CN109214201A

CN109214201A - A kind of data sharing method, terminal device and computer readable storage medium

Info

Publication number: CN109214201A
Application number: CN201811025481.6A
Authority: CN
Inventors: 王翼
Original assignee: Ping An Technology Shenzhen Co Ltd
Current assignee: Ping An Technology Shenzhen Co Ltd
Priority date: 2018-08-31
Filing date: 2018-08-31
Publication date: 2019-01-15
Anticipated expiration: 2038-08-31
Also published as: CN109214201B

Abstract

This application discloses a kind of data sharing method, terminal device and computer readable storage medium, it is applied to asymmetric encryption field, wherein data sharing method includes: acquisition clear data, and the attribute of clear data includes that operation and/or can decrypt；Clear data is encrypted according to the attribute of clear data, generate can decrypt and can operation encryption data, can operation encryption data, or the encryption data that can be decrypted；Encryption data is sent to server, so that server saves encryption data.The application encrypts clear data according to the attribute of clear data, then the encryption data obtained after clear data encryption is sent to server, so that server saves the encryption data, while so that other users can also obtain the encryption data from server, also assure the safety of data, and the data access authority of different users is limited, then this application provides a kind of efficient data sharing methods.

Description

A kind of data sharing method, terminal device and computer readable storage medium

Technical field

This application involves field of information security technology more particularly to a kind of data sharing methods, terminal device and computer Readable storage medium storing program for executing.

Background technique

Cloud computing model can provide service on demand, and access configurable computing resource sharing anywhere or anytime by network Pond, shared pool include network, storage, server, services and applications etc..But while cloud computing can reduce management at Originally, rapidly configuration provides and release resource, many users still dare not be using this calculating modes, the reason is that cloud computing is friendship It is carried out by third party, the safety of the data of cloud computing is unable to get guarantee.Cloud computing bring safety problem mainly has void Quasi-ization safety, application be safe, identity information safety and data safety etc..With popularizing for cloud computing, cloud is stored largely User sensitive information and business datum, once leaking data, may cause irreparable damage to user.

Then for the safety for guaranteeing data, user first encrypts data, then uploads the encryption to cloud again Data afterwards.Since the secret key of decryption is taken care of by user, which, can not be by other than it can be decrypted by user Other users are used, to ensure that the safety of data.

After data are encrypted, although the safety of data is ensured, encryption data can not be by other users institute It uses, then when there is other users to need using encryption data, distributes secret key, but this one by one by the owner of encryption data The method of sample is cumbersome and time consuming, so that the use of encryption data and sharing efficiency reduce.

Summary of the invention

The embodiment of the present application provides a kind of data sharing method, and the efficiency of data sharing can be improved.

In a first aspect, the embodiment of the present application provides a kind of data sharing method, which includes:

Obtain clear data, the attribute of the clear data includes that operation and/or can decrypt；

The clear data is encrypted according to the attribute of the clear data, generate can decrypt and can operation encryption Data, can operation encryption data, or the encryption data that can be decrypted；

The encryption data is sent to server, so that the server saves the encryption data.

With reference to first aspect, in the first implementation of first aspect, the attribute according to the clear data The clear data is encrypted, the encryption data that can be decrypted is generated, comprising:

It is random to generate the first secret key pair, first secret key pair if the attribute of the clear data can be decrypted described in being Including the first private spoon and the first public spoon；

The computations based on policy attribute are carried out to the clear data using the described first public spoon, can be solved described in generation Close encryption data, the policy attribute describe the decryption rule of the encryption data.

With reference to first aspect, in second of implementation of first aspect, the attribute according to the clear data The clear data is encrypted, generate can operation encryption data, comprising:

If the attribute of the clear data be it is described can operation, it is random to generate the second secret key pair, second secret key pair Including the second private spoon and the second public spoon；

Full homomorphic cryptography carried out to the clear data using the described second public spoon, described in generation can operation encryption number According to.

With reference to first aspect, in the third implementation of first aspect, the attribute according to the clear data The clear data is encrypted, generate can decrypt and can operation encryption data, comprising:

If the attribute of the clear data include it is described can operation and it is described decrypt, it is random generate the first secret key pair and Second secret key pair, first secret key pair include the first private spoon and the first public spoon, second secret key pair include the second private spoon and Second public spoon；

The computations based on policy attribute are carried out to the clear data using the described first public spoon, are obtained described The encryption data that can be decrypted；

It carries out the full homomorphic cryptography to the encryption data encrypted using the described second public spoon to calculate, described in generation Can decrypt and can operation encryption data.

The first implementation with reference to first aspect, in the 4th kind of implementation of first aspect, the generation institute After stating the encryption data that can be decrypted, further includes:

Obtain the described first private spoon；

The computations based on policy attribute are carried out to the described first private spoon, obtain private spoon ciphertext；

The private spoon ciphertext is sent to the server, so that the server saves the private spoon ciphertext.

The third implementation with reference to first aspect, in the 5th kind of implementation of first aspect, the generation institute Stating can decrypt and can be after the encryption data of operation, further includes:

Obtain the described first private spoon and the second private spoon；

The described first private spoon and the second private spoon are combined, third private spoon is obtained；

The computations based on policy attribute are carried out to the third private spoon, obtain private spoon ciphertext；

The first implementation with reference to first aspect, it is described to utilize institute in the 6th kind of implementation of first aspect It states the first public spoon and the computations based on policy attribute is carried out to the clear data, comprising:

Property set is received by display touch screen, the property set includes at least one attribute；

Attribute access control strategy is formulated according to the property set；

Obtain the first public spoon in the attribute access control strategy and first secret key pair；

The clear data is encrypted using the described first public spoon and the attribute access control strategy.

Second aspect, the embodiment of the present application provide a kind of terminal device, which includes for executing above-mentioned The unit of the data sharing method of one side, the terminal device include:

Acquiring unit, for obtaining clear data, the attribute of the clear data includes that operation and/or can decrypt；Add Close unit, for being encrypted according to the attribute of the clear data to the clear data, generating can be decrypted and can operation Encryption data, can operation encryption data, or the encryption data that can be decrypted；Transmission unit, described in being sent to server Encryption data, so that the server saves the encryption data.

In conjunction with second aspect, in the first implementation of second aspect:

The terminal device further includes generation unit, if the attribute for the clear data can be decrypted to be described, with Machine generates the first secret key pair, and first secret key pair includes the first private spoon and the first public spoon；

The encryption unit, specifically for being carried out the clear data based on policy attribute using the described first public spoon Computations, the encryption data that can be decrypted described in generation, the policy attribute describe the decryption rule of the encryption data.

In conjunction with second aspect, in second of implementation of second aspect:

The terminal device further includes generation unit, if the attribute for the clear data be it is described can operation, with Machine generates the second secret key pair, and second secret key pair includes the second private spoon and the second public spoon；

The encryption unit is specifically used for carrying out full homomorphic cryptography to the clear data using the described second public spoon, raw At it is described can operation encryption data.

In conjunction with second aspect, in the third implementation of second aspect:

The terminal device further includes generation unit, if the attribute of the clear data include it is described can operation and it is described can Decryption, then generate the first secret key pair and the second secret key pair at random, and first secret key pair includes the first private spoon and the first public spoon, institute Stating the second secret key pair includes the second private spoon and the second public spoon；

The encryption unit is specifically used for belonging to using the described first public spoon is described to clear data progress based on strategy Property computations, obtain the encryption data that can be decrypted；Using the described second public spoon to the encryption data encrypted The full homomorphic cryptography is carried out to calculate, can be decrypted described in generation and can operation encryption data.

In conjunction with the first implementation of second aspect, in the 4th kind of implementation of second aspect:

The acquiring unit is also used to obtain the described first private spoon；

The encryption unit is also used to carry out the computations based on policy attribute to the described first private spoon, obtain Private spoon ciphertext；

The transmission unit is also used to send the private spoon ciphertext to the server, so that the server saves institute State private spoon ciphertext.

In conjunction with the third implementation of second aspect, in the 5th kind of implementation of second aspect:

The acquiring unit, for obtaining the described first private spoon and the second private spoon；

The terminal device further includes assembled unit, for combining the described first private spoon and the second private spoon, obtains the Three private spoons；

The encryption unit is also used to carry out the third private spoon computations based on policy attribute, obtain Private spoon ciphertext；

In conjunction with the first implementation of second aspect, in the 6th kind of implementation of second aspect:

The terminal device further includes receiving unit, for receiving property set, the property set packet by display touch screen Containing at least one attribute；It further include formulating unit, for formulating attribute access control strategy according to the property set；

The acquiring unit is also used to obtain the first public affairs in the attribute access control strategy and first secret key pair Spoon；

The encryption unit is also used to using the described first public spoon and the attribute access control strategy to the plaintext number According to being encrypted.

The third aspect, the embodiment of the present application provide another terminal device, including processor, communication interface, input are set Standby, output equipment and memory, the processor, communication interface, input equipment, output equipment and memory are connected with each other, In, the memory is used to store the computer program for supporting terminal device to execute above-mentioned data sharing method, the computer Program includes program instruction, and the processor is configured for calling described program instruction, to execute above-mentioned first aspect extremely The data sharing method that any one of first aspect is realized.

Fourth aspect, the embodiment of the present application provide a kind of computer readable storage medium, the computer storage medium It is stored with computer program, the computer program includes program instruction, and described program instruction is when being executed by processor, to hold The above-mentioned first aspect of row to first aspect any one data sharing method realized.

The application takes clear data different computations according to the difference of the attribute of clear data, so that in plain text It can be decrypted by other users operation and/or by trusted users after data encryption, thus to the data access of different users Permission is limited, and the encryption data obtained after clear data encryption is then sent to server again, so that server is protected The encryption data is deposited, so that other users can also obtain the encryption data from server.To which the application utilizes credible the Tripartite efficiently solves the problems such as excessive terminal device load capacity, key distribution and administrative burden, and gives by data sharing The operating right of other users is also effectively limited while other users, it is ensured that data are in incomplete credible cloud environment Under safety.Therefore this application provides a kind of efficient data sharing methods.

Detailed description of the invention

Technical solution in ord to more clearly illustrate embodiments of the present application, below will be to needed in embodiment description Attached drawing is briefly described.

Fig. 1 is a kind of schematic flow diagram of data sharing method provided by the embodiments of the present application；

Fig. 2 is a kind of schematic flow diagram for data sharing method that another embodiment of the application provides；

Fig. 3 is a kind of schematic diagram of access control tree provided by the present application；

Fig. 4 is a kind of schematic block diagram of terminal device provided by the embodiments of the present application；

Fig. 5 is a kind of structural diagram of terminal device provided by the embodiments of the present application.

Specific embodiment

Below in conjunction with the attached drawing in the embodiment of the present application, technical solutions in the embodiments of the present application carries out clear, complete Site preparation description.

It should be appreciated that ought use in this specification and in the appended claims, term " includes " and "comprising" instruction Described feature, entirety, step, operation, the presence of element and/or component, but one or more of the other feature, whole is not precluded Body, step, operation, the presence or addition of element, component and/or its set.

It is also understood that mesh of the term used in this present specification merely for the sake of description specific embodiment And be not intended to limit the application.As present specification and it is used in the attached claims, unless on Other situations are hereafter clearly indicated, otherwise " one " of singular, "one" and "the" are intended to include plural form.

It will be further appreciated that the term "and/or" used in present specification and the appended claims is Refer to any combination and all possible combinations of one or more of associated item listed, and including these combinations.

As used in this specification and in the appended claims, term " if " can be according to context quilt Be construed to " when ... " or " once " or " in response to determination " or " in response to detecting ".Similarly, phrase " if it is determined that " or " if detecting [described condition or event] " can be interpreted to mean according to context " once it is determined that " or " in response to true It is fixed " or " once detecting [described condition or event] " or " in response to detecting [described condition or event] ".

In the specific implementation, terminal device described in the embodiment of the present application is including but not limited to such as with the sensitive table of touch Mobile phone, laptop computer or the tablet computer in face (for example, touch-screen display and/or touch tablet) etc it is other Portable device.It is to be further understood that in certain embodiments, equipment is not portable communication device, but has and touch The desktop computer of sensing surface (for example, touch-screen display and/or touch tablet).

In following discussion, the terminal device including display and touch sensitive surface is described.However, should manage Solution, terminal device may include that one or more of the other physical User of such as physical keyboard, mouse and/or control-rod connects Jaws equipment.

Terminal device supports various application programs, such as one of the following or multiple: drawing application program, demonstration application Program, word-processing application, website creation application program, disk imprinting application program, spreadsheet applications, game are answered With program, telephony application, videoconference application, email application, instant messaging applications, forging Application program, photo management application program, digital camera application program, digital camera application program, WWW are supported in refining (WEB, World Wide Web) viewer applications, digital music player application and/or video frequency player is answered Use program.

At least one of such as touch sensitive surface can be used in the various application programs that can be executed on the terminal device Public physical user-interface device.It can adjust and/or change among applications and/or in corresponding application programs and touch The corresponding information shown in the one or more functions and terminal device of sensing surface.In this way, the public physics of terminal device Framework (for example, touch sensitive surface) can be supported various using journey with user interface intuitive and transparent for a user Sequence.

Also need, server described in the embodiment of the present application can be traditional server, large memory system, Desktop computer, laptop, tablet computer, palm PC, smart phone, portable digital player, smartwatch and Intelligent bracelet etc., the application are without limitation.

It is that the embodiment of the present application provides a kind of schematic flow diagram of data sharing method, data as shown in the figure are total referring to Fig. 1 Enjoy method can include:

101: obtaining clear data, the attribute of clear data includes that operation and/or can decrypt.

In the embodiment of the present application, the clear data for needing to encrypt first is obtained, wherein clear data refers to not encrypting Character perhaps the concrete form such as sets of bits has such as text, bit stream, bitmap, digitized voice or digitized view Frequency image etc., and any terminal device can be bright by directly reading this in the case where clear data not being decrypted Literary data just know the content of the clear data.

It should be noted that above-mentioned clear data has been divided into three classes according to its attribute, if the attribute of above-mentioned clear data For can operation, then it represents that above-mentioned clear data in an encrypted state can be by other users operation, but cannot be used by other Family decryption；If the attribute of above-mentioned clear data is that can decrypt, then it represents that can be by can credit after the encryption of above-mentioned clear data Family decryption；If the attribute of above-mentioned clear data includes that operation and can decrypt, then it represents that above-mentioned clear data can encrypt In the state of by other users operation, and can be decrypted by trusted users.

102: according to the attribute of above-mentioned clear data above-mentioned clear data being encrypted, generating can decrypt and can operation Encryption data, can operation encryption data, or the encryption data that can be decrypted.

In the embodiment of the present application, difference is taken to above-mentioned clear data according to the difference of the attribute of above-mentioned clear data Computations, specifically, if the attribute of above-mentioned clear data be it is above-mentioned can operation, full homomorphism is carried out to above-mentioned clear data Encryption, obtain can operation encryption data；If the attribute of above-mentioned clear data be it is above-mentioned decrypt, to above-mentioned clear data into Computations of the row based on policy attribute, obtain the encryption data that can be decrypted；If the attribute of above-mentioned clear data include it is above-mentioned can Operation and it is above-mentioned decrypt, then successively above-mentioned clear data is carried out based on the computations of policy attribute and full homomorphic cryptography Calculate, obtain can decrypting and can operation encryption data.

More particularly, it can be decrypted if the attribute of above-mentioned clear data is, it is random to generate the first secret key pair, the first secret key To including the first private spoon and the first public spoon；The computations based on policy attribute are carried out to clear data using the first public spoon, it is raw At the encryption data that can be decrypted, wherein policy attribute describes the decryption rule of encryption data, and illustrating allows to encryption data The user being decrypted a variety of combinations of attributes.If the attribute of clear data be can operation, it is random to generate the second secret key pair, Second secret key pair includes the second private spoon and the second public spoon；Full homomorphic cryptography calculating is carried out to clear data using the second public spoon, it is raw At can operation encryption data.If the attribute of clear data includes that operation and can decrypt, it is random generate the first secret key pair and Second secret key pair, the first secret key pair include the first private spoon and the first public spoon, and the second secret key pair includes the second private spoon and the second public spoon； The computations based on policy attribute are carried out to clear data using the first public spoon, obtain the encryption data that can be decrypted；Utilize Two public spoons carry out full homomorphic cryptography calculating to the encryption data that can be decrypted, generate can decrypt and can operation encryption data.

It should be noted that above-mentioned secret key pair was obtained by secret key generating algorithm, wherein the public spoon in secret key pair and Private spoon is one-to-one.Public spoon and private spoon are not fixed, as soon as private spoon in two secret keys, then another is public Spoon, the secret key for being intended only as public spoon can be known by other people, and opposite, private spoon cannot be known by other people, can only be by user Oneself know.Specifically, could only be decrypted with corresponding private cipher key if encrypted with public-key cryptography to data；Such as Fruit is encrypted with private cipher key pair data, then could only be decrypted with corresponding public-key cryptography.Wherein, secret key generating algorithm Including KeyGen secret key generating algorithm etc..

If the attribute of above-mentioned clear data be it is above-mentioned can operation, full homomorphic cryptography is carried out to above-mentioned clear data.Specifically , above-mentioned full homomorphic cryptography calculates the important privacy information progress homomorphic cryptography referred to user, and key only has data institute The person of having knows that cloud service provider and other users can not all obtain, to ensure that the safety of data.Due to homomorphic cryptography The isomorphism of mode, other users can directly carry out the business datum of arithmetic operation oneself beyond the clouds, and operation result is with ciphertext Mode store beyond the clouds, to provide more convenient calculating for user, ensure that data can in the case where not being decrypted To be handled by other users, and make in the case where data are encrypted state to data handled as a result, not added in data The result handled in the state of close data is consistent.Then, user does not need to distribute secret key to other users, still Other users can also be allowed to handle data, treatment process will not reveal any clear content.And the result decompressed after handling With the result indifference reprocessed after decompression.

For example, full homomorphic cryptography is carried out to ciphertext 1 and obtains ciphertext 2, is i.e. other users can not solved in ciphertext 2 Data processing is carried out to ciphertext 2 in the case where close, the result handled is carried out by other users again after being extracted with ciphertext 2 The result of data processing is identical.

Further for example, then existing clear data A, clear data B and complete homomorphic encryption algorithm f distinguish Full homomorphic cryptography is carried out to A and B and calculates f (A)=A' and f (B)=B', obtains encryption data A' and encryption data B', except this it Outside, decryption function f can be passed through to encryption data A' and encryption data B'^-1It is calculated to be decrypted, and retrieves plaintext number According to A and clear data B.If carrying out operation A'+B'=C' to encryption data A' and encryption data B', encryption data C' is obtained, Then f will be obtained by encryption data C' being decrypted again^-1(C')=A+B, it can be seen that full homomorphism is carried out to clear data and is added It carries out processing after close calculating and directly carries out processing to clear data to be the same, but if carrying out clear data non-complete same If the computations of state Encryption Algorithm and non-homomorphic encryption algorithm, it is general that the result decrypted after operation is carried out to encryption data It is the skimble-skamble messy code of a pile.Then full homomorphic cryptography calculating is carried out to clear data, data rights and number may be implemented According to the separation of ownership, while can prevent leaking data, to allow processing of the untrusted user to data, and utilize Cloud service improves the computing capability of terminal device.

It needs, if above-mentioned homomorphic algorithm meets f (A)+f (B)=f (A+B), this kind of homomorphic algorithm meets addition Homomorphism；If above-mentioned homomorphic algorithm meets f (A) × f (B)=f (A × B), this kind of homomorphic algorithm meets multiplicative homomorphic.Then such as The above-mentioned homomorphic algorithm of fruit only meets additive homomorphism, then can only just carry out signed magnitude arithmetic(al)；Then if above-mentioned homomorphic algorithm is only full Sufficient multiplicative homomorphic then can only just carry out multiplication and division operation；If above-mentioned homomorphic algorithm meets additive homomorphism and multiplicative homomorphic simultaneously, Then it is known as full homomorphic cryptography.Data are encrypted using full homomorphic algorithm, progress is any more after can permit data encryption Kind operation (such as addition subtraction multiplication and division, polynomial evaluation, index, logarithm and trigonometric function etc.).Wherein, additive homomorphism algorithm for example has Additive homomorphism Paillier algorithm, multiplicative homomorphic algorithm for example have multiplicative homomorphic (RSA, Rivest-Shamir-Adleman) calculation Method, full homomorphic algorithm have for example full homomorphism Gentry algorithm.

It should also be noted that, full homomorphic encryption algorithm further includes secret key generating algorithm, Encryption Algorithm, decipherment algorithm and close Literary computational algorithm, wherein secret key generating algorithm is for private needed for generating public spoon and decrypting process needed for ciphering process Spoon, even cryptogram computation public affairs spoon, the secret key generating algorithm for example have KeyGen algorithm etc.；And Encryption Algorithm is used for in plain text Data are encrypted, and encryption data is obtained, and Encryption Algorithm for example has Enc algorithm；Decipherment algorithm is for solving encryption data It is close, clear data is obtained, which for example has Dec algorithm；Cryptogram computation algorithm refers to that other users can use The algorithm that cryptogram computation formula to carry out encryption data operation is stated, which for example has Evaluate algorithm, lead to Evaluate algorithm is crossed, other users can carry out the calculating of any power function to encryption data, but will not reveal again simultaneously Data.

If the attribute of above-mentioned clear data is decrypted to be above-mentioned, above-mentioned clear data added based on policy attribute Close calculating.Specifically, the computations based on policy attribute be worth be using based on policy attribute encryption technology come to above stating clearly Literary data are encrypted, and should be a kind of based on policy attribute encryption technology based on trusted third party's ciphertext policy ABE encryption technology Cloud storage secret sharing, can only be accessed by trusted users using the clear data of the encryption technology, and clear data is all Person does not need to carry out the work such as key distribution to trusted users yet, it is only necessary to for trusted users formulation access control policy tree come Model access rights.Then whenever having user to request access to encryption data, the attribute information of the user is just subjected to attribute Match, operation is decrypted in the enough secret keys of user's ability that only attribute information meets access control tree, so that encrypted plaintext It can be shared with trusted users, so that encrypted clear data can be decrypted in not all user, only Encrypted clear data could be decrypted in trusted users, it is achieved that effectively realizing access control function.

It should also be noted that, the above-mentioned attribute to user carry out matching refer to obtain encryption data based on access The access control tree of strategy, then matches the attribute of user with the attribute of leaf node, the user if successful match The secret value of leaf node can be obtained, the secret value of non-leaf nodes is then retrodicted out using the secret value of leaf node, directly To the secret value for solving root node, then the encryption data is decrypted using the secret value of the root node, so that possessing Encryption data could be decrypted in the user for meeting the attribute of the leaf node of predetermined number.Wherein, access control tree is used for Concealed encrypted key.

For example, the access control tree based on access strategy as shown in Figure 3, before constructing the access control tree first Obtain access strategy, the i.e. attribute of the trusted users of the available clear data of owner's setting section of clear data, example Such as, there are attribute 1, attribute 2, attribute 3, attribute 4, attribute 5 and attribute 6, wherein access strategy is that attribute at least meets (" attribute 1 ", " attribute 2 ", " attribute 3 " and " attribute 4 "), or (" attribute 4 " and " attribute 5 "), or (" attribute 4 " and " attribute 6 "), or The user of (" attribute 1 ", " attribute 2 ", " attribute 3 " and " attribute 5 ") (" attribute 1 ", " attribute 2 ", " attribute 3 " and " attribute 6 ") is Trusted users, in addition to this, other users do not have access authority, construct access control tree thus according to above-mentioned access strategy, As shown in figure 3,6 leaf nodes respectively indicate 6 attributes, non-leaf nodes illustrates data access, and person needs to meet the n omicronn-leaf Several child nodes can just be considered possessing access authority under child node, such as the threshold value 2/3 of non-leaf nodes illustrates that this is non- There are 3 leaf nodes under leaf node, wherein the attribute that data access person needs to meet at least two non-leaf nodes could quilt It is considered to possess access authority.Then data access person need to meet the number for the attribute at least needing to meet represented by this thresholding When, this node secret value can be decrypted.

After constructing access control tree, the secret value of each node in the access control tree is assigned.It assigns first One secret value of root node, then generates a multinomial, such as visit shown in Fig. 3 according to the threshold value of the root node at random Ask control tree, the threshold value of root node is 2/3, and in being randomly generated a multinomial, enabling the polynomial highest number is root 2 in the threshold value of node subtract 1, therefore the highest number of root node is 1, such as F (x)=5+3x, constant term 5 therein are The secret value of root node, the secret value are to need the secret number saved.In addition, the child node of root node is successively marked from left to right 1,2 and 3 are denoted as, is then brought into 1,2 and 3 in multinomial F (x) respectively, obtained value is respectively three son sections of root node The secret value of point, such as then the first left child node " 3/3 " of root node is labeled as 1, is transmitted to the secret value of " 3/3 " node Node for F (1)=5+3*1, intermediate " attribute 4 " is marked as 2, and then root node is transmitted to the secret value of the node of " attribute 4 " For F (2)=5+3*2=11, then leftmost child node " 1/2 " is marked as 3 in the child node of root node, and root node is transmitted to The secret value of " 1/2 " node is F (3)=5+3*3=14.Likewise, " 3/3 " node and " 1/2 " node are receiving father node After the value transmitted, generate random number polynomial in the manner described above, set the value that father node transmits for constant term, furthermore also according to Aforesaid way generates new secret value and it is transmitted to child node.For leaf node, after receiving the secret value of father node, Secret value is encrypted with the attribute of this leaf node, then it is above-mentioned by the attribute of the attribute of user and leaf node into Row matching refers to using the attribute of user the encryption data of the secret value is decrypted, if the attribute of user with should The attribute of leaf node is consistent, then the user can be with the encryption data of the secret value of the successful decryption leaf node, to obtain The secret value of the leaf node.

When decryption, user decrypts the secret value of the leaf node of access control tree using the attribute of oneself, Then the secret value of father node will be solved according to the secret value of the leaf node, if such as attribute 1, attribute 2 and attribute 3 it is secret Close value is respectively 19,44 and 83, then illustrating father node, there are three point, (1,19), (2,44) for transmitting the multinomial of secret value (3,83), and the polynomial constant term is the secret value of the father node, can be found out thus according to these three points multinomial The constant term of formula solves the secret value of father node, to solve the non-leaf of entire access control tree along these lines The secret value of node.

If the attribute of above-mentioned clear data include it is above-mentioned can operation and it is above-mentioned decrypt, successively to above-mentioned clear data into Computations and full homomorphic cryptography of the row based on policy attribute calculate.Specifically, above-mentioned successively carry out based on plan clear data Computations and full the homomorphic cryptography calculating of slightly attribute, which refer to, carries out above-mentioned clear data based on the encryption of policy attribute Calculation obtains the first encryption data, the first encryption data is then carried out full homomorphic cryptography again, the second encryption data is calculated, in It is to enable second encryption data for above-mentioned encryption data, to complete the entire ciphering process to above-mentioned clear data.Pass through elder generation Computations based on policy attribute are carried out to clear data afterwards and full homomorphic cryptography calculates, realizing allows any user to adding While ciphertext data carries out calculation process, attribute can also allow for meet the user of access strategy using secret key come to encryption data It is decrypted.

Further, above-mentioned to carry out the computations based on policy attribute to clear data specific: being touched by display Screen receives property set, and property set includes at least one attribute；Attribute access control strategy is formulated according to property set；Attribute is obtained to visit Ask the first public spoon in control strategy and the first secret key pair；Using the first public spoon and attribute access control strategy to clear data into Row encryption.

In the embodiment of the present application, it holds high office showing device first to receive multiple attributes of user's selection, multiple attribute is closed Connection gets up, and forms property set, and above-mentioned access control policy is constructed according to property set, then carries out to above-mentioned clear data When computations based on policy attribute, obtain the first public spoon and attribute access control strategy first, then using this One public spoon and attribute access strategy encrypt clear data.

For example, above-mentioned constructed in access control policy, such as property set according to property set includes 6 elements, That is attribute 1, attribute 2, attribute 3, attribute 4, attribute 5 and attribute 6, in property set comprising (" attribute 1 ", " attribute 2 ", " attribute 3 " and " attribute 4 "), (" attribute 4 " and " attribute 5 "), (" attribute 4 " and " attribute 6 "), (" attribute 1 ", " attribute 2 ", " attribute 3 " and " belong to Property 5 ") and (" attribute 1 ", " attribute 2 ", " attribute 3 " and " attribute 6 ") element combinations, can be constructed thus according to the property set Access control policy as shown in Figure 3.

It should be noted that the system that the first public spoon is terminal device generates at random, attribute access strategy accesses control System tree, for example, 6 leaf nodes of access control tree as shown in Figure 3 respectively indicate attribute 1, attribute 2, attribute 3, belong to Property 4, attribute 5 and attribute 6, as shown in figure 3,6 leaf nodes respectively indicate 6 attributes, non-leaf nodes illustrates that data are visited The person of asking, which needs to meet several child nodes under the non-leaf nodes, can just be considered possessing access authority, such as the door of non-leaf nodes Limit value 2/3 illustrates there are 3 leaf nodes under the non-leaf nodes, wherein data access person needs to meet at least two n omicronn-leaf The attribute of child node just can be considered as possessing access authority.Then data access person need to meet minimum need represented by this thresholding When the number for the attribute to be met, this node secret value can be decrypted.Wherein, as shown in figure 3, access strategy is attribute At least meet (" attribute 1 ", " attribute 2 ", " attribute 3 " and " attribute 4 "), or (" attribute 4 " and " attribute 5 "), or (" attribute 4 " and " attribute 6 "), or (" attribute 1 ", " attribute 2 ", " attribute 3 " and " attribute 5 ") (" attribute 1 ", " attribute 2 ", " attribute 3 " and " attribute 6 ") user is trusted users, and in addition to this, other users do not have access authority.

It should be noted that the above process apply equally to attribute be can decrypt and can operation clear data encryption Process, specifically, to attribute be can decrypt and can the clear data of operation carry out the computations based on policy attribute when, Same execute receives property set above by display touch screen；Attribute access control strategy is formulated according to property set；Obtain attribute The first public spoon in access control policy and the first secret key pair；Using the first public spoon and attribute access control strategy to clear data The process encrypted.Details are not described herein again it is above-mentioned to attribute be can decrypt and can operation clear data carry out based on strategy belong to The process of the computations of property.

Further, before receiving property set above by display touch screen, with visual on above-mentioned display touch screen The mode for changing figure shows at least one attribute；Receive display touch screen in the case where choosing operation, determination choose At least one attribute during operation is selected；Together by least one Attribute Association, above-mentioned property set is formed, then completed logical Cross the operation that display touch screen receives property set.

In the embodiment of the present application, terminal device shows multiple categories checked and selected for user on a display screen Property, then user can choose operation by click, pressing and/or sliding etc. to select the attribute for carrying out to clear data Collection, which includes at least one attribute for allowing the user of the decryption to encryption data.

As can be seen that data owner can modify and select property set, so that selection can solve encryption data Close user, the Control granularity of data can be greatly increased by then passing through the embodiment of the present application, to can carry out to encryption data The user of decryption has carried out effective control and screening, then further improves the data sharing method of the embodiment of the present application Efficiency and practicability.

103: above-mentioned encryption data is sent to server, so that server saves above-mentioned encryption data.

In the embodiment of the present application, after terminal device encrypts above-mentioned clear data, which is sent To server, so that the server saves the encryption data, then other users can directly obtain encryption on the server Data, and do not have to directly ask for the owner of data.

Further, it can be decrypted if the attribute of above-mentioned clear data is, which is carried out based on policy attribute Computations, after obtaining the encryption data that can be decrypted, obtain the above-mentioned first private spoon；First private spoon belonged to based on strategy The computations of property, obtain private spoon ciphertext；Private spoon ciphertext is sent to server, so that server saves private spoon ciphertext.

In the embodiment of the present application, it can be decrypted if the attribute of above-mentioned clear data is, illustrate that the clear data carries out The encryption data obtained after computations based on policy attribute can be decrypted by trusted users using secret key.Then If user is to successfully be decrypted the encryption data, other than user needs to meet the property policy of the encryption data, It also needs to use secret key simultaneously.Then when the attribute of above-mentioned clear data is that can decrypt, then terminal device obtains the encryption The private spoon of data, and the computations based on policy attribute are carried out to the private spoon, the private that then will be obtained after private spoon encryption Spoon ciphertext is sent to server, allows server generation to save.Then other users are first when encryption data is decrypted Private spoon ciphertext is first obtained, then the private spoon ciphertext is decrypted to obtain the private spoon of encryption data, finally recycles the private spoon right Encryption data is decrypted.

Then the embodiment of the present application carries out the encryption based on policy attribute by the private spoon of the encryption data to encryption data It calculates, to increase the decryption difficulty of above-mentioned encryption data, so that encryption data is other than itself is encrypted, for decrypting this The private spoon of encryption data also encrypts, so that the data to user are added to double insurance, so that the private spoon of encryption data can only be by The decryption of first trusted users, and encryption data can only be decrypted by the second trusted users, wherein the first trusted users can including second The quantity of credit household, the first trusted users are more than or equal to the second trusted users, thus in the embodiment of the present application, Ke Yijian The access control tree for changing encryption data, a part of attribute description that will allow to access the user of the encryption data are close in above-mentioned private spoon In the access control tree of text, such as above-mentioned ciphertext private spoon can only be accessed by Ms, and above-mentioned encryption data can only be accessed by student, in It is actually to integrate the encryption data to be accessed by schoolgirl.It then include " Ms " and " student " two compared to building For the access control tree of a attribute, two access control trees for separately including " Ms " and " student " of building are more simple, especially It is when how extremely complex the attribute of access control tree is very using method described in the embodiment of the present application, Ke Yi great The big complexity for reducing access control tree, can also data encrypting and deciphering significantly speed.

It should be noted that after sending the private spoon ciphertext of the encryption data and encryption data to server, by this plus Ciphertext data associates with the private spoon ciphertext of the encryption data, so that server is after getting the encryption data, it can To get the private spoon ciphertext of the encryption data in the server according to the encryption data.

Further, if the attribute of above-mentioned clear data be can decrypt and can operation, which is based on Full homomorphic cryptography calculating is carried out again after the computations of policy attribute, obtain can decrypting and can after the encryption data of operation, Obtain the first private spoon and the second private spoon；The private spoon of combination first and the second private spoon, obtain third private spoon；Third private spoon is based on The computations of policy attribute obtain private spoon ciphertext；Private spoon ciphertext is sent to server, so that the server saves above-mentioned private spoon Ciphertext.

In the embodiment of the present application, if the attribute of clear data be can decrypt and can operation, as long as including in clear data It can decrypt, then illustrate that the clear data successively carries out obtaining after computations and the calculating of full homomorphic cryptography based on policy attribute Encryption data can be decrypted by trusted users using secret key.If then user is to successfully carrying out the encryption data Decryption, one side user need the second private spoon can just unlock can decrypt and can operation encryption data first layer encryption, from And the encryption data that can be decrypted is obtained, on the other hand, user also meets except the property policy for the encryption data that can be decrypted, also needs To use the first secret key simultaneously.Then when the attribute of above-mentioned clear data be can decrypt and can operation when, obtaining this can solve It is close and can operation encryption data the first private spoon and the second private spoon, and the first private spoon and the second private spoon are combined, Obtain third private spoon, so that the embodiment of the present application carries out the computations based on policy attribute to the third private spoon, and by this The private spoon ciphertext obtained after three private spoon encryptions is sent to server, allows server generation to save.Then other users are to adding When ciphertext data is decrypted, private spoon ciphertext is obtained first, and then being decrypted to obtain to the private spoon ciphertext can decrypt and can The third private spoon of the encryption data of operation tears third private spoon open then according to the rule of combination of the first private spoon and the second private spoon Separate, be back-calculated to obtain the first private spoon and the second private spoon, finally recycle the second private spoon and the first private spoon successively to can decrypt and Can the encryption data of operation be decrypted, to obtain clear data, wherein the rule of combination of the first private spoon and the second private spoon has Sequence combines or combined crosswise, and sequence combination refers to for the head of the first private spoon or tail being connected with the tail of the second private spoon or head, To form a column sequence, combined crosswise is referred to the sequence crossover between the first private spoon and the second private spoon according to presetting digit capacity It combines, such as the first private spoon is divided into first a part and the one or two part, the second private spoon is divided into second a part With the two or two part, then carry out group according to first a part, second a part, the one or two part and the sequence of the two or two part It closes.

It should be noted that if the attribute of above-mentioned clear data includes to carry out when can decrypting to above-mentioned civilized data After computations based on policy attribute obtain the first encryption data, the private spoon that above-mentioned terminal device obtains is for decrypting this The private spoon of the first of first encryption data；If the attribute of above-mentioned clear data other than it can decrypt, also comprising can operation, then upper It states and carries out full homomorphic cryptography again on the basis of the first encryption data the second encryption data is calculated, then above-mentioned terminal device obtains Taking private spoon includes the first private spoon for decrypting the first encryption data, and the second private spoon for decrypting the second encryption data.

The terminal device of the embodiment of the present application is different to take clear data according to the difference of the attribute of clear data Computations, so that can be decrypted by other users operation and/or by trusted users after clear data encryption, thus to difference The data access authority of user limit, specifically, if the attribute of above-mentioned clear data be it is above-mentioned can operation, to above-mentioned Clear data carries out full homomorphic cryptography, allows other users to carry out calculation process to encryption data, but cannot be to encryption number According to being decrypted, wherein other users to encryption data carry out calculation process refer to other users the encryption data not by Under decrypted state, the operation such as specific algebraic operation can be carried out to the encryption data, retrieves and compares, and make in encryption number According to processed in an encrypted state as a result, processed result is consistent after being decrypted with encryption data；If above-mentioned plaintext number According to attribute be it is above-mentioned decrypt, then the computations based on policy attribute are carried out to above-mentioned clear data, so that attribute meets The user of access strategy is decrypted using secret key pair encryption data；If the attribute of above-mentioned clear data include it is above-mentioned can operation and It is above-mentioned to decrypt, then computations and the calculating of full homomorphic cryptography based on policy attribute successively are carried out to above-mentioned clear data, made While calculation process can be carried out to encryption data by obtaining other users, the user that can also allow for attribute to meet access strategy makes It is decrypted with secret key pair encryption data.To which the application can limit the data access authority of different users, so The encryption data obtained after clear data encryption is sent to server by terminal device afterwards, so that server saves the encryption number According to so that other users can also obtain the encryption data from server.To which the application utilizes trusted third party effectively Solve that terminal device load capacity is excessive, key distribution and the problems such as administrative burden, and by data sharing to other users Also effectively limit the operating right of other users simultaneously, it is ensured that safety of the data under incomplete credible cloud environment Property.Therefore this application provides a kind of efficient data sharing methods.

Referring to fig. 2, it is that another embodiment of the application provides a kind of schematic flow diagram of data sharing method, counts as shown in the figure According to sharing method can include:

201: obtaining clear data, the attribute of clear data includes that operation and/or can decrypt.

202: if the attribute of above-mentioned clear data is that can decrypt, random to generate the first secret key pair, the first secret key pair includes First private spoon and the first public spoon.

In embodiments of the present invention, it can be decrypted if the attribute of above-mentioned clear data is, system generates the first secret key at random Right, the first secret key pair includes the first private spoon and the first public spoon.

203: property set being received by display touch screen, property set includes at least one attribute.

In embodiments of the present invention, receive display touch screen in the case where choosing operation, determination choose operation At least one attribute in selected；Together by least one Attribute Association, above-mentioned property set is formed, then completed by aobvious Show that touch screen receives the operation of property set.

Further, before receiving property set above by display touch screen, with visual on above-mentioned display touch screen The mode for changing figure shows at least one attribute.

204: attribute access control strategy is formulated according to above-mentioned property set.

In embodiments of the present invention, since above-mentioned property set contains multiple attributes, multiple attribute is to be allowed to adding The attribute for the user that ciphertext data is decrypted then executes attribute access control strategy, the category on the basis of above-mentioned property set Property access control policy contains can be to the combinations of attributes for the different user of encryption data being decrypted.

205: obtaining the first public spoon in above-mentioned attribute access control strategy and above-mentioned first secret key pair.

206: above-mentioned clear data being encrypted using the above-mentioned first public spoon and above-mentioned attribute access control strategy, is generated The encryption data that can be decrypted.

In embodiments of the present invention, clear data is carried out using the above-mentioned first public spoon and above-mentioned attribute access control strategy Encryption generates the encryption data that can be decrypted.

For example, 6 leaf nodes of access control tree as shown in Figure 3 respectively indicate attribute 1, attribute 2, attribute 3, attribute 4, attribute 5 and attribute 6, as shown in figure 3,6 leaf nodes respectively indicate 6 attributes, non-leaf nodes illustrates number Needing to meet several child nodes under the non-leaf nodes according to visitor can just be considered possessing access authority, such as non-leaf nodes Threshold value 2/3 illustrate there are 3 leaf nodes under the non-leaf nodes, wherein data access person needs to meet at least two The attribute of non-leaf nodes just can be considered as possessing access authority.Then data access person need to meet represented by this thresholding most When the number for the attribute for needing to meet less, this node secret value can be decrypted.Wherein, as shown in figure 3, access strategy is Attribute at least meets (" attribute 1 ", " attribute 2 ", " attribute 3 " and " attribute 4 "), or (" attribute 4 " and " attribute 5 "), or (" attribute 4 " and " attribute 6 "), or (" attribute 1 ", " attribute 2 ", " attribute 3 " and " attribute 5 ") (" attribute 1 ", " attribute 2 ", " attribute 3 " and " attribute 6 ") user be trusted users, in addition to this, other users do not have access authority.

207: obtaining the above-mentioned first private spoon, and the computations based on policy attribute are carried out to the above-mentioned first private spoon, obtain Private spoon ciphertext.

In embodiments of the present invention, encryption data is obtained in addition to carrying out the Encryption Algorithm based on policy attribute to clear data Except, can also the encryption based on policy attribute be carried out to the first private spoon for the encryption data to be decrypted, then obtain Private spoon ciphertext after encryption.

208: send the above-mentioned encryption data decrypted and above-mentioned private spoon ciphertext to server so that server save this can The encryption data of decryption and the private spoon ciphertext.

In the embodiment of the present application, terminal device sends above-mentioned encryption data and private spoon ciphertext to server, so that service Device saves the encryption data and private spoon ciphertext, and then other users can directly obtain the encryption data from server and should The private spoon ciphertext of encryption data, to private spoon ciphertext be decrypted to obtain private spoon and then using the private spoon to encryption data into Row decryption.

It should also be noted that, if the attribute of above-mentioned clear data includes when can decrypt, to above-mentioned civilized data into After computations of the row based on policy attribute obtain the first encryption data, the private spoon that above-mentioned terminal device obtains is for decrypting The private spoon of the first of first encryption data；If the attribute of above-mentioned clear data other than it can decrypt, also comprising can operation, then exist Full homomorphic cryptography is carried out on the basis of above-mentioned first encryption data again, the second encryption data is calculated, then above-mentioned terminal device Obtaining private spoon includes the first private spoon for decrypting the first encryption data, and the second private for decrypting the second encryption data Spoon.

The embodiment of the present application carries out the computations based on policy attribute by the private spoon of the encryption data to encryption data, To increase the decryption difficulty of above-mentioned encryption data, so that encryption data is other than itself is encrypted, for decrypting the encryption The private spoon of data also encrypts, and is equivalent to the double insurance of data safety.Since the private spoon of encryption data and encryption data all uses Computations based on policy attribute, so that the private spoon of encryption data can only be decrypted by the first trusted users, and encrypt Data can only be decrypted by the second trusted users, wherein the first trusted users include the second trusted users, the number of the first trusted users Amount is more than or equal to the second trusted users, in the embodiment of the present application, can simplify and carry out encryption data based on plan The access control tree slightly taken in the computations of attribute, a part of attribute for the user for allowing to access the encryption data is retouched It states and private spoon ciphertext is carried out in the access control tree taken in the computations based on policy attribute above-mentioned, such as is above-mentioned close Literary private spoon can only be accessed by Ms, and above-mentioned encryption data can only be accessed by student, then integrate the actually encryption data It can only be accessed by schoolgirl.Then for compared to building comprising the access control tree of " Ms " and " student " two attributes, structure Build that the access control tree that two separately include " Ms " and " student " is more simple, especially the attribute of access control tree very Using method described in the embodiment of the present application when mostly extremely complex, the complexity of access control tree can be greatly reduced, Can also significantly high data encrypting and deciphering speed, generally speaking the application further improves the data in third party device Safety and shared efficiency.

It should be noted that tending to emphasize the difference between each embodiment to the description of each embodiment above Place, same or similar place can refer to mutually, for sake of simplicity, repeats no more herein.

The embodiment of the present application also provides a kind of terminal device, which is used to execute any one of aforementioned data sharing The unit of method.It specifically, referring to fig. 4, is a kind of schematic block diagram of terminal device provided by the embodiments of the present application.The present embodiment Terminal device include: acquiring unit 410, encryption unit 420 and transmission unit 430.

Acquiring unit 410, for obtaining clear data, the attribute of clear data includes that operation and/or can decrypt；Encryption Unit 420, for being encrypted according to the attribute of clear data to clear data, generate can decrypt and can operation encryption number According to, can operation encryption data, or the encryption data that can be decrypted；Transmission unit 430, for sending encryption number to server According to so that server saves encryption data.

Further, above-mentioned terminal device further includes generation unit 440, if the attribute for clear data is that can decrypt, The first secret key pair is then generated at random, and the first secret key pair includes the first private spoon and the first public spoon；Above-mentioned encryption unit 420, it is specific to use In carrying out the computations based on policy attribute to clear data using the first public spoon, the encryption data that can be decrypted, strategy are generated The decryption rule of attribute description encryption data.

Further, above-mentioned terminal device further includes generation unit 440, if for clear data attribute be can operation, The second secret key pair is then generated at random, and the second secret key pair includes the second private spoon and the second public spoon；Above-mentioned encryption unit 420, it is specific to use In carrying out full homomorphic cryptography to clear data using the second public spoon, generate can operation encryption data.

Further, above-mentioned terminal device further includes generation unit 440, if the attribute of clear data includes can operation and can Decryption then generates the first secret key pair and the second secret key pair at random, and the first secret key pair includes the first private spoon and the first public spoon, and second is close Spoon is to including the second private spoon and the second public spoon；Above-mentioned encryption unit 420 is specifically used for carrying out clear data using the first public spoon Computations based on policy attribute obtain the encryption data that can be decrypted；Using the second public spoon to the encryption data that can be encrypted into The full homomorphic cryptography of row calculates, generate can decrypt and can operation encryption data.

Further, above-mentioned acquiring unit 410 is also used to obtain the first private spoon；Above-mentioned encryption unit 420, is also used to pair First private spoon carries out the computations based on policy attribute, obtains private spoon ciphertext；Above-mentioned transmission unit 430, is also used to service Device sends private spoon ciphertext, so that server saves private spoon ciphertext.

Further, above-mentioned acquiring unit 410, for obtaining the first private spoon and the second private spoon；Above-mentioned terminal device also wraps Assembled unit 450 is included, for combining the first private spoon and the second private spoon, obtains third private spoon；Above-mentioned encryption unit 420, is also used to Computations based on policy attribute are carried out to third private spoon, obtain private spoon ciphertext；Above-mentioned transmission unit 430, is also used to clothes Business device sends private spoon ciphertext, so that server saves private spoon ciphertext.

Further, above-mentioned terminal device further includes receiving unit 460, for receiving property set by display touch screen, Property set includes at least one attribute；It further include formulating unit 470, for formulating attribute access control strategy according to property set； Above-mentioned acquiring unit 410 is also used to obtain the first public spoon in attribute access control strategy and the first secret key pair；Above-mentioned encryption list Member 420 is also used to encrypt clear data using the first public spoon and attribute access control strategy.

The embodiment of the present application determines whether the clear data allows to be transported by other terminal devices according to the attribute of clear data It calculates and/or whether allows to be decrypted by other terminal devices, then encryption unit is using different encryption methods come to different attribute Clear data encrypted, the encryption data that encrypting plaintext data obtain is sent to third-party service again by transmission unit Device, so that third-party server saves the encryption data, so that other terminal devices can also be from third-party server Then middle acquisition encryption data carries out operation or decryption etc. to different encryption datas.To which the embodiment of the present application utilizes Trusted third party efficiently solves that terminal device load capacity is excessive, key distribution and the problems such as administrative burden, and by data The operating right of other users is also effectively limited while sharing to other users, ensure that data in incomplete credible cloud Safety under environment.Therefore this application provides a kind of efficient data sharing methods.

It is a kind of terminal device schematic block diagram that another embodiment of the application provides referring to Fig. 5.This implementation as shown in the figure Terminal device in example may include: one or more processors 510, communication interface 520, input equipment 530, output equipment 540 and memory 550.Above-mentioned processor 510, communication interface 520 and memory 550 are connected by bus 560.Communication interface 520 carry out data interaction for terminal device and other terminal devices, and memory 550 is for storing computer program, computer Program includes program instruction, and processor 510 is used to execute the program instruction of the storage of memory 550.

Processor 510, for executing the function of acquiring unit 410, for obtaining clear data, the attribute packet of clear data Including operation and/or can decrypt；It is also used to execute the function of encryption unit 420, for the attribute according to clear data in plain text Data are encrypted, generate can decrypt and can operation encryption data, can operation encryption data, or the encryption number that can be decrypted According to.

Communication interface 520, for executing the function of transmission unit 430, for sending encryption data to server, so that clothes Business device saves encryption data.

Further, processor 510 is also used to execute the function of generation unit 440, if the attribute for clear data is It can decrypt, then generate the first secret key pair at random, the first secret key pair includes the first private spoon and the first public spoon；Also particularly useful for utilizing the One public spoon carries out the computations based on policy attribute to clear data, generates the encryption data that can be decrypted, policy attribute description The decryption rule of encryption data.

Further, processor 510 is also used to execute the function of generation unit 440, if the attribute for clear data is Can operation, then generate the second secret key pair at random, the second secret key pair includes the second private spoon and the second public spoon；Also particularly useful for utilizing the Two public spoons carry out full homomorphic cryptography to clear data, generate can operation encryption data.

Further, processor 510 is also used to execute the function of generation unit 440, if the attribute of clear data includes can It operation and can decrypt, then generate the first secret key pair and the second secret key pair at random, the first secret key pair includes that the first private spoon and first are public Spoon, the second secret key pair include the second private spoon and the second public spoon；Clear data is based on also particularly useful for using the first public spoon The computations of policy attribute obtain the encryption data that can be decrypted；The encryption data that can be encrypted is carried out using the second public spoon complete Homomorphic cryptography calculate, generate can decrypt and can operation encryption data.

Further, processor 510 is also used to obtain the first private spoon；It is also used to carry out based on policy attribute the first private spoon Computations, obtain private spoon ciphertext；

Correspondingly, communication interface 520, is also used to send private spoon ciphertext to server, so that server saves private spoon ciphertext.

Further, processor 510 are also used to obtain the first private spoon and the second private spoon；It is also used to execute assembled unit 450 Function obtain third private spoon for combining the first private spoon and the second private spoon；It is also used to carry out third private spoon to belong to based on strategy The computations of property, obtain private spoon ciphertext.

Further, above-mentioned terminal device further includes that input equipment 530 is used for for executing the function of receiving unit 460 Property set is received by display touch screen, property set includes at least one attribute.

Correspondingly, processor 520 is also used to execute the function of formulating unit 470, visited for formulating attribute according to property set Ask control strategy；It is also used to obtain the first public spoon in attribute access control strategy and the first secret key pair；It is also used to utilize first Public spoon and attribute access control strategy encrypt clear data.

It should be appreciated that in the embodiment of the present application, alleged processor 510 can be central processing unit (Central Processing Unit, CPU), which can also be other general processors, digital signal processor (Digital Signal Processor, DSP), specific integrated circuit (Application Specific Integrated Circuit, ASIC), ready-made programmable gate array (Field-Programmable Gate Array, FPGA) or other programmable logic Device, discrete gate or transistor logic, discrete hardware components etc..General processor can be microprocessor or this at Reason device is also possible to any conventional processor etc..

The memory 550 may include read-only memory and random access memory, and to processor 510 provide instruction and Data.The a part of of memory 550 can also include nonvolatile RAM.For example, memory 550 can also be deposited Store up the information of device type.

In the specific implementation, the application reality can be performed in processor 510 and communication interface 520 described in the embodiment of the present application Implementation described in the first embodiment and second embodiment of the data sharing method of example offer is provided, this Shen also can be performed Please terminal device described in embodiment implementation, details are not described herein.

A kind of computer readable storage medium is provided in another embodiment of the application, computer readable storage medium is deposited Computer program is contained, computer program includes program instruction, and program instruction is executed by processor.

Computer readable storage medium can be the internal storage unit of the terminal device of aforementioned any embodiment, such as eventually The hard disk or memory of end equipment.Computer readable storage medium is also possible to the External memory equipment of terminal device, such as terminal The plug-in type hard disk being equipped in equipment, intelligent memory card (Smart Media Card, SMC), secure digital (Secure Digital, SD) card, flash card (Flash Card) etc..Further, computer readable storage medium can also both include eventually The internal storage unit of end equipment also includes External memory equipment.Computer readable storage medium for store computer program with And other programs and data needed for terminal device.Computer readable storage medium can be also used for temporarily storing and export Or the data that will be exported.

Those of ordinary skill in the art may be aware that list described in conjunction with the examples disclosed in the embodiments of the present disclosure Member and algorithm steps, can be realized with electronic hardware, computer software, or a combination of the two, in order to clearly demonstrate hardware With the interchangeability of software, each exemplary composition and step are generally described according to function in the above description.This A little functions are implemented in hardware or software actually, the specific application and design constraint depending on technical solution.Specially Industry technical staff can realize described function to each specific application using different data sharing method, but this Kind is realized it is not considered that exceeding scope of the present application.

It is apparent to those skilled in the art that for convenience of description and succinctly, the end of foregoing description The specific work process of end equipment and unit, can be with reference to the corresponding process in aforementioned data sharing method embodiment, herein not It repeats again.

In several embodiments provided herein, it should be understood that disclosed terminal device and data sharing side Method may be implemented in other ways.For example, the apparatus embodiments described above are merely exemplary, for example, unit Division, only a kind of logical function partition, there may be another division manner in actual implementation, such as multiple units or group Part can be combined or can be integrated into another system, or some features can be ignored or not executed.In addition, it is shown or The mutual coupling, direct-coupling or communication connection discussed can be through some interfaces, the indirect coupling of device or unit It closes or communicates to connect, be also possible to electricity, mechanical or other forms connections.

Unit may or may not be physically separated as illustrated by the separation member, shown as a unit Component may or may not be physical unit, it can and it is in one place, or may be distributed over multiple networks On unit.It can select some or all of unit therein according to the actual needs to realize the mesh of the embodiment of the present application scheme 's.

It, can also be in addition, each functional unit in each embodiment of the application can integrate in one processing unit It is that each unit physically exists alone, is also possible to two or more units and is integrated in one unit.It is above-mentioned integrated Unit both can take the form of hardware realization, can also realize in the form of software functional units.

It, can if integrated unit is realized in the form of SFU software functional unit and when sold or used as an independent product To be stored in a computer readable storage medium.Based on this understanding, the technical solution of the application substantially or Say that all or part of the part that contributes to existing technology or the technical solution can embody in the form of software products Out, which is stored in a storage medium, including some instructions are used so that a computer equipment (can be personal computer, server or the network equipment etc.) executes the complete of each embodiment data sharing method of the application Portion or part steps.And storage medium above-mentioned includes: USB flash disk, mobile hard disk, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), magnetic or disk etc. are various can store journey The medium of sequence code.

Claims

1. a kind of data sharing method characterized by comprising

The clear data is encrypted according to the attribute of the clear data, generate can decrypt and can operation encryption number According to, can operation encryption data, or the encryption data that can be decrypted；

2. data sharing method according to claim 1, which is characterized in that the attribute pair according to the clear data The clear data is encrypted, and the encryption data that can be decrypted is generated, comprising:

Random to generate the first secret key pair if the attribute of the clear data can be decrypted described in being, first secret key pair includes First private spoon and the first public spoon；

The computations based on policy attribute are carried out to the clear data using the described first public spoon, can be decrypted described in generation Encryption data, the policy attribute describe the decryption rule of the encryption data.

3. data sharing method according to claim 1, which is characterized in that the attribute pair according to the clear data The clear data is encrypted, generate can operation encryption data, comprising:

If the attribute of the clear data be it is described can operation, random to generate the second secret key pair, second secret key pair includes Second private spoon and the second public spoon；

Full homomorphic cryptography calculating carried out to the clear data using the described second public spoon, described in generation can operation encryption number According to.

4. data sharing method according to claim 1, which is characterized in that the attribute pair according to the clear data The clear data is encrypted, generate can decrypt and can operation encryption data, comprising:

If the attribute of the clear data include it is described can operation and it is described decrypt, it is random to generate the first secret key pair and second Secret key pair, first secret key pair include the first private spoon and the first public spoon, and second secret key pair includes the second private spoon and second Public spoon；

Using the described first public spoon the computations based on policy attribute are carried out to the clear data, obtains described to decrypt Encryption data；

Full homomorphic cryptography calculating is carried out to the encryption data decrypted using the described second public spoon, can be decrypted described in generation and Can operation encryption data.

5. data sharing method according to claim 2, which is characterized in that the encryption data that can be decrypted described in the generation Later, further includes:

Obtain the described first private spoon；

6. data sharing method according to claim 4, which is characterized in that can decrypt described in the generation and can operation After encryption data, further includes:

Obtain the described first private spoon and the second private spoon；

7. data sharing method according to claim 2, which is characterized in that it is described using the described first public spoon to being stated clearly Literary data carry out the computations based on policy attribute, comprising:

8. a kind of terminal device, which is characterized in that including for executing such as method as claimed in any one of claims 1 to 7 Unit.

9. a kind of terminal device, which is characterized in that including processor, communication interface, input equipment, output equipment and memory, The processor, communication interface, input equipment, output equipment and memory are connected with each other, wherein the communication interface be used for Other terminal devices carry out data interaction, and for the memory for storing computer program, the computer program includes program Instruction, the processor is configured for calling described program instruction, to execute such as the described in any item numbers of claim 1-7 According to sharing method.

10. a kind of computer readable storage medium, which is characterized in that the computer storage medium is stored with computer program, The computer program includes program instruction, and described program instruction makes the processor execute such as right when being executed by a processor It is required that the described in any item data sharing methods of 1-7.