology here mainly by functional contrast and experimental data.Test and running Windows7
Realizing on the notebook computer of operating system, outfit Intel Core i5-3210M processor and 4G internal memory, code is by Java language
Speech, sql like language and storehouse of increasing income are write, and wherein Crypto++ is applied to block cipher (AES) and impact resistance hash function
(SHA256) realization.
Table 1 gives the BSTORE-SSE that the IBS-SSE scheme of present invention proposition, Naveed et al. propose[11]Scheme and
The EMRS scheme that Li et al. proposes[56]Between functional contrast.These three scheme is all based on the design of blind memory mechanism.
BSTORE-SSE conceals access module by the utilization of blind storage, but the program only allows single keyword search, therefore difficult
With diversified search need in satisfied actual application.On the basis of BSTORE-SSE, EMRS achieves the row of multi-key word
Name search and access control, but the program all cannot meet the application feelings of many data owners (i.e. multiple data origin) with the former
Border.Having drawn the elite of Naveed et al. scheme, IBS-SSE scheme proposed by the invention not only conceals access mould to CSP
Formula, also achieves the complex conditions search including any multidimensional keyword query and range query.Additionally, with IBS-SSE
The EMRM system set up can be flexibly applied to the user model of " multiple-owner-multi-user ", and provides solution dissimilar
The requirements for access of user and the access control method of privacy requirements.
Table 1
Followed by experimental result, just index foundation, search access and document and add three parts and IBS-SSE is commented
Estimate.In an experiment: make α=β=4 to ensure that IBS mechanism the most occupied number of data blocks in array B is less than nBThe situation of/4
Lower unexpected probability p stoppederr≤2-40;Make function number h=7 of hash function group HASH, to ensure at card (L)=3
Minimum with the probability of miscarriage of justice of Bloom Filter in access control method in the case of vector a length of 32 of P.Experiment is respectively
The data set that document properties dimension is Dim=3, Dim=6, Dim=9 is carried out, and takes respectively from this three classes data set
The subset of 128MB, 256MB, 512MB, 1G, 2G carrys out survey calculation expense, makes nB=2 × 104。
1. index is set up:
The performance measurement of index establishment stage covers in IBS-SSE.IndexGen algorithm and generates (containing step except indexing in plain text
Suddenly all operations outside (1)), mainly includes indexing document name and IBS.Initial algorithm (includes indexing piecemeal, two dimension
Inquiry table write and encryption of blocks of data).The index generation performance generating with can search for encipherment scheme of index is unrelated in plain text, and institute
The work of other correlational studyes is had all to give tacit consent to this operation of ignorance.In this stage, index document name is the most less, time complexity
For O (card (Α)), only with data set attribute combined number (i.e. index document number) linear correlation;IBS.Initial(IND,
T,KIBS) occupying major part computing cost, its time complexity can be designated as O (card (Α)+nB), only with data set attribute group
Close number card (Α) and length n of BBRelevant, and unrelated with the data volume of data set.Fig. 5 demonstrates this point: card (Α)
It is doubled and redoubled with the increase of document properties dimension Dim, the increase linear increase of personal attendant card (Α) when index is set up;Work as card
(Α) certain and time data set varies in size, it is basically identical that duration set up in index, as it can be seen, as Dim=6, index is set up
Required time maintains essentially between 13s~15s.Visible, when attribute dimensions is fixed, this programme can be with a length of time stable
Different magnitude data sets set up index.
2. search accesses:
Search dial-tone stage mainly comprises index acquisition and access controls two primary operational and (notes the most only considering
The operation of Situation-1, because the document acquisition operation in Situation-2 is unrelated with the search performance that the present invention pays close attention to,
And its time overhead is the most negligible).
Index obtains the search reduction (containing updating) of generation and the index including trapdoor in operation: the former is by IBS-
SSE.Trapdoor completes, and time complexity is O (Dim), and the latter is mainly completed by IBS.Access algorithm, and both of which is not counted
According to collection size impact.Fig. 6 illustrates when initiating to search with same inquiry trapdoor Q (containing multidimensional keyword query and range query condition)
During rope request, the computing cost that index obtains is unrelated with data set size, is affected the most little by attribute dimensions.It addition, with regard to this
Bright known, the experimental result of encipherment scheme is can search for about the complex conditions supporting any multidimensional keyword query and range query
Extremely limited, that comparing function is similar APKS scheme, when Dim=9 and index number are consistent, APKS needs 42s to complete rope
Draw and search for and IBS-SSE only needs 0.5s (and IBS-SSE has also counted trapdoor generation, index reduction and the expense updated).Therefore,
When Q fixes, this programme shown when searching for the data set of different pieces of information amount size and attribute dimensions enhanced scalability and
Efficientibility.
Fig. 7 illustrates when the attribute dimensions of data set document is fixed as Dim=9, with different trapdoor Q1、Q2With Q3Right
Calculating time overhead when different size of data set scans for, is wherein described in Q1, Q2And Q3Search condition respectively
For: During as it can be seen, data set varies in size when search condition is certain, rope
The time overhead drawing acquisition is basically identical;When search condition is different, data set size is identical, the time overhead that index obtains
Also about 0.5s is maintained.Therefore, when attribute dimensions is fixed, this programme can be with stable efficiency in different size of data
Search is completed according to different Q on collection.
Due to the time delay laziness update method used in IBS.Access, the index acquisition stage also needs to undertake index upgrade
Computing cost.In this programme, index upgrade is time-consumingly grown and is only asked number relevant to pending corresponding renewal.Fig. 8 shows
When data set attribute dimension is Dim=9, in a secondary index obtains operation, updates portion index document (add a line number
According to) needed for time overhead account for index and obtain the proportion of overhead of operation, it is seen that update operation accounting seldom and not with data
Collection size variation, the time overhead obtained substantially without impact index.
Reduction index document after, document need by access control method complete authorize coupling.Fig. 9 illustrates and is not belonging to together
Property dimension and data volume data set under complete once to access the time controlling coupling, total divided by coupling document by mating total duration
Number gained, consumed computing cost is almost in 0, negligible.
3. document adds:
When adding a document F to data setnewTime, the data side of uploading needs for FnewDistribution FIDnew, generate be used for updating
The trapdoor of requestAnd formulate access delegated strategy P by access control methodnew, CA needs content to be updated is write FS
List, required amount of calculation data volume with data set own is unrelated.Figure 10 illustrate the calculating time overhead adding a document with
Relation between data set attribute dimension and data volume, it is seen that it is time-consuming not by the shadow of the size of data set own that document adds operation
Ring, affected by attribute dimensions the most little, be substantially maintained near 0.2s.
Symmetry based on the design of IBS memory mechanism can search for encipherment scheme IBS-SSE and can be combined sql like language by Java language
Completion code realizes.In case of target storage document is for electronic health record data set FILE, the document of composition FILETopology example as shown in table 1, can present with the file format of xml, whereinIt is to share
Content, f represents case history content,Represent case history property content;It is the private identity information of document owner, the only owner
I and the data consumer authorized could conduct interviews under specific security mechanism.Α is all possible attribute in FILE
CombinationSet,By Dim=n+m, Dim dimension attribute territory is constituted and each Attribute domain all wraps altogether
Containing a property value.Wherein rxRepresent scope generic attribute RxProperty value, scope generic attribute generally refers to such as " age ", " day
Phase " etc. the Numeric Attributes that can arrange in order of property value;wxThen represent key word generic attribute WxProperty value, key word generic
Property generally refers to such as the character type attribute such as " sex ", " position ".The attribute dimensions of F can spread, hereinafter simplify statement,
F is made to be made up of three-dimensional properties territory, then temporarilyWherein r is the property value of Attribute domain R (representing " age "), w1And w2
It is respectively Attribute domain W1(representing " sex ") and Attribute domain W2The property value of (representing " disease type "), now card (Α)=| R |
×|W1|×|W2|。
Table 1
From the point of view of the identity of data access person with data access purpose, at IBS-SSE.Trapdoor, IBS-
To there are two kinds of data access situations in the SSE.Search scheduling algorithm stage: make the Situation-1 person U that represents data accessiFor going out
Individual or mechanism according to ad hoc inquiry conditional search data is needed rather than the situation of data owner, order in just cause
Situation-2 represents data access person UiFor data owner or the authorized situation directly obtaining data person.IBS-
The detailed description of the invention of SSE main algorithm is as follows:
IBS-SSE.Setup (λ):
At system establishment stage, CA is using safety coefficient λ as input.
(1) utilize Crypto++ storehouse of increasing income, for system, the cryptographic primitive used is generated key KSSE=KIBS。
(2) creating user list UL according to known users set, list length is designated as | UL |.I-th node generation in UL
Table user Ui=< UIDi,UNi,BIi,TSi,εi>, wherein UIDiIt is set as UiID, UNiFor UiUser name, BIiBag
Include UiEssential information (including name, age, address, contact method, work etc.), TSiIt is at UiGenerate every time and upload new
The timetable of document, εiIt is belonging to UiRandom factor.UIDiBy to UiUnique identification card number idiMake universe impact resistance
Connecting with l after hash conversion Η generation, mode is as follows:
si←H(idi) (1)
UIDi=< si| | l > (2)
siIt is idiReformulations (this sentences a length of | si| string representation), l ∈ L be mark UiUser identity class
The character of type.
(3) by < UIDi,TSi,εi> it is sent to user Ui。
UIDiUsing as user's identification in systems and encryption and decryption privacy of user identity dataKey, it is only
Can be by UiI holds (certain CA also needs to preserve portion).In actual applications, UIDiCan be identified by scanning and make
With, if conditions permit, the available bio information such as fingerprint or iris is as siReplace idiGenerate UIDi, strengthen safety with this
Property.
IBS-SSE.IndexGen (FILE, Α):
Index generating algorithm is by the set FILE combinations of attributes all possible with it of document FSet Α as input,
Operation below performing:
(1) it is every a document Fj∈ FILE generates document identifier FID in the following mannerj:
Wherein UID is FjPossessory ID, t is FjThe generation time, ε is the random factor that document owner is exclusive.
Meanwhile, according to FjThe access rights that the owner specifies for it, are generated by the user identity access control method that ciphertext is relevant and visit
Ask strategy Pj, PjIt it is the bit string vector of 32.
(2) being that FILE initializes and set up index collection of document IND and two-dimensional polling list T, algorithm 3 describes to be set up
Journey:
For arbitraryCreate portion index document Ii.WillIt is designated as meeting document propertiesAll literary compositions
The set of shelves identifier.T={Tj| 1≤j≤card (Α) } it is one and will be used for indexing the 3 row × card (Α) of document searching
The two-dimensional polling list collection of row, often row tuple both corresponds to a index document Ii, it is represented byWherein wrap
Containing IiIdentifier IIDi, jth scope generic attribute thresholding after order preserving transformationAnd record is by IiSplit by form
Data block character string addr of address in IBSi(being initialized as sky).T is reduced to T={T} herein, and its tuple is designated asAll tuples are according to ErSize by ascending order arrange.
(3) IBS.Initial (IND, T, K are runIBS) to initialize IBS.
(4) the index collection of document IND being stored into IBS sends to CSP and takes care of in CA local by T.Due at this programme
Middle CSP is only responsible for uploading download work and not performing calculating task, and therefore CSP end can be directly by cloud storages such as such as Dropbox
Application realizes.
IBS-SSE.Enc (FILE):
Encrypting stage is with collection of document FILE for input.To arbitrary documentAdd by following subregion
Close mode is encrypted:
After willSend and be stored in CSP.
To shareable dataWith privacy of identities dataThe method carrying out subregion encryption is protection user's body
Part privacy also meets the requirements for access of dissimilar user and lays a good foundation.Calculate it addition, be used here traditional symmetric cryptography
Method AES carrys out encrypted document, it is also possible to use more complicated encryption mechanism (such as BS) to seek higher safety neatly.
IBS-SSE.Trapdoor ():
(1) in Situation-1, UiSearch trapdoor should be submitted to CAWherein
Describe UiThe different of attribute thresholding each to destination document require (i.e. querying condition), UIDiThen indicate UiIdentity.Require emphasis
, in order to ensure the accurate description to different attribute territory,Pattern of the input must be fixing, but describe then can be very
Flexibly.Specifically, UiCan be that scope generic attribute specifies a numerical value or a numerical range (such as to would indicate that the D at ageR
It is set to " 5 " or " 1~5 "), when data consumer is to Attribute domain RxSearch condition beTime, utilize
Order preserving transformation function X is to DRMake conversion and can obtain its encrypted formCan be to close
Keyword generic attribute specifies any number of key word (such as to would indicate that disease typeBe set to " catch a cold, fever, cough " or
" hypoglycemia "), when data consumer is with z key definition attribute field WxTime,Utilize universe
Pseudo-random function Ψ is to DWIt is encrypted and can obtain its encrypted formIf it is right
Certain attribute field is without particular/special requirement, it is allowed to property value is empty.If the value of each attribute field is sky, then destination document is whole
Individual set.
(2) in Situation-2, data owner UiDestination document can be known by subscription client local information
FID.Specifically, UID is i.e. utilizedi、TSiIn generation time t and εiCalculate FID.
IBS-SSE.Search(Q,T,KIBS):
(1) in Situation-1, CA will receive from UiSearch trapdoor Q after run IBS.Access, use SQL
Inquire about, obtain with Q described in index document corresponding to search condition decipher reduction.Then, CA can be controlled by access
Method processed is to UIDiMake to access mandate coupling with (FID, the P) s that own comprised in index document, and finally request is returned at CSP
Return the ciphertext block data of the identified document of FID that the match is successful.
(2) in Situation-2, UiDirectly can return the ciphertext block data of destination document to CSP request according to FID.
IBS-SSE.Dec (C):
Decipherment algorithm is with ciphertextAs input, UiCan pass throughObtain shared with the portion in F
Point.Only data owner can pass through with authorized personObtain privacy of identities part.
IBS-SSE.AddUser (s', l', UN', BI', TS'):
After receiving the request adding a new user, first check in user list UL according to s' and the most there is this use
Family.If nothing, CA then distributes UID for new user|UL|+1=<s'| | l'>, and by U|UL|+1=< UID|UL+1|,UN',BI',TS',ε'>
It is linked into UL, | UL |=| UL |+1.It then informs new user is with < UID|UL+1|,TS',ε'>。
IBS-SSE.AddDoc(Fnew):
(1) first, the data side of uploading performs Enc algorithm and by the F after encryptionnewIt is uploaded to CSP.Meanwhile, F is sentnew's
Document identifier, the trapdoor describing its attribute and owner's identity and access control policyTo CA
End.
(2) CA need to check FnewThe owner whether be present in user list UL, if nothing, then then first carry out
AddUser algorithm.
(3) CA calls in good timeAlgorithm is to complete the renewal of relative index document.
In the present invention, the assignment of relevant parameter symbol is described as follows shown in table:
Claims (4)
1. the encryption method of can search for based on secret protection under a cloud storage environment, it is characterised in that the method mainly realizes
Process is as follows: make L={li| 1≤i≤card (L) } represent IBS-SSE system model in all of card (L) plant user's body
Part type, card (L) represents user identity type liThe radix of set L, each data consumer belongs to one of which body
Part type;For document F, if it is x that document owner specifies the identity type of the data consumer of addressable document F to belong to radix
SetThen by the h of Bloom Filter independent hash function HASH={H1,H2,...HhWillIn x
Element maps in the bit string vector P of a length of q, and P is the access control policy being bound to document F, and P is with the identifier one of F
Play write index document and be stored in IBS-SSE system model;When certain data consumer wants to access F, access holding of control
Passerby is after getting the relevant index document of F, by Bloom Filter, the identity class that judges this data consumer according to P
Whether type l belongs to sets of authorizationsIf belonging to, the match is successful, is not belonging to then that it fails to match;1≤x≤card(L).
The encryption method of can search for based on secret protection under cloud storage environment the most according to claim 1, it is characterised in that
The generation process of access control policy P includes: initially set up the bit string vector P of an a length of q, and bit string vector P is every
Value be initialized as 0;For either elementUtilize each function in hash function group HASH one a pair
liCarry out Hash and obtain h Hash Round Robin data partition H1(li), H2(li) ... Hh(li), update Broome according to this h address and filter
Device vector, makes the value of these positions of Bloom Filter vector be changed by 0 and is set to 1, finally return that the Broome being updated successfully filters
Device vector is as access control policy;
Access the process that implements controlling to mate to include: firstly generate integer number flag=0, for the identity type of visitor
L, utilizes a pair identity type of each function 1 in hash function group HASH carry out Hash and obtain h Hash Round Robin data partition H1(l),
H2(l) ... Hh(l);One by one check vector P in by these allocation indexs to place value, if value is 1, then flag+=1;If value is
0, then it fails to match.Finally, if flag=h, then the match is successful.
The encryption method of can search for based on secret protection under cloud storage environment the most according to claim 1, it is characterised in that
DocumentComprise document identifier ID, document properties combined arrangementWith document common content f, document properties
CombinationDimension be designated as Dim=n+m,It is made up of Dim Attribute domain and each Attribute domain is equal
Comprise property value, wherein a rkRepresent scope generic attribute RkProperty value, wyThen represent key word generic attribute WyProperty value;
Order | Rk| represent RkTerritory all possible property value number, | Wy| represent WyField all possible property value number, then at literary composition
Shelves set FILE in, make A be all document properties combination set, then the radix of A be card (A)=| R1|×|R2|×...×
|Rn|×|W1|×|W2|×...×|Wm|;Wherein, 1≤k≤n;1≤y≤m.
The encryption method of can search for based on secret protection under cloud storage environment the most according to claim 1, it is characterised in that
The detailed process obtaining index document relevant for F includes:
1) the access trapdoor from data user is being receivedQ describes data
The data search condition of user, whereinDescribe data consumer to each attribute of destination document
The different requirements of thresholding, UID then indicates the identity of access requestor, specifically, DRDescribe the value to a scope generic attribute
Requirement;DWDescribe the requirement of value to a key word generic attribute;When data consumer is with [rx1,rx2],rx1≤rx2Definition belongs to
Property field RxTime,Utilize order preserving transformation function X pairConvert to obtain its encrypted formWhen data consumer is with z key definition attribute field WxTime,
Utilize universe pseudo-random function Ψ pairIt is encrypted to obtain its encrypted form
Afterwards, access the executor CA controlled and can inquire about qualified index document identifier (IID) in two-dimensional polling list according to Q
S, and by all corresponding tuple (addr) s combination producing subsetsBy SQThe data block total number indexed is designated as
sizeQ, nB=α bmax;α is the spreading factor of IBS, bmaxBeing the number of data blocks upper limit being available for storage in array B, B is for containing
nB=α bmaxThe array of individual data block;When the scope generic attribute territory condition in QAt least one non-
Time empty, select the attribute R that given range codomain is minimummin, 1≤min≤n;CA is according to given minimum value scopeLocation
By RminThe two-dimensional polling list T of sequenceminIn meetTuple, recyclingCarry out
The coupling of other Attribute domains;When the scope generic attribute territory condition in QDuring all skies, then directly utilizeThe tuple of arbitrary table in two-dimensional polling list collection T is mated;
2) CA selects a random number τ and generates a pseudorandom integer ordered series of numbers V ← Γ (τ), with the front β size of VQIndividual difference
Integer array become pseudorandom subsetVQBe for access trapdoor Q access operation prepare obscure subset;Γ is pseudo-
Random number generator;β is the confounding factors of IBS;
3) CA will be by SQAnd VQThis locality is upset and be jointly downloaded to the data block indexed, and utilizes
Deciphering is by SQThe data block that indexes also recovers and indexes document accordingly;B [i] is the i-th data block in B;Φ be pseudo-with
Machine function, KΦIt is the key for Φ, viIt is the version number of i-th data block,I.e. utilize Φ and KΦTo character string
(vi| | i) make pseudo-random process;
4) after recovering the index document that identifier is (IID) s, CA travels through terminal list FS according to (IID) s, if in FS
Exist to certain part index document more newly requested, the most first it is updated, remove this request, then will update after index literary composition
Shelves are as indexing document accordingly;
5) when needing to add new index document, first check whether index document identifier to be added is present in T, if
Exist, then perform write operation;If not existing, adding the most in the steps below and indexing document:
5a) will index document sets IND, number of data blocks upper limit bmax, two-dimensional polling list collection T and KIBSAs input, will index literary composition
Every part of index document I in shelves collection INDiIt is split as sizeiIndividual data block, as index document IiTotal byte length lengthiNo
When can be divided exactly by ω, front lengthi/ ω data block size is ω, and last size data block less than ω is filled by 0s
To ω, all data blocks all comprise two head fields, and one of them is responsible for recording IIDi, another is then responsible for record IiVersion
Number vi, viIt is initialized as 0;
5b) data blocks all in B are initialized as 0s, to each index document I in INDi, IIDiFor index document IiID,
With σ=IIDiFor seed, generate an integer Number Sequence S ← Γ (σ), from the beginning of sequence S, select sizeiIndividual different whole
Type number, and guarantee that the data block in the B indexed by these integer numbers is sky;WithRepresent raw by σ and pseudo random number
Before the Γ that grows up to be a useful person generatesIndividual integer number, creates a pseudorandom subsetSi=Λ [σ, sizei];
5c) will be by I by ascending orderiThe size splitiIndividual data block writes by SiData block in the B indexed, these data
Block is marked as non-NULL;
5d) by two-dimensional polling list collection T with IiThe addr of corresponding tupleiField is updated to Si;
Pseudo-random function Φ 5e) is utilized all data blocks in B to be encrypted.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610472300.9A CN106127075B (en) | 2016-06-27 | 2016-06-27 | Encryption method can search for based on secret protection under a kind of cloud storage environment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610472300.9A CN106127075B (en) | 2016-06-27 | 2016-06-27 | Encryption method can search for based on secret protection under a kind of cloud storage environment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106127075A true CN106127075A (en) | 2016-11-16 |
CN106127075B CN106127075B (en) | 2019-11-08 |
Family
ID=57269235
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610472300.9A Active CN106127075B (en) | 2016-06-27 | 2016-06-27 | Encryption method can search for based on secret protection under a kind of cloud storage environment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106127075B (en) |
Cited By (33)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106685636A (en) * | 2017-03-22 | 2017-05-17 | 电子科技大学 | Frequency analysis method combined with data locality features |
CN106778352A (en) * | 2017-01-13 | 2017-05-31 | 广西师范大学 | Collection Value Data and the multi-source method for secret protection of community network data aggregate issue |
CN106789039A (en) * | 2017-01-25 | 2017-05-31 | 武汉大学 | A kind of storage method of confidential data |
CN106874379A (en) * | 2017-01-05 | 2017-06-20 | 中国科学院软件研究所 | A kind of multidimensional interval search method and system towards ciphertext cloud storage |
CN107046548A (en) * | 2017-05-22 | 2017-08-15 | 东莞理工学院 | A kind of packet filtering method under secret protection |
CN107273467A (en) * | 2017-06-06 | 2017-10-20 | 南京搜文信息技术有限公司 | A kind of Security Index structure and its building method for supporting to can search for encryption |
CN107342857A (en) * | 2017-07-04 | 2017-11-10 | 微鲸科技有限公司 | Group technology and device |
CN107454059A (en) * | 2017-07-05 | 2017-12-08 | 广东工业大学 | Search encryption method based on stream cipher under a kind of cloud storage condition |
CN107889068A (en) * | 2017-12-11 | 2018-04-06 | 成都欧督系统科技有限公司 | Message broadcast controlling method based on radio communication |
CN107908732A (en) * | 2017-11-14 | 2018-04-13 | 北京恺思睿思信息技术有限公司 | A kind of mutually isolated multi-source big data convergence analysis method and system |
CN109002729A (en) * | 2018-07-09 | 2018-12-14 | 福建省农村信用社联合社 | A kind of customer privacy data managing method based on financial block chain |
CN109088719A (en) * | 2018-08-14 | 2018-12-25 | 重庆第二师范学院 | Outsourced database multi-key word can verify that cipher text searching method, data processing system |
CN109829320A (en) * | 2019-01-14 | 2019-05-31 | 珠海天燕科技有限公司 | A kind for the treatment of method and apparatus of information |
CN109933586A (en) * | 2019-02-26 | 2019-06-25 | 符安文 | A kind of management method optimizing location index based on block chain |
CN109951443A (en) * | 2019-01-28 | 2019-06-28 | 湖北工业大学 | The set intersection calculation method and system of secret protection under a kind of cloud environment |
CN110210249A (en) * | 2019-06-13 | 2019-09-06 | 上海富数科技有限公司 | The system and method for track query function of hideing are realized based on data obfuscation |
CN110765469A (en) * | 2019-09-12 | 2020-02-07 | 华中科技大学 | Efficient and robust dynamic searchable symmetric encryption method and system |
CN111339555A (en) * | 2020-02-17 | 2020-06-26 | 腾讯科技(深圳)有限公司 | Data processing method and device, electronic equipment and storage medium |
CN111506918A (en) * | 2020-04-09 | 2020-08-07 | 南京邮电大学 | Mobile track privacy protection matching method based on Bloom filter |
CN111680062A (en) * | 2020-05-15 | 2020-09-18 | 江西师范大学 | Safe multi-target data object query method and storage medium |
CN111711671A (en) * | 2020-06-01 | 2020-09-25 | 深圳华中科技大学研究院 | Cloud storage method for efficient ciphertext file updating based on blind storage |
CN111930688A (en) * | 2020-09-23 | 2020-11-13 | 西南石油大学 | Method and device for searching secret data of multi-keyword query in cloud server |
CN112084397A (en) * | 2020-07-14 | 2020-12-15 | 山东中创软件商用中间件股份有限公司 | Filter registration method, device, equipment and readable storage medium |
CN112257096A (en) * | 2020-11-23 | 2021-01-22 | 中电万维信息技术有限责任公司 | Searching method for cloud storage ciphertext encrypted data |
CN112287368A (en) * | 2020-10-29 | 2021-01-29 | 重庆大学 | Cloud storage searchable encryption method based on-grid attribute base |
CN112307149A (en) * | 2020-10-30 | 2021-02-02 | 陕西师范大学 | Spatial data range query method with access mode protection |
CN112598138A (en) * | 2020-12-22 | 2021-04-02 | 百度在线网络技术(北京)有限公司 | Data processing method and device, federal learning system and electronic equipment |
CN112804050A (en) * | 2021-04-14 | 2021-05-14 | 湖南大学 | Multi-source data query system and method |
CN113452706A (en) * | 2021-06-28 | 2021-09-28 | 长沙学院 | Attribute encryption method and system supporting numerical attribute comparison access strategy |
CN113468575A (en) * | 2021-07-22 | 2021-10-01 | 东北大学 | Dense-state streaming data retrieval system and method supporting access mode hiding |
CN113489699A (en) * | 2021-06-25 | 2021-10-08 | 北京电子科技学院 | Arithmetic coding-based order-preserving encryption system and method |
CN114124883A (en) * | 2021-10-12 | 2022-03-01 | 鸬鹚科技(深圳)有限公司 | Data access method and device based on cloud storage address, computer equipment and medium |
CN117494174A (en) * | 2023-12-28 | 2024-02-02 | 北京遥感设备研究所 | Multidimensional data encryption range query method and device, storage medium and electronic equipment |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103345526A (en) * | 2013-07-22 | 2013-10-09 | 武汉大学 | Efficient privacy protection encrypted message querying method in cloud environment |
CN103973668A (en) * | 2014-03-27 | 2014-08-06 | 温州大学 | Server-side personal privacy data protecting method in network information system |
CN104780161A (en) * | 2015-03-23 | 2015-07-15 | 南京邮电大学 | Searchable encryption method supporting multiple users in cloud storage |
CN105069358A (en) * | 2015-07-13 | 2015-11-18 | 西安理工大学 | Keyword searchable encryption method based on Bloom filter with storage structure |
-
2016
- 2016-06-27 CN CN201610472300.9A patent/CN106127075B/en active Active
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103345526A (en) * | 2013-07-22 | 2013-10-09 | 武汉大学 | Efficient privacy protection encrypted message querying method in cloud environment |
CN103973668A (en) * | 2014-03-27 | 2014-08-06 | 温州大学 | Server-side personal privacy data protecting method in network information system |
CN104780161A (en) * | 2015-03-23 | 2015-07-15 | 南京邮电大学 | Searchable encryption method supporting multiple users in cloud storage |
CN105069358A (en) * | 2015-07-13 | 2015-11-18 | 西安理工大学 | Keyword searchable encryption method based on Bloom filter with storage structure |
Non-Patent Citations (1)
Title |
---|
张朋: "云计算中用户数据隐私保护关键技术的研究与应用", 《中国优秀硕士学位论文全文数据库 信息科技辑》 * |
Cited By (53)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106874379B (en) * | 2017-01-05 | 2021-01-12 | 中国科学院软件研究所 | Ciphertext cloud storage-oriented multi-dimensional interval retrieval method and system |
CN106874379A (en) * | 2017-01-05 | 2017-06-20 | 中国科学院软件研究所 | A kind of multidimensional interval search method and system towards ciphertext cloud storage |
CN106778352A (en) * | 2017-01-13 | 2017-05-31 | 广西师范大学 | Collection Value Data and the multi-source method for secret protection of community network data aggregate issue |
CN106778352B (en) * | 2017-01-13 | 2020-04-07 | 广西师范大学 | Multisource privacy protection method for combined release of set value data and social network data |
CN106789039A (en) * | 2017-01-25 | 2017-05-31 | 武汉大学 | A kind of storage method of confidential data |
CN106789039B (en) * | 2017-01-25 | 2020-12-08 | 武汉大学 | Method for storing secret data |
CN106685636A (en) * | 2017-03-22 | 2017-05-17 | 电子科技大学 | Frequency analysis method combined with data locality features |
CN107046548A (en) * | 2017-05-22 | 2017-08-15 | 东莞理工学院 | A kind of packet filtering method under secret protection |
CN107046548B (en) * | 2017-05-22 | 2020-04-28 | 东莞理工学院 | Data packet filtering method under privacy protection |
CN107273467A (en) * | 2017-06-06 | 2017-10-20 | 南京搜文信息技术有限公司 | A kind of Security Index structure and its building method for supporting to can search for encryption |
CN107342857A (en) * | 2017-07-04 | 2017-11-10 | 微鲸科技有限公司 | Group technology and device |
CN107342857B (en) * | 2017-07-04 | 2020-06-23 | 微鲸科技有限公司 | Grouping method and device |
CN107454059A (en) * | 2017-07-05 | 2017-12-08 | 广东工业大学 | Search encryption method based on stream cipher under a kind of cloud storage condition |
CN107454059B (en) * | 2017-07-05 | 2020-07-17 | 广东工业大学 | Search encryption method based on sequence cipher in cloud storage environment |
CN107908732A (en) * | 2017-11-14 | 2018-04-13 | 北京恺思睿思信息技术有限公司 | A kind of mutually isolated multi-source big data convergence analysis method and system |
CN107908732B (en) * | 2017-11-14 | 2020-02-07 | 北京恺思睿思信息技术有限公司 | Mutually isolated multi-source big data fusion analysis method and system |
CN107889068A (en) * | 2017-12-11 | 2018-04-06 | 成都欧督系统科技有限公司 | Message broadcast controlling method based on radio communication |
CN109002729A (en) * | 2018-07-09 | 2018-12-14 | 福建省农村信用社联合社 | A kind of customer privacy data managing method based on financial block chain |
CN109002729B (en) * | 2018-07-09 | 2021-11-23 | 福建省农村信用社联合社 | Client privacy data management method based on financial block chain |
CN109088719A (en) * | 2018-08-14 | 2018-12-25 | 重庆第二师范学院 | Outsourced database multi-key word can verify that cipher text searching method, data processing system |
CN109829320A (en) * | 2019-01-14 | 2019-05-31 | 珠海天燕科技有限公司 | A kind for the treatment of method and apparatus of information |
CN109829320B (en) * | 2019-01-14 | 2020-12-11 | 珠海天燕科技有限公司 | Information processing method and device |
CN109951443A (en) * | 2019-01-28 | 2019-06-28 | 湖北工业大学 | The set intersection calculation method and system of secret protection under a kind of cloud environment |
CN109933586A (en) * | 2019-02-26 | 2019-06-25 | 符安文 | A kind of management method optimizing location index based on block chain |
CN110210249A (en) * | 2019-06-13 | 2019-09-06 | 上海富数科技有限公司 | The system and method for track query function of hideing are realized based on data obfuscation |
CN110765469B (en) * | 2019-09-12 | 2021-04-20 | 华中科技大学 | Efficient and robust dynamic searchable symmetric encryption method and system |
CN110765469A (en) * | 2019-09-12 | 2020-02-07 | 华中科技大学 | Efficient and robust dynamic searchable symmetric encryption method and system |
CN111339555B (en) * | 2020-02-17 | 2024-01-12 | 腾讯科技(深圳)有限公司 | Data processing method, device, electronic equipment and storage medium |
CN111339555A (en) * | 2020-02-17 | 2020-06-26 | 腾讯科技(深圳)有限公司 | Data processing method and device, electronic equipment and storage medium |
CN111506918A (en) * | 2020-04-09 | 2020-08-07 | 南京邮电大学 | Mobile track privacy protection matching method based on Bloom filter |
CN111680062A (en) * | 2020-05-15 | 2020-09-18 | 江西师范大学 | Safe multi-target data object query method and storage medium |
CN111680062B (en) * | 2020-05-15 | 2021-05-25 | 江西师范大学 | Safe multi-target data object query method and storage medium |
CN111711671A (en) * | 2020-06-01 | 2020-09-25 | 深圳华中科技大学研究院 | Cloud storage method for efficient ciphertext file updating based on blind storage |
CN112084397B (en) * | 2020-07-14 | 2023-12-05 | 山东中创软件商用中间件股份有限公司 | Filter registration method, device, equipment and readable storage medium |
CN112084397A (en) * | 2020-07-14 | 2020-12-15 | 山东中创软件商用中间件股份有限公司 | Filter registration method, device, equipment and readable storage medium |
CN111930688A (en) * | 2020-09-23 | 2020-11-13 | 西南石油大学 | Method and device for searching secret data of multi-keyword query in cloud server |
CN111930688B (en) * | 2020-09-23 | 2021-01-08 | 西南石油大学 | Method and device for searching secret data of multi-keyword query in cloud server |
CN112287368B (en) * | 2020-10-29 | 2024-02-13 | 重庆大学 | Cloud storage searchable encryption method based on lattice attribute base |
CN112287368A (en) * | 2020-10-29 | 2021-01-29 | 重庆大学 | Cloud storage searchable encryption method based on-grid attribute base |
CN112307149A (en) * | 2020-10-30 | 2021-02-02 | 陕西师范大学 | Spatial data range query method with access mode protection |
CN112257096A (en) * | 2020-11-23 | 2021-01-22 | 中电万维信息技术有限责任公司 | Searching method for cloud storage ciphertext encrypted data |
CN112598138A (en) * | 2020-12-22 | 2021-04-02 | 百度在线网络技术(北京)有限公司 | Data processing method and device, federal learning system and electronic equipment |
CN112804050A (en) * | 2021-04-14 | 2021-05-14 | 湖南大学 | Multi-source data query system and method |
CN112804050B (en) * | 2021-04-14 | 2021-07-02 | 湖南大学 | Multi-source data query system and method |
CN113489699A (en) * | 2021-06-25 | 2021-10-08 | 北京电子科技学院 | Arithmetic coding-based order-preserving encryption system and method |
CN113452706A (en) * | 2021-06-28 | 2021-09-28 | 长沙学院 | Attribute encryption method and system supporting numerical attribute comparison access strategy |
CN113452706B (en) * | 2021-06-28 | 2022-05-03 | 长沙学院 | Attribute encryption method and system supporting numerical attribute comparison access strategy |
CN113468575A (en) * | 2021-07-22 | 2021-10-01 | 东北大学 | Dense-state streaming data retrieval system and method supporting access mode hiding |
CN113468575B (en) * | 2021-07-22 | 2023-09-19 | 东北大学 | System and method for retrieving encrypted streaming data supporting access mode hiding |
CN114124883B (en) * | 2021-10-12 | 2023-09-12 | 鸬鹚科技(深圳)有限公司 | Data access method and device based on cloud storage address, computer equipment and medium |
CN114124883A (en) * | 2021-10-12 | 2022-03-01 | 鸬鹚科技(深圳)有限公司 | Data access method and device based on cloud storage address, computer equipment and medium |
CN117494174A (en) * | 2023-12-28 | 2024-02-02 | 北京遥感设备研究所 | Multidimensional data encryption range query method and device, storage medium and electronic equipment |
CN117494174B (en) * | 2023-12-28 | 2024-03-29 | 北京遥感设备研究所 | Multidimensional data encryption range query method and device, storage medium and electronic equipment |
Also Published As
Publication number | Publication date |
---|---|
CN106127075B (en) | 2019-11-08 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN106127075B (en) | Encryption method can search for based on secret protection under a kind of cloud storage environment | |
CN104021157B (en) | Keyword in cloud storage based on Bilinear map can search for encryption method | |
CN105024802B (en) | Multi-user's multi-key word based on Bilinear map can search for encryption method in cloud storage | |
US8745370B2 (en) | Secure sharing of data along supply chains | |
CN104363215B (en) | A kind of encryption method and system based on attribute | |
CN108418681A (en) | A kind of searching ciphertext system and method based on attribute for supporting proxy re-encryption | |
CN112765650A (en) | Attribute-based searchable encryption block chain medical data sharing method | |
CN107634829A (en) | Encrypted electronic medical records system and encryption method can search for based on attribute | |
CN104780161A (en) | Searchable encryption method supporting multiple users in cloud storage | |
CN105049196B (en) | The encryption method that multiple keywords of designated position can search in cloud storage | |
CN105100083B (en) | A kind of secret protection and support user's revocation based on encryption attribute method and system | |
CN108833393A (en) | A kind of revocable data sharing method calculated based on mist | |
CN108062485A (en) | A kind of fuzzy keyword searching method of multi-service oriented device multi-user | |
CN105915520A (en) | File storage and searching method based on public key searchable encryption, and storage system | |
CN102916954A (en) | Attribute-based encryption cloud computing safety access control method | |
CN106203146A (en) | A kind of big data safety management system | |
US7930560B2 (en) | Personal information management system, personal information management program, and personal information protecting method | |
CN109784931A (en) | A kind of querying method of the Data Query Platform based on block chain | |
CN107948146A (en) | A kind of connection keyword retrieval method based on encryption attribute in mixed cloud | |
CN106452735A (en) | Outsourcing attribute encryption method supporting attribute cancellation | |
CN102945356B (en) | The access control method of search engine under cloud environment and system | |
CN110166466A (en) | It is a kind of efficiently the multi-user of renewal authority to can search for encryption method and system | |
CN106326666A (en) | Health record information management service system | |
CN108038128A (en) | A kind of search method, system, terminal device and storage medium for encrypting file | |
CN108021677A (en) | The control method of cloud computing distributed search engine |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |