CN109981614B - Data encryption method, data decryption method, data query method and data query device based on user group - Google Patents


Info

Publication number: CN109981614B
Authority: CN (China)
Prior art keywords: user, ciphertext, group, public key, sender
Legal status: Active
Application number: CN201910183443.1A
Other languages: Chinese (zh)
Other versions: CN109981614A
Inventors: 马莎, 凌云浩, 董家辉, 黄琼, 李西明
Current assignee: South China Agricultural University
Original assignee: South China Agricultural University
Events: application filed by South China Agricultural University; priority to CN201910183443.1A; publication of CN109981614A; application granted; publication of CN109981614B; legal status active

Classifications

All under H (Electricity) / H04 (Electric communication technique) / H04L (Transmission of digital information, e.g. telegraphic communication):

    • H04L 12/185 Arrangements for providing special services to substations for broadcast or conference, e.g. multicast, with management of multicast group membership
    • H04L 63/0428 Network security protocols for providing a confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • H04L 9/0833 Key transport or distribution involving a central third party, e.g. key distribution center [KDC] or trusted third party [TTP], involving a conference or group key
    • H04L 9/0869 Generation of secret information, including derivation or calculation of cryptographic keys or passwords, involving random numbers or seeds
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network

Abstract

The invention discloses a data encryption method, a data decryption method, a data query method, a data encryption device, a data decryption device, a data query device and a ciphertext database query system based on user groups. The ciphertext database query system comprises a cloud server and at least one user group; each user group comprises a first user and at least two second users, the first user being the group manager and the second users being group members, and in each user group the client of the first user and the clients of the second users are each connected to the cloud server. The client of each second user comprises a data encryption device and a data decryption device; the cloud server comprises a data query device. The invention has a group mechanism that restricts the cloud server to comparing ciphertexts only among group members; in addition, it effectively resists offline message recovery attacks, markedly improves security, and can be interfaced with most current encryption systems.

Description

Data encryption method, data decryption method, data query method and data query device based on user group
Technical Field
The invention relates to a data encryption method, a data decryption method, a data query method and a data query device based on a user group, and belongs to the field of data security.
Background
The development of cloud computing has popularized cloud database servers, and companies and individuals have become accustomed to storing data on the cloud server side to reduce the overhead of local storage and maintenance. However, cloud servers still protect user privacy and data inadequately, so news of user information leakage is frequently seen.
Cryptographic techniques for protecting data privacy under cloud computing have received attention, but once data is encrypted and stored in the cloud database as ciphertext, data management becomes inconvenient. When a traditional database management system is applied in a cloud computing environment, the user's data is stored in the database as ciphertext. If the user wants to query the data, either all of the ciphertext is downloaded locally and then decrypted, which incurs huge network and computation overhead and is very inefficient, or the secret key is sent to the cloud server and the data is decrypted and queried there, so that the cloud server obtains the user's plaintext and the user's information is exposed to a security risk. Patent literature CN104468535A (published 2015-03-25) provides a system and method for ciphertext query and ciphertext join query suitable for a cloud environment. In that method, bilinear map operations and modular exponentiation allow equality tests on the plaintexts protected by the ciphertexts without leaking plaintext information, balancing data protection and data management well. However, during database queries the authorized trapdoors for the ciphertext join query must be obtained; with multiple join queries, managing many authorized trapdoors burdens the cloud server, and once the server holds the authorized trapdoors of multiple users it can freely query those users' data tables for any information of interest, without any restriction by the users. In other words, multiple users cannot restrict the server to querying only among their own ciphertexts.
For example, users A and B authorize the server to query their ciphertexts and send trapdoor A and trapdoor B to the server, respectively, and users C and D likewise authorize the server and send trapdoor C and trapdoor D. The server can now compare the ciphertexts of A and B and the ciphertexts of C and D, but it can also do something the users did not expect, such as comparing the ciphertexts of A and C using trapdoor A and trapdoor C. Thus, once the server obtains the authorization trapdoor for an attribute column or a tuple, it can keep using that trapdoor for comparisons with other data, which may leak user privacy. In addition, the way ciphertexts are generated under a public key system is public, and the cloud server has access to the users' ciphertexts. Given a ciphertext C (whose plaintext is M), the cloud server can generate a ciphertext C' for any guessed message M' at will and then use the ciphertext comparison function to test whether C equals C'. Therefore, when the message space is small, the cloud server can mount an offline message recovery attack by traversing the plaintexts in the message space, finding an M' such that M' = M and thereby recovering the plaintext M hidden in the ciphertext C.
Disclosure of Invention
In view of the above, the present invention provides a data encryption method, a data decryption method, a data query method, a data encryption device, a data decryption device, a data query device and a ciphertext database query system based on user groups. The invention has a group mechanism that restricts the cloud server to comparing ciphertexts only among group members; in addition, it effectively resists offline message recovery attacks, markedly improves security, and can be interfaced with most current encryption systems.
The first purpose of the invention is to provide a data encryption method based on a user group.
The second purpose of the invention is to provide a data decryption method based on the user group.
The third purpose of the invention is to provide a data query method based on the user group.
A fourth object of the present invention is to provide a data encryption apparatus based on a user group.
A fifth object of the present invention is to provide a data decryption apparatus based on a user group.
A sixth object of the present invention is to provide a data query apparatus based on a user group.
The seventh purpose of the invention is to provide a ciphertext database query system based on a user group.
The first purpose of the invention can be achieved by adopting the following technical scheme:
a data encryption method based on user groups, wherein there is at least one user group, each user group comprises a first user and at least two second users, the first user is the group manager, the second users are group members, and each second user has its own user public key; the method comprises the following steps:
in each user group, the client of a second user sends that user's user public key to the client of the first user, so that the client of the first user generates a group public key for the second user from the group public key and the second user's user public key, and returns the second user's group public key to the client of the second user;
in each user group, when the client of a second user acts as the sender's client, it generates a random number, obtains the user public key of the receiver (another second user), generates a ciphertext from the receiver's user public key, the sender's group public key, the sender's user private key, the sender's plaintext and the random number, and transmits the ciphertext to the cloud server, which stores it in the ciphertext database.
Further, the generating a ciphertext according to the public key of the receiver, the group public key of the sender, the user private key of the sender, the plaintext of the sender, and the random number specifically includes:
Let $i$ be the sender and $j$ the receiver. Using the receiver's user public key $pk_j = g^{x_j}$, the sender $i$'s group public key $gpk_i = g^{x_i s}$ and the sender $i$'s user private key $sk_i = x_i$, the logic operation component, the modular exponentiation component and the hash component are called to generate the ciphertext as follows:
$C_{i,j,1} = g^{x_i s r_1},\quad C_{i,j,2} = M^{x_i r_1},\quad C_{i,j,3} = g^{r_2},\quad C_{i,j,4} = H(C_{i,j,1} \,\|\, C_{i,j,2} \,\|\, C_{i,j,3} \,\|\, g^{x_j r_2}) \oplus (M \,\|\, r_1)$
where $H(\cdot)$ is a hash function, $g$ is the system generator, and $r_1$ and $r_2$ are random numbers.
The second purpose of the invention can be achieved by adopting the following technical scheme:
a data decryption method based on user groups, wherein there is at least one user group, each user group comprises a first user and at least two second users, the first user is the group manager, the second users are group members, and each second user has its own user public key; the method comprises the following steps:
in each user group, the client of a second user sends that user's user public key to the client of the first user, so that the client of the first user generates a group public key for the second user from the group public key and the second user's user public key, and returns the second user's group public key to the client of the second user;
in each user group, when the client of a second user acts as the receiver's client, it acquires the ciphertext queried from the cloud server's ciphertext database, acquires the sender's group public key and user public key (the sender being another second user), obtains the sender's plaintext from the sender's group public key, the sender's user public key and the receiver's user private key, judges whether the ciphertext satisfies a preset condition, and if so outputs the plaintext.
Further, the obtaining of the plaintext of the sender according to the group public key of the sender, the user public key of the sender, and the user private key of the receiver specifically includes:
Let $i$ be the sender and $j$ the receiver. Using the sender $i$'s group public key $gpk_i = g^{x_i s}$, the sender $i$'s user public key $pk_i = g^{x_i}$ and the receiver $j$'s user private key $sk_j = x_j$, the logic operation component and the hash component are called to compute the sender's plaintext according to the following formula:
$M \,\|\, r_1 = C_{i,j,4} \oplus H(C_{i,j,1} \,\|\, C_{i,j,2} \,\|\, C_{i,j,3} \,\|\, C_{i,j,3}^{\,x_j})$
where $C_{i,j,1}$, $C_{i,j,2}$, $C_{i,j,3}$ and $C_{i,j,4}$ are the ciphertext components stored in the ciphertext database.
Further, satisfying the preset condition means that the following two equations hold:
$g^{x_i s r_1} = C_{i,j,1}$
$e(g, C_{i,j,2}) = e(M, g^{x_i})^{r_1}$
where $C_{i,j,1}$ and $C_{i,j,2}$ are ciphertext components from the ciphertext database, $M$ is the sender's plaintext and $e(\cdot,\cdot)$ is the bilinear map; the receiver evaluates the left side of the first equation as $gpk_i^{\,r_1}$ using the recovered $r_1$.
The third purpose of the invention can be achieved by adopting the following technical scheme:
a data query method based on user groups, wherein there is at least one user group, each user group comprises a first user and at least two second users, the first user is the group manager, the second users are group members, and each second user has its own user public key and group public key; the method comprises the following steps:
the cloud server receives a ciphertext generated by the client of a sender among the second users and stores it in the ciphertext database;
the cloud server acquires a group of ciphertexts to be queried, submitted by a second user, and a group of ciphertexts from the ciphertext database;
the cloud server takes the first ciphertext value from the ciphertext to be queried and the second ciphertext value from the group of ciphertexts in the database to form a first ciphertext pair;
the cloud server takes the second ciphertext value from the ciphertext to be queried and the first ciphertext value from the group of ciphertexts in the database to form a second ciphertext pair;
and the cloud server judges whether the first ciphertext pair equals the second ciphertext pair; if so, the query succeeds and the successful query result is returned to the second user; if not, the next group of ciphertexts is taken from the ciphertext database, until all ciphertexts have been processed.
The fourth purpose of the invention can be achieved by adopting the following technical scheme:
a data encryption apparatus based on user groups, wherein there is at least one user group, each user group comprises a first user and at least two second users, the first user is the group administrator, the second users are group members, and each second user has its own user public key; the apparatus is applied in the client of each second user and comprises:
a sending module, for sending the second user's user public key to the client of the first user so that the client of the first user generates a group public key for the second user from the group public key and the second user's user public key, and returns the second user's group public key to the client of the second user;
and a ciphertext generating module, for, when the client acts as the sender, generating a random number, acquiring the user public key of the receiver (another second user), generating a ciphertext from the receiver's user public key, the sender's group public key, the sender's user private key, the sender's plaintext and the random number, and transmitting the ciphertext to the cloud server so that the cloud server stores it in the ciphertext database.
The fifth purpose of the invention can be achieved by adopting the following technical scheme:
a data decryption apparatus based on user groups, wherein there is at least one user group, each user group comprises a first user and at least two second users, the first user is the group administrator, the second users are group members, and each second user has its own user public key; the apparatus is applied in the client of each second user and comprises:
a sending module, for sending the second user's user public key to the client of the first user so that the client of the first user generates a group public key for the second user from the group public key and the second user's user public key, and returns the second user's group public key to the client of the second user;
and a plaintext output module, for, when the client acts as the receiver's client, acquiring the ciphertext queried from the cloud server's ciphertext database, acquiring the sender's group public key and user public key (the sender being another second user), obtaining the sender's plaintext from the sender's group public key, the sender's user public key and the receiver's user private key, judging whether the ciphertext satisfies the preset condition, and outputting the plaintext if it does.
The sixth purpose of the invention can be achieved by adopting the following technical scheme:
a data query device based on user groups, wherein there is at least one user group, each user group comprises a first user and at least two second users, the first user is the group manager, the second users are group members, and each second user has its own user public key and group public key; the device is applied in the cloud server and comprises:
a storage module, for receiving the ciphertext generated by the client of a sender among the second users and storing it in the ciphertext database;
a ciphertext acquisition module, for acquiring a group of ciphertexts to be queried, submitted by a second user, and a group of ciphertexts from the ciphertext database;
a first ciphertext pair forming module, for taking the first ciphertext value from the ciphertext to be queried and the second ciphertext value from the group of ciphertexts in the database to form a first ciphertext pair;
a second ciphertext pair forming module, for taking the second ciphertext value from the ciphertext to be queried and the first ciphertext value from the group of ciphertexts in the database to form a second ciphertext pair;
and a judging module, for judging whether the first ciphertext pair equals the second ciphertext pair; if so, the query succeeds and the successful query result is returned to the second user; if not, the next group of ciphertexts is taken from the ciphertext database, until all ciphertexts have been processed.
The seventh purpose of the invention can be achieved by adopting the following technical scheme:
a ciphertext database query system based on user groups comprises a cloud server and at least one user group, wherein each user group comprises a first user and at least two second users, the first user is the group administrator, the second users are group members, each second user has a user public key and a group public key, and in each user group the client of the first user and the client of each second user are each connected to the cloud server;
the client of each second user comprises the above data encryption apparatus and data decryption apparatus;
the cloud server comprises the above data query apparatus.
Compared with the prior art, the invention has the following beneficial effects:
The invention can establish at least one user group. The group administrator of each user group authorizes at least two users to join the group, i.e. generates a corresponding group public key for each of them; data encryption is performed at the user's client and the ciphertext is stored in the ciphertext database of the cloud server. As a result, ciphertext queries can be restricted to users within a user group, the offline message recovery attack is resisted with a single server, security is markedly improved, and the method can be interfaced with most current encryption systems.
Drawings
Fig. 1 is a block diagram of a ciphertext database query system according to an embodiment of the present invention.
Fig. 2 is a flowchart of data encryption in the ciphertext database query system according to the embodiment of the present invention.
Fig. 3 is a flowchart of data decryption in the ciphertext database query system according to the embodiment of the present invention.
Fig. 4 is a flowchart of data query in the ciphertext database query system according to the embodiment of the present invention.
Fig. 5 is a block diagram of a data encryption apparatus in a client of a first user according to an embodiment of the present invention.
Fig. 6 is a block diagram of a data decryption apparatus in a client of a first user according to an embodiment of the present invention.
Fig. 7 is a block diagram of a data query device in a client of a first user according to an embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to examples and drawings, but the present invention is not limited thereto.
Example (b):
As shown in Fig. 1, this embodiment provides a ciphertext database query system comprising n clients and a cloud server. The n clients are connected to each other, each client is used by one user, so there are n users (user 1, user 2, user 3, …, user n, with n ≥ 2), and each client is connected to the cloud server.
Each client includes a first processor for performing various functions of the client and processing data and a first memory including a computer readable storage medium operable to store a computer program.
The cloud server includes a second processor for providing computing and control capabilities and a second memory including a non-volatile storage medium storing an operating system, a computer program, and a ciphertext database, and an internal memory providing an environment for the operating system and the computer program to run in the non-volatile storage medium.
The ciphertext database query system of the embodiment is specifically implemented as follows:
(1) user key generation process
Each client calls the modular exponentiation component to generate the user key pair for user $i$: $(pk_i, sk_i) = (X_i = g^{x_i}, x_i)$.
(2) Group key generation process
At least one user group is established, i.e. several user groups may exist in the system. Each user group comprises a first user and at least two second users; the first user is the group manager and the second users are group members. The client of the first user calls the modular exponentiation component and the bilinear map component to generate the group key $gsk$ (written $s$ in the formulas below), and each second user has a user public key $pk$.
(3) Group public key generation process for users
The client of the first user receives the user public key $pk$ sent by the client of a second user and generates that second user's group public key from the group key and the user public key: $gpk_i = X_i^{\,gsk} = g^{x_i s}$. The group public key is returned to the second user, at which point the second user formally enters the group.
(4) Data encryption process
The data encryption process is carried out by the client of a second user: the second user who needs to encrypt is the sender, and that user's client is the sender's client. As shown in Fig. 2, the process comprises the following steps:
S201, generate random numbers $r_1$ and $r_2$.
Specifically, the random number generation component is called to obtain $r_1$ and $r_2$.
S202, obtain the user public key $pk_j$ of the receiver among the second users, and generate a ciphertext from the receiver's user public key $pk_j$, the sender's group public key $gpk_i$, the sender's user private key $sk_i$, the sender's plaintext $M$ and the random numbers $r_1$ and $r_2$.
Specifically, let $i$ be the sender and $j$ the receiver. Using the receiver $j$'s user public key $pk_j = g^{x_j}$, the sender $i$'s group public key $gpk_i = g^{x_i s}$ and the sender $i$'s user private key $sk_i = x_i$, the logic operation component, the modular exponentiation component and the hash component are called to generate the ciphertext as follows:
$C_{i,j,1} = g^{x_i s r_1},\quad C_{i,j,2} = M^{x_i r_1},\quad C_{i,j,3} = g^{r_2},\quad C_{i,j,4} = H(C_{i,j,1} \,\|\, C_{i,j,2} \,\|\, C_{i,j,3} \,\|\, g^{x_j r_2}) \oplus (M \,\|\, r_1)$
where $H(\cdot)$ is a hash function, $g$ is the system generator, and $r_1$ and $r_2$ are random numbers.
S203, transmit the ciphertext to the cloud server so that the cloud server stores it in the ciphertext database.
(5) Data decryption process
The data decryption process is carried out by the client of a second user: the second user who needs to decrypt is the receiver, and that user's client is the receiver's client. As shown in Fig. 3, the process comprises the following steps:
S301, acquire the ciphertext queried from the cloud server's ciphertext database, acquire the sender's group public key $gpk_i$ and user public key $pk_i$ (the sender being one of the second users) and the receiver's user private key $sk_j$, and obtain the sender's plaintext from $gpk_i$, $pk_i$ and $sk_j$.
Specifically, let $i$ be the sender and $j$ the receiver. Using the sender $i$'s group public key $gpk_i = g^{x_i s}$, the sender $i$'s user public key $pk_i = g^{x_i}$ and the receiver $j$'s user private key $sk_j = x_j$, the logic operation component and the hash component are called to compute the sender's plaintext according to the following formula:
$M \,\|\, r_1 = C_{i,j,4} \oplus H(C_{i,j,1} \,\|\, C_{i,j,2} \,\|\, C_{i,j,3} \,\|\, C_{i,j,3}^{\,x_j})$
S302, judge whether the ciphertext satisfies the preset condition.
Specifically, satisfying the preset condition means that the following two equations hold:
$g^{x_i s r_1} = C_{i,j,1}$
$e(g, C_{i,j,2}) = e(M, g^{x_i})^{r_1}$
If both equations hold, the plaintext $M$ is output; otherwise $\bot$ is output.
(6) Ciphertext query process
The ciphertext query process is carried out by the cloud server and, as shown in Fig. 4, comprises the following steps:
S401, obtain a group of ciphertexts to be queried, submitted by a second user, and a group of ciphertexts from the ciphertext database.
Specifically, the ciphertext to be queried is $(C_{i,j,1}, C_{i,j,2}, C_{i,j,3}, C_{i,j,4})$ and the group of ciphertexts from the ciphertext database is $(C_{i',j',1}, C_{i',j',2}, C_{i',j',3}, C_{i',j',4})$.
S402, take the first ciphertext value from the ciphertext to be queried and the second ciphertext value from the group of ciphertexts in the database to form a first ciphertext pair.
Specifically, the first ciphertext pair is computed with the bilinear map component and denoted $e(C_{i,j,1}, C_{i',j',2})$.
S403, take the second ciphertext value from the ciphertext to be queried and the first ciphertext value from the group of ciphertexts in the database to form a second ciphertext pair.
Specifically, the second ciphertext pair is computed with the bilinear map component and denoted $e(C_{i',j',1}, C_{i,j,2})$.
S404, judge whether the first ciphertext pair equals the second ciphertext pair, i.e. whether $e(C_{i,j,1}, C_{i',j',2}) = e(C_{i',j',1}, C_{i,j,2})$; if so, the query succeeds and the successful query result is returned to the second user; if not, the next group of ciphertexts is taken from the ciphertext database, until all ciphertexts have been processed.
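The six processes of the embodiment (user key generation, group key generation, group public key generation, encryption, decryption and the cloud server's query), which are the same steps stated in the summary of the disclosure, carried through end to end as an added worked example. This is editorial example code, not code from the patent or its applicant. It assumes a toy cyclic group written "in the exponent" (an element $g^a$ is stored as the integer $a$ modulo a constructed prime $Q$, so the bilinear map becomes a product of exponents), SHA-256 as the hash function $H$, a 16-byte encoding for $M \,\|\, r_1$, and that the plaintext $M$ is already encoded as a group element; the function names are the editor's own. The model makes every equation of the scheme checkable but has no security, since discrete logarithms are trivial in it.

```python
import hashlib
import secrets

# Toy model of the scheme, written "in the exponent": an element g^a of a cyclic
# group of prime order Q is stored as the integer a mod Q, so exponentiation is
# multiplication and the bilinear map e(g^a, g^b) = e(g, g)^{ab} is a*b mod Q.
# Discrete logs are trivial here, so this has no security; it only exhibits the
# algebra of the scheme. Q and the 16-byte encoding are constructed choices.
Q = 2**127 - 1          # prime group order (Mersenne prime)
W = 16                  # every exponent is below 2^127 and fits in 16 bytes

def rand_exp() -> int:
    """Random number component: a uniform exponent in [1, Q)."""
    return secrets.randbelow(Q - 1) + 1

def g_pow(a: int) -> int:
    """g^a."""
    return a % Q

def elem_pow(x: int, a: int) -> int:
    """(g^x)^a = g^{xa}; also used for exponentiation in the target group."""
    return (x * a) % Q

def pair(x: int, y: int) -> int:
    """Bilinear map component: e(g^x, g^y) = e(g, g)^{xy}."""
    return (x * y) % Q

def H(*parts: int) -> bytes:
    """Hash component: SHA-256 over the fixed-width concatenation of its inputs."""
    return hashlib.sha256(b"".join(p.to_bytes(W, "big") for p in parts)).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def user_keygen():
    """Step (1): user key pair (pk_i, sk_i) = (X_i = g^{x_i}, x_i)."""
    x = rand_exp()
    return g_pow(x), x

def group_keygen() -> int:
    """Step (2): the group manager's group key gsk = s."""
    return rand_exp()

def group_pubkey(pk_i: int, gsk: int) -> int:
    """Step (3): group public key gpk_i = X_i^{gsk} = g^{x_i s}."""
    return elem_pow(pk_i, gsk)

def encrypt(pk_j: int, gpk_i: int, sk_i: int, M: int):
    """Step (4): sender i encrypts the group element M in [1, Q) for receiver j."""
    r1, r2 = rand_exp(), rand_exp()
    C1 = elem_pow(gpk_i, r1)               # g^{x_i s r_1}
    C2 = elem_pow(M, (sk_i * r1) % Q)      # M^{x_i r_1}: needs the sender's private key
    C3 = g_pow(r2)                         # g^{r_2}
    K = elem_pow(pk_j, r2)                 # g^{x_j r_2}: only receiver j can recompute it
    payload = M.to_bytes(W, "big") + r1.to_bytes(W, "big")   # M || r_1
    C4 = xor(H(C1, C2, C3, K), payload)    # H(C1||C2||C3||g^{x_j r_2}) xor (M||r_1)
    return (C1, C2, C3, C4)

def decrypt(C, gpk_i: int, pk_i: int, sk_j: int):
    """Step (5): receiver j recovers M, or returns None for the bottom symbol."""
    C1, C2, C3, C4 = C
    K = elem_pow(C3, sk_j)                 # C3^{x_j} = g^{x_j r_2}
    payload = xor(C4, H(C1, C2, C3, K))
    M = int.from_bytes(payload[:W], "big")
    r1 = int.from_bytes(payload[W:], "big")
    # preset condition 1: g^{x_i s r_1} = C1, evaluated as gpk_i^{r_1}
    if elem_pow(gpk_i, r1) != C1:
        return None
    # preset condition 2: e(g, C2) = e(M, g^{x_i})^{r_1}; fails if M or r_1 was altered
    if pair(g_pow(1), C2) != elem_pow(pair(M, pk_i), r1):
        return None
    return M

def ciphertexts_match(C, D) -> bool:
    """Step (6): e(C_{i,j,1}, C_{i',j',2}) == e(C_{i',j',1}, C_{i,j,2})."""
    # Both sides equal e(g, M)^{x_i x_{i'} s r_1 r_1'} only when the plaintexts
    # and the group key s agree, so ciphertexts from different groups never match.
    return pair(C[0], D[1]) == pair(D[0], C[1])

def query(target, database):
    """Cloud-server query loop: indices of stored ciphertexts matching the target."""
    return [k for k, row in enumerate(database) if ciphertexts_match(target, row)]
```

Two points the code makes concrete. First, the server's comparison needs only the first two ciphertext components and no trapdoor, yet it cannot forge a comparable ciphertext for a guessed message, because $C_{i,j,2}$ requires the sender's private key and $C_{i,j,1}$ requires the group key through $gpk_i$. Second, the group key $s$ appears symmetrically on both sides of the query equation, so two ciphertexts of the same plaintext produced under different group keys do not compare equal, which is the group mechanism the patent describes. A real deployment would replace the toy group with a pairing-friendly elliptic curve group and an injective encoding of messages into it (an assumption of this example, not a statement from the patent).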
Those skilled in the art will appreciate that all or part of the steps in the above embodiments may be implemented by a program to instruct associated hardware to perform the steps, and the corresponding program may be stored in a computer readable storage medium.
It should be noted that while the operations of the above-described embodiments are depicted in the drawings in a particular order, this does not require or imply that the operations must be performed in this particular order, or that all of the illustrated operations must be performed, to achieve desirable results. Rather, the depicted steps may change the order of execution. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step execution, and/or one step broken down into multiple step executions.
As can be understood from the above, the first processor in the client of the second user includes a data encryption device and a data decryption device, the data encryption device is used when the client of the second user is used as the client of the sender, the data decryption device is used when the client of the second user is used as the client of the receiver, and the second processor in the cloud server includes a data query device.
As shown in fig. 5, the data encryption apparatus includes a sending module 501 and a ciphertext generating module 502, where the sending module 501 and the ciphertext generating module 502 have the following specific functions:
the sending module 501 is configured to send the user public key of the second user to the client of the first user, so that the client of the first user generates a group public key of the second user for the second user according to the group public key and the user public key of the second user, and returns the group public key to the client of the second user;
the ciphertext generating module 502 is configured to generate a random number when the client is a sender, acquire a user public key of a receiver in the second user, generate a ciphertext according to the user public key of the receiver, the group public key of the sender, the user private key of the sender, the plaintext of the sender, and the random number, and transmit the ciphertext to the cloud server, so that the cloud server stores the ciphertext in the ciphertext database.
As shown in fig. 6, the data decryption apparatus includes a sending module 601 and a plaintext output module 602, and the sending module 601 and the plaintext output module 602 have the following specific functions:
the sending module 601 is configured to send the user public key of the second user to the client of the first user, so that the client of the first user generates a group public key of the second user for the second user according to the group public key and the user public key of the second user, and returns the group public key to the client of the second user;
the plaintext output module 602 is configured to, when serving as a client of a receiver, obtain a ciphertext queried from a ciphertext database of the cloud server, obtain a group public key of a sender in the second user and a user public key of the sender, obtain a plaintext of the sender according to the group public key of the sender, the user public key of the sender, and a user private key of the receiver, determine whether the ciphertext meets a preset condition, and output the plaintext if the ciphertext meets the preset condition.
As shown in fig. 7, the data query apparatus includes a storage module 701, a ciphertext acquisition module 702, a first ciphertext pair forming module 703, a second ciphertext pair forming module 704, and a determination module 705, where specific functions of each module are as follows:
the storage module 701 is configured to receive a ciphertext generated by a client of a sender in the second user, and store the ciphertext generated by the client of the sender in a ciphertext database.
The ciphertext obtaining module 702 is configured to obtain a group of ciphertext to be queried submitted by the second user and a group of ciphertext in the ciphertext database.
The first ciphertext pair forming module 703 is configured to obtain a first ciphertext value from a ciphertext to be queried, and obtain a second ciphertext value from a group of ciphertexts in the ciphertext database, so as to form a first ciphertext pair.
The second ciphertext pair forming module 704 is configured to obtain a second ciphertext value from the ciphertext to be queried, and obtain a first ciphertext value from a group of ciphertexts in the ciphertext database, so as to form a second ciphertext pair.
The determining module 705 is configured to determine whether the first ciphertext pair is equal to the second ciphertext pair, if so, the query is successful, and feed back a result of successful ciphertext query to the second user, and if not, continue to take a group of ciphertexts from the ciphertext database until all the ciphertexts are processed.
It should be noted that the apparatus provided in the foregoing embodiment is only illustrated by dividing the functional modules, and in practical applications, the above functions may be distributed by different functional modules as needed, that is, the internal structure is divided into different functional modules to complete all or part of the functions described above.
It will be understood that the terms "first," "second," and the like as used in the apparatus of the above embodiments may be used to describe various modules, but these modules are not limited by these terms, which are used only to distinguish one module from another.
In summary, the invention establishes at least one user group. The group administrator of each group authorizes at least two users to join it by generating a group public key for each of them; group members encrypt data at their own clients and store the ciphertext in the ciphertext database of the cloud server. Because the group parameter s enters the first ciphertext component, the server-side equality test only succeeds between ciphertexts of the same group, which restricts querying to users within that group. The scheme resists offline message recovery attacks under a single server, significantly improves security, and can be combined with most current user-name-based encryption systems.
The above description is only for the preferred embodiments of the present invention, but the protection scope of the present invention is not limited thereto, and any person skilled in the art can substitute or change the technical solution and the inventive concept of the present invention within the scope of the present invention.

Claims (6)

1. A data encryption method based on user groups is characterized in that at least one user group is provided, each user group comprises a first user and at least two second users, the first user is a group manager, the second users are group members, and each second user has a user public key of the second user, the method comprises the following steps:
in each user group, the client of the second user sends the user public key of the second user to the client of the first user, so that the client of the first user generates a group public key of the second user for the second user according to the group public key and the user public key of the second user, and returns the group public key of the second user to the client of the second user;
in each user group, when the client of the second user is used as the client of the sender, generating a random number, acquiring a user public key of a receiver in the second user, generating a ciphertext according to the user public key of the receiver, the group public key of the sender, the user private key of the sender, the plaintext of the sender and the random number, and transmitting the ciphertext to the cloud server so that the cloud server stores the ciphertext in a ciphertext database;
generating a ciphertext according to the public key of the receiver, the group public key of the sender, the user private key of the sender, the plaintext of the sender and the random number, specifically:
let i be the sender and j the receiver; from the user public key $pk_j = g^{x_j}$ of receiver j, the group public key $gpk_i = g^{x_i s}$ of sender i, the user private key $sk_i = x_i$ of sender i, the plaintext M of sender i and the random numbers, a logic operation component, a modular exponentiation component and a hash component are called to generate the ciphertext as follows:
Figure FDA0002371121220000011
where $H(\cdot)$ is a hash function, g is the system generator, and $r_1$ and $r_2$ are random numbers.
2. A data decryption method based on user groups is characterized in that at least one user group is provided, each user group comprises a first user and at least two second users, the first user is a group manager, the second users are group members, and each second user has a user public key of the second user, the method comprises the following steps:
in each user group, the client of the second user sends the user public key of the second user to the client of the first user, so that the client of the first user generates a group public key of the second user for the second user according to the group public key and the user public key of the second user, and returns the group public key of the second user to the client of the second user;
in each user group, when a client of a second user is used as a client of a receiver, acquiring a ciphertext inquired from a ciphertext database of a cloud server, acquiring a group public key of a sender and a user public key of the sender in the second user, acquiring a plaintext of the sender according to the group public key of the sender, the user public key of the sender and a user private key of the receiver, judging whether the ciphertext meets a preset condition, and if so, outputting the plaintext;
the obtaining of the plaintext of the sender according to the group public key of the sender, the user public key of the sender and the user private key of the receiver specifically includes:
let the sender be i and the receiver j; from the group public key $gpk_i = g^{x_i s}$ of sender i, the user public key $pk_i = g^{x_i}$ of sender i and the user private key $sk_j = x_j$ of receiver j, a logic operation component and a hash component are called to compute the sender's plaintext by the following formula:
$M \| r_1 = C_{i,j,4} \oplus H(C_{i,j,1} \| C_{i,j,2} \| C_{i,j,3} \| C_{i,j,3}^{x_j})$
where $C_{i,j,1}$, $C_{i,j,2}$, $C_{i,j,3}$ and $C_{i,j,4}$ are the ciphertext from the ciphertext database, M is the sender's plaintext, $r_1$ is a random number and $H(\cdot)$ is a hash function.
3. The data decryption method according to claim 2, wherein the preset condition is that the following two equations hold:
$g^{x_i s r_1} = C_{i,j,1}$
$e(g, C_{i,j,2}) = e(M, g^{x_i})^{r_1}$
4. a data encryption apparatus based on user groups, wherein the user groups have at least one, each user group includes a first user and at least two second users, the first user is a group administrator, the second users are group members, each second user has its own user public key, the apparatus is applied to a client of the second user in each user group, and the apparatus includes:
the sending module is used for sending the user public key of the second user to the client of the first user so that the client of the first user generates a group public key of the second user for the second user according to the group public key and the user public key of the second user and returns the group public key of the second user to the client of the second user;
the ciphertext generating module is used for generating a random number when the ciphertext generating module is used as a client of a sender, acquiring a user public key of a receiver in a second user, generating a ciphertext according to the user public key of the receiver, a group public key of the sender, a user private key of the sender, a plaintext of the sender and the random number, and transmitting the ciphertext to the cloud server so that the cloud server stores the ciphertext in the ciphertext database;
generating a ciphertext according to the public key of the receiver, the group public key of the sender, the user private key of the sender, the plaintext of the sender and the random number, specifically:
let i be the sender and j the receiver; from the user public key $pk_j = g^{x_j}$ of receiver j, the group public key $gpk_i = g^{x_i s}$ of sender i and the user private key $sk_i = x_i$ of sender i, together with the plaintext M and the random numbers, a logic operation component, a modular exponentiation component and a hash component are called to generate the ciphertext as follows:
Figure FDA0002371121220000024
where $H(\cdot)$ is a hash function, g is the system generator, and $r_1$ and $r_2$ are random numbers.
5. A data decryption device based on user groups, wherein the user groups have at least one, each user group comprises a first user and at least two second users, the first user is a group administrator, the second users are group members, each second user has its own user public key, the device is applied to the client of the second user in each user group, and the device comprises:
the sending module is used for sending the user public key of the second user to the client of the first user so that the client of the first user generates a group public key of the second user for the second user according to the group public key and the user public key of the second user and returns the group public key of the second user to the client of the second user;
the plaintext output module is used for acquiring a ciphertext inquired from a ciphertext database of the cloud server when the plaintext output module serves as a client of a receiver, acquiring a group public key of a sender and a user public key of the sender in a second user, acquiring a plaintext of the sender according to the group public key of the sender, the user public key of the sender and a user private key of the receiver, judging whether the ciphertext meets a preset condition, and outputting the plaintext if the ciphertext meets the preset condition;
the obtaining of the plaintext of the sender according to the group public key of the sender, the user public key of the sender and the user private key of the receiver specifically includes:
let the sender be i and the receiver j; from the group public key $gpk_i = g^{x_i s}$ of sender i, the user public key $pk_i = g^{x_i}$ of sender i and the user private key $sk_j = x_j$ of receiver j, a logic operation component and a hash component are called to compute the sender's plaintext by the following formula:
$M \| r_1 = C_{i,j,4} \oplus H(C_{i,j,1} \| C_{i,j,2} \| C_{i,j,3} \| C_{i,j,3}^{x_j})$
where $C_{i,j,1}$, $C_{i,j,2}$, $C_{i,j,3}$ and $C_{i,j,4}$ are the ciphertext from the ciphertext database, M is the sender's plaintext, $r_1$ is a random number and $H(\cdot)$ is a hash function.
6. A ciphertext database query system based on a user group is characterized by comprising a cloud server and at least one user group, wherein each user group comprises a first user and at least two second users, the first user is a group manager, the second users are group members, each second user has a user public key and a group public key, and in each user group, a client of the first user and a client of the second user are respectively connected with the cloud server;
the client of the second user comprises the data encryption device of claim 4 and the data decryption device of claim 5;
the cloud server comprises a data query device, and the data query device comprises:
the storage module is used for receiving the ciphertext generated by the client of the sender in the second user and storing the ciphertext generated by the client of the sender in a ciphertext database;
the ciphertext acquisition module is used for acquiring a group of ciphertext to be queried submitted by a second user and a group of ciphertext in the ciphertext database;
the first ciphertext pair forming module is used for taking a first ciphertext value from a ciphertext to be queried and taking a second ciphertext value from a group of ciphertexts in the ciphertext database to form a first ciphertext pair;
the second ciphertext pair forming module is used for taking a second ciphertext value from the ciphertext to be queried and taking a first ciphertext value from a group of ciphertexts in the ciphertext database to form a second ciphertext pair;
and the judging module is used for judging whether the first ciphertext pair is equal to the second ciphertext pair, if so, the ciphertext is successfully inquired, the successful result of the ciphertext inquiry is fed back to the second user, and if not, a group of ciphertexts is continuously taken out from the ciphertext database until all the ciphertexts are processed.
Application CN201910183443.1A, priority date 2019-03-12, filing date 2019-03-12: Data encryption method, data decryption method, data query method and data query device based on user group. Status: Active. Granted publication: CN109981614B (en).

Publications (2)

Publication Number Publication Date
CN109981614A (en) 2019-07-05
CN109981614B (en) 2020-04-17

Family ID 67078493

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110474764B (en) * 2019-07-17 2021-03-26 华南农业大学 Ciphertext data set intersection calculation method, device, system, client, server and medium
CN112887089B (en) * 2021-01-25 2022-08-12 华南农业大学 Ciphertext similarity calculation method, device and system and storage medium

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104753683A (en) * 2015-04-08 2015-07-01 西安电子科技大学 Group signature method with efficient revocation in vehicle networking

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103281377B (en) * 2013-05-31 2016-06-08 北京创世泰克科技股份有限公司 Cloud-oriented encrypted data storage and query method
CN103795548B (en) * 2014-02-28 2018-11-30 Tcl集团股份有限公司 Distributed database system based on a group ranking algorithm and its implementation method
CN103957109B (en) * 2014-05-22 2017-07-11 武汉大学 Secure re-encryption method for cloud data privacy protection
CN104468535B (en) * 2014-11-24 2017-09-29 华南农业大学 Ciphertext storage and join query system and method suited to a cloud environment
CN105049430B (en) * 2015-06-30 2018-04-20 河海大学 Ciphertext-policy attribute-based encryption method with efficient user revocation
CN107332858B (en) * 2017-08-07 2020-08-28 深圳格隆汇信息科技有限公司 Cloud data storage method
CN108322447B (en) * 2018-01-05 2021-12-10 中电长城网际系统应用有限公司 Data sharing method and system under cloud environment, terminal and cloud server

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant