CN108632030B - CP-ABE-based fine-grained access control method - Google Patents
- Publication number: CN108632030B (application CN201810241576.5A)
- Authority: CN (China)
- Prior art keywords: ciphertext, user, decryption, algorithm, data
- Prior art date
- Legal status: Active (the legal status is an assumption and is not a legal conclusion)
Classifications
All classifications fall under H—ELECTRICITY / H04—ELECTRIC COMMUNICATION TECHNIQUE / H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION:
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
  - H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    - H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
      - H04L9/085—Secret sharing or secret splitting, e.g. threshold schemes
      - H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
        - H04L9/083—Key transport or distribution involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
    - H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
    - H04L9/0891—Revocation or update of secret information, e.g. encryption key update or rekeying
- H04L63/00—Network architectures or network communication protocols for network security
  - H04L63/04—for providing a confidential data exchange among entities communicating through data packet networks
    - H04L63/0428—wherein the data content is protected, e.g. by encrypting or encapsulating the payload
  - H04L63/06—for supporting key management in a packet data network
  - H04L63/10—for controlling access to devices or network resources
  - H04L63/20—for managing network security; network security policies in general
- H04L67/00—Network arrangements or protocols for supporting network services or applications
  - H04L67/01—Protocols
    - H04L67/06—Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Storage Device Security (AREA)
Abstract
The invention discloses an efficient and secure CP-ABE-based fine-grained access control method for secure data storage and fine-grained access control in a cloud environment. Its characteristics are: an outsourcing strategy reduces the consumption of local computation and communication resources; access structure updating and user attribute revocation are supported in the ciphertext state; throughout the operation of the scheme the data remain in a blinded state with respect to the server, so that data security is protected while the server's computing resources are used; and data ownership is made explicit, preventing hidden operations by the server.
Description
Technical Field
The invention relates to the field of data access control in a cloud environment, in particular to a fine-grained access control method based on CP-ABE.
Background
Currently, data has become the most valuable asset for individuals and enterprises; data assets and the ability to manage them will determine success or failure in enterprise competition and are key to individual development. However, in big data and cloud computing environments, when personal data is stored remotely, the user cannot determine where the stored data will be used or by whom; data owners lose absolute control over their data, especially sensitive data, and problems of privacy disclosure and data ownership arise.
The user needs to establish clear data ownership, to be able to determine where the data goes, and to enforce a fine-grained access control policy on the data. Research shows that ciphertext-policy attribute-based encryption (CP-ABE), proposed in recent years, realizes fine-grained access control on data by letting the data owner formulate the access control policy, so that data ownership can be well defined; CP-ABE encrypts once for all parties instead of encrypting separately for each party, only users whose attribute set satisfies the access control structure can access the data, and the scheme is richly expressive and can enforce fine-grained access control on the encrypted data.
However, CP-ABE has the following problems: during operation the server can steal user data; the access control policy is difficult to update; attribute revocation is difficult; and local encryption and decryption consume a large amount of computing and communication resources, so that CP-ABE is difficult to run effectively on small micro devices and mobile devices.
Disclosure of Invention
The invention aims to overcome the defects of the prior art and provide a fine-grained access control method based on CP-ABE.
In order to solve the problems, the technical scheme provided by the invention is as follows:
A CP-ABE-based fine-grained access control method comprises the following steps:
S1. System initialization and parameter generation: the trusted center TA runs the Setup(k) algorithm to initialize the system and generate its parameters; the algorithm takes a security parameter k as input and generates a system public key Pk and a master key Mk;
S2. Private key generation: the trusted center TA runs the KeyGen(Pk, Mk, A) algorithm and generates a private key Sk for the user according to the user's attribute set A;
S3. Data encryption: the trusted center TA runs the Encrypt(Pk, M, T) algorithm, which encrypts the plaintext M according to the access control policy T formulated by the user and generates a ciphertext CT carrying the access control policy;
S4. Re-encryption key generation: the data owner DO runs the ReKeyGen(Pk, T1, Sk) algorithm; when the access control policy formulated by the user is updated, a ciphertext re-encryption key Rk is generated for the user from the user's private key;
S5. Ciphertext re-encryption: the decryption service DS runs the ReEncrypt(Pk, CT, Rk) algorithm; when the access control policy formulated by the user is updated, the ciphertext is updated in the ciphertext state to produce a re-encrypted ciphertext CT1;
S6. Private key division: the data requester DR runs the KeyDiv(Pk, Sk) algorithm to split the user's private key into a ciphertext conversion key SRk and a local decryption key Tk;
S7. Data decryption: the decryption service DS runs the Decrypt(Pk, CT, Sk) algorithm, which checks whether the user's private key satisfies the access control policy set by the user when the data were encrypted and decrypts the data for the user, outputting the plaintext M if the private key satisfies the policy and null otherwise;
S8. Attribute revocation: the AttrRevoke(CT, Sk) algorithm is run to update the ciphertext and the users' private keys; when an attribute revocation is issued, users without the revoked attribute can update their private keys directly, while a user whose attribute is revoked must request the trusted center TA to update the private key.
In the present invention, the system comprises:
User layer: includes the data owner and the data requester. The data owner, i.e. the provider of the data file, defines the access control policy of the data when uploading the data file and is responsible for maintaining the data; for the data requester, the server determines whether the requester's private key has decryption authority and hence whether the data file can be used by the data requester.
Computing layer: includes the encryption service and the decryption service and has the greater computing power. The encryption service provides the encryption function for data and receives encryption requests from the data owner; the decryption service provides the data decryption function and receives requests from data requesters.
Storage layer: provides the storage service, has the larger storage capacity, and receives storage requests from the encryption service and access requests from the decryption service.
Trusted center: performs system initialization and generates the system parameters. Its connection with the user layer is bidirectional: it provides the public system parameters to the user layer and generates a private key for each user according to the user's attribute set. Its connection with the computing layer is one-way: it only provides the public system parameters to the computing layer.
In the present invention, the initialization algorithm Setup(k) is run by the trusted center TA to perform system initialization and parameter generation. The algorithm takes a security parameter k as input and outputs a system master key Mk and public key Pk; it configures the environment in which the system operates and generates the security parameters.
The private key generation algorithm KeyGen(Pk, Mk, A) is run by the trusted center TA to generate an attribute private key for the user. It takes a user attribute set A as input and outputs an attribute private key Sk bound to that attribute set; the algorithm generates a unique private key for each legitimate user.
The encryption algorithm Encrypt(Pk, M, T) is run by the encryption service ES to encrypt the plaintext. It takes the public key Pk, the access structure T formulated by the DO and the plaintext M as input and outputs a ciphertext CT carrying the access control policy; the algorithm keeps the data blinded with respect to the server while using the server's computing resources for encryption.
The re-encryption key generation algorithm ReKeyGen(Pk, T1, Sk) is run by the data owner DO. It takes the public key Pk, the new access control structure T1 and the user's current private key as input and outputs the key Rk used for ciphertext re-encryption.
The re-encryption algorithm ReEncrypt(Pk, CT, Rk) is run by the decryption service DS. It takes the re-encryption key Rk, the public key Pk and the original ciphertext CT as input and outputs a re-encrypted ciphertext CT1. When the access structure is updated, the ciphertext encrypted under the access structure T can be converted directly into a ciphertext encrypted under the new access control structure T1.
The private key division algorithm KeyDiv(Pk, Sk) is executed by the user. It takes the public key Pk and the user's private key Sk as input and outputs a ciphertext conversion key SRk and a local decryption key Tk derived from Sk; splitting the private key ensures that the server cannot obtain the user's private key.
The decryption algorithm Decrypt(Pk, CT, Sk) is run by the decryption service DS to decrypt the ciphertext. It takes the public key Pk, the ciphertext CT and the user's private key Sk as input; if the private key satisfies the ciphertext's access control structure it outputs the plaintext M, otherwise it outputs null. During decryption the algorithm uses the server's computing resources while still keeping the data blinded with respect to the server.
The attribute revocation algorithm AttrRevoke(CT, Sk) updates the ciphertext and the user's private key when an attribute revocation occurs. It takes a ciphertext CT and a user private key as input and outputs the updated ciphertext and private key {CT', Sk'}; updating the system promptly when an attribute is revoked keeps the data secure.
Further, step S1 specifically includes:
S11. System initialization: select cyclic groups of prime order $p$ with generators $g_1, g_2$, set up a bilinear map $e$, and select a hash function;
S12. Parameter generation: the trusted center TA runs the Setup(k) algorithm, which randomly selects two security parameters $\alpha, \beta \in \mathbb{Z}_p$, where $\mathbb{Z}_p$ is the integer group of order $p$, and generates the system public key and master key parameters;
the master key $MK = (\beta, g_1^{\alpha})$ is retained by the trusted center TA.
Further, step S2 specifically includes:
the trusted center TA runs the KeyGen(Pk, Mk, A) algorithm, which randomly selects $r \in \mathbb{Z}_p$; let the attribute set of the user be $A$, and for each attribute $i \in A$ randomly select $r_i \in \mathbb{Z}_p$; the private key Sk is then generated.
Further, step S3 specifically includes:
S31. The trusted center TA runs the Encrypt(Pk, M, T) algorithm; the data owner DO formulates the access structure $T = T_{DO} + T_{ES}$ in the form of an access tree, where $T_{DO}$ is the access structure controlled independently by the user and $T_{ES}$ is the access control policy handled by the server; $L_{DO}$ and $L_{ES}$ denote the leaf node sets of $T_{DO}$ and $T_{ES}$, and $L_T$ denotes the leaf node set of the access tree $T$. Shamir secret sharing is used during encryption: for any node $x$ in the access tree, its shared secret is $q_x(0)$.
S32. The data owner DO randomly selects a first-order polynomial $q(x)$ and computes $s = q(0)$, $s_1 = q(1)$ and $s_2 = q(2)$;
S33. The encryption service ES receives $s_1$ and $T_{ES}$ from the data owner DO and computes $CT_{ES}$ with $s_1$ as the shared secret;
S34. The data owner DO computes $CT_{DO}$ with $s_2$ as the shared secret, and for the plaintext $M$ and $s = q(0)$ computes $C = M \cdot e(g_1, g_2)^{\alpha s}$ and $C' = h^s$;
S35. The encryption service ES receives the information $\{CT_{DO}, C, C'\}$ sent by the data owner DO, combines it with $CT_{ES}$ and computes the ciphertext CT;
S36. The encryption service ES sends CT to the storage service, which stores the ciphertext in a database.
Further, step S4 specifically includes:
S41. The data owner DO runs the ReKeyGen(Pk, T1, Sk) algorithm; the DO randomly selects $\theta \in \mathbb{Z}_p$ and updates the private key;
S43. The DO combines the two parts of information to compute the re-encryption key Rk.
Further, step S5 specifically includes:
S51. The decryption service DS runs the ReEncrypt(Pk, CT, Rk) algorithm, recursively decrypting the original ciphertext and computing the value of each leaf node,
where $y$ is a leaf node in the access tree;
S52. Recursively decrypt the non-leaf nodes $x$ in the access tree, computing:
for the root node $r$, $A = F_r = e(g_1, g_2)^{rs}$;
S55. Compute the re-encrypted ciphertext CT1;
S56. The user DO uploads the re-encrypted ciphertext CT1 to the decryption service, which forwards CT1 to the storage service; it is stored on the storage server and the original ciphertext is replaced by the re-encrypted ciphertext.
Further, step S6 specifically includes:
S61. The data requester DR runs the KeyDiv(Pk, Sk) algorithm; the DR randomly selects $t \in \mathbb{Z}_p$ and, combining it with its private key, computes $K' = g_1^{t(\alpha + r)/\beta}$;
S63. The DR computes and stores the local decryption key $Tk = t$.
Further, step S7 specifically includes:
S701. The decryption service DS runs the Decrypt(Pk, CT, SK) algorithm and performs recursive decryption on the ciphertext.
Further, step S7 further includes:
when the ciphertext is the original ciphertext, the decryption process is as follows:
S711. In this case $A = F_r = e(g_1, g_2)^{rs}$;
S712. Compute:
$B = e(C', K') = e(h^s, g_1^{t(\alpha + r)/\beta}) = e(g_2^{\beta s}, g_1^{t(\alpha + r)/\beta}) = e(g_1, g_2)^{t(\alpha + r)s}$;
S713. The data requester DR receives the information
$\{A, B, C\} = \{e(g_1, g_2)^{rs},\ e(g_1, g_2)^{t(\alpha + r)s},\ M \cdot e(g_1, g_2)^{\alpha s}\}$;
S714. The DR uses $Tk = t$ for local decryption and computes $B' = B^{1/Tk} = e(g_1, g_2)^{(\alpha + r)s}$;
S715. The DR performs the final decryption to obtain the plaintext $M$.
When the ciphertext is the ciphertext with the updated access structure, the decryption process is as follows:
S721. In this case $A = F_r = e(g_1, g_2)^{r\lambda}$;
S722. Compute the value $B$:
S723. The data requester DR receives the information;
S724. The DR uses $Tk = t$ for local decryption and computes $B' = B^{1/Tk} = e(g_1, g_2)^{(\alpha + r)\lambda}$;
S725. The DR requests the decryption of $C' = h^s$ from the trusted center, and $NewC = C'^{1/\beta} = (h^s)^{1/\beta} = g_2^s$ is computed;
S726. The DR performs the final decryption to obtain the plaintext $M$.
Further, in step S8, when an attribute revocation is issued, the AttrRevoke(CT, Sk) algorithm is executed as follows:
S81. The trusted center TA randomly selects $r \in \mathbb{Z}_p$;
S83. The users without the revoked attribute receive the value $r$ from the trusted center and update their private keys;
S84. A user with the revoked attribute does not receive the value $r$ from the trusted center and must request the trusted center to update the private key; the trusted center recomputes the user's private key, where $S'$ is the user's updated attribute set.
Compared with the prior art, the beneficial effects are: the CP-ABE-based fine-grained access control method provided by the invention effectively solves the problems of user data leakage to the server, difficulty in updating the access control policy and difficulty in attribute revocation; at the same time it addresses the heavy consumption of computing and communication resources in local encryption and decryption, which otherwise makes the scheme hard to run on small micro devices and mobile devices; it realizes fine-grained access control on the data, establishes data ownership so as to protect the legitimate rights and interests of users, and is both secure and efficient.
Drawings
FIG. 1 is a schematic diagram of the method of the present invention.
FIG. 2 is a diagram of a system model according to the present invention.
Fig. 3 is a diagram of an access control scheme of the present invention.
FIG. 4 is a flow chart of parameter generation according to the present invention.
FIG. 5 is a flow chart of the private key generation of the present invention.
FIG. 6 is a flow chart of data encryption generation according to the present invention.
Fig. 7 is a flowchart illustrating ciphertext access structure update according to the present invention.
FIG. 8 is a flowchart illustrating file decryption according to the present invention.
Fig. 9 is a flow chart of attribute revocation in accordance with the present invention.
Detailed Description
As shown in Fig. 1 to Fig. 3, a CP-ABE-based fine-grained access control method includes the following steps:
step 1: system initialization and parameter generation
This step mainly configures the operating environment of the system and generates the key parameters required while the system runs. Following the parameter generation flow chart of Fig. 4, the trusted center TA starts the system and runs the Setup(k) algorithm: it selects cyclic groups of prime order $p$ with generators $g_1, g_2$, sets up a bilinear map $e$, and selects a hash function; the algorithm then randomly selects two security parameters $\alpha, \beta \in \mathbb{Z}_p$ and outputs the system public key and master key;
the master key $MK = (\beta, g_1^{\alpha})$ is retained by the TA;
Step 2: private key generation
The TA runs the KeyGen(Pk, Mk, A) algorithm to generate a private key for the user and passes it to the user over a secure channel. Following the private key generation flow chart of Fig. 5, the algorithm randomly selects $r \in \mathbb{Z}_p$; let the attribute set of the user be $A$, and for each attribute $i \in A$ randomly select $r_i \in \mathbb{Z}_p$; the private key Sk is generated and transmitted back to the user over the secure channel, where
and step 3: file encryption
An Encrypt (Pk, M, T) encryption algorithm is operated in the file encryption process, and the main purpose is to keep the blinding state of data to a server while utilizing the computing power of the server so as to ensure the data ownership. The algorithm adopts a public key Pk, an access structure T and plaintext information M formulated by a data owner as input, and outputs a ciphertext CT related to the access structure T.
In the encryption process, in combination with the access tree of fig. 3 and the data encryption flowchart of fig. 6, the DO may set the access control structure T ═ T in the form of the access treeDO+TESTo reduce the amount of local computation, usually TDOHaving a part of the attributes, where T is selectedDOHaving only one attribute and being provided with LDOAnd LESRepresents TDOAnd TESSet of leaf nodes of, LTRepresenting a leaf node set of the access tree T, adopting a sharer secret sharing scheme, and aiming at any node x, q in the access treex(0) A secret value shared by node x. The algorithm mainly performs the following operations:
S31. The DO randomly selects a first-order polynomial $q(x)$ and computes $s = q(0)$, $s_1 = q(1)$, $s_2 = q(2)$;
S32. The DO sends $s_1$ and $T_{ES}$ to the encryption service ES;
S33. After receiving $s_1$ and $T_{ES}$, the ES computes $CT_{ES}$ with $s_1$ as the shared secret:
S34. The user DO computes $CT_{DO}$ with $s_2$ as the shared secret;
S35. Additionally, on the user side, for the plaintext $M$ compute $C = M \cdot e(g_1, g_2)^{\alpha s}$, and for the shared secret $s = q(0)$ compute $C' = h^s$;
S36. The user DO sends $\{CT_{DO}, C, C'\}$ to the ES;
S37. After receiving $\{CT_{DO}, C, C', V\}$, the ES combines the pieces of information to generate the ciphertext CT:
S38. The ES sends CT to the storage service, which stores the ciphertext in a database.
Step 4: Updating the ciphertext access structure: computing the re-encryption key Rk and re-encrypting the ciphertext to generate the re-encrypted ciphertext CT1
In practical applications of ciphertext-policy attribute-based encryption, the access control policy formulated by the DO changes frequently. Two solutions are commonly used, updating at the agent and updating at the user, but updating at the agent always exposes the data to the agent, while updating at the user consumes a great deal of the user's computing resources and requires the user to be online in real time. The invention provides a ciphertext access structure update algorithm that combines the advantages of both: the data owner only needs to compute a re-encryption key RK, and the agent can use this key to convert a ciphertext encrypted under one access structure T into a re-encrypted ciphertext under another, new access control structure T1.
In conjunction with the ciphertext access structure update flow chart of Fig. 7, the DO first runs ReKeyGen(Pk, T1, Sk) to compute the re-encryption key Rk; the algorithm consists of private key conversion and re-encryption key computation.
1. Private key conversion:
Randomly select $\theta \in \mathbb{Z}_p$, combine it with the DO's private key, update the value of $K$, and generate the conversion private key $SK'$ for the DO:
2. Re-encryption key computation:
Combine the hidden private key $SK'$ with the re-set encryption key; the re-encryption key RK is then:
3. Ciphertext re-encryption
The ES runs the ReEncrypt(Pk, CT, Rk) algorithm to convert the ciphertext encrypted under the access structure T into a ciphertext encrypted under the new access control structure T1. For the original ciphertext:
the ciphertext re-encryption proceeds as follows:
1) The agent recursively decrypts the access tree:
a. decryption of the leaf nodes of the access tree:
b. decryption of the non-leaf nodes of the access tree:
c. by the recursion, for the root node $r$ of the access tree: $A = F_r = e(g_1, g_2)^{rs}$.
2) Compute $B = e(C', K') = e(h^s, g_1^{(\alpha + r - \theta)/\beta}) = e(g_1, g_2)^{(\alpha + r - \theta)s}$;
3) Send $A$ and $B$ back to the user, who performs the following operations:
a. the user computes $B/A = e(g_1, g_2)^{(\alpha + r - \theta)s} / e(g_1, g_2)^{rs} = e(g_1, g_2)^{(\alpha - \theta)s}$;
b. combining this with the value $C$ of the original ciphertext, which carries the plaintext, compute $NewC = M \cdot e(g_1, g_2)^{\alpha s} / e(g_1, g_2)^{(\alpha - \theta)s} = M \cdot e(g_1, g_2)^{\theta s}$.
4) Compute the re-encrypted ciphertext CT1:
compared with the original ciphertext, the re-encrypted ciphertext CT1 adds one more item $E = g_1^{\theta} e(g_1, g_2)^{\alpha\lambda}$, and the ciphertext is updated as follows:
5) The user uploads the re-encrypted ciphertext CT1 to the decryption service, which forwards CT1 to the storage service, where it is stored on the storage server and the original ciphertext is replaced by the re-encrypted ciphertext.
Step 5: Data decryption
The Decrypt(Pk, CT, SK) algorithm is run in the data decryption process; its main purpose is to keep the data blinded with respect to the server while using the server's computing power, so as to preserve data ownership. Following the data decryption flow chart of Fig. 8, the algorithm takes the public key Pk, the ciphertext CT and the user's private key Sk as input and outputs the plaintext when the access requirement is met. The decryption process consists of three sub-processes: private key division, ciphertext conversion and local decryption.
1) Private key division: the purpose of private key division is mainly to keep the data secure by hiding the private key of the data requester DR from the decryption service. In this process the user executes the KeyDiv(Pk, Sk) algorithm, which takes the DR's private key Sk and the system public key Pk as input and outputs a key SRk for ciphertext conversion and a key Tk for local decryption. Specifically:
the user randomly selects $t \in \mathbb{Z}_p$, combines it with the user's private key, computes $D = g^{t(\alpha + r)/\beta}$, and generates the ciphertext conversion key SRk and the local decryption key Tk, where:
2) Ciphertext conversion: the purpose of ciphertext conversion is to perform the initial decryption of the ciphertext using the server's computing resources. After receiving the decryption request and the ciphertext conversion key SRk, the DS first requests the ciphertext to be decrypted from the storage service; on receiving the request, the storage service sends the requested ciphertext CT back to the DS. The ciphertext may be the original ciphertext CT:
or the ciphertext CT1 with the updated access structure:
During decryption the DS first checks whether the attribute set matches the access structure of the ciphertext. If the attribute set does not satisfy the access structure, the ciphertext conversion outputs null; if it does, the initial decryption of the ciphertext begins. Let $L_T$ denote the leaf node set of the access tree $T$; the specific process is as follows:
a. Partial decryption of leaf nodes: for any $y \in L_T$, the DS computes $F_y$ from the received information:
b. Partial decryption of a non-leaf node $x$: let $S_x$ be an arbitrary $k_x$-sized set of child nodes $z$ of $x$. The algorithm first decrypts $F_z$ for all child nodes $z$ of $x$; the node can then be partially decrypted by the Lagrange interpolation formula below, with $i = \mathrm{index}(z)$, $S'_x = \{\mathrm{index}(z) : z \in S_x\}$ and $\Delta$ the Lagrange coefficient, giving $F_x$:
c. Decryption of the root node: from the above, with $r$ the root node of $T$, the recursive computation over each leaf node $y \in L_{DO} \cup L_{ES}$ and the non-leaf nodes yields:
the values of $A$ for the two classes of ciphertext: $A_1 = e(g_1, g_2)^{rs}$ and $A_2 = e(g_1, g_2)^{r\lambda}$;
d. For the two kinds of ciphertext, the value of $B$ is computed from $K'$ in the public key and $C'$ in the ciphertext as follows:
$B_1 = e(C', K') = e(h^s, g_1^{t(\alpha + r)/\beta}) = e(g_2^{\beta s}, g_1^{t(\alpha + r)/\beta}) = e(g_1, g_2)^{t(\alpha + r)s}$
$B_2 = e(C', K') = e(h^{\lambda}, g_1^{t(\alpha + r)/\beta}) = e(g_2^{\beta \lambda}, g_1^{t(\alpha + r)/\beta}) = e(g_1, g_2)^{t(\alpha + r)\lambda}$
The DS sends the data back to the data requester DR; for the two types of ciphertext the data sent are as follows:
for the original ciphertext: $\{A_1, B_1, C\} = \{e(g_1, g_2)^{rs},\ e(g_1, g_2)^{t(\alpha + r)s},\ M \cdot e(g_1, g_2)^{\alpha s}\}$;
for the ciphertext with the updated access structure:
$\{A_2, B_2, C, E, C'\} = \{e(g_1, g_2)^{r\lambda},\ e(g_1, g_2)^{t(\alpha + r)\lambda},\ M \cdot e(g_1, g_2)^{\theta s},\ g_1^{\theta} e(g_1, g_2)^{\alpha\lambda},\ h^s\}$.
3) Local decryption:
In this process the local decryption key Tk and the ciphertext conversion data returned by the DS are taken as input, and the data plaintext corresponding to the ciphertext is output. The algorithm is divided into local decryption of an original ciphertext and local decryption of a ciphertext whose access structure has been updated. During decryption, the number of data tuples returned by the DS is checked first to determine the type of the returned data, and the corresponding decryption is then carried out.
a. Local decryption of an original ciphertext: here the data the DR receives from the DS is $\{A_1, B_1, C\}$. The local decryption key Tk = t is first applied to B1, and finally the data is decrypted to obtain the data plaintext M:
b. Local decryption of the ciphertext after the access structure is updated: here the data the user receives from the DS is $\{A_2, B_2, C, E, C'\}$. The local decryption key Tk = t is first applied to B2,
then the corresponding value is solved for. The user then requests the trusted center to decrypt $C' = h^{s}$; the trusted center TA computes $\mathrm{NewC} = C'^{1/\beta} = (h^{s})^{1/\beta} = g_2^{s}$ and returns it to the user, who finally performs the final ciphertext decryption to obtain the data plaintext M:
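The following is an added worked example, not code from the patent, of the conversion-plus-local-decryption split described above for an original ciphertext: the DS computes B with only the blinded key K' = g1^{t(α+r)/β}, and the DR removes the blinding with Tk = t. The pairing is modelled symbolically (elements of G1/G2 are kept as their exponents and e(g1^a, g2^b) is evaluated as e(g1,g2)^{ab} in a toy target group of prime order P inside Z_Q*), so it reproduces the exponent algebra of the formulas but is not a secure implementation. The access-tree recursion is assumed to have succeeded, so A = e(g1,g2)^{rs} is taken as given, and the final unblinding step M = C·A/B' is my own reading of the listed values, not a formula reproduced from the page.

```python
# Added example (not the patent's own code): outsourced decryption of an
# ORIGINAL ciphertext, modelled in the target group only.
#   - G1/G2 elements are stored as their exponents (so no real pairing exists;
#     exponents are in the clear, this only checks the algebra).
#   - e(g1,g2) is replaced by GT, a generator of the order-P subgroup of Z_Q^*.
#   - A = e(g1,g2)^{rs} is assumed to come from a successful access-tree walk.
#   - M = C * A / B' is an assumption derived from the listed values.
import secrets

P = 101              # constructed prime: order of the toy target group (exponents mod P)
Q = 607              # constructed prime with Q - 1 = 6 * P
GT = pow(2, 6, Q)    # generator of the order-P subgroup, standing in for e(g1, g2)


def gt(exp):
    """e(g1,g2)^exp in the toy target group."""
    return pow(GT, exp % P, Q)


def pair(a, b):
    """Bilinearity e(g1^a, g2^b) = e(g1,g2)^{ab}; G1/G2 elements are their exponents."""
    return gt(a * b)


def keydiv(alpha, r, beta, t):
    """KeyDiv: DR keeps Tk = t, DS gets the exponent of K' = g1^{t(alpha+r)/beta}."""
    return t * (alpha + r) * pow(beta, -1, P) % P


def encrypt(M, alpha, beta, s):
    """C = M * e(g1,g2)^{alpha s};  C' = h^s = g2^{beta s}, kept as the exponent beta*s."""
    return {"C": M * gt(alpha * s) % Q, "C'": beta * s % P}


def ds_convert(ct, A, K_prime):
    """Ciphertext conversion at the DS: B = e(C', K') = e(g1,g2)^{t(alpha+r)s}.
    The DS returns {A, B, C}; it never learns t, so B stays blinded for it."""
    return {"A": A, "B": pair(ct["C'"], K_prime), "C": ct["C"]}


def local_decrypt(data, Tk):
    """B' = B^{1/t} = e(g1,g2)^{(alpha+r)s}; then C*A/B' = M because
    M e^{alpha s} * e^{r s} / e^{(alpha+r)s} = M  (assumed unblinding step)."""
    B_prime = pow(data["B"], pow(Tk, -1, P), Q)
    return data["C"] * data["A"] * pow(B_prime, -1, Q) % Q


def demo():
    """One full run with constructed random parameters; returns (M, recovered M)."""
    rnd = lambda: 1 + secrets.randbelow(P - 1)          # non-zero elements of Z_p
    alpha, beta, r, s, t = (rnd() for _ in range(5))
    M = gt(rnd())                                         # plaintext encoded as a G_T element
    ct = encrypt(M, alpha, beta, s)
    A = gt(r * s)                                         # assumed output of the access-tree recursion
    data = ds_convert(ct, A, keydiv(alpha, r, beta, t))
    return M, local_decrypt(data, t)
```

The point the model makes visible is that everything the DS holds (K', the ciphertext, A and B) carries the factor t in the exponent of B, so only the party holding Tk = t can strip it; the DR's own work is a single exponentiation and a division in the target group, which matches the tiny "Local decryption" time in Table 2.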
Step 6: Attribute revocation
During system operation, attribute changes inevitably occur, and attribute revocation is involved. With reference to the attribute revocation flow chart of Fig. 9, when a user in the system has an attribute revoked, the trusted center randomly selects $r \in Z_p$ and sends the r value together with the update requirement to the users whose attributes are not revoked and to the encryption service ES, so that the ciphertext and the users' private keys can be updated.
1) When the encryption service ES receives the ciphertext update requirement and the r value sent by the trusted center, the ES updates the ciphertext.
The updated ciphertext is calculated as:
2) The users whose attributes are not revoked update their private keys: when such a user receives the update requirement and the r value sent by the trusted center, the user updates its private key. The updated private key is calculated as:
3) The user whose attribute is revoked updates the private key:
The user whose attribute is revoked has not received the private key update instruction and the r value, and the ciphertext has by now been updated, so that user cannot decrypt the ciphertext to obtain the data plaintext; the data can only be decrypted once that user's private key has been updated. The user therefore needs to send a private key request to the trusted center again. When the trusted center receives the request, it takes the user's attribute set to now be A', and computes the user's private key as
Finally, the method provided by the invention is subjected to a security analysis and to running-time statistics.
Security analysis
In the present invention, the access control structure T is decomposed as $T = T_{DO} + T_{ES}$, where $T_{DO}$ contains fewer attributes, which effectively reduces computation and communication complexity. According to $T_{DO}$ a first-order polynomial q(x) is chosen at random, and s = q(0), s1 = q(1) and s2 = q(2) are set. During encryption the ES can only obtain $(T_{ES}, s_1)$; for any given first-order polynomial, knowing only s1 leaves the secret component s unrecoverable, by the security of the threshold secret sharing scheme.
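The following is an added example, not code from the patent, of the two ingredients this analysis and the ciphertext-conversion step rely on: the first-order sharing s = q(0), s1 = q(1), s2 = q(2) over Z_p, and the Lagrange coefficient Δ_{i,S}(0) with which shares (or, at the DS, their images e(g1,g2)^{q(i)}) are recombined at a threshold node. It also checks the security claim exhaustively: every s in Z_p is consistent with a given s1. The primes p = 101 and the toy target group inside Z_607* are constructed values chosen so the exhaustive check runs instantly; they are not pairing-group parameters.

```python
# Added example (not the patent's own code): degree-1 threshold sharing over Z_p,
# Lagrange recombination both on scalars and "in the exponent" (as the DS does at
# an access-tree node), and an exhaustive check that one share reveals nothing
# about s. All parameters are constructed toy values.
import secrets

P = 101                 # constructed prime: all share arithmetic is in Z_p
Q = 607                 # constructed prime with Q - 1 = 6 * P
GT = pow(2, 6, Q)       # generator of the order-P subgroup of Z_Q^*, standing in for e(g1, g2)


def lagrange_coeff_at_zero(i, S, p=P):
    """Delta_{i,S}(0) = prod_{j in S, j != i} (0 - j) / (i - j)   (mod p)."""
    num, den = 1, 1
    for j in S:
        if j != i:
            num = num * (-j) % p
            den = den * (i - j) % p
    return num * pow(den, -1, p) % p


def share_degree1(s, p=P):
    """Random q(x) = s + a1*x over Z_p with q(0) = s; returns {1: q(1), 2: q(2)}.
    In the scheme q(1) goes to the ES and q(2) stays with the DO."""
    a1 = secrets.randbelow(p)
    return {x: (s + a1 * x) % p for x in (1, 2)}


def reconstruct(shares, p=P):
    """q(0) = sum_i q(i) * Delta_{i,S}(0) over the share indices S (threshold 2)."""
    S = list(shares)
    return sum(shares[i] * lagrange_coeff_at_zero(i, S, p) for i in S) % p


def combine_in_exponent(F, p=P, q=Q):
    """Node-level recombination as performed by the DS: given F_i = e(g1,g2)^{q(i)}
    for i in S, return prod_i F_i^{Delta_{i,S}(0)} = e(g1,g2)^{q(0)} without ever
    seeing the shares q(i) themselves."""
    S = list(F)
    out = 1
    for i in S:
        out = out * pow(F[i], lagrange_coeff_at_zero(i, S, p), q) % q
    return out


def candidates_given_s1(s1, p=P):
    """All s in Z_p for which some degree-1 q has q(1) = s1. Every s qualifies
    (take a1 = s1 - s), which is exactly why s1 alone tells the ES nothing."""
    return {(s1 - a1) % p for a1 in range(p)}


def demo():
    """Share a random s, recombine it both ways, and confirm the hiding property."""
    s = secrets.randbelow(P)
    shares = share_degree1(s)
    F = {i: pow(GT, shares[i], Q) for i in shares}        # e(g1,g2)^{q(i)}
    ok_scalar = reconstruct(shares) == s
    ok_exponent = combine_in_exponent(F) == pow(GT, s, Q)
    ok_hiding = candidates_given_s1(shares[1]) == set(range(P))
    return ok_scalar and ok_exponent and ok_hiding
```

For a 2-of-2 split with indices {1, 2} the coefficients are Δ_1 = 2 and Δ_2 = p − 1, so q(0) = 2·q(1) − q(2); the exhaustive check is what makes the "theoretically secure" statement above concrete: with only s1, the a1 that maps s1 back to each candidate s always exists, so the posterior on s is uniform.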
For the security of the algorithm: the ES, the DS and the SS are untrusted and may acquire corresponding information while executing their computation tasks according to the algorithm. Assuming that ES, DS and SS carry out a collusion attack, the information each of them can acquire is analysed as follows:
$MK = (\beta, g^{\alpha})$ is retained by the TA;
As can be seen from the above table, the ES does not know the random number s used to hide the plaintext M, so the ciphertext is blinded for the ES; the ES also does not know the access control structure set by the user and cannot attempt a decryption. For the DS, a random number t is embedded in the blinded private key; since t is an exponent of the generator g, recovering the user's private key is equivalent to solving the discrete logarithm problem (DLP), i.e. the user's private key is also blinded for the DS. The servers therefore cannot obtain the data content, the privacy of the data is protected, and the algorithm is secure.
Running time statistics
The experiment was run on a virtual machine with Ubuntu 14.04 LTS, 3.8 GB of memory, an i5-4210M @ 2.6 GHz × 4 and a 16.8 GB hard disk.
The attribute set is set to {'ONE', 'TWO', 'tree'}, the access structure to ((ONE AND tree) AND (TWO OR FOUR)), the plaintext is chosen at random, and the updated access structure is (ONE AND (TWO OR FOUR)); the above algorithms were run and the running-time statistics are as follows.
TABLE 2 Running time of each algorithm
Algorithm | SetUp | KeyGen | Encryption | ReKeyGen | ReEncryption | KeyDiv | Ciphertext transformation | Local decryption
---|---|---|---|---|---|---|---|---
Time (s) | 0.03875 | 0.04463 | 0.05158 | 0.05514 | 0.05521 | 0.00140 | 0.04292 | 0.00175
It should be understood that the above-described embodiments of the present invention are merely examples for clearly illustrating the invention and are not intended to limit its embodiments. Other variations and modifications will be apparent to persons skilled in the art in light of the above description; the embodiments given are neither required nor exhaustive. Any modification, equivalent replacement or improvement made within the spirit and principle of the present invention falls within the protection scope of the claims.
Claims (8)
1. A CP-ABE-based fine-grained access control method, characterized by comprising the following steps:
S1, system initialization and parameter generation: the trusted center TA runs the Setup(K) algorithm to initialize the system and generate parameters; the algorithm takes a security parameter K as input and generates a system public key Pk and a master key Mk;
S2, private key generation: the trusted center TA runs the KeyGen(Pk, Mk, A) algorithm and generates a private key Sk for the user according to the user's attribute set A;
S3, data encryption: the trusted center TA runs the Encrypt(Pk, M, T) algorithm, encrypts the data M according to the access control policy T formulated by the user, and generates a ciphertext CT carrying the access control policy;
S4, re-encryption key generation: the data owner DO runs the ReKeyGen(Pk, T1, Sk) algorithm; when the access control policy formulated by the user is updated, a ciphertext re-encryption key Rk is generated for the user according to the user's private key. This specifically comprises the following steps:
S41, the data owner DO runs the ReKeyGen(Pk, T1, Sk) algorithm, where T1 is the new access control structure; the DO randomly selects $\theta \in Z_p$ and updates the private key to
S43, the DO combines the two parts of information to compute the re-encryption key RK:
S5, ciphertext re-encryption: the decryption service DS runs the ReEncrypt(Pk, CT, Rk) algorithm; when the access control policy formulated by the user is updated, the ciphertext is updated in the ciphertext state to generate a re-encrypted ciphertext CT1. This specifically comprises the following steps:
S51, the decryption service DS runs the ReEncrypt(Pk, CT, Rk) algorithm, performs recursive decryption on the original ciphertext, and computes:
where y is a leaf node of the access tree;
S52, recursive decryption is performed on the non-leaf nodes x of the access tree, computing:
for the root node r, $A = F_r = e(g_1,g_2)^{rs}$;
S53, computing:
S54, the data owner DO receives the information {A, B} sent by the DS and computes NewC:
S55, computing the re-encrypted ciphertext CT1:
S56, the user uploads the re-encrypted ciphertext CT1 to the decryption service, which further uploads CT1 to the storage service; the ciphertext is stored in the storage server and the original ciphertext is replaced by the re-encrypted ciphertext;
S6, private key division: the data requester DR runs the KeyDiv(Pk, Sk) algorithm to divide the user's private key, generating a ciphertext conversion key SRk and a local decryption key Tk;
S7, data decryption: the decryption service DS runs the decryption algorithm with input (Pk, CT, Sk), judges whether the user's private key satisfies the access control policy formulated by the user when the data was encrypted, and decrypts the data for the user; if the private key satisfies the access control policy it outputs the plaintext M, otherwise it outputs ⊥;
S8, attribute revocation: the AttRevoke(CT, Sk) algorithm is run to update the ciphertext and the users' private keys; when attribute revocation occurs, users without revoked attributes can update their private keys directly, while a user with a revoked attribute must request the trusted center TA to update the private key.
2. The CP-ABE-based fine-grained access control method according to claim 1, wherein step S1 specifically comprises:
S11, system initialization: cyclic groups are selected whose order is a prime p, with generators $g_1, g_2$; a hash function is selected, which essentially simulates a random oracle; and a bilinear map is set
S12, parameter generation: the trusted center TA runs the Setup(k) algorithm, which randomly selects two security parameters $\alpha, \beta \in Z_p$, where $Z_p$ is the integer group of order p; the system generates the public key and master key parameters,
the master key $MK = (\beta, g_1^{\alpha})$ being retained by the trusted center TA,
3. The CP-ABE-based fine-grained access control method according to claim 2, wherein step S2 specifically comprises:
the trusted center TA runs the KeyGen(Pk, Mk, A) algorithm, which randomly selects $r \in Z_p$; let the user's attribute set be A, and for each attribute $i \in A$ randomly select $r_i \in Z_p$; the private key Sk is then generated as
4. The CP-ABE-based fine-grained access control method according to claim 3, wherein step S3 specifically comprises:
S31, the trusted center TA runs the Encrypt(Pk, M, T) algorithm, and the data owner DO formulates the access structure T in the form of an access tree as $T = T_{DO} + T_{ES}$, where $T_{DO}$ is the access structure controlled independently by the user, $T_{ES}$ is the access control policy handled by the server, $L_{DO}$ and $L_{ES}$ denote the leaf node sets of $T_{DO}$ and $T_{ES}$, and $L_T$ denotes the leaf node set of the access tree T;
S32, the data owner DO randomly selects a first-order polynomial q(x) and computes s = q(0), s1 = q(1) and s2 = q(2);
S33, the encryption service ES receives s1 and $T_{ES}$ sent by the data owner DO; with s1 as the shared secret, the secret share of any node x in the access tree is $q_x(0)$, and the ES computes
S34, the data owner DO takes s2 as the shared secret to compute its part and, for the plaintext M and s = q(0), computes $C = M\,e(g_1,g_2)^{\alpha s}$ and $C' = h^{s}$;
S35, the encryption service ES receives the information $(CT_{DO}, C, C')$ sent by the data owner DO, combines it with $CT_{ES}$ and computes the ciphertext:
S36, the encryption service ES sends CT to the storage service, which stores the ciphertext information in a database.
5. The CP-ABE-based fine-grained access control method according to claim 4, wherein step S6 specifically comprises:
S61, the data requester DR runs the KeyDiv(Pk, Sk) algorithm; the DR randomly selects $t \in Z_p$ and, combined with its private key, computes $K' = g_1^{t(\alpha+r)/\beta}$;
S63, the DR computes and stores the local decryption key Tk = t.
6. The CP-ABE-based fine-grained access control method according to claim 5, wherein step S7 specifically comprises:
S701, the decryption service DS runs the decryption algorithm with input (Pk, CT, SK), performs recursive decryption on the ciphertext, and computes:
S702, recursive decryption is performed on the non-leaf nodes x of the access tree, computing:
7. The CP-ABE-based fine-grained access control method according to claim 6, wherein step S7 further comprises:
when the ciphertext is the original ciphertext, the decryption process is as follows:
S711, in this case $A = F_r = e(g_1,g_2)^{rs}$;
S712, computing $B = e(C', K') = e(h^{s}, g_1^{t(\alpha+r)/\beta}) = e(g_2^{\beta s}, g_1^{t(\alpha+r)/\beta}) = e(g_1,g_2)^{t(\alpha+r)s}$;
S713, the data requester DR receives the information
$\{A, B, C\} = \{e(g_1,g_2)^{rs},\ e(g_1,g_2)^{t(\alpha+r)s},\ M\,e(g_1,g_2)^{\alpha s}\}$;
S714, the DR uses Tk = t for local decryption and computes $B' = B^{1/Tk} = e(g_1,g_2)^{(\alpha+r)s}$;
S715, the DR performs the final decryption to obtain the data plaintext M:
when the ciphertext is the ciphertext with the updated access structure, the decryption process is as follows:
S721, in this case $A = F_r = e(g_1,g_2)^{r\lambda}$;
S722, computing $B = e(C', K') = e(h^{\lambda}, g_1^{t(\alpha+r)/\beta}) = e(g_2^{\beta\lambda}, g_1^{t(\alpha+r)/\beta}) = e(g_1,g_2)^{t(\alpha+r)\lambda}$;
S723, the data requester DR receives the information
$\{A, B, C, E, C'\} =$
$\{e(g_1,g_2)^{r\lambda},\ e(g_1,g_2)^{t(\alpha+r)\lambda},\ M\,e(g_1,g_2)^{\theta s},\ g_1^{\theta}\,e(g_1,g_2)^{\alpha\lambda},\ h^{s}\}$;
S724, the DR uses Tk = t for local decryption and computes $B' = B^{1/Tk} = e(g_1,g_2)^{(\alpha+r)\lambda}$;
S725, the DR requests the trusted center to decrypt $C' = h^{s}$, which computes $\mathrm{NewC} = C'^{1/\beta} = (h^{s})^{1/\beta} = g_2^{s}$;
S726, the DR performs the final decryption to obtain the data plaintext M:
8. The CP-ABE-based fine-grained access control method according to claim 7, wherein in step S8, when attribute revocation is issued, the AttrRevoke(CT, Sk) algorithm is executed, and its execution comprises:
S81, the trusted center TA randomly selects $r \in Z_p$;
S83, the users without revoked attributes receive the r value from the trusted center and update their private keys
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810241576.5A CN108632030B (en) | 2018-03-22 | 2018-03-22 | CP-ABE-based fine-grained access control method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108632030A CN108632030A (en) | 2018-10-09 |
CN108632030B true CN108632030B (en) | 2020-11-27 |
Family
ID=63696287
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
TR01 | Transfer of patent right |
Effective date of registration: 20220829 Address after: 510665 No. 235, Gaotang Road, Tianhe District, Guangzhou City, Guangdong Province (Location: Room 307) (Cannot be used as a workshop) (Office only) Patentee after: Guangdong Wuyi Information Technology Co.,Ltd. Address before: 510275 No. 135 West Xingang Road, Guangzhou, Guangdong, Haizhuqu District Patentee before: SUN YAT-SEN University |