CN110222081B - Data ciphertext query method based on fine-grained sequencing in multi-user environment

Publication number
CN110222081B
Authority
CN
China
Prior art keywords
query
user
key
electronic document
vector
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910493925.7A
Other languages
Chinese (zh)
Other versions
CN110222081A (en
Inventor
苗银宾
童秋云
马建峰
李颖莹
王祥宇
马卓然
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Xidian University
Original Assignee
Xidian University

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/24 Querying
    • G06F16/245 Query processing
    • G06F16/2457 Query processing with adaptation to user needs
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0478 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload applying multiple layers of encryption, e.g. nested tunnels or encrypting the content with a first key and then with at least a second key
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2107 File encryption


Abstract

The invention discloses a data ciphertext query method based on fine-grained sequencing in a multi-user environment, which comprises the following implementation steps: 1. generating a target data matrix with an access structure; 2. setting a master key and a symmetric key; 3. encrypting the target data matrix; 4. generating a target query vector bound to the access role; 5. generating different trapdoor generation keys and re-encryption keys for each query user; 6. encrypting the target query vector; 7. re-encrypting the intermediate trapdoor of the query request; 8. querying the ciphertext; 9. decrypting the returned ciphertext; 10. deleting the revoked query user. The invention enables multiple query users to perform efficient fine-grained access control and multi-keyword ranked query on the data ciphertext received by the cloud server, and supports revocation of query users.

Description

Data ciphertext query method based on fine-grained sequencing in multi-user environment
Technical Field
The invention belongs to the technical field of communication, and further relates to a data ciphertext query method based on fine-grained sequencing in a multi-user environment in the technical field of information security. The method and the system can be used by multiple query users in a cloud storage setting to perform fine-grained access control and multi-keyword ranked query on the data ciphertext received by the cloud server, and support revocation of query users.
Background
With the development of cloud storage technology, more and more users outsource heavy data storage and management work to "honest but curious" cloud servers. To ensure that user data is not leaked during storage and retrieval, a user generally needs to encrypt data before outsourcing it. However, traditional encryption hides all characteristics of the plaintext, so traditional plaintext-based search mechanisms cannot search ciphertext. When users want to obtain the data they are interested in, they can only download the ciphertext from the cloud and decrypt it locally, which wastes bandwidth and computing resources and risks privacy disclosure. Retrieval techniques for data ciphertext have therefore been proposed, but each has its own problems in ciphertext retrieval applications.
The patent document "a searchable encryption method supporting multiple users in cloud storage" filed by Nanjing University of Posts and Telecommunications (patent application No. 201510128817.1, publication No. CN 104780161A) discloses a searchable encryption method with fine-grained access right control in a multi-query-user environment. In the method, a data owner creates a keyword index linked list by taking a keyword in a file as the header node, adds the files containing the keyword to the keyword index linked list, then creates a permission linked list for each file, and adds each user authorized to access the file to the permission linked list of that file to complete authorization; a user encrypts the query keyword into a trapdoor by using a symmetric searchable encryption key; when receiving a trapdoor sent by a user, the server first checks whether the user exists in the user table; if not, it refuses to provide retrieval; otherwise, the server searches the keyword index according to the uploaded trapdoor; if no keyword matches, an error prompt is returned; otherwise, the server checks whether the user exists in the permission linked list of each file in the keyword index linked list, and adds the files whose permission linked list contains the user to the retrieval result; when a user is revoked, the data owner directly deletes the user's information from the user table. The method has the following defects: only single-keyword search is supported, the query requirements of users cannot be fully expressed, and the returned query results contain many documents that the query user is not interested in, so that bandwidth and computing resources are wasted.
The patent document "a high-efficiency verifiable multi-keyword ranking searchable encryption method supporting preference search and logic search" filed by South China University of Technology (patent application No. 201810169347.7, publication No. CN108388807A) discloses a multi-keyword ranked search method based on symmetric searchable encryption in a multi-query-user environment. In the method, a data owner abstracts the content and the related weights of a document by using a vector space model and TF-IDF, and encrypts the abstracted result with a symmetric searchable encryption key; query users share the searchable encryption key generated by the data owner and generate a trapdoor according to the query; when receiving the trapdoor, the cloud server performs the secure inner product operation and ranks the ciphertext documents according to their relevance scores. The method has the following defects: first, the access rights of each authorized query user are too coarse-grained, since every authorized query user can access the whole outsourced data set, so that sensitive information in the outsourced data set becomes known to query users who should not have access to it, which is not conducive to the privacy protection of sensitive data. Secondly, the method does not support revocation of query users, which limits the practical application of searchable encryption.
The patent document "a multi-keyword searchable encryption method supporting numerical attribute comparison" filed by Xidian University (patent application No. 201711332607.X, publication No. CN108156140A) discloses a multi-keyword ciphertext retrieval method that realizes attribute-based fine-grained access control in a multi-query-user environment. In the method, a third-party trusted entity generates a private key according to the attribute set of a query user; the data owner builds an index for each document by using the access control structure and the keyword set; a query user generates a trapdoor by using the private key and a query keyword set; after receiving the trapdoor and the encoded attribute set, the cloud server verifies whether the attribute set of the query user satisfies the access control structure; if not, the operation is terminated; otherwise, the cloud server matches the trapdoor against the ciphertext index set and sends the successfully matched ciphertext set to the query user. The method has the following defects: multi-keyword ciphertext retrieval and fine-grained access control are realized with asymmetric encryption, so the computation cost is high and query efficiency suffers.
Disclosure of Invention
In view of the defects of the prior art, the invention aims to provide a data ciphertext query method based on fine-grained sequencing in a multi-user environment. The method supports efficient revocation of query users in a multi-query-user environment, and achieves fine-grained access control and multi-keyword ranked data ciphertext query under symmetric searchable encryption.
The idea for realizing the purpose of the invention is as follows: a target data matrix with an access structure is generated based on a hash function and a role polynomial, and the target data matrix is encrypted with the master key to obtain the corresponding outsourced electronic document index; different trapdoor generation keys and re-encryption keys are generated for different query users; a target query vector bound to the access role is generated and encrypted with the trapdoor generation key to obtain an intermediate trapdoor; the intermediate trapdoor is re-encrypted with the re-encryption key to obtain a target trapdoor; the score of each outsourced electronic document is calculated from the target trapdoor and the outsourced electronic document index; all ciphertexts with scores greater than or equal to a threshold are screened out and sorted from large to small by score, and the sorted result is returned to the corresponding query user; when a user is revoked, the cloud server deletes the identity of the revoked query user and the corresponding re-encryption key from the user key mapping set.
The method comprises the following specific steps:
(1) generating a target data matrix with an access structure:
(1a) converting each outsourced electronic document into an intermediate data matrix by using a text matrixing method;
(1b) selecting Y elements from the residue class ring modulo p with 0 removed to form an access role set, wherein the value of Y is equal to the total number of query user classes;
(1c) selecting, for each outsourced electronic document, all access roles in the access role set that are allowed to access the electronic document as roots to construct a role polynomial;
(1d) adding terms with coefficients of 0 and power exponents less than or equal to Y so that the number of terms of each role polynomial expansion is Y + 1;
(1e) arranging the terms of each role polynomial expansion in ascending order of power exponent, and appending the arranged coefficients to the tail of each column of the intermediate data matrix of the corresponding outsourced electronic document to obtain a target data matrix;
(2) setting a master key and a symmetric key:
(2a) randomly generating a binary vector with the same dimension as the row number of the target data matrix and two reversible matrixes with the same order as the row number of the target data matrix, and forming a master key by the binary vector and the two reversible matrixes;
(2b) generating a symmetric key of a symmetric encryption algorithm;
(2c) sending the master key to the data owner, and reserving the symmetric key;
(3) encrypting the target data matrix:
(3a) splitting a target data matrix corresponding to each outsourced electronic document into two random matrices by using a data matrix splitting method, and taking the two random matrices as two sub-matrices of the corresponding outsourced electronic document;
(3b) transposing the two reversible matrixes in the master key, and multiplying the two transposed matrixes with the two sub-matrixes of each outsourced electronic document respectively to form the corresponding outsourced electronic document index;
(3c) encrypting each outsourcing electronic document by using a symmetric key to obtain a ciphertext;
(3d) packaging and sending all outsourced electronic document indexes and ciphertexts to a cloud server;
(3f) selecting an access role from the access role set for the inquiry user according to the identity of each inquiry user, and sending each access role to the selected inquiry user through a secure channel;
(4) generating a target query vector for binding the access role:
(4a) extracting all keywords from a query request submitted by a query user by using a text keyword extraction algorithm to form a query keyword set;
(4b) expanding a query keyword set into a target keyword set containing d keywords by adding keywords which are not contained in an outsourced electronic document set, wherein d is the total number of the keywords which can be input by a query user at most;
(4c) mapping each keyword in the target keyword set to a modulo p residual class ring after 0 is removed by utilizing a Hash function;
(4d) taking the hash values of all keywords in the target keyword set as roots, and constructing a query polynomial;
(4e) arranging coefficients of the terms of the query polynomial expansion in the order of increasing power exponent to form an intermediate query vector;
(4f) appending the 0th to Y-th powers of the owned access role to the tail of the intermediate query vector to obtain a target query vector;
(5) different trapdoor generation keys and re-encryption keys are generated for each querying user:
(5a) randomly generating two reversible matrixes with the same order number as the row number of the target data matrix for each inquiry user, and forming the two generated reversible matrixes and the binary vector in the master key into a trapdoor generation key of the corresponding inquiry user;
(5b) inverting the two reversible matrixes in the trapdoor generation key of each query user, and multiplying the two inverted matrixes with the two reversible matrixes in the master key respectively to form the re-encryption key of the corresponding query user;
(5c) sending each trapdoor generation key to a corresponding inquiry user;
(5d) sending the identities of all the query users and the corresponding re-encryption keys to a cloud server in pairs;
(5f) adding the received identity of the query user and the corresponding re-encryption key in pairs into a user key mapping set of which the initial state is an empty set;
(6) encrypting the target query vector:
(6a) splitting a target query vector into two random vectors by using a query vector splitting method, and taking the two random vectors as two sub-vectors of a corresponding query request;
(6b) inverting the two reversible matrixes in the trapdoor generation key, and multiplying the two inverted matrixes with the two sub-vectors of the query request respectively to form the intermediate trapdoor of the query request;
(6c) submitting the intermediate trapdoor of the query request, the identity of the corresponding query user and N to a cloud server, wherein N is a positive integer in the interval [1, u], and u represents the total number of keywords in the query keyword set;
(7) re-encrypting the intermediate trapdoor:
(7a) finding out a corresponding re-encryption key from the user key mapping set according to the identity submitted by the inquiring user;
(7b) performing inversion operation on the two reversible matrixes in the re-encryption key, and multiplying the two inverted reversible matrixes with the two subvectors in the intermediate trapdoor of the query request respectively to form a target trapdoor of the query request;
(8) querying the ciphertext:
(8a) transposing two matrixes in each outsourced electronic document index, multiplying the transposed two matrixes by two vectors in the target trapdoor respectively, and adding the two multiplication results to obtain the attribute vector of the corresponding outsourced electronic document;
(8b) taking the number of '0' in the attribute vector of each outsourced electronic document as the score of the corresponding outsourced electronic document;
(8c) screening all ciphertexts larger than or equal to N from the scores of all outsourced electronic documents, and sequencing all screened ciphertexts from large to small according to the scores;
(8d) sending the sequenced cipher texts to a third-party trusted key management system;
(9) decrypting the returned ciphertext:
(9a) decrypting the ciphertext received by the third-party trusted key management system by using the symmetric key to obtain a plaintext corresponding to each ciphertext;
(9b) sending the decrypted plaintext to a corresponding inquiring user;
(10) delete revoked querying users:
(10a) sending a notification for inquiring user revocation to a cloud server;
(10b) deleting the identity of the revoked query user and the corresponding re-encryption key from the user key mapping set according to the notification sent by the third-party trusted key management system.
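The ten steps above, condensed into a toy Python run (an added example, not code from the patent). Constructed assumptions: SHA-256 reduced modulo the prime 2^61 - 1 as the hash h_s, roles 3 and 5, the sample documents, and the users alice and bob; exact fractions replace the random reals in (0,1); and the query vector is split as the complement of the data matrix split, because the steps name a query vector splitting method without spelling it out.

```python
# Toy run of steps (1)-(8) and (10); added illustration, not the patent's code.
# Exact Fractions replace real-valued matrices; document encryption (3c, 9) is omitted.
import hashlib
import random
from fractions import Fraction

P = 2**61 - 1            # constructed prime p for the keyword hash
D = 2                    # d: most keywords one query may carry
Y = 2                    # number of query-user classes (roles 3 and 5 below)
DIM = (D + 1) + (Y + 1)  # rows of the target data matrix
rng = random.Random(7)   # reproducible toy randomness, not a CSPRNG

def h(word):  # hash a keyword into Z_p with 0 removed
    return int.from_bytes(hashlib.sha256(word.encode()).digest(), "big") % (P - 1) + 1

def poly(roots, terms):  # ascending coefficients of prod(v - r), zero-padded
    c = [Fraction(1)]
    for r in roots:
        c = [(c[k - 1] if k else 0) - r * (c[k] if k < len(c) else 0) for k in range(len(c) + 1)]
    return c + [Fraction(0)] * (terms - len(c))

def T(a):
    return [list(col) for col in zip(*a)]
def mul(a, b):
    return [[sum(x * y for x, y in zip(row, col)) for col in zip(*b)] for row in a]

def inv(m):  # Gauss-Jordan inverse over Fractions
    n = len(m)
    a = [list(row) + [Fraction(int(i == j)) for j in range(n)] for i, row in enumerate(m)]
    for c in range(n):
        p = next((r for r in range(c, n) if a[r][c] != 0), None)
        if p is None:
            raise ValueError("singular matrix")
        a[c], a[p] = a[p], a[c]
        a[c] = [x / a[c][c] for x in a[c]]
        for r in range(n):
            if r != c:
                a[r] = [x - a[r][c] * y for x, y in zip(a[r], a[c])]
    return [row[n:] for row in a]

def rand_inv():  # unit-lower times unit-upper triangular: determinant 1, so invertible
    tri = lambda: [[Fraction(rng.randint(-3, 3) if j < i else int(i == j))
                    for j in range(DIM)] for i in range(DIM)]
    return mul(tri(), T(tri()))

def split(mat, bits, share_bit):  # rows with key bit == share_bit become additive shares
    a, b = [], []
    for bit, row in zip(bits, mat):
        if bit == share_bit:
            r = [Fraction(rng.randint(1, 999), 1000) for _ in row]
            a.append(r); b.append([x - y for x, y in zip(row, r)])
        else:
            a.append(list(row)); b.append(list(row))
    return a, b

def build_index(msk, keywords, allowed_roles):  # steps 1 and 3
    g = poly(allowed_roles, Y + 1)               # role polynomial coefficients
    target = T([[Fraction(h(w)) ** k for k in range(D + 1)] + g for w in keywords])
    d1, d2 = split(target, msk["S"], 1)          # page's rule: S[k] = 1 -> random shares
    return mul(T(msk["M1"]), d1), mul(T(msk["M2"]), d2)

def enroll(msk):  # step 5: (trapdoor generation key, re-encryption key)
    u1, u2 = rand_inv(), rand_inv()
    return (u1, u2, msk["S"]), (mul(inv(u1), msk["M1"]), mul(inv(u2), msk["M2"]))

def trapdoor(tk, words, role):  # steps 4 and 6
    words = list(words) + [f"\x00pad{k}" for k in range(D - len(words))]
    q = poly([h(w) for w in words], D + 1) + [Fraction(role) ** j for j in range(Y + 1)]
    q1, q2 = split([[x] for x in q], tk[2], 0)   # assumed complement of the data split
    return mul(inv(tk[0]), q1), mul(inv(tk[1]), q2)

def search(index, user_keys, uid, td, n):  # steps 7 and 8, run by the cloud server
    if uid not in user_keys:
        return None                        # revoked or never enrolled: no re-encryption key
    t1, t2 = mul(inv(user_keys[uid][0]), td[0]), mul(inv(user_keys[uid][1]), td[1])
    scores = {}
    for doc, (i1, i2) in index.items():
        attr = [x[0] + y[0] for x, y in zip(mul(T(i1), t1), mul(T(i2), t2))]
        scores[doc] = attr.count(0)        # zeros = matched keywords the role may read
    return sorted((d for d in scores if scores[d] >= n), key=lambda d: -scores[d])

def demo():
    msk = {"M1": rand_inv(), "M2": rand_inv(), "S": [rng.randint(0, 1) for _ in range(DIM)]}
    docs = {"doc1": (["cloud", "audit", "key"], [3, 5]),   # readable by roles 3 and 5
            "doc2": (["cloud", "backup"], [3]),            # role 3 only
            "doc3": (["audit", "restore"], [5])}           # role 5 only
    index = {name: build_index(msk, kw, roles) for name, (kw, roles) in docs.items()}
    keys, q = {}, ["cloud", "audit"]
    tk_a, keys["alice"] = enroll(msk)                      # alice holds role 3
    tk_b, keys["bob"] = enroll(msk)                        # bob holds role 5
    out = {"alice_n1": search(index, keys, "alice", trapdoor(tk_a, q, 3), 1),
           "alice_n2": search(index, keys, "alice", trapdoor(tk_a, q, 3), 2),
           "bob_n1": search(index, keys, "bob", trapdoor(tk_b, q, 5), 1)}
    del keys["bob"]                                        # step 10: revocation
    out["bob_revoked"] = search(index, keys, "bob", trapdoor(tk_b, q, 5), 1)
    return out

if __name__ == "__main__":
    print(demo())
```

Each attribute-vector entry equals the query polynomial evaluated at the keyword's hash plus the document's role polynomial evaluated at the user's role, so it is 0 only when the keyword is queried and the role is authorized; that is why the zero count serves as the score. After revocation the user's trapdoor generation key still produces intermediate trapdoors, but the server no longer holds the re-encryption key needed to turn them into target trapdoors.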
Compared with the prior art, the invention has the following advantages:
First, because the invention converts each outsourced electronic document into an intermediate data matrix by using a text matrixing method, it overcomes the defects of the prior art, which supports only single-keyword search, cannot fully express the user's query requirements, and returns query results containing many documents the query user is not interested in, wasting bandwidth and computing resources. The invention therefore supports multi-keyword ranked query, expresses the query user's requirements better, gives the query user a high probability of finding the documents of interest, and saves bandwidth and computing resources.
Secondly, because the invention generates a target data matrix with an access structure and a target query vector bound to the access role, and generates different trapdoor generation keys and re-encryption keys for each query user, it overcomes the defects of the prior art, in which the access rights of each authorized query user are too coarse-grained and query user revocation is not supported, limiting the practical application of searchable encryption. The invention therefore supports fine-grained access control and query user revocation, ensures that sensitive data can be accessed only by query users with access rights, and benefits both the privacy protection of outsourced electronic documents and the practical application of searchable encryption.
Thirdly, because the invention encrypts the target data matrix and the target query vector, it overcomes the high computation cost and reduced query efficiency of the prior art, which realizes multi-keyword ciphertext retrieval and fine-grained access control with asymmetric encryption. The invention therefore realizes data ciphertext query based on symmetric encryption, with low computation cost and high query efficiency.
Drawings
FIG. 1 is a flow chart of the present invention.
Detailed Description
The invention is further described below with reference to fig. 1.
Step 1, generating a target data matrix with an access structure.
Each outsourced electronic document is converted into an intermediate data matrix by using a text matrixing method.
The text matrixing method comprises the following steps:
step 1, extracting all keywords from the outsourced electronic document by using a text keyword extraction algorithm, wherein the text keyword extraction algorithm is any one of the TextRank algorithm, the TF-IDF algorithm and the RAKE algorithm;
step 2, generating an empty matrix of order (d+1) × n, wherein d represents the total number of keywords that a query user can input at most, and n represents the total number of keywords in the outsourced electronic document;
step 3, mapping each keyword in the outsourced electronic document into the residue class ring modulo p with 0 removed by using a hash function, wherein p is a prime number greater than the total number of keywords in the outsourced electronic document set;
step 4, calculating the 0th to d-th powers of the hash value of each keyword in the outsourced electronic document, and filling the powers of each hash value in order into the rows of the empty matrix to obtain the intermediate data matrix.
In an embodiment of the invention, all keywords are extracted from the i-th outsourced electronic document f_i:
Figure BDA0002087944090000061
The intermediate data matrix D_i corresponding to the i-th outsourced electronic document f_i is as follows:
Figure BDA0002087944090000062
wherein w_{i,1} represents the 1st keyword in the i-th outsourced electronic document, i = 1, 2, …, m, m represents the total number of electronic documents in the outsourced electronic document set, n_i represents the total number of keywords in the i-th outsourced electronic document, h_s(·) represents the hash function that maps each keyword into the residue class ring modulo p with 0 removed, and d represents the total number of keywords that a query user can input at most.
From the residue class ring modulo p with 0 removed
Figure BDA0002087944090000071
Y elements are selected to form the access role set
Figure BDA0002087944090000072
wherein the value of Y is equal to the total number of query user categories,
Figure BDA0002087944090000073
j = 1, 2, …, Y.
From the access role set
Figure BDA0002087944090000074
all access roles that are allowed to access the electronic document are selected for each outsourced electronic document as roots to construct a role polynomial.
Terms having a coefficient of 0 and a power exponent less than or equal to Y are added such that the number of terms of each role polynomial expansion is Y + 1.
In an embodiment of the invention, the role polynomial of the i-th outsourced electronic document f_i is as follows:
Figure BDA0002087944090000075
wherein g_i represents the role polynomial of the i-th outsourced electronic document, i = 1, 2, …, m, m represents the total number of electronic documents in the outsourced electronic document set, a_j represents the j-th access role in the access role set, j = 1, 2, …, Y, the value of Y is equal to the number of query user categories,
Figure BDA0002087944090000076
represents the set of all access roles that are allowed to access the i-th outsourced electronic document,
Figure BDA0002087944090000077
represents the coefficient of the j-th term of the role polynomial expansion of the i-th outsourced electronic document. Let the highest degree of the polynomial g_i be δ_i; when δ_i < Y,
Figure BDA0002087944090000078
δ_i < j ≤ Y.
The terms of each role polynomial expansion are arranged in ascending order of power exponent, and the arranged coefficients are appended to the tail of each column of the intermediate data matrix of the corresponding outsourced electronic document to obtain the target data matrix.
In an embodiment of the invention, the target data matrix corresponding to the i-th outsourced electronic document f_i
Figure BDA0002087944090000079
is as follows:
Figure BDA00020879440900000710
Step 2, setting a master key and a symmetric key.
A binary vector S whose dimension equals the number of rows of the target data matrix and two reversible matrixes {M_1, M_2} whose order equals the number of rows of the target data matrix are randomly generated, and the binary vector and the two reversible matrixes are combined to form the master key msk = {M_1, M_2, S}.
A symmetric key for a symmetric encryption algorithm is generated.
The symmetric encryption algorithm is any one of the Advanced Encryption Standard (AES) algorithm, the Data Encryption Standard (DES) algorithm, and the International Data Encryption Algorithm (IDEA).
The master key msk is sent to the data owner, and the symmetric key is reserved.
Step 3, encrypting the target data matrix.
The target data matrix corresponding to each outsourced electronic document is split into two random matrixes by using a data matrix splitting method, and the two random matrixes are taken as the two sub-matrixes of the corresponding outsourced electronic document.
The data matrix splitting method comprises the following steps:
step 1, generating two random matrixes with the same dimensions as the target data matrix;
step 2, selecting any not-yet-selected element from the binary vector in the master key;
step 3, judging whether the value of the selected element is 0; if so, executing step 4, otherwise executing step 5;
step 4, assigning the element value at the position of the selected element in each column of the target data matrix to the elements at that position in the corresponding columns of both the first random matrix and the second random matrix;
step 5, randomly selecting R random numbers in the interval (0,1), assigning them respectively to the elements at the position of the selected element in each column of the first random matrix, subtracting each random number from the element value at that position in the corresponding column of the target data matrix, and assigning the difference to the element at that position in the corresponding column of the second random matrix, wherein the value of R is equal to the number of columns of the target data matrix.
In the embodiment of the invention, let the target data matrix corresponding to the i-th outsourced electronic document f_i be
Figure BDA0002087944090000081
and the binary vector in the master key msk be S = (0 1); for the target data matrix
Figure BDA0002087944090000082
the first random matrix and the second random matrix are respectively
Figure BDA0002087944090000083
Since S[1] = 0,
Figure BDA0002087944090000084
Since S[2] = 1,
Figure BDA0002087944090000085
wherein r_k (k = 1, 2, 3) is a random number in the interval (0,1), and thus
Figure BDA0002087944090000086
The two reversible matrixes in the master key are transposed, and the two transposed matrixes are multiplied with the two sub-matrixes of each outsourced electronic document respectively to form the corresponding outsourced electronic document index.
In an embodiment of the present invention, the index of the i-th outsourced electronic document is
Figure BDA0002087944090000091
wherein
Figure BDA0002087944090000092
represent the two sub-matrices of the i-th outsourced electronic document, and T represents the transpose operation.
And encrypting each outsourcing electronic document by using the symmetric key to obtain a ciphertext.
And packaging and sending all outsourced electronic document indexes and ciphertexts to a cloud server.
And selecting an access role from the access role set for the inquiry user according to the identity of each inquiry user, and sending each access role to the selected inquiry user through a secure channel.
Step 4, generating a target query vector bound to the access role.
All keywords are extracted from the query request submitted by the query user by using a text keyword extraction algorithm to form a query keyword set.
The text keyword extraction algorithm is any one of the TextRank algorithm, the TF-IDF algorithm and the RAKE algorithm.
The query keyword set is expanded to a target keyword set containing d keywords by adding keywords not in the outsourced electronic document set, wherein d is the total number of keywords that a query user can input at most.
In the embodiment of the invention, the query keyword set of the tth query user is
Figure BDA0002087944090000093
The target keyword set is
Figure BDA0002087944090000094
t ═ 1,2, …, O, indicates the total number of unrevoked querying users.
Mapping each keyword in the target keyword set to a modulo p residual class ring after 0 removal by utilizing a Hash function
Figure BDA0002087944090000095
In (1).
And taking the hash values of all keywords in the target keyword set as roots to construct a query polynomial.
In the embodiment of the invention, the query polynomial h of the tth query usertThe following were used:
ht=(v-hs(w1′))×…×(v-hs(wd′))
=b0+b1v+…+bdvd.
and (4) arranging coefficients of the terms of the query polynomial expansion in the ascending order of power exponentials to form an intermediate query vector.
In the embodiment of the invention, the intermediate query vector of the tth query user is Qt=(b0 b1 … bd)。
And expanding the power of 0-Y of the owned access role to the tail of the intermediate query vector to obtain the target query vector.
In the embodiment of the invention, the owned state of the tth inquiry user is setAccess role atThen its target query vector is
Figure BDA0002087944090000101
Step 5, generating a different trapdoor generation key and re-encryption key for each querying user.
For each querying user, two invertible matrices whose order equals the number of rows of the target data matrix are randomly generated, and these two matrices together with the binary vector S in the master key form the trapdoor generation key of that querying user.
The two invertible matrices in the trapdoor generation key of each querying user are inverted, and the two inverses are multiplied respectively by the two invertible matrices in the master key to form the re-encryption key of that querying user.
In the embodiment of the invention, the trapdoor generation key of the t-th querying user is $sk_t = \{A_{t,1}, B_{t,1}, S\}$ and the re-encryption key is $rk_t = \{A_{t,2}, B_{t,2}\}$, where $\{A_{t,1}, B_{t,1}\}$ denotes the two invertible matrices, of order equal to the number of rows of the target data matrix, randomly generated for the t-th querying user,
Figure BDA0002087944090000102
and $-1$ denotes the inversion operation.
Each trapdoor generation key is sent to the corresponding querying user.
The identities of all querying users and the corresponding re-encryption keys are sent to the cloud server in pairs.
Each received pair of querying-user identity and re-encryption key is added to the user key mapping set, whose initial state is the empty set.
Step 6, encrypting the target query vector.
The target query vector is split into two random vectors with the query vector splitting method, and the two random vectors are taken as the two sub-vectors of the corresponding query request.
The steps of the query vector splitting method are as follows:
step 1, generating two random vectors with the same dimension as the target query vector;
step 2, selecting any not-yet-selected element from the binary vector in the searchable encryption key;
step 3, judging whether the value of the selected element is 0; if so, executing step 4, otherwise executing step 5;
step 4, randomly selecting a random number in the interval (0,1), assigning it to the element at the corresponding position of the first random vector, subtracting the random number from the element at the selected position of the target query vector, and assigning the difference to the element at the selected position of the second random vector;
step 5, assigning the element at the selected position of the target query vector to the elements at the selected position of both the first random vector and the second random vector.
In the embodiment of the invention, let the target query vector of the t-th querying user be
Figure BDA0002087944090000103
The binary vector in the master key is $S = (0\ 1)$, and the target query vector is
Figure BDA0002087944090000104
The first random vector and the second random vector are respectively
Figure BDA0002087944090000105
Since $S[1] = 0$,
Figure BDA0002087944090000111
Since $S[2] = 1$,
Figure BDA0002087944090000112
where ξ 11 is a random number in the interval (0,1), and therefore
Figure BDA0002087944090000113
The two invertible matrices in the trapdoor generation key are inverted, and the two inverses are multiplied respectively by the two sub-vectors of the query request to form the intermediate trapdoor of the query request.
In the embodiment of the invention, the intermediate trapdoor of the t-th querying user is
Figure BDA0002087944090000114
where
Figure BDA0002087944090000115
denote the two sub-vectors of the query request of the t-th querying user.
The intermediate trapdoor of the query request, the identity of the corresponding querying user and N are submitted to the cloud server, where N is a positive integer in the interval [1, u] and u denotes the total number of keywords in the query keyword set.
Step 7, re-encrypting the intermediate trapdoor of the query request.
The corresponding re-encryption key is looked up in the user key mapping set according to the identity submitted by the querying user.
In the embodiment of the invention, after the t-th querying user submits the identity, the cloud server finds the re-encryption key $rk_t$ of that querying user.
The two invertible matrices in the re-encryption key are inverted, and the two inverses are multiplied respectively by the two sub-vectors in the intermediate trapdoor of the query request to form the target trapdoor of the query request.
In the embodiment of the invention, the target trapdoor of the t-th querying user
Figure BDA0002087944090000116
is as follows:
Figure BDA0002087944090000117
Step 8, querying the ciphertext.
The two matrices in each outsourced electronic document index are transposed, the two transposed matrices are multiplied respectively by the two vectors in the target trapdoor, and the two products are added to obtain the attribute vector of the corresponding outsourced electronic document.
In the embodiment of the invention, when the t-th querying user queries the i-th outsourced electronic document $f_i$, its attribute vector $Z_{i,t}$ is as follows:
Figure BDA0002087944090000118
where $\cdot$ denotes the inner product operation.
The number of "0" entries in the attribute vector of each outsourced electronic document is taken as the score of that outsourced electronic document.
The ciphertexts of all outsourced electronic documents whose score is greater than or equal to N are selected and sorted by score from largest to smallest.
The sorted ciphertexts are sent to a third-party trusted key management system.
Step 9, decrypting the returned ciphertext.
The ciphertexts received by the third-party trusted key management system are decrypted with the symmetric key to obtain the plaintext corresponding to each ciphertext.
The decrypted plaintext is sent to the corresponding querying user.
Step 10, deleting revoked querying users.
A notification of querying-user revocation is sent to the cloud server.
The identity of the revoked querying user and the corresponding re-encryption key are deleted from the user key mapping set according to the notification sent by the third-party trusted key management system.
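The following Python sketch is an added example, not code from the patent: it runs steps 1 through 8 on one constructed document, using exact rational arithmetic so that the zero test in step 8 is exact. The prime p, the seed, the keywords, the padding strings and the multiplication order inside the re-encryption key (its formula is an image missing from this page) are assumptions.

```python
import hashlib, random
from fractions import Fraction

P = 2**61 - 1                 # prime modulus p (constructed value)
D_MAX, Y = 3, 2               # d: max query keywords, Y: number of user classes
ROWS = (D_MAX + 1) + (Y + 1)  # row count of the target data matrix
rng = random.Random(7)        # fixed seed for a repeatable demo, not a secure RNG

def hs(word):  # hash a keyword into the residue ring modulo p with 0 removed
    return int.from_bytes(hashlib.sha256(word.encode()).digest(), "big") % (P - 1) + 1

def poly_from_roots(roots, terms):
    """Ascending-power coefficients of prod(v - r), zero-padded to `terms` entries."""
    c = [Fraction(1)]
    for r in roots:
        c = [(c[k - 1] if k else 0) - r * (c[k] if k < len(c) else 0) for k in range(len(c) + 1)]
    return c + [Fraction(0)] * (terms - len(c))

def matmul(a, b):
    return [[sum(x * y for x, y in zip(row, col)) for col in zip(*b)] for row in a]
def transpose(a):
    return [list(r) for r in zip(*a)]

def inverse(a):  # Gauss-Jordan over exact fractions; returns None if singular
    n = len(a)
    w = [list(row) + [Fraction(int(i == j)) for j in range(n)] for i, row in enumerate(a)]
    for c in range(n):
        piv = next((r for r in range(c, n) if w[r][c] != 0), None)
        if piv is None:
            return None
        w[c], w[piv] = w[piv], w[c]
        w[c] = [x / w[c][c] for x in w[c]]
        for r in range(n):
            if r != c and w[r][c] != 0:
                w[r] = [x - w[r][c] * y for x, y in zip(w[r], w[c])]
    return [row[n:] for row in w]

def rand_invertible(n):
    while True:
        m = [[Fraction(rng.randint(1, 9)) for _ in range(n)] for _ in range(n)]
        if inverse(m) is not None:
            return m

def split(columns, S, random_when):
    """Rows k with S[k] == random_when are split additively; other rows are copied."""
    first, second = [], []
    for col in columns:
        rnd = [Fraction(rng.randint(1, 999), 1000) for _ in col]   # values in (0,1)
        first.append([r if S[k] == random_when else x for k, (x, r) in enumerate(zip(col, rnd))])
        second.append([x - r if S[k] == random_when else x for k, (x, r) in enumerate(zip(col, rnd))])
    return transpose(first), transpose(second)

S = [rng.randint(0, 1) for _ in range(ROWS)]
M1, M2 = rand_invertible(ROWS), rand_invertible(ROWS)   # master key msk = {M1, M2, S}
ROLES = [rng.randrange(1, P) for _ in range(Y)]          # access role set

def build_index(keywords, allowed_roles):
    """Steps 1 and 3: target data matrix, split (random where S[k] == 1), encrypt."""
    role_coef = poly_from_roots(allowed_roles, Y + 1)
    cols = [[Fraction(hs(w)) ** e for e in range(D_MAX + 1)] + role_coef for w in keywords]
    d1, d2 = split(cols, S, 1)
    return matmul(transpose(M1), d1), matmul(transpose(M2), d2)

def enroll_user():
    """Step 5: (trapdoor generation key, re-encryption key); rk order is an assumption."""
    a1, b1 = rand_invertible(ROWS), rand_invertible(ROWS)
    return (a1, b1), (matmul(inverse(a1), M1), matmul(inverse(b1), M2))

def intermediate_trapdoor(sk, words, role):
    """Steps 4 and 6: query polynomial + role powers, split (random where S[k] == 0)."""
    pad = [f"\x00pad{k}" for k in range(D_MAX - len(words))]   # keywords outside the corpus
    q = poly_from_roots([hs(w) for w in words + pad], D_MAX + 1) + [Fraction(role) ** e for e in range(Y + 1)]
    q1, q2 = split([q], S, 0)
    return matmul(inverse(sk[0]), q1), matmul(inverse(sk[1]), q2)

def score(index, rk, trapdoor):
    """Steps 7 and 8: re-encrypt the trapdoor, then count zeros in the attribute vector."""
    t1, t2 = matmul(inverse(rk[0]), trapdoor[0]), matmul(inverse(rk[1]), trapdoor[1])
    z1, z2 = matmul(transpose(index[0]), t1), matmul(transpose(index[1]), t2)
    return sum(1 for (x,), (y,) in zip(z1, z2) if x + y == 0)

def demo():
    index = build_index(["cloud", "cipher", "index", "query"], [ROLES[0]])  # constructed document
    sk, rk = enroll_user()
    ask = lambda words, role: score(index, rk, intermediate_trapdoor(sk, words, role))
    return ask(["cloud", "index"], ROLES[0]), ask(["cloud", "absent"], ROLES[0]), ask(["cloud", "index"], ROLES[1])

if __name__ == "__main__":
    print(demo())
```

The third query scores 0 because the role polynomial does not vanish at a role outside the document's access structure, which shifts every entry of the attribute vector away from zero even where the keywords match.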

Claims (6)

1. A data ciphertext query method based on fine-grained sequencing in a multi-user environment, characterized in that a different trapdoor generation key and re-encryption key are generated for each querying user and revoked querying users are deleted, the method specifically comprising the following steps:
(1) generating a target data matrix with an access structure:
(1a) converting each outsourced electronic document into an intermediate data matrix by using a text matrixing method;
(1b) selecting Y elements from the residual class rings of the modulo p after 0 is removed to form an access role set, wherein the value of Y is equal to the total number of the query user classes;
(1c) selecting all access roles which have access to the electronic document from the access role set for each outsourced electronic document as roots to construct a role polynomial;
(1d) adding terms with coefficients of 0 and power exponents less than or equal to Y so that the number of terms of each role polynomial expansion is Y + 1;
(1e) arranging the terms of each role polynomial expansion in ascending order of power exponent, and appending the arranged coefficients to the tail of each column of the intermediate data matrix of the corresponding outsourced electronic document to obtain a target data matrix;
(2) setting a master key and a symmetric key:
(2a) randomly generating a binary vector with the same dimension as the row number of the target data matrix and two reversible matrixes with the same order as the row number of the target data matrix, and forming a master key by the binary vector and the two reversible matrixes;
(2b) generating a symmetric key of a symmetric encryption algorithm;
(2c) sending the master key to the data owner, and reserving the symmetric key;
(3) encrypting the target data matrix:
(3a) splitting a target data matrix corresponding to each outsourced electronic document into two random matrices by using a data matrix splitting method, and taking the two random matrices as two sub-matrices of the corresponding outsourced electronic document;
(3b) transposing the two invertible matrices in the master key, and multiplying the two transposed matrices respectively by the two sub-matrices of each outsourced electronic document to form the corresponding outsourced electronic document index;
(3c) encrypting each outsourcing electronic document by using a symmetric key to obtain a ciphertext;
(3d) packaging and sending all electronic document indexes and ciphertexts to a cloud server;
(3f) selecting an access role from the access role set for the inquiry user according to the identity of each inquiry user, and sending each access role to the selected inquiry user through a secure channel;
(4) generating a target query vector for binding the access role:
(4a) extracting all keywords from a query request submitted by a query user by using a text keyword extraction algorithm to form a query keyword set;
(4b) expanding a query keyword set into a target keyword set containing d keywords by adding keywords which are not contained in an outsourced electronic document set, wherein d is the total number of the keywords which can be input by a query user at most;
(4c) mapping each keyword in the target keyword set to a modulo p residual class ring after 0 is removed by utilizing a Hash function;
(4d) taking the hash values of all keywords in the target keyword set as roots, and constructing a query polynomial;
(4e) arranging coefficients of the terms of the query polynomial expansion in the order of increasing power exponent to form an intermediate query vector;
(4f) expanding the power of 0-Y of the owned access role to the tail of the intermediate query vector to obtain a target query vector;
(5) different trapdoor generation keys and re-encryption keys are generated for each querying user:
(5a) randomly generating two reversible matrixes with the same order number as the row number of the target data matrix for each inquiry user, and forming the two generated reversible matrixes and the binary vector in the master key into a trapdoor generation key of the corresponding inquiry user;
(5b) inverting the two invertible matrices in the trapdoor generation key of each querying user, and multiplying the two inverses respectively by the two invertible matrices in the master key to form the re-encryption key of the corresponding querying user;
(5c) sending each trapdoor generation key to a corresponding inquiry user;
(5d) sending the identities of all the query users and the corresponding re-encryption keys to a cloud server in pairs;
(5f) adding the received identity of the query user and the corresponding re-encryption key in pairs into a user key mapping set of which the initial state is an empty set;
(6) encrypting the target query vector:
(6a) splitting a target query vector into two random vectors by using a query vector splitting method, and taking the two random vectors as two sub-vectors of a corresponding query request;
(6b) inverting the two invertible matrices in the trapdoor generation key, and multiplying the two inverses respectively by the two sub-vectors of the query request to form the intermediate trapdoor of the query request;
(6c) submitting the intermediate trapdoor of the query request, the identity of the corresponding query user and N to a cloud server, wherein N is a positive integer in an interval [1, u ], and u represents the total number of keywords in the query keyword set;
(7) re-encrypting the intermediate trapdoor of the query request:
(7a) finding out a corresponding re-encryption key from the user key mapping set according to the identity submitted by the inquiring user;
(7b) performing inversion operation on the two reversible matrixes in the re-encryption key, and multiplying the two inverted reversible matrixes with the two subvectors in the intermediate trapdoor of the query request respectively to form a target trapdoor of the query request;
(8) querying the ciphertext:
(8a) transposing two matrixes in each outsourced electronic document index, multiplying the transposed two matrixes by two vectors in the target trapdoor respectively, and adding the two multiplication results to obtain the attribute vector of the corresponding outsourced electronic document;
(8b) taking the number of '0' in the attribute vector of each outsourced electronic document as the score of the corresponding outsourced electronic document;
(8c) selecting the ciphertexts of all outsourced electronic documents whose score is greater than or equal to N, and sorting the selected ciphertexts by score from largest to smallest;
(8d) sending the sequenced cipher texts to a third-party trusted key management system;
(9) decrypting the returned ciphertext:
(9a) decrypting the ciphertext received by the third-party trusted key management system by using the symmetric key to obtain a plaintext corresponding to each ciphertext;
(9b) sending the decrypted plaintext to a corresponding inquiring user;
(10) delete revoked querying users:
(10a) sending a notification for inquiring user revocation to a cloud server;
(10b) deleting the identity of the revoked querying user and the corresponding re-encryption key from the user key mapping set according to the notification sent by the third-party trusted key management system.
2. The method for querying data ciphertext based on fine-grained sorting under the multi-user environment according to claim 1, wherein the text matrixing method in step (1a) comprises the following steps:
firstly, extracting all keywords from an outsourced electronic document by using a text keyword extraction algorithm, wherein the text keyword extraction algorithm is any one of a TextRank algorithm, a TF-IDF algorithm and a RAKE algorithm;
secondly, generating a (d +1) x n-order empty matrix, wherein d represents the total number of the keywords which can be input by the query user at most, and n represents the total number of the keywords in the outsourced electronic document;
thirdly, mapping each keyword in the outsourced electronic document to a modulo-p residual class ring after 0 is removed by utilizing a Hash function, wherein p represents a prime number, and the value of the prime number is greater than the total number of the keywords in the outsourced electronic document set;
and fourthly, respectively calculating the 0-d power of the hash value of each keyword in the outsourced electronic document, and sequentially filling each power of the hash value into each row of the empty matrix to obtain an intermediate data matrix.
3. The method for querying data ciphertext based on fine-grained sequencing under the multi-user environment of claim 1, wherein the symmetric encryption algorithm in the step (2b) is: any one of an advanced encryption algorithm, a data encryption standard algorithm, and an international data encryption algorithm.
4. The method for querying the data ciphertext based on the fine-grained sequencing under the multi-user environment of claim 1, wherein the data matrix splitting method in the step (3a) comprises the following steps:
firstly, generating two random matrixes with the same type as a target data matrix;
secondly, selecting an arbitrary unselected element value from the binary vector in the master key;
thirdly, judging whether the value of the selected element is 0, if so, executing the fourth step, otherwise, executing the fifth step;
fourthly, assigning the element value corresponding to the selected element in each column of the target data matrix to the element corresponding to the selected element in the corresponding columns of the first random matrix and the second random matrix;
and fifthly, randomly selecting R random numbers in the interval (0,1), respectively assigning to the element corresponding to the selected element in each column of the first random matrix, subtracting the random numbers from the element value corresponding to the selected element in the corresponding column of the target data matrix, and assigning the difference to the element corresponding to the selected element in the corresponding column of the second random matrix, wherein the value of R is equal to the column number of the target data matrix.
5. The method for querying data ciphertext based on fine-grained sequencing under the multi-user environment of claim 1, wherein the text keyword extraction algorithm in the step (4a) is: the TextRank algorithm, the TF-IDF algorithm and the RAKE algorithm.
6. The method for querying data ciphertext based on fine-grained sorting under the multi-user environment of claim 1, wherein the steps of the query vector splitting method in the step (6a) are as follows:
firstly, generating two random vectors with the same dimensionality as a target query vector;
secondly, selecting an arbitrary unselected element value from the binary vector in the master key;
thirdly, judging whether the value of the selected element is 0, if so, executing the fourth step, otherwise, executing the fifth step;
fourthly, randomly selecting a random number in the interval (0,1), assigning the random number to the element at the corresponding position of the first random vector, subtracting the random number from the element value corresponding to the selected element in the target query vector, and assigning the difference value to the element corresponding to the selected element in the second random vector;
and fifthly, assigning the element value corresponding to the selected element in the target query vector to the element corresponding to the selected element in the first random vector and the second random vector.
CN201910493925.7A 2019-06-08 2019-06-08 Data ciphertext query method based on fine-grained sequencing in multi-user environment Active CN110222081B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910493925.7A CN110222081B (en) 2019-06-08 2019-06-08 Data ciphertext query method based on fine-grained sequencing in multi-user environment

Publications (2)

Publication Number Publication Date
CN110222081A CN110222081A (en) 2019-09-10
CN110222081B true CN110222081B (en) 2022-04-19

Family

ID=67816259

Country Status (1)

Country Link
CN (1) CN110222081B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant