CN107294701B - Multidimensional ciphertext interval query device and method with efficient key management - Google Patents


Info

Publication number: CN107294701B
Authority: CN (China)
Prior art keywords: data, ciphertext, key, module, key management
Legal status: Active
Application number: CN201710543080.9A
Other languages: Chinese (zh)
Other versions: CN107294701A (en)
Inventors: 杨睿康, 马建峰, 伍祁应, 苗银宾, 王祥宇, 张凯
Current Assignee: Xidian University
Original Assignee: Xidian University
Application filed by Xidian University
Priority to CN201710543080.9A
Publication of CN107294701A
Application granted
Publication of CN107294701B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3242 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Power Engineering (AREA)
  • Storage Device Security (AREA)

Abstract

A multidimensional ciphertext interval query device with efficient key management, and a query method, belonging to the technical field of information security. The device comprises a data encryption module, a key management module and a ciphertext retrieval module. The data encryption module encrypts by using a global private key according to a search request to generate a trapdoor and a ciphertext range. The ciphertext retrieval module matches the trapdoor against a ciphertext index to obtain a correlation value and then judges whether the correlation value of the data is within the ciphertext query range; the ciphertext index is established by the data encryption module according to the global private key. When the correlation value of the data is within the ciphertext query range, the ciphertext retrieval module sends the corresponding ciphertext to the data user and sends the corresponding ciphertext and the data user identity to the key management module. The key management module calculates a decryption key according to the retrieved data and the data user identity and sends the decryption key to the data user. The method and the device realize multidimensional interval query over ciphertext and provide a ciphertext query device with a rich query experience.

Description

Multidimensional ciphertext interval query device and method with efficient key management
Technical Field
The invention belongs to the technical field of information security, relates to a multidimensional ciphertext interval query technology and a key management technology, and particularly relates to a multidimensional ciphertext interval query device and a multidimensional ciphertext interval query method with efficient key management.
Background
With the development of the information age, data is in explosive growth, and how to store and manage mass data becomes a concern of people. Due to the advantages of a convenient storage access mode, a flexible charging mode and the like, more and more enterprises and individuals outsource the storage and the calculation of the local data to a third-party cloud server to reduce the storage and the maintenance burden of the local data. However, the plaintext data stored on the cloud server may be subjected to malicious attacks, which may cause sensitive information to be leaked, so that cloud computing has a great potential safety hazard. Although encryption before outsourcing of data can guarantee the security of the data, two problems are brought about. On one hand, the traditional encryption method can cause that the ciphertext stored on the cloud server cannot be retrieved, and the method that a data user completely downloads the ciphertext to the local for decryption in order to obtain the interested document wastes a large amount of calculation and bandwidth resources; on the other hand, to ensure the security of data, different data users encrypt different types of data by using different keys, thereby bringing about complex massive key management problems, such as: how to quickly locate a decryption key required by a data user in a massive key, how to efficiently revoke the key for the data user losing the data access authority, and the like.
At present, the traditional searchable encryption technology with key management enables a data user to search keywords and quickly locate interested documents; and storing the data user and the key by utilizing the hash table, so that the data user can quickly locate the key. However, the existing technology cannot provide rich query experience of the traditional plaintext search engine, such as multidimensional interval query and the like. Meanwhile, the hash table structure can bring greater storage and calculation complexity to the management of massive keys, and further, how to efficiently revoke keys for data users who lose access rights becomes a new problem in key management in view of the situation that some data users need to leave dynamically in practical application.
Disclosure of Invention
Aiming at the problems in the prior art, the invention provides a multidimensional ciphertext interval query device with efficient key management and a query method.
The invention is realized by the following technical scheme:
A multidimensional ciphertext interval query device with efficient key management, comprising: a data encryption module, a key management module and a ciphertext retrieval module;
the data encryption module is used for encrypting according to the search request by using a global private key to generate a trapdoor and a ciphertext range and sending the trapdoor and the ciphertext range to the ciphertext retrieval module, and the global private key is generated by initializing the data encryption module according to data sent by a data user;
the ciphertext retrieval module is used for matching according to the trapdoor and the ciphertext index to obtain a correlation value, judging whether the correlation value of the data is in a ciphertext query range or not, wherein the ciphertext index is established by the data encryption module according to a global private key, and when the correlation value of the data is in the ciphertext query range, the ciphertext retrieval module sends a corresponding ciphertext to a data user and sends the corresponding ciphertext and the identity of the data user to the key management module;
and the key management module calculates a decryption key according to the corresponding ciphertext and the data user identity and sends the decryption key to the data user.
Optionally, the data encryption module is further configured to generate a global private key according to the uploaded data and the user authorization list through initialization, establish a ciphertext index for the plaintext data through the global private key, encrypt the plaintext data according to a symmetric key set to generate a ciphertext, where the symmetric key set is generated by the key management module according to the data and the data user authorization list;
optionally, the key management module is further configured to establish a symmetric key hash tree and a key state hash tree according to the data and data user authorization list, and generate a symmetric key set.
Optionally, the key management module is further configured to update the authorized data user list information and the key state hash tree according to the identity information of the revoked data user, and recalculate the symmetric key set according to the symmetric key hash tree.
Optionally, the data encryption module is further configured to re-encrypt the data according to the symmetric key set recalculated by the key management module to generate a ciphertext.
The invention provides a query method of any multidimensional ciphertext interval query device with efficient key management, which comprises the following steps:
the data encryption module encrypts by using a global private key according to the search request to generate a trapdoor and a ciphertext range and sends the trapdoor and the ciphertext range to the ciphertext retrieval module;
the ciphertext retrieval module is used for matching according to the trapdoor and the ciphertext index to obtain a correlation value, judging whether the correlation value of the data is in a ciphertext query range, if so, sending the corresponding ciphertext to the user, and sending the corresponding ciphertext and the identity of the data user to the key management module;
and the key management module calculates a decryption key according to the corresponding ciphertext and the data user identity and sends the decryption key to the user.
Optionally, before the data encryption module encrypts, according to the search request, by using the global private key to generate the trapdoor and the ciphertext range, and sends the trapdoor and the ciphertext range to the ciphertext retrieval module, the method further includes:
the data encryption module is used for initializing according to the uploaded data and the user authorization list to generate a global private key, establishing a ciphertext index for plaintext data through the global private key, and calling a ciphertext retrieval module to execute ciphertext uploading operation;
the key management module establishes a symmetric key hash tree and a key state hash tree according to the data and data user authorization list to generate a symmetric key set;
and the data encryption module encrypts plaintext data according to the symmetric key set to generate a ciphertext, and calls the ciphertext retrieval module to execute ciphertext and ciphertext index uploading operation.
Optionally, the method further includes the key management module updating the authorized data user list information and the key state hash tree according to the identity information of the revoked data user, and recalculating the symmetric key set according to the symmetric key hash tree.
Optionally, the method further includes that the data management module re-encrypts the data to generate a ciphertext according to the symmetric key set recalculated by the key management module.
Compared with the prior art, the invention has the following beneficial technical effects:
the data encryption module encrypts by using a global private key according to a search request to generate a trapdoor and a ciphertext range, the ciphertext retrieval module matches the trapdoor and a ciphertext index to obtain a correlation value, and then judges whether the correlation value of the data is in the ciphertext query range, the ciphertext index is established by the data encryption module according to the global private key, when the correlation value of the data is in the ciphertext query range, the ciphertext retrieval module sends a corresponding ciphertext to a data user, the corresponding ciphertext and the identity of the data user are sent to the key management module, the key management module calculates a decryption key according to the retrieved data and the identity of the data user, and sends the decryption key to the data user, so that the multidimensional interval query of the ciphertext is realized, and the ciphertext query device with rich query experience is provided;
furthermore, the key management module establishes a symmetric key hash tree and a key state hash tree according to the data and data user authorization list to generate a symmetric key set, and the symmetric key hash tree is established symmetrically, so that the required decryption key can be positioned quickly, and the ciphertext retrieval efficiency is improved;
furthermore, when the data user needs to leave dynamically, the key management module updates the authorized data user list information and the key state hash tree according to the identity information of the revoked data user, recalculates the symmetric key set according to the symmetric key hash tree, and the data encryption module re-encrypts the data according to the symmetric key set recalculated by the key management module to generate a ciphertext.
Drawings
Fig. 1 is a schematic diagram of a multidimensional ciphertext interval query apparatus with efficient key management according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of a data encryption module according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of a key management module according to an embodiment of the present invention;
Fig. 4 is a schematic diagram of a ciphertext retrieval module according to an embodiment of the present invention;
Fig. 5 is a flowchart of a multidimensional ciphertext interval query method with efficient key management according to an embodiment of the present invention;
Fig. 6 is a flowchart of another multidimensional ciphertext interval query method with efficient key management according to an embodiment of the present invention.
Detailed Description
The present invention will now be described in further detail with reference to specific examples, which are intended to be illustrative, but not limiting, of the invention.
As shown in Fig. 1, the apparatus includes: a data encryption module, a key management module and a ciphertext retrieval module;
the data user calls a data encryption module to execute data and data user authorization list uploading operation; the data encryption module initializes the data sent by the data user to generate a global private key, and establishes a ciphertext index for the plaintext data by using the global private key; the data encryption module calls the key management module to execute data related information and data user authorization list uploading operation; the data encryption module encrypts plaintext data by using a symmetric key set returned by the key management module to generate a ciphertext; the data encryption module calls the ciphertext retrieval module to execute ciphertext and ciphertext index uploading operation; the data user calls a data encryption module to execute the query request uploading operation; the data encryption module encrypts by using a global private key according to a query request sent by a data user to generate a trapdoor and a ciphertext range; and the data encryption module calls the ciphertext retrieval module to execute the trapdoor and ciphertext range uploading operation.
The key management module establishes a symmetric key hash tree and a key state hash tree according to the data related information and the data user authorization list sent by the data encryption module, so as to realize the storage and management of a symmetric key set; the key management module calculates a decryption key by using a symmetric key Hash tree according to the returned ciphertext and the identity of the data user, which are sent by the ciphertext retrieval module, and sends the decryption key to the data user; the data user calls a key management module to execute the cancelled data user identity information uploading operation; and the key management module updates the authorized data user list information and the key state hash tree according to the revoked data user identity information sent by the data user, then recalculates the symmetric key set by using the symmetric key hash tree and calls the data encryption module to re-encrypt the plaintext data to generate a ciphertext.
The ciphertext retrieval module firstly matches the trapdoor and the index to obtain a correlation value according to the trapdoor and the ciphertext range sent by the data encryption module, then judges whether the correlation value of the data is in the ciphertext query range, if so, returns the corresponding ciphertext to a data user, otherwise, discards the data; and the ciphertext retrieval module calls the key management module to execute the uploading operation of returning the ciphertext and the user identity.
The data encryption module and the key management module can be deployed in a credible private cloud server, and the ciphertext retrieval module can be deployed in a public cloud server.
As shown in fig. 5, the query method of any multidimensional ciphertext interval query device with efficient key management according to the embodiment of the present invention includes:
Step 101: the data encryption module encrypts by using a global private key according to the search request to generate a trapdoor and a ciphertext range, and sends the trapdoor and the ciphertext range to the ciphertext retrieval module;
Step 102: the ciphertext retrieval module performs matching according to the trapdoor and the ciphertext index to obtain a correlation value and judges whether the correlation value of the data is in the ciphertext query range; if the correlation value is in the ciphertext query range, the ciphertext retrieval module sends the corresponding ciphertext to the user and sends the corresponding ciphertext and the identity of the data user to the key management module;
Step 103: the key management module calculates a decryption key according to the corresponding ciphertext and the data user identity, and sends the decryption key to the user.
As shown in fig. 6, before the data encryption module encrypts the search request by using the global private key to generate the trapdoor and the ciphertext range, and sends the trapdoor and the ciphertext range to the ciphertext retrieval module, the method further includes:
Step 104: the data encryption module initializes according to the uploaded data and the user authorization list to generate a global private key, establishes a ciphertext index for the plaintext data through the global private key, and calls the ciphertext retrieval module to execute the ciphertext uploading operation;
Step 105: the key management module establishes a symmetric key hash tree and a key state hash tree according to the data and data user authorization list to generate a symmetric key set;
Step 106: the data encryption module encrypts the plaintext data according to the symmetric key set to generate a ciphertext, and calls the ciphertext retrieval module to execute a ciphertext uploading operation.
When the data user needs to leave dynamically, the key management module updates the authorized data user list information and the key state hash tree according to the identity information of the revoked data user, and recalculates the symmetric key set according to the symmetric key hash tree; and the data management module re-encrypts the data according to the symmetric key set recalculated by the key management module to generate a ciphertext.
Preferably, the workflow of the multidimensional ciphertext interval query device with efficient key management provided by the embodiment of the present invention is as follows:
and the data user calls the data encryption module to execute data and data user authorization list uploading operation.
The data encryption module initializes the data sent by the data user to generate a global private key, and establishes a ciphertext index for the plaintext data by using the global private key; and the data encryption module calls the ciphertext retrieval module to execute ciphertext index uploading operation.
And the key management module establishes a symmetric key hash tree and a key state hash tree according to the data set related information and the data user authorization list sent by the data encryption module, so as to realize the storage and management of the symmetric key set.
The data encryption module encrypts different data by adopting an AES algorithm according to the symmetric key set returned by the key management module to generate a ciphertext; and the data encryption module calls the ciphertext retrieval module to execute ciphertext uploading operation.
The data user calls a data encryption module to execute the query request uploading operation; the data encryption module encrypts by using a global private key according to the query request to generate a trapdoor and a ciphertext range; and the data encryption module calls the ciphertext retrieval module to execute the trapdoor and ciphertext range uploading operation.
The ciphertext retrieval module firstly matches the trapdoor and the index to obtain a correlation value according to the trapdoor and the ciphertext range sent by the data encryption module, then judges whether the correlation value of the data is in the ciphertext query range, if so, returns the corresponding ciphertext to a data user, otherwise, discards the data; and the ciphertext retrieval module calls the key management module to execute the returned ciphertext uploading operation.
And the key management module calculates a decryption key by using the symmetric key Hash tree according to the returned ciphertext and the identity of the data user, which are sent by the ciphertext retrieval module, and sends the decryption key to the data user.
When the data user needs to leave dynamically, the work flow is as follows:
the key management module updates authorized data user list information and a key state hash tree according to the revoked data user identity information sent by the data user, and then recalculates a symmetric key set by using the symmetric key hash tree;
and the data encryption module executes ciphertext updating operation according to the ciphertext list to be updated and the corresponding key sent by the key management module.
Fig. 2 is a schematic diagram of a data encryption module according to an embodiment of the present invention, where the data encryption module is specifically implemented as follows:
the data owner calls the data encryption module to execute data and data user authorization list uploading operation; the data encryption module performs initialization to generate a global private key, wherein the global private key is a triple $(M_1, M_2, S)$, where $M_1$ is a first random invertible matrix, $M_2$ is a second random invertible matrix, and $S$ is a randomly selected vector; a plaintext index is established according to the data; the data is split into two parts by using the random vector $S$ in the global private key, i.e. a first data vector $d_1$ and a second data vector $d_2$; then the first random invertible matrix $M_1$ and the second random invertible matrix $M_2$ in the global private key are used to encrypt the first data vector $d_1$ and the second data vector $d_2$ respectively, obtaining the ciphertext index.
The data encryption module calls the key management module, and sends the related information of the data set and the data user authorization list to the key management module; the data encryption module encrypts different data by using an AES algorithm by using a symmetric key set returned by the key management module to generate a ciphertext;
the data encryption module calls the ciphertext retrieval module to execute ciphertext and ciphertext index uploading operation;
a data user calls the data encryption module to execute a query request uploading operation, wherein the query request comprises a query vector $Q$ and a query range vector $R$; the data encryption module splits the query vector $Q$ into two parts by using the random vector $S$ in the global private key, i.e. a first query vector $Q_1$ and a second query vector $Q_2$; then the first random invertible matrix $M_1$ and the second random invertible matrix $M_2$ in the global private key are used to encrypt the first query vector $Q_1$ and the second query vector $Q_2$ respectively, obtaining the trapdoor;
and the data encryption module calls the ciphertext retrieval module to negotiate a session key with the ciphertext retrieval module, encrypts the query range vector R by adopting an AES algorithm to obtain a ciphertext range, and executes the trap door and ciphertext range uploading operation.
Fig. 3 is a schematic diagram of a key management module according to an embodiment of the present invention, where the key management module is specifically implemented as follows:
the key management module establishes a symmetric key hash tree and a key state hash tree according to the related information of the data set and the data user authorization list sent by the data encryption module, so as to realize efficient storage and management of the symmetric key; wherein the symmetric key hash tree is as follows: each symmetric key set is managed by a Hash tree with keys, key values corresponding to root nodes of the Hash tree are set as root keys, and symmetric key values of each child node are calculated by using key values of father nodes; the key state hash tree refers to: the Hash tree records the state values of the nodes to perform key revocation management on the nodes, wherein the initial value of the state is 0;
the key management module calculates the symmetric key value of each child node by using the root key and the parent node key value according to the returned ciphertext and the identity of the data user sent by the ciphertext retrieval module and the symmetric key hash tree, namely calculates the key value $K_{x,y}$ corresponding to the $y$-th node in the $x$-th layer of the hash tree: $K_{x,y} = H(K_{parent}, x \| y \| {*}S_{x,y})$, where $K_{parent}$ is the key corresponding to the parent node of $K_{x,y}$, which is a known key; $H$ maps elements of the set $\{0,1\}^*$ to $\{0,1\}^{256}$, where $\{0,1\}^*$ represents the set of bit strings of arbitrary length and $\{0,1\}^{256}$ is the set of bit strings of length 256; $\|$ represents the concatenation operation; $x \| y$ is to ensure that the keys are different from each other; $S_{x,y}$ is the revocation status value of the node; the "*" added before $S_{x,y}$ is to avoid the problem that direct concatenation may cause two keys to be identical;
the data owner calls the key management module to execute the cancelled data user information uploading operation;
The key management module updates the authorized data user list information and the key state hash tree according to the revoked data user identity information sent by the data user, and increments by 1 the key revocation state value of the corresponding node in the key state hash tree to indicate that the node has undergone one revocation. It then calculates the symmetric key value of each child node by using the root key and the parent node key value according to the symmetric key hash tree, recalculates the symmetric key set and calls the data encryption module to update the ciphertext, so that the data user whose authority has been revoked cannot decrypt the ciphertext by using the old symmetric key.
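The key derivation and revocation described above can be exercised in a few lines. This is an added example, not code from the patent: it assumes H is HMAC-SHA-256 keyed with the parent key, a decimal text encoding of x, y and S, and a binary tree in which the parent of node (x, y) is (x-1, y // 2); `KeyTree`, `derive_key` and `node_label` are hypothetical names.

```python
import hashlib
import hmac

ARITY = 2  # assumption: binary tree; the page does not fix the fan-out


def node_label(x, y, state, sep="*"):
    """Encode x || y || *S_{x,y} as decimal text (the encoding is an assumption)."""
    return f"{x}{y}{sep}{state}".encode()


def derive_key(parent_key, x, y, state):
    """K_{x,y} = H(K_parent, x || y || *S_{x,y}); H is HMAC-SHA-256 here (assumption)."""
    return hmac.new(parent_key, node_label(x, y, state), hashlib.sha256).digest()


class KeyTree:
    """Symmetric key hash tree plus key state hash tree (hypothetical class)."""

    def __init__(self, root_key):
        self.root_key = root_key  # key of the root node (layer 0)
        self.state = {}           # (x, y) -> revocation state value, initial value 0

    def path(self, x, y):
        """Nodes from layer 1 down to (x, y); parent of (x, y) is (x-1, y // ARITY)."""
        nodes = []
        while x >= 1:
            nodes.append((x, y))
            x, y = x - 1, y // ARITY
        return nodes[::-1]

    def key(self, x, y):
        """Recompute a node key on demand from the root key; no per-node key is stored."""
        k = self.root_key
        for nx, ny in self.path(x, y):
            k = derive_key(k, nx, ny, self.state.get((nx, ny), 0))
        return k

    def revoke(self, x, y):
        """Add 1 to the node's state value; its key and every descendant key change."""
        self.state[(x, y)] = self.state.get((x, y), 0) + 1
        return self.state[(x, y)]


def keys_changed_by_revocation():
    """Revoke node (1, 0) and report which of the sampled node keys were replaced."""
    tree = KeyTree(bytes(range(32)))  # constructed root key, not a real secret
    nodes = [(1, 0), (1, 1), (2, 0), (2, 1), (2, 2)]
    before = {n: tree.key(*n) for n in nodes}
    tree.revoke(1, 0)
    return sorted(n for n in nodes if tree.key(*n) != before[n])


def label_collides(sep):
    """Do (y=1, S=12) and (y=11, S=2) in layer 4 yield the same hash input?"""
    return node_label(4, 1, 12, sep) == node_label(4, 11, 2, sep)


if __name__ == "__main__":
    print(keys_changed_by_revocation())
    print(label_collides(""), label_collides("*"))
```

Only the revoked node and its subtree receive new keys, so only ciphertexts under those keys need re-encryption; without the "*" separator the two sibling labels collide and the two nodes would share a key.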
Fig. 4 is a schematic diagram of a ciphertext retrieval module according to an embodiment of the present invention, where the ciphertext retrieval module is specifically implemented as follows:
the ciphertext retrieval module firstly decrypts the query range by using a key negotiated with the data encryption module according to the trapdoor and the ciphertext range sent by the data encryption module; then, matching is carried out by utilizing the trapdoor and the index to obtain a correlation value, whether the correlation value of the data is in a query range or not is judged, if so, the corresponding ciphertext is returned to the data user, the corresponding ciphertext and the identity of the data user are sent to the key management module, and if not, the data are discarded; and the ciphertext retrieval module calls the key management module to execute the result ciphertext and data user identity uploading operation.
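The index, trapdoor and matching steps of the data encryption and ciphertext retrieval modules, as an added example that is not code from the patent. The page does not give the split or multiplication rules, so this assumes those of the standard secure-kNN (ASPE) construction, takes the correlation value to be an inner product, and passes the already-decrypted range as `lo`/`hi`; all function names are hypothetical.

```python
import random
from fractions import Fraction


def transpose(m):
    return [list(r) for r in zip(*m)]


def matvec(m, v):
    return [sum(a * b for a, b in zip(row, v)) for row in m]


def inverse(m):
    """Exact Gauss-Jordan inverse over the rationals; None if m is singular."""
    n = len(m)
    a = [[Fraction(v) for v in row] + [Fraction(int(i == j)) for j in range(n)]
         for i, row in enumerate(m)]
    for c in range(n):
        p = next((r for r in range(c, n) if a[r][c] != 0), None)
        if p is None:
            return None
        a[c], a[p] = a[p], a[c]
        piv = a[c][c]
        a[c] = [v / piv for v in a[c]]
        for r in range(n):
            if r != c and a[r][c] != 0:
                f = a[r][c]
                a[r] = [vr - f * vc for vr, vc in zip(a[r], a[c])]
    return [row[n:] for row in a]


def keygen(n, rng):
    """Global private key (M1, M2, S), with the inverses cached for trapdoors."""
    def invertible():
        while True:
            m = [[rng.randint(-9, 9) for _ in range(n)] for _ in range(n)]
            inv = inverse(m)
            if inv is not None:
                return m, inv
    (m1, m1_inv), (m2, m2_inv) = invertible(), invertible()
    s = [rng.randint(0, 1) for _ in range(n)]
    return {"M1": m1, "M2": m2, "M1inv": m1_inv, "M2inv": m2_inv, "S": s}


def split(v, s, split_when, rng):
    """Share v[j] additively where s[j] == split_when, else copy it to both parts."""
    a, b = [], []
    for vj, sj in zip(v, s):
        r = rng.randint(-50, 50) if sj == split_when else None
        a.append(vj if r is None else r)
        b.append(vj if r is None else vj - r)
    return a, b


def build_index(d, key, rng):
    """Ciphertext index: (M1^T d1, M2^T d2), data split where S[j] == 1 (assumption)."""
    d1, d2 = split(d, key["S"], 1, rng)
    return matvec(transpose(key["M1"]), d1), matvec(transpose(key["M2"]), d2)


def build_trapdoor(q, key, rng):
    """Trapdoor: (M1^-1 Q1, M2^-1 Q2), query split where S[j] == 0 (assumption)."""
    q1, q2 = split(q, key["S"], 0, rng)
    return matvec(key["M1inv"], q1), matvec(key["M2inv"], q2)


def correlation(index, trapdoor):
    """Server-side match: equals the plaintext inner product d . Q."""
    return sum(sum(a * b for a, b in zip(i, t)) for i, t in zip(index, trapdoor))


def search(indexes, trapdoor, lo, hi):
    """Return ids whose correlation value lies in the decrypted query range [lo, hi]."""
    return [i for i, idx in indexes.items() if lo <= correlation(idx, trapdoor) <= hi]


def demo():
    rng = random.Random(7)  # seeded only for reproducibility; real keys need a CSPRNG
    key = keygen(3, rng)
    docs = {"doc-a": [1, 2, 3], "doc-b": [4, 0, 1], "doc-c": [9, 9, 9]}  # constructed
    indexes = {i: build_index(d, key, rng) for i, d in docs.items()}
    return search(indexes, build_trapdoor([1, 1, 2], key, rng), 5, 10)


if __name__ == "__main__":
    print(demo())
```

The retrieval module never holds $M_1$, $M_2$ or $S$, yet it does see each correlation value and the decrypted range in the clear, which is why the page places only this module on the public cloud server.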
The above description is only one specific example of the present invention and should not be construed as limiting the invention in any way. It will be apparent to those skilled in the art that modifications and improvements of the algorithm can be made without departing from the principle and structure of the invention, but those modifications and improvements based on the algorithm of the invention are within the scope of the claims of the invention.

Claims (4)

1. An inquiry method applied to a multidimensional ciphertext interval inquiry device with efficient key management is characterized in that the inquiry device comprises: the system comprises a data encryption module, a key management module and a ciphertext retrieval module;
the data encryption module is used for encrypting according to the search request by using a global private key to generate a trapdoor and a ciphertext range and sending the trapdoor and the ciphertext range to the ciphertext retrieval module, and the global private key is generated by initializing the data encryption module according to data sent by a data user;
the ciphertext retrieval module is used for matching according to the trapdoor and the ciphertext index to obtain a correlation value, judging whether the correlation value of the data is in a ciphertext query range or not, wherein the ciphertext index is established by the data encryption module according to a global private key, and when the correlation value of the data is in the ciphertext query range, the ciphertext retrieval module sends a corresponding ciphertext to a data user and sends the corresponding ciphertext and the identity of the data user to the key management module;
the key management module calculates a decryption key according to the corresponding ciphertext and the data user identity and sends the decryption key to the data user;
the query method comprises the following steps:
the data encryption module encrypts by using a global private key according to the search request to generate a trapdoor and a ciphertext range and sends the trapdoor and the ciphertext range to the ciphertext retrieval module;
the ciphertext retrieval module is used for matching according to the trapdoor and the ciphertext index to obtain a correlation value, judging whether the correlation value of the data is in a ciphertext query range, if so, sending the corresponding ciphertext to the data user, and sending the corresponding ciphertext and the data user identity to the key management module;
the key management module calculates a decryption key according to the corresponding ciphertext and the data user identity and sends the decryption key to the data user;
before the data encryption module encrypts the data according to the search request by using the global private key to generate the trapdoor and the ciphertext range and sends the trapdoor and the ciphertext range to the ciphertext retrieval module, the method further comprises the following steps:
the data encryption module generates a global private key according to data initialization sent by a data user, a ciphertext index is established for plaintext data through the global private key, and the data encryption module calls the ciphertext retrieval module to execute ciphertext uploading operation;
the key management module establishes a symmetric key hash tree and a key state hash tree according to the data set information and the data user authorization list sent by the data encryption module to generate a symmetric key set;
the data encryption module encrypts plaintext data according to the symmetric key set to generate a ciphertext, and the data encryption module calls the ciphertext retrieval module to execute ciphertext and ciphertext index uploading operation;
the key management module updates the data user authorization list information and the key state hash tree according to the identity information of the revoked data user, and recalculates the symmetric key set according to the symmetric key hash tree;
the data encryption module is also used for initializing according to the uploaded data and the data user authorization list to generate a global private key, establishing a ciphertext index for the plaintext data through the global private key, encrypting the plaintext data according to a symmetric key set to generate a ciphertext, and the symmetric key set is generated by the key management module according to the data and the data user authorization list.
2. The query method as claimed in claim 1, wherein the key management module is further configured to create a symmetric key hash tree and a key state hash tree according to the data set information and the data user authorization list sent by the data encryption module, so as to generate a symmetric key set.
3. The method as claimed in claim 1, wherein the key management module is further configured to update the data user authorization list information and the key status hash tree according to the identity information of the revoked data user, and recalculate the symmetric key set according to the symmetric key hash tree.
4. The method as claimed in claim 3, wherein the data encryption module is further configured to re-encrypt the data to generate the ciphertext according to the symmetric key set recalculated by the key management module.
CN201710543080.9A 2017-07-05 2017-07-05 Multidimensional ciphertext interval query device and method with efficient key management Active CN107294701B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710543080.9A CN107294701B (en) 2017-07-05 2017-07-05 Multidimensional ciphertext interval query device and method with efficient key management

Publications (2)

Publication Number Publication Date
CN107294701A CN107294701A (en) 2017-10-24
CN107294701B true CN107294701B (en) 2021-05-18

Family

ID=60100193

Country Status (1)

Country Link
CN (1) CN107294701B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant