CN117040800A - Personal archive management scheme based on alliance chain and non-certificate searchable encryption - Google Patents

Personal archive management scheme based on alliance chain and non-certificate searchable encryption Download PDF

Info

Publication number
CN117040800A
Authority
CN
China
Prior art keywords
ciphertext
key
transaction
file
algorithm
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310867878.4A
Other languages
Chinese (zh)
Inventor
胡声洲
钟婷婷
陈勋俊
李宝磊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Gannan Normal University
Original Assignee
Gannan Normal University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Gannan Normal University
Priority to CN202310867878.4A
Publication of CN117040800A
Legal status: Pending

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L 63/00 Network architectures or network communication protocols for network security
                    • H04L 63/04 ... for providing a confidential data exchange among entities communicating through data packet networks
                        • H04L 63/0428 ... wherein the data content is protected, e.g. by encrypting or encapsulating the payload
                    • H04L 63/10 ... for controlling access to devices or network resources
                    • H04L 63/12 Applying verification of the received information
                        • H04L 63/123 ... received data contents, e.g. message integrity
                • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
                    • H04L 9/06 ... the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
                        • H04L 9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
                    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
                        • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
                            • H04L 9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
                                • H04L 9/0822 ... using key encryption key
                        • H04L 9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
                            • H04L 9/0869 ... involving random numbers or seeds
                    • H04L 9/32 ... including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
                        • H04L 9/3247 ... involving digital signatures
                        • H04L 9/3297 ... involving time stamps, e.g. generation of time stamps
    • G PHYSICS
        • G06 COMPUTING; CALCULATING OR COUNTING
            • G06F ELECTRIC DIGITAL DATA PROCESSING
                • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
                    • G06F 21/60 Protecting data
                        • G06F 21/62 Protecting access to data via a platform, e.g. using keys or access control rules
                        • G06F 21/64 Protecting data integrity, e.g. using checksums, certificates or signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Power Engineering (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a personal archive management method based on a consortium (alliance) chain and certificateless searchable encryption, in the technical field of blockchain cloud encryption. The method comprises the steps of global setup, user ciphertext retrieval key generation, data encryption, user attribute private key generation, keyword ciphertext retrieval and data ciphertext decryption. It combines a consortium chain with certificateless searchable encryption and attribute-based encryption: searchable encryption lets document ciphertexts be searched while keeping the keywords private; certificateless encryption removes the key escrow problem of certificate management and adds user-authorized access; attribute-based encryption and decryption give fine-grained access control and solve the one-to-many encryption and decryption problem of open cloud applications; and the consortium chain provides open storage and traceability of the archive encryption records and strengthens the credibility of the authorities. Security analysis and experimental analysis show that the method is secure and has good computational performance.

Description

Personal archive management scheme based on alliance chain and non-certificate searchable encryption
Technical Field
The invention relates to consortium (alliance) chain technology and certificateless searchable encryption technology.
Background
The concept of blockchain was first presented in a paper published by Nakamoto in 2008; the technology subsequently attracted intense attention from governments, businesses and financial institutions and has found widespread use. As a new decentralized infrastructure and distributed computing paradigm, blockchain is expected to become the prototype of next-generation cloud computing, to reshape human social life as thoroughly as the Internet did, and to drive the transition from the Internet of information to the Internet of value. A blockchain uses cryptography to guarantee that data cannot be tampered with or forged, generates and updates data through a distributed node consensus algorithm, and programs and operates on data through automated script code; it is a distributed ledger integrating key technologies such as distributed storage, peer-to-peer transmission, consensus mechanisms, cryptographic algorithms and smart contracts, and it is characterized by decentralization, tamper resistance and transparency. Blockchains are classified by degree of openness into public chains, private chains and consortium (alliance) chains. A public chain is fully decentralized and the most open: any node may join or leave at any time, every node may take part in consensus and bookkeeping, and the data is open to the outside. A private chain is the least open: it is used only within one organization, bookkeeping needs no consensus process, data operation rights belong entirely to the chain owner, and the data is not disclosed externally. A consortium chain sits between the two: nodes that join, leave or maintain data on the chain must be authorized, and the chain is partially decentralized.
As a new decentralized infrastructure and distributed computing paradigm, blockchain is widely applied in finance, healthcare, agriculture, the Internet of Things and other fields. As the technology matures, its applications are gradually extending to education, and several papers discuss the benefits and challenges of using blockchain in education. Some research focuses mainly on sharing and verifying student credentials. Han et al. propose a new blockchain-based technique that creates an environment in which individuals become custodians of their official educational records and can exchange them with others. Arenas et al. designed a centralized diploma verification platform based on a consortium chain. Zhao et al. propose a student competence assessment system based on blockchain. Liang et al. propose a student comprehensive quality evaluation network architecture based on a consortium chain. Alam et al. propose a blockchain-based framework for securely and reliably managing student records. These works analyze the application prospects of blockchain in education but do not provide a concrete, effective and secure scheme.
When a user stores ciphertext data on a cloud server, besides sharing the data directly, the user also wants to submit a keyword search credential and obtain the document ciphertexts containing that keyword, while the cloud server, when answering the keyword query and returning the results, learns neither the target documents nor the keyword plaintext; this is searchable encryption (SE). Al-Riyami et al. first proposed the concept of certificateless public key cryptography (CL-PKC) and gave the first certificateless public key encryption scheme and certificateless signature scheme. To strengthen keyword privacy, certificateless encryption is commonly used for keyword ciphertext retrieval. Some schemes realize certificateless ciphertext retrieval for single-user, single-keyword search. In 2004 Golle et al. proposed a ciphertext retrieval scheme supporting multi-keyword search, and some schemes realize ciphertext retrieval supporting multi-user search. In 2019 Xu et al. constructed time-controlled public key encryption with delegated conjunctive keyword search for Internet of Things deployments. In 2020 Ma et al. proposed a multi-user multi-keyword ciphertext retrieval scheme based on certificateless encryption. Blockchain has also been applied to certificateless searchable encryption: in 2020 Yang et al. designed a multi-keyword certificateless searchable public key authenticated encryption scheme using blockchain. The scheme of Pan et al. in 2021 addresses both keyword retrieval and the security of the ciphertext. In 2022 Chenam et al. proposed a multi-user multi-keyword ciphertext retrieval scheme resistant to inside keyword guessing attacks (IKGA), but its search results are not accurate enough.
In 2022 Yang et al. proposed a multi-user multi-keyword certificateless ciphertext retrieval scheme based on cloud-edge collaboration that is more secure and retrieves more efficiently, but it is based on one-to-one identity-based symmetric encryption.
Disclosure of Invention
The invention aims to solve technical problems of conventional personal archive management such as highly centralized data management, insecure data sharing and the complex verification of offline certificates.
To solve these problems the invention adopts the following technical scheme:
A personal archive management scheme based on a consortium chain and certificateless searchable encryption, comprising the following steps:
(1) Global setup:
Setup(1^λ): the initialization algorithm takes the security parameter 1^λ and outputs the public system parameters Parms and the master secret key MSK. Every role in the system is assigned a unique identifier ID. The attribute authority AA manages the attribute set. The system builds a consortium chain CB whose nodes are all roles and users.
Let G_0 and G_1 be cyclic groups of prime order p, let g be a generator of G_0, and let e: G_0 × G_0 → G_1 be a bilinear map. Choose hash functions H_0: {0,1}^* → G_0 and H_1: {0,1}^* → G_0 (the later steps also use H_2, which hashes into Z_p, and H_3). The KGC picks its secret S_0 and a value γ at random and computes the corresponding public values (the expressions are not legible in the source). Given the attribute universe ATT and the maximum number of columns n of the LSSS matrix, the remaining public parameters are chosen at random. Finally the system parameters Parms are output, and the master key is MSK = {S_0, g^γ}.
(2) User ciphertext retrieval key generation:
PartKeyGen(Parms, MSK, ID_i, ID_i′, ID_j): the partial key generation algorithm takes Parms, MSK, the identifier ID_i of the data producer DP_i, the identifier ID_i′ of the data owner DO and the identifier ID_j of the data user DU_j as input.
1) DP_i applies to the KGC for a partial key by sending its identifier ID_i. The KGC selects a random number x_i ∈ Z_p, derives R_i from it (the expression is not legible in the source; in the standard certificateless construction R_i = g^{x_i}), computes α_i = H_2(ID_i, R_i) and π_i = x_i + S_0·α_i, and issues the partial key PSK_i = {R_i, π_i} to DP_i.
2) The DO sends its identifier ID_i′ to the KGC. The KGC selects a random number x_i′, derives R_i′ in the same way, computes α_i′ = H_2(ID_i′, R_i′) and π_i′ = x_i′ + S_0·α_i′, and issues the partial private key PSK_i′ = {R_i′, π_i′} to the DO.
3) DU_j sends its identifier ID_j to the KGC to apply for a partial private key. The KGC selects a random number x_j, derives R_j, computes α_j = H_2(ID_j, R_j) and π_j = x_j + S_0·α_j, and issues the partial private key PSK_j = {R_j, π_j} to DU_j.
The KGC records the generation and distribution of each partial private key as a transaction on the chain. Suppose the distribution of the partial private key to DU_j is recorded as one such transaction (its name is not legible on the page; it is called the partial-key transaction below). The transaction generation algorithm takes as input the identifier ID_KGC of the KGC, the identifier ID_j of DU_j, DU_j's signature, and the hash value H_3(PSK_j) of the partial private key PSK_j.
1) The KGC generates the partial private key corresponding to the identifier ID_j sent by DU_j. As a consortium chain node and the distributor of partial private keys, the KGC may be attacked or compromised, leading to wrong decisions or outright denial of requests. To raise the trust level of the KGC and make the partial-key authorization process traceable and non-repudiable, the KGC generates a transaction whose content includes its own identifier and the related information listed in Table 1: the transaction identification number, the unique identifiers ID_KGC and ID_j of the KGC and DU_j, the hash value H_3(PSK_j) of PSK_j, and DU_j's signature approving the transaction. Once this transaction has been recorded in the blockchain the KGC cannot repudiate it, and nobody can tamper with it, because the blockchain is public and transparent.
Table 1: main content of the partial-key transaction (table body not reproduced on the page)
2) The KGC generates a signature over the hash of the transaction and a timestamp, packages the transaction, the signature and the timestamp, and submits them to the transaction pool.
3) The KGC sorts the pooled transactions by timestamp, computes the Merkle root of the selected transactions and packages them into Block_#x. The KGC broadcasts Block_#x to the other consortium chain nodes via the PBFT protocol to reach consensus. As shown in Figure 2, the remaining nodes verify Block_#x and broadcast it to the other nodes in the same way. Let f be the number of Byzantine nodes: once a node has received 2f identical blocks it broadcasts an acknowledgement message to the other nodes, and once a node has received 2f+1 acknowledgement messages it appends Block_#x to the end of the blockchain.
4) After Block_#x has been appended successfully, the KGC obtains the block number #x and the transaction identification number from the blockchain and delivers them, together with the partial private key PSK_j, to DU_j over a secure channel.
In the same way, the KGC delivers PSK_i and ξ, with the corresponding block number and transaction identification number, to DP_i over a secure channel, and PSK_i′ and ξ′, with their block number and transaction identification number, to the DO.
FulKeyGen(PSK_i, PSK_i′, PSK_j): the full private key generation algorithm is run by DP_i, the DO and DU_j respectively, taking the partial private key PSK_i of DP_i, PSK_i′ of the DO and PSK_j of DU_j as input.
1) DP_i picks a random secret value and sets its full private key FK_i to the pair consisting of π_i and this secret value. DP_i computes X_i from the secret value (the expression is not legible in the source) and sets its public key to PK_i = {R_i, X_i}.
2) The DO picks a random secret value and sets its full private key FK_i′ to the pair consisting of π_i′ and this secret value. The DO computes X_i′ and sets its public key to PK_i′ = {R_i′, X_i′}.
3) DU_j picks a random secret value and sets its full private key FK_j to the pair consisting of π_j and this secret value. DU_j computes X_j and sets its public key to PK_j = {R_j, X_j}.
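The partial-key and full-key steps above follow the usual certificateless pattern, in which the KGC contributes π but never learns the user's own secret. The following is an added example, not code from the patent, that runs those steps end to end in a prime-order group. Because the page does not show these expressions, it assumes R_i = g^{x_i}, a KGC public value P = g^{S_0}, X_i = g^{σ_i} for the user's secret σ_i, and ξ_i = P^{α_i}; the check g^{π_i} = R_i · P^{α_i}, with which a user validates a partial key before accepting it, is likewise standard but not stated on the page. No pairing is needed for this step, so the RFC 2409 1024-bit MODP group stands in for G_0, and H_2 is SHA-256 reduced modulo the subgroup order q.

```python
"""Certificateless key issuance (PartKeyGen / FulKeyGen) in a prime-order group.

Added example; not the patent's code. Assumed (not on the page): R = g^x,
P = g^S_0, X = g^sigma, xi = P^alpha, and the partial-key check
g^pi == R * P^alpha. Group elements are ints mod p, scalars ints mod q.
"""
import hashlib
import secrets

# RFC 2409 group 2 (1024-bit MODP): p is a safe prime, g = 2 generates the
# subgroup of prime order q = (p - 1) / 2.  A real deployment would use the
# pairing group G_0 from Parms instead.
P_HEX = (
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF")
p = int(P_HEX, 16)
q = (p - 1) // 2
g = 2


def H2(*parts) -> int:
    """H_2: {0,1}* -> Z_q, SHA-256 over a length-prefixed encoding of the inputs."""
    h = hashlib.sha256()
    for part in parts:
        b = part if isinstance(part, bytes) else str(part).encode()
        h.update(len(b).to_bytes(4, "big") + b)
    return int.from_bytes(h.digest(), "big") % q


class KGC:
    """Key generation centre: holds the master secret S_0, publishes P = g^S_0."""

    def __init__(self):
        self.S0 = secrets.randbelow(q - 1) + 1
        self.P = pow(g, self.S0, p)

    def part_key_gen(self, identity: str) -> dict:
        """PartKeyGen: x random, R = g^x, alpha = H_2(ID, R), pi = x + S_0*alpha."""
        x = secrets.randbelow(q - 1) + 1
        R = pow(g, x, p)
        alpha = H2(identity, R)
        pi = (x + self.S0 * alpha) % q
        return {"R": R, "pi": pi}          # PSK = {R, pi}


def verify_partial_key(P: int, identity: str, psk: dict) -> bool:
    """A user checks g^pi == R * P^alpha before accepting the KGC's partial key."""
    alpha = H2(identity, psk["R"])
    return pow(g, psk["pi"], p) == psk["R"] * pow(P, alpha, p) % p


def full_key_gen(psk: dict):
    """FulKeyGen: the user adds its own secret sigma. FK = {pi, sigma}, PK = {R, X}."""
    sigma = secrets.randbelow(q - 1) + 1
    X = pow(g, sigma, p)
    return {"pi": psk["pi"], "sigma": sigma}, {"R": psk["R"], "X": X}


def full_public_value(P: int, identity: str, pk: dict) -> int:
    """g^(pi + sigma) from public data only: X * R * P^alpha.
    With xi = P^alpha this is the X_i * R_i * xi factor inside the page's A."""
    alpha = H2(identity, pk["R"])
    return pk["X"] * pk["R"] % p * pow(P, alpha, p) % p


def demo() -> bool:
    kgc = KGC()
    psk = kgc.part_key_gen("DU_j")
    if not verify_partial_key(kgc.P, "DU_j", psk):
        return False
    fk, pk = full_key_gen(psk)
    # The KGC knows pi but not sigma, so only the user holds pi + sigma;
    # everyone can still derive the matching public value from PK and P.
    full_secret = (fk["pi"] + fk["sigma"]) % q
    return pow(g, full_secret, p) == full_public_value(kgc.P, "DU_j", pk)
```

The escrow argument is visible in the last function: the KGC's share π alone does not yield g^{π+σ}, while any party can compute that public value from PK and P, which is what the keyword index ciphertext A in step (3)(ii) relies on. Binding α to the identity also means a partial key issued for one ID fails verification under another.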
(3) Data encryption:
(i) Encryption of data files:
FileEnc(Parms, (M, ρ), F): the file encryption algorithm takes Parms, the LSSS access policy (M, ρ) and the data file set F = (F_1, F_2, …, F_q) as input, where q is the number of files.
1) DP_i generates the data files and sends the file set to the DO. The DO selects a symmetric encryption key K and encrypts each file, producing the file ciphertext C_F = E_K(F_η), where 1 ≤ η ≤ q.
2) In the access policy (M, ρ), M is an l × n_max matrix and the function ρ maps the rows of M to attributes. The DO designs the access policy, selects a random secret value s and sets a sharing vector whose first entry is s (the vector is not legible in the source; in the standard LSSS construction it is v = (s, y_2, …, y_n) with random y_k).
3) The DO takes Parms, K and the access policy (M, ρ) and encrypts K as C = K · e(g, g)^{γs}.
4) For 1 ≤ i ≤ l the DO computes the share λ_i = M_i · v, where M_i is the i-th row of M (these are the shares reconstructed in decryption). The DO selects random r_1, r_2, …, r_l ∈ Z_p and computes C′ = g^s together with the per-row components C_i and D_i (their expressions are not legible in the source).
5) Finally the DO sets the key ciphertext to C_K = {C, C′, {C_i, D_i}, (M, ρ)} and sends C_F and C_K to the CSP.
The transaction Tx_HF generation algorithm takes as input the identifier ID_i of DP_i, DP_i's signature on the hash value H_1(F), DP_i's public key PK_i and the DO's signature Sig_DO.
1) To protect the integrity of the original data file and prevent an attacker from tampering with it, DP_i computes the hash value of the original data file, signs it and uploads it to the CB. Accordingly ID_i, the signed hash value and PK_i are recorded in a transaction: DP_i generates the blockchain transaction Tx_HF shown in Table 2.
Table 2: main content of transaction Tx_HF (table body not reproduced on the page)
2) DP_i generates a signature over the transaction Tx_HF and the timestamp t_HF, packages Tx_HF, the signature and t_HF, and submits them to the transaction pool.
3) DP_i sorts the transactions by timestamp, computes the Merkle root of the selected transactions and packages them into Block_#y. DP_i broadcasts Block_#y to the other consortium nodes via the PBFT protocol to reach consensus, after which Block_#y is appended to the blockchain.
4) After Block_#y has been appended successfully, the blockchain returns the corresponding block number #y and transaction identification number to DP_i.
(ii) Keyword encryption:
IndexEnc(Parms, FK, PK, W): the keyword encryption algorithm takes Parms, the full private key FK_i of DP_i, the public key PK_i of DP_i, the public key PK_j of DU_j and the keyword set W of the corresponding data file as input.
1) For each file F_η, DP_i selects a keyword set W = {w_1, w_2, …, w_m}.
2) DP_i selects random values, among them t, and computes A = (X_i · R_i · ξ)^t and B_j, where v_j = H_3(ID_j, P, X_j, R_j) enters B_j (the expression for B_j is not legible in the source). For each keyword w_k (1 ≤ k ≤ m) DP_i computes the keyword ciphertext C_k (expression not legible) and sets the file index ciphertext to C_I = {C_1, C_2, …, C_m}.
Finally DP_i sends the index ciphertext C_I, the block number #y and the transaction identification number to the CSP.
(4) User attribute private key generation:
The attribute key generation algorithm takes MSK and the attribute set of DU_j as input. The AA selects random values and generates the attribute private key ASK (the expressions are not legible in the source).
The transaction Tx_AKG generation algorithm takes the identifier ID_AA of the AA, the identifier ID_j of DU_j, DU_j's signature and DU_j's attribute set as input.
1) The AA generates the attribute private key ASK corresponding to the attribute set sent by DU_j. As a consortium chain node and the distributor of attribute keys, the AA may be attacked or compromised, leading to wrong decisions or outright denial of requests. To raise the reliability of the AA and make the attribute authorization process traceable and non-repudiable, the AA generates a transaction Tx_AKG containing DU_j's attribute set and the related information shown in Table 3: the transaction identification number, the unique identifiers ID_j and ID_AA of DU_j and the AA, and DU_j's signature approving the transaction. Once the user's authorized attributes have been recorded in the consortium chain transaction Tx_AKG, the AA cannot repudiate them and nobody can tamper with them, because the blockchain is public and transparent.
Table 3: main content of transaction Tx_AKG (table body not reproduced on the page)
2) The AA generates a signature over the transaction Tx_AKG and a timestamp, packages the transaction, the signature and the timestamp, and submits them to the transaction pool.
3) The AA sorts the transactions, computes their Merkle root and packages them into Block_#z. The AA broadcasts Block_#z to the other nodes via the PBFT protocol to reach consensus, after which Block_#z is appended to the consortium blockchain.
4) After Block_#z has been appended successfully, the AA obtains the corresponding block number #z and transaction identification number from the blockchain and sends them, together with the attribute private key ASK, to DU_j.
(5) Keyword ciphertext retrieval:
Trapdoor(Parms, FK_j, PK_i, W′): the trapdoor generation algorithm takes Parms, the full private key FK_j of DU_j, the public key PK_i of DP_i and the search keyword set W′ = {w_1, …, w_k′, …, w_n′} as input. DU_j selects a random r and computes T′ = g^r, T″ and T‴ (the last two expressions are not legible in the source). DU_j sets the trapdoor of search keyword w_k′ to T_j = {T′, T″, T‴} and forms the trapdoor set T_W′ = {T_1, T_2, …, T_n′}.
Search(Parms, C_I, T_W′): the matching algorithm takes Parms, the file index ciphertext C_I and the trapdoor T_W′ as input.
1) DU_j sends the trapdoor T_W′, the block numbers #x and #z and the corresponding transaction identification numbers to the CSP. On receiving the trapdoor, the CSP verifies DU_j's identification information B_j. If this succeeds the CSP continues with the following steps; otherwise it returns 0.
2) The CSP sends an access request containing #x, #z and the transaction identification numbers to the CB, searches the consortium chain by these values and locates Block_#x and Block_#z, which hold the related transactions.
3) From Block_#x the CSP extracts the partial-key transaction, its signature and its timestamp, and verifies the signature with the KGC's public key PK_KGC. If the verification succeeds, the CSP reads the partial-private-key record of PSK_j and checks whether DU_j is a legitimate, authorized user. If this check passes the CSP proceeds to the next step; otherwise it returns 0 to DU_j.
4) From Block_#z the CSP extracts the transaction Tx_AKG, its signature and its timestamp, and verifies the signature, which the AA produced, with the AA's public key PK_AA. If the verification succeeds, the CSP reads the attribute set from Tx_AKG; if DU_j's attributes were indeed authorized by the AA, the CSP proceeds; otherwise it returns 0.
5) The CSP takes C_I and T_W′ and performs the matching computation for each trapdoor T_j, that is, it checks whether e(T′, C_Ik) = e(A, T″) · e(B_j, T‴) holds. Whenever the equation holds, the document ciphertext contains the corresponding keyword.
6) The CSP looks up the key ciphertext C_K and file ciphertext C_F belonging to the matched index and sends them to DU_j together with the block number #y and the transaction identification number. If step 4) or step 5) does not succeed, the CSP returns 0.
(6) Decryption of the data ciphertext:
FileDec(C_K, C_F, ASK_j): the file decryption algorithm takes the key ciphertext C_K under access policy (M, ρ) and the attribute private key of DU_j as input. Suppose DU_j's attribute set satisfies the access policy. Define I ⊆ {1, …, l} as the set of rows of M whose attributes ρ(i) belong to DU_j's attribute set, and let {ω_i ∈ Z_p}_{i∈I} be a set of constants such that, if {λ_i} are valid shares of any secret s according to M, then Σ_{i∈I} ω_i λ_i = s.
1) DU_j computes the symmetric key K from C_K and ASK_j (the expression is not legible in the source).
2) DU_j decrypts the file ciphertext C_F with K: D_K(C_F) = D_K(E_K(F_η)) = F_η.
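The reconstruction constants ω_i are where the access policy actually bites: they exist only for attribute sets that satisfy (M, ρ). The following is an added example, not code from the patent, showing that step over Z_p. Since the page does not say how (M, ρ) is built, the example converts a boolean policy into an LSSS matrix with the Lewko-Waters algorithm (an assumption), shares s as λ = M · v with v = (s, y_2, …, y_n), and recovers s by solving for ω. The pairing computations that turn Σ ω_i λ_i = s into e(g, g)^{γs} are not included; the prime and the attribute names are constructed for the demo.

```python
"""LSSS access policies for the key ciphertext C_K: share s, then reconstruct it.

Added example, not the patent's code. Assumed: the policy-to-matrix conversion
(Lewko-Waters) and v = (s, y_2, ..., y_n). P_MOD and attribute names are
constructed; a deployment uses the group order p from Parms.
"""
import random

P_MOD = 2**61 - 1      # a prime, standing in for the group order p


def lsss_matrix(policy):
    """policy: attribute string, or ("AND"|"OR", left, right). Returns (M, rho)."""
    rows, counter = [], [1]            # counter[0] = current vector length

    def walk(node, vec):
        if isinstance(node, str):
            rows.append((node, vec))
            return
        op, left, right = node
        if op == "OR":                 # both children inherit the vector
            walk(left, vec)
            walk(right, vec)
        elif op == "AND":              # split the vector into two parts
            c = counter[0]
            counter[0] = c + 1
            walk(left, vec + [0] * (c - len(vec)) + [1])
            walk(right, [0] * c + [-1])
        else:
            raise ValueError(op)

    walk(policy, [1])
    n = counter[0]
    M = [v + [0] * (n - len(v)) for _, v in rows]   # pad rows to full width
    rho = [a for a, _ in rows]
    return M, rho


def share(M, s, p, rng=random):
    """lambda_i = M_i . v with v = (s, y_2, ..., y_n), y_k random in Z_p."""
    v = [s % p] + [rng.randrange(p) for _ in range(len(M[0]) - 1)]
    return [sum(m * x for m, x in zip(row, v)) % p for row in M]


def solve_mod(A, b, p):
    """Solve A x = b over Z_p by Gauss-Jordan; None if inconsistent."""
    m, n = len(A), len(A[0])
    aug = [[a % p for a in row] + [bi % p] for row, bi in zip(A, b)]
    pivots, r = [], 0
    for c in range(n):
        piv = next((i for i in range(r, m) if aug[i][c]), None)
        if piv is None:
            continue
        aug[r], aug[piv] = aug[piv], aug[r]
        inv = pow(aug[r][c], -1, p)
        aug[r] = [x * inv % p for x in aug[r]]
        for i in range(m):
            if i != r and aug[i][c]:
                f = aug[i][c]
                aug[i] = [(xi - f * xr) % p for xi, xr in zip(aug[i], aug[r])]
        pivots.append(c)
        r += 1
        if r == m:
            break
    if any(aug[i][n] for i in range(r, m)):       # a row reads 0 = nonzero
        return None
    x = [0] * n                                    # free variables set to 0
    for i, c in enumerate(pivots):
        x[c] = aug[i][n]
    return x


def reconstruct(M, rho, shares, attrs, p):
    """Find omega with sum(omega_i * M_i) = (1, 0, ..., 0) over the rows the
    user holds, then return sum(omega_i * lambda_i); None if the set fails."""
    I = [i for i, a in enumerate(rho) if a in attrs]
    if not I:
        return None
    n = len(M[0])
    A = [[M[i][c] for i in I] for c in range(n)]   # M_I^T omega = e_1
    omega = solve_mod(A, [1] + [0] * (n - 1), p)
    if omega is None:
        return None
    return sum(w * shares[i] for w, i in zip(omega, I)) % p


def satisfies(policy, attrs):
    """Boolean evaluation of the same policy, for cross-checking."""
    if isinstance(policy, str):
        return policy in attrs
    op, l, r = policy
    if op == "AND":
        return satisfies(l, attrs) and satisfies(r, attrs)
    return satisfies(l, attrs) or satisfies(r, attrs)


# A constructed archive policy: the registrar's CS office, or a student of 2021/2022.
POLICY = ("OR", ("AND", "registrar", "dept_CS"),
                ("AND", "student", ("OR", "year_2021", "year_2022")))


def demo():
    M, rho = lsss_matrix(POLICY)
    s = random.Random(7).randrange(1, P_MOD)
    shares = share(M, s, P_MOD)
    good = reconstruct(M, rho, shares, {"student", "year_2022"}, P_MOD)
    bad = reconstruct(M, rho, shares, {"registrar", "student"}, P_MOD)
    return good == s, bad is None
```

Note that a user whose attributes match rows of M but not the policy ({registrar, student} above) obtains shares yet no ω exists, so nothing about s leaks from them; in the real scheme the same solvability condition governs whether e(g, g)^{γs} can be recovered from C_K.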
The file verification algorithm takes the block number #y and the transaction identification number sent by the CSP, and the hash value H_1(F) computed by DU_j, as input.
1) DU_j searches the consortium chain for Tx_HF using #y and the transaction identification number, and extracts DP_i's public key PK_i and DP_i's signature.
2) DU_j computes the hash value H_1(F) of the file decrypted from C_F and verifies the signature against it. If the verification succeeds, the data file was produced by DP_i and is authoritative, and the data was not maliciously tampered with during sharing; if the verification fails, the original data file has been tampered with.
The overall flow of the scheme is shown in Figure 3.
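The on-chain record of H_1(F) in step (3) and its use in the file verification of step (6) are the integrity path of the scheme. The following is an added example, not code from the patent, that builds the Tx_HF record, packs timestamp-sorted transactions into a block under a Merkle root, and lets a data user check both that the transaction it was pointed to is in that block and that the decrypted file hashes to the recorded value. SHA-256 stands in for H_1 (which the page maps into G_0); PBFT consensus and the signature checks on the transaction and on DP_i's hash are outside this snippet. The file contents, identifiers and timestamps are constructed.

```python
"""Recording H_1(F) on the consortium chain and checking a decrypted file against it.

Added example, not the patent's code. SHA-256 stands in for H_1; consensus
and signature verification are not shown. Sample data is constructed.
"""
import hashlib
import json


def sha256(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()


def make_tx_hf(id_i: str, file_bytes: bytes, pk_i: str, timestamp: int) -> dict:
    """Tx_HF: producer identifier, H_1(F), producer public key, timestamp."""
    return {"type": "Tx_HF", "ID_i": id_i, "H1_F": sha256(file_bytes).hex(),
            "PK_i": pk_i, "t": timestamp}


def tx_id(tx: dict) -> bytes:
    """Transaction identification number: hash of the canonical encoding."""
    return sha256(json.dumps(tx, sort_keys=True).encode())


def merkle_root_and_proofs(leaves):
    """Return the Merkle root and, per leaf, a list of (sibling, sibling_is_right)."""
    if not leaves:
        raise ValueError("empty block")
    level, proofs = list(leaves), [[] for _ in leaves]
    pos = list(range(len(leaves)))          # leaf index -> position in level
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])          # duplicate the odd node out
        for leaf, k in enumerate(pos):
            proofs[leaf].append((level[k ^ 1], k % 2 == 0))
        level = [sha256(level[k] + level[k + 1]) for k in range(0, len(level), 2)]
        pos = [k // 2 for k in pos]
    return level[0], proofs


def verify_inclusion(leaf: bytes, proof, root: bytes) -> bool:
    h = leaf
    for sibling, sibling_is_right in proof:
        h = sha256(h + sibling) if sibling_is_right else sha256(sibling + h)
    return h == root


class ConsortiumChain:
    """Minimal append-only chain: blocks carry a Merkle root over sorted txs."""

    def __init__(self):
        self.blocks = []

    def package_block(self, pool):
        txs = sorted(pool, key=lambda tx: tx["t"])       # order by timestamp
        root, proofs = merkle_root_and_proofs([tx_id(tx) for tx in txs])
        prev = self.blocks[-1]["header"] if self.blocks else b"\x00" * 32
        number = len(self.blocks)
        header = sha256(prev + root + number.to_bytes(8, "big"))
        self.blocks.append({"number": number, "prev": prev, "root": root,
                            "header": header, "txs": txs, "proofs": proofs})
        # What the chain hands back to DP_i: block number and each tx id.
        return number, [tx_id(tx).hex() for tx in txs]

    def lookup(self, number: int, txid_hex: str):
        blk = self.blocks[number]
        for i, tx in enumerate(blk["txs"]):
            if tx_id(tx).hex() == txid_hex:
                return tx, blk["proofs"][i], blk["root"]
        return None


def verify_decrypted_file(chain, number, txid_hex, decrypted: bytes) -> bool:
    """DU_j's check: the tx is in the block it was told about, and H_1 matches."""
    found = chain.lookup(number, txid_hex)
    if found is None:
        return False
    tx, proof, root = found
    if not verify_inclusion(tx_id(tx), proof, root):
        return False
    return sha256(decrypted).hex() == tx["H1_F"]


def demo():
    chain = ConsortiumChain()
    transcript = b"Student 2021001: Algorithms A, Networks B+"   # constructed
    pool = [make_tx_hf("DP_registrar", transcript, "PK_registrar", 1700000002),
            make_tx_hf("DP_registrar", b"other file", "PK_registrar", 1700000001),
            make_tx_hf("DP_clinic", b"health record", "PK_clinic", 1700000003)]
    number, _ = chain.package_block(pool)
    target = tx_id(pool[0]).hex()
    ok = verify_decrypted_file(chain, number, target, transcript)
    bad = verify_decrypted_file(chain, number, target, transcript + b"!")
    return ok, bad
```

Because the transaction identification number is itself a hash of the record, an edit to a stored Tx_HF changes its id and breaks the Merkle path, so a user following the (#y, id) pair returned by the CSP either finds the untouched record or nothing.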
The beneficial effects of the invention are as follows:
1. Performance analysis.
Theoretical analysis:
This section summarizes the main characteristics of the PAM-CB-CL-SE scheme and compares it with similar schemes in terms of function and features. The main characteristics of the PAM-CB-CL-SE scheme are:
(1) Reduced computing overhead of the cryptographic algorithms: because personal archive data is plentiful and varied, the full file contents are encrypted and decrypted with a symmetric cipher, which lowers the computational burden on the data owner and the data user. A public-key cryptosystem encrypts only the symmetric key; combining a public-key mechanism with a symmetric cipher keeps deployment simple and operation convenient while reducing the computational cost of the cryptographic algorithms.
(2) Key protection and resistance to key escrow: the keyword ciphertext search function is built on certificateless encryption. Certificateless encryption avoids the key escrow problem of certificate-based key management, because part of the private key is held only by the data owner, which further improves key security. To make personal archive management practical, to let data users query data conveniently and to protect the data owner's privacy, keywords are encrypted with the certificateless technique so that archive data can be searched securely. The keyword ciphertext retrieval function also supports multiple keywords and multiple users.
(3) Fine-grained data sharing: multi-user fine-grained data sharing is achieved through attribute-based encryption. Unlike broadcast identity-based encryption, the data owner (for example a student) does not need to know the identities of the data users in advance, which reduces unnecessary communication overhead and the risk of privacy leakage. The data owner only needs to formulate the access control policy and generate the re-encryption key (that is, re-encrypt the symmetric key). The scheme uses a linear secret sharing scheme, which gives richer access control: the data owner can express flexible access policies through rich access structures, unnecessary communication overhead is saved, and the scheme scales well.
(4) Centred on the data owner: the data owner has full data management rights. In conventional solutions the data owner only supplies data and cannot manage it; this scheme removes the need for the data user to request access to the data from the data owner. The data owner (for example a student) authorizes data users to decrypt the personal archive by formulating an access policy for attribute-based encryption. Even if a data user obtains the file ciphertext through keyword ciphertext retrieval, it cannot decrypt the file plaintext unless its attributes satisfy the access policy formulated by the data owner. Data owners such as students therefore hold the core management authority over their archive data.
(5) Verifiability: the data user can verify the integrity of the plaintext data, and the cloud server is given a mechanism for verifying the integrity of the ciphertext. The data producer sends the file plaintext to the data owner; the data owner encrypts the file and uploads the file data ciphertext (the file ciphertext and the key ciphertext) to the cloud server; using the transparency and tamper resistance of the consortium chain, the data producer records the hash value of the original file and the important related information on the chain, and the chain returns the corresponding block number and transaction identification number; the data producer generates the keyword ciphertext from the file and sends the keyword ciphertext, the block number and the transaction identification number to the cloud server; the server matches the trapdoor supplied by the data user against the keyword ciphertext and, on success, returns the corresponding block number and transaction number to the data user; the data user then establishes the integrity and authenticity of the data by comparing the decrypted plaintext against the information found on the blockchain.
(5) Verifiability: the data user has the capability of verifying the integrity of the plaintext data, and provides a verification mechanism of the integrity of the ciphertext for the cloud server. The data producer sends the file plaintext to the data owner, and then the data owner encrypts the file and uploads the file data ciphertext (i.e., file ciphertext and key ciphertext) to the cloud server; the data producer links the hash value of the original file and the important related information record by utilizing the transparent and tamper-proof technology of the alliance chain, and the alliance chain returns the corresponding block number and the transaction identification number; the data producer generates a keyword ciphertext according to the file, and sends the keyword ciphertext, the block number and the transaction identification number to the cloud server; the server matches the trapdoor and the keyword ciphertext provided by the data user, and if the matching is successful, the corresponding block number and the transaction number are returned to the data user; the data user can determine the integrity and authenticity of the data by comparing and verifying the decrypted plaintext with the information found on the blockchain.
(6) Safety: the scheme can simultaneously meet the authenticability of the keyword ciphertext and the search trapdoor, the indistinguishability under the attack of the selected keyword and the confidentiality of file data. The alliance chain technology is applied to further improve the safety of data sharing and enhance the credibility of authority roles. The alliance chain is used as a distributed account book, and can disperse rights and avoid single-point faults, so that the archive data is more guaranteed.
The scheme achieves secure sharing of user archive data, privacy protection, keyword ciphertext search and so on. Compared with traditional ciphertext search schemes, this scheme lets a user verify the integrity and authenticity of the original data by recording important information and important operations on the consortium chain, and it enhances the authority and credibility of each institution. In addition, the scheme achieves secure sharing of archive data through fine-grained access control, which widens its practical application scenarios. For further analysis we define some notation: the exponentiation times of a group element in G_0 and in G_1; T_p, the computation time of a bilinear pairing operation; l, l' and n, the numbers of encrypted keywords, search keywords and data users, respectively; l_W, the number of attributes in the access policy; and the number of attributes in the key.
The computational costs of the proposed scheme are shown in Table 4. In the key generation stage the computational cost of the scheme is as listed in Table 4. In the encryption stage the scheme performs several exponentiations; although it adds attribute-based access control, its computation remains low. In the trapdoor generation stage the proposed scheme needs only exponentiations, so the computational cost is low. In the keyword matching stage the computational cost of our scheme is low, with a bilinear pairing computed for each keyword match.
Table 4: computational cost of the scheme
Experimental simulation:
This section reports experiments on the computational cost of keyword ciphertext retrieval in the scheme, and simulates the introduction of the consortium chain and the flow of the scheme.
Simulation experiments on the computational overhead of keyword ciphertext retrieval were run on a Windows 7 system with a Core i7 CPU at 2.3 GHz and 4 GB RAM, implemented with the Pairing-Based Cryptography (PBC) library. The computational overhead of the scheme in the key generation, encryption, trapdoor generation and keyword matching stages is shown in Fig. 4, with l = 20.
As shown in Fig. 4, in the key generation stage the computational cost of the scheme grows gradually as the number of users increases, but both the cost and its growth rate are low. In the encryption stage, to ease comparison of the number of keyword indexes we set l = 20; although the computational overhead of the scheme grows with the number of users, it is clearly not high. In the trapdoor generation stage the overhead increases with the number of user search keywords l', but the cost is very low. In the keyword matching stage the computation of the scheme grows linearly with the number of keywords. In summary, the scheme has relatively rich characteristics and functions, relatively low computation for ciphertext keyword retrieval, and the computational cost of the attribute-based encryption it adopts is also small. The simulation results for keyword ciphertext retrieval therefore show that the scheme is feasible.
For the experimental simulation of the consortium chain, a consortium chain network was built on the Hyperledger Fabric platform. The chain comprises the roles KGC, AA, CSP, DPs, DO and DUs, each with several nodes; KGC and AA serve as master nodes. Important information is signed and encrypted using consortium chain technology and important business processes are recorded on the ledger, so that the roles can query and download data from the chain. Blocks are broadcast to the other consortium chain nodes and consensus is reached through the PBFT protocol. In practice, testing and analysis can be carried out on the on-chain data upload, the on-chain query flow and so on. Owing to the large workload, specific consortium chain simulation experiments for the scheme are not given here.
2. A personal archive management scheme based on a consortium chain and certificateless searchable encryption is presented. The scheme addresses problems that arise in scenarios such as job hunting and admission qualification review: the integrity of data during generation or sharing of the personal archive is not guaranteed, the data are scattered yet over-centrally managed, archive data are easy to tamper with, personal privacy is leaked, and certificate verification is complex. By adopting consortium chain, certificateless encryption and attribute-based encryption technologies, ciphertext keyword search is achieved and personal privacy is protected. Attribute-based encryption lets data owners govern access rights to their data. Through the decentralization, openness, transparency and tamper resistance of the consortium chain, the integrity of the archive data is verified, making the data more reliable and enhancing the credibility of authorities. The security analysis and the keyword ciphertext retrieval experiments show that the scheme is secure, low in cost and high in computational performance.
3. The scheme has higher security.
Definition 1: the security of a personal archive management scheme based on a consortium chain and certificateless searchable encryption should satisfy the following conditions simultaneously:
(i) Security of certificateless public key cryptography
When discussing the security of certificateless public key cryptography, two types of adversaries, A_1 and A_2, are generally considered. A_1 cannot access the system master key but can perform public key replacement attacks; A_2 cannot replace a data user's public key but can access the system master key.
1) Authenticability of keyword ciphertext and search trapdoor
Under attack by adversaries A_1 and A_2, if the scheme guarantees the authenticability of the keyword index ciphertext and the search trapdoor, a malicious insider cannot mount an inside keyword guessing attack on the scheme.
2) Indistinguishability under chosen keyword attack
Under chosen keyword attacks by adversaries A_1 and A_2, the scheme must guarantee the indistinguishability of the keyword index ciphertext.
(ii) Confidentiality of file data
Even if an adversary intercepts part of the ciphertext files, it can neither decrypt them nor guess the search keywords corresponding to them; only users with file access authority can access and query the shared file data.
(iii) On the basis of (i) and (ii), consortium chain (CB) technology improves the security of data sharing and enhances the trustworthiness of each authoritative role.
According to Definition 1, this section gives security analyses or proofs of the authenticability of keyword ciphertext and search trapdoor, indistinguishability under chosen keyword attack, confidentiality of file data, and so on.
(1) Authenticability analysis of keyword ciphertext and search trapdoor
The data producer DP_i uses its private key FK_i when generating the keyword ciphertext. The data user DU_j uses its private key FK_j when generating the trapdoor T_j = {T', T'', T'''}, where T' = g^r. Without the private keys of DP_i and DU_j, the cloud service provider and other users in the system cannot mount an inside keyword guessing attack on the scheme by generating or tampering with keyword ciphertexts and search trapdoors. The keyword ciphertext and the search trapdoor are authenticated, since DP_i and DU_j sign the keyword ciphertext and the search trapdoor respectively. By the unforgeability of the digital signature, an attacker cannot mount an IKGA on the scheme; the detailed proof can be found in the cited literature.
(2) The scheme resists chosen keyword attacks by adversaries A_1 and A_2 in the random oracle model.
Theorem 1: under the DLDHP assumption, the scheme satisfies indistinguishability of the keyword ciphertext under chosen keyword attack in the random oracle model.
Theorem 1 is proved by Lemma 1 and Lemma 2.
Lemma 1: in the random oracle model, if adversary A_1 can break the scheme in polynomial time with non-negligible advantage ε, then challenger C can construct a polynomial-time algorithm that solves the DLDHP problem. Here q_t denotes the maximum number of trapdoor queries and N the number of data users.
Proof: challenger C solves the DLDHP problem through the following interactive game with adversary A_1.
Given an input tuple F = (g_1, g_2, g_3, Z, v_1, v_2, v_3), let g = g_1. C runs the system initialization algorithm to generate the public parameters Parms, randomly selects the system master key, and sends Parms to A_1.
Query phase: A_1 may issue the following queries to C. C maintains a list for each oracle and query below, all initially empty, to answer A_1.
1) H_0 query. When C receives A_1's H_0 query on keyword w_i, if a tuple (w_i, c_i, e_i, m_i) already exists in the H_0 list, C outputs e_i as the reply. Otherwise C selects c_i ∈ {0,1}; when c_i = 0, C chooses a random value and computes e_i and m_i; when c_i = 1, C chooses a random value and computes e_i and m_i by a different rule. Finally C outputs e_i as the reply and stores the tuple (w_i, c_i, e_i, m_i) in the H_0 list.
2) H_1 query. When C receives A_1's H_1 query on keyword w_i, if a tuple (w_i, c_i, f_i, n_i) already exists in the H_1 list, C outputs f_i as the reply. Otherwise C selects c_i ∈ {0,1}; when c_i = 0, C chooses a random value and computes f_i and n_i; when c_i = 1, C computes f_i, where n_i is derived from δ_i, m_i and n. Finally C outputs f_i as the reply and stores the tuple (w_i, c_i, f_i, n_i) in the H_1 list.
3) H_2 query. When C receives A_1's H_2 query on user identity ID_j, if a tuple (ID_j, R_j, α_j) already exists in the H_2 list, C outputs α_j directly. Otherwise C randomly selects α_j, outputs it as the reply, and stores (ID_j, R_j, α_j) in the H_2 list.
4) H_3 query. When C receives A_1's H_3 query on user identity ID_j, if a tuple (ID_j, P, X_j, R_j, v_j) exists in the H_3 list, C outputs v_j. Otherwise C randomly selects v_j, outputs it as the reply, and stores (ID_j, P, X_j, R_j, v_j) in the H_3 list.
5) Partial private key query. When C receives A_1's partial private key query for identity ID_j, if a tuple (ID_j, x_j, R_j, π_j) exists in the partial key list, C returns (R_j, π_j) to A_1. Otherwise C randomly selects the required values, computes R_j and π_j, stores (ID_j, R_j, α_j) in the H_2 list and (ID_j, x_j, R_j, π_j) in the partial key list, and outputs (R_j, π_j) as the reply.
6) Public key extraction query. When C receives A_1's public key query for identity ID_j, if a tuple (ID_j, x_j, R_j, π_j) exists in the partial key list, C randomly selects a value, computes X_j, stores (ID_j, X_j, R_j) in the public key list, and outputs (X_j, R_j) as the reply. Otherwise C first runs the partial private key query for ID_j to generate the tuple (ID_j, R_j, π_j), then randomly selects a value, computes X_j, stores (ID_j, X_j, R_j) in the public key list, and outputs (R_j, X_j) as the reply.
7) Public key replacement query. When C receives A_1's public key replacement query for identity ID_j, C replaces the tuple (ID_j, R_j, X_j) with (ID_j', R_j', X_j').
8) Secret value query. When C receives A_1's secret value query for identity ID_j, if a tuple (ID_j, δ_j) already exists in the secret value list, C returns δ_j. Otherwise C randomly selects δ_j, stores (ID_j, δ_j) in the list, and outputs δ_j as the reply.
9) Trapdoor query. After receiving A_1's trapdoor query on keyword w_i, C replies to A_1 as follows.
(1) C performs the above queries to obtain the tuples (w_i, c_i, e_i, m_i), (w_i, c_i, f_i, n_i), (ID_j, R_j, α_j), (ID_j, R_j, X_j), (ID_j, P, X_j, R_j, v_j) and (ID_j, δ_j).
(2) C selects a random number r, computes T', T'' and T''', and outputs T_j = (T', T'', T''') as the reply to the trapdoor query.
Challenge phase: a is that 1 Select w= (W) 0,1 ,w 0,2 ,…,w 0,n ) As a challenge keyword, C randomly selects r= (w 1,1 ,w 1,2 ,…,w 1,n ) Let W 0 =W*,W 1 =r, and a 1 Can not inquire about W 0 And W is 1 Is a trapdoor of (2). Then C randomly selects b E {0,1}, for all keywords W b,i Proceed H 0 Interrogation and H 1 Query, get tuple (w b,i ,c b,i ,e b,i ,m b,i ) And tuple pi (w b,i ,c b,i ,f b,i ,n b,i ). If all c b,i Not equal to 1, c terminates the game; otherwise C calculatingA=(X i ·R i ·ξ) aWhen c b,i When=0, C calculates challenge ciphertextWhen c b,i When=1, C calculates challenge ciphertext ++>Last C sends W 0 、W 1 Challenge ciphertext (A, B 1 ,B 2 ,…,B n ,C b,1 ,C b,2 ,…,C b,m ) Give A 1
Guessing stage: a is that 1 Output a guess value b 'e {0,1}, if b' e @ is not equal to b, let v 3 =z, C terminates the game; no order of noC may perform the following calculations to verify the validity of the challenge ciphertext.
A * =X i ·R i ·ξ
If c b,i =0, calculate
If c b,i =1, calculate
The following calculates the probability dominance epsilon' that challenger C successfully solves the DLDHP problem. Let event E 1 Indicating that C has not terminated during trapdoor interrogation, event E 2 Indicating that C has not terminated in the challenge phase, event E 3 Indicating that C does not correspond to W 0 And W is 1 A trapdoor inquiry is made. Event E 1 、E 2 And E is 3 Which occur successively.
If A 1 Can break through the solution with epsilon probability, thenBy->And->Can calculate->From the following components Can calculate->Thus (2)I.e. < ->Challenger C successfully solves the probability advantage of DLDHP problem
In the above game, C solves the DLDHP problem with a non-negligible probability ε', which contradicts the accepted difficulty of the DLDHP problem. Thus A is 1 The probability epsilon of breaking the solution herein is a negligible value, and the solution satisfies the indistinguishability of the keyword ciphertext under the attack of the selected keyword in the face of the first class of adversaries Sex.
Lemma 2: in the random oracle model, if adversary A_2 can break the scheme in polynomial time with non-negligible advantage ε, then challenger C can construct a polynomial-time algorithm that solves the DLDHP problem with non-negligible advantage. Here q_t denotes the maximum number of trapdoor queries and N the number of data users.
Proof: challenger C solves the DLDHP problem through the following game with adversary A_2.
Given a tuple F = (g_1, g_2, g_3, Z, v_1, v_2, v_3), let g = g_1. C runs the initialization algorithm to generate the public parameters Parms = {e, p, G_0, G_1, H_0, H_1, H_2, H_3, g, P, e(g,g)^γ, h_att_i} and sends the secret value S and the public parameters Parms to the attacker A_2. Furthermore, C randomly selects a value n and keeps it secret.
Query phase: A_2 may issue the following queries to C. The H_0, H_1, H_2 and H_3 queries are the same as in Lemma 1.
1) Partial private key query. When C receives A_2's partial private key query for identity ID_j, if a tuple (ID_j, x_j, R_j, π_j) exists in the partial key list, C returns (R_j, π_j) to A_2. Otherwise C randomly selects the required values and computes R_j, α_j = h_0(ID_j, R_j), and π_j from α, x_j, δ_j and s. Then C stores (ID_j, R_j, α_j) in the H_2 list and (ID_j, x_j, R_j, π_j) in the partial key list, and returns (R_j, π_j) as the reply.
2) Public key extraction query. When C receives A_2's public key query for identity ID_j, if a tuple (ID_j, X_j, R_j) exists in the public key list, C outputs (X_j, R_j) as the reply. Otherwise C randomly selects the required values, computes X_j and R_j, adds (ID_j, X_j, R_j) to the public key list, and outputs (X_j, R_j) as the reply.
3) Trapdoor query. After receiving A_2's trapdoor query on keyword w_i, C replies as follows.
(1) C obtains the tuples (w_i, c_i, e_i, m_i), (w_i, c_i, f_i, n_i), (ID_j, P, X_j, R_j, v_j) and (ID_j, x_j, R_j, π_j) from the respective lists.
(2) C selects a random number r, computes T', T'' and T''', and outputs T_j = (T', T'', T''') as the reply to the trapdoor query.
Challenge phase: adversary A_2 selects the challenge keywords W* = (w_{0,1}, w_{0,2}, …, w_{0,n}). C selects R = (w_{1,1}, w_{1,2}, …, w_{1,n}) and lets W_0 = W* and W_1 = R; A_2 may not query the trapdoors of W_0 or W_1. C then randomly selects b ∈ {0,1} and performs H_0 and H_1 queries for all keywords w_{b,i}, obtaining the tuples (w_{b,i}, c_{b,i}, e_{b,i}, m_{b,i}) and (w_{b,i}, c_{b,i}, f_{b,i}, n_{b,i}). If every c_{b,i} ≠ 1, C terminates the simulation; otherwise C computes A = (X_i · R_i · ξ)^a and the remaining components, with a different formula for c_{b,i} = 0 and for c_{b,i} = 1. C sends the challenge ciphertext (A, B_1, B_2, …, B_n, C_{b,1}, C_{b,2}, …, C_{b,m}), W_0 and W_1 to A_2.
Guess phase: A_2 outputs a guess b' ∈ {0,1}. If b = b', C verifies the validity of the challenge ciphertext by computing
A* = X_i · R_i · ξ
and then, according to whether c_{b,i} = 0 or c_{b,i} = 1, the corresponding check value; otherwise C sets v_3 = Z and terminates the game.
Challenger C's advantage in solving the DLDHP problem in this game (computed as in Lemma 1) contradicts the accepted hardness of the DLDHP problem. Hence the advantage ε with which A_2 breaks the scheme is negligible, and the scheme satisfies indistinguishability of the keyword ciphertext under chosen keyword attack against the second type of adversary.
(3) Confidentiality analysis of shared data
The confidentiality and security of file data rest on the security of the symmetric encryption algorithm and of the attribute-based encryption algorithm. In this scheme the data producer DP first produces data for the data owner DO; DO then selects a symmetric encryption key K and encrypts the file to generate the file ciphertext C_F = E_K(F_η) (where 1 ≤ η ≤ q); DO then formulates an access policy according to the data user attributes and performs attribute-based encryption on the symmetric key K; finally, only access users whose attributes satisfy the policy formulated by the data owner can correctly decrypt the key ciphertext to obtain K and recover the plaintext with it. The security proof of the attribute-based encryption algorithm can be found in the relevant literature.
(4) The scheme satisfies requirement (iii) of Definition 1
A blockchain is essentially a distributed ledger database, a sequence of data blocks linked by cryptography. Each block on the blockchain contains valid confirmations of multiple transactions, achieving weak centralization, openness, immutability and traceability.
1) Decentralization. As matters stand, consortium chain (CB) technology is in a weakly centralized, multi-centric state. Here CB lies between public and private chains, with partial decentralization. The key generation center, the attribute authority, other personnel units and so on jointly maintain the consortium chain; the generation of each block is decided by designated nodes, while the other nodes take part in transactions but not in the accounting process.
2) Openness. All accounting processes are open to the public. Anyone can query the blockchain data and develop related applications through an open interface, so the information of the whole system is highly transparent.
3) Immutability and traceability. CB applies hash functions and signature techniques and is secure and trusted. Data cannot be modified in CB, because the other nodes on the chain would not recognize the modified information. The scheme records the interactions among ciphertext data, user attribute authorization, and between any user and the CSP.
Drawings
FIG. 1 is a diagram of the system model of the present invention;
FIG. 2 is a diagram of the consensus process;
FIG. 3 is a flow chart of the present invention;
FIG. 4 shows the computational cost of the present invention.
Detailed Description
The technical scheme of the invention is further described in detail below with reference to the accompanying drawings.
The scheme comprises the following seven roles: a key generation center (Key Generation Center, KGC), an attribute authority (Attribute Authority, AA), a consortium blockchain (Consortium Blockchain, CB), a cloud service provider (Cloud Service Provider, CSP), data producers (DPs), a data owner (Data Owner, DO) and data users (DUs). Schools, public security bureaus, teachers and the like are the producers of personal archives in the system, and any authenticated organization or person can join the system and together form the consortium chain nodes. The consensus algorithm is an optimized practical Byzantine fault-tolerant algorithm in which all roles take part. If the number of nodes in each network layer is d, then by the practical Byzantine fault tolerance algorithm at most (d-1)/3 of the d nodes may be Byzantine; the system therefore consists of at least 4 nodes. The system model is shown in Fig. 1.
The roles are described as follows:
1) KGC: responsible for generating the system parameters and a partial key for each role; the partial keys and important information records are put on the chain.
2) AA: responsible for verifying the unique identifier of each role and distributing attribute private keys to legitimate users; the authorized attributes and important information records are put on the chain.
3) CB: all roles in the system together form the nodes of the consortium chain, some of which are master management nodes, such as education bureaus. The master nodes are responsible for finally appending new blocks to the chain. The transactions generated by the key generation center, the attribute authority, the data producers and so on are stored on it.
4) CSP: stores the complete ciphertext files and the corresponding access policies.
5) DPs: the roles that create personal archives, such as schools, public security bureaus and individuals. Some data producers, such as schools, education bureaus and human resource centers, serve as authoritative nodes of the consortium chain; they generate the file keyword ciphertext, store it in the cloud, and record the hash value of the complete file ciphertext in a transaction on the chain.
6) DO: the role that owns the personal archive, such as a student. Generates the key ciphertext and formulates the corresponding ciphertext access policy.
7) DUs: the users who access data. A DU generates a multi-keyword trapdoor and sends it to the cloud service provider, decrypts the file ciphertext returned by the cloud service provider, and after decryption verifies the integrity and authenticity of the file plaintext.
The system operation flow is as follows:
Step 1: and (5) setting globally. The key generating center KGC and the attribute authority AA perform an initialization algorithm, which includes setting system public parameters and a master key. Building a alliance chain platform, and distributing a unique identifier for each role.
Step 2: and (5) key generation. The complete process is 1 to 4 in fig. 1:
1) The data user DU sends the identification information of the data user DU to the KGC, and the KGC generates a corresponding partial key for the DU according to the identification information.
2) KGC records transactions, the contents of which include partial key hash values, KGC identifiers, DU identifiers, and DU signatures. KGC places transactions in a transaction pool and packages transactions in the pool into chunks.
3) All nodes on the chain reach consensus and upload blocks to the federation chain CB. The CB then returns the corresponding block number and transaction identification number to KGC. KGC sends the block number, transaction identifier and partial key in step 22) to DU.
4) The DU randomly selects a secret value and combines the secret value with the partial key to generate a full private key. A corresponding public key is then generated from the full private key.
Step 3: and (5) encrypting the data. The data producer DPs and the data owner DO execute the corresponding algorithm, the complete flow of this step is 5 to 9 in fig. 1:
1) The data producer DP generates an archive file and sends it to the DO. The DO first selects a symmetric key to encrypt the original file to generate a file ciphertext, then formulates a corresponding ciphertext access policy to generate a key ciphertext, and finally sends the file ciphertext and the key ciphertext to the cloud service provider CSP, as shown in fig. 1 at 5 and 6.
2) The DP records the hash value of the original file as a transaction, the transaction content including an identifier of the DP, a public key of the DP, and a signature of the DP. DP places transactions in a pool of transactions, which are then packed into blocks and then uploaded to CB. The CB then returns the corresponding block number and transaction identification number to the DP, as shown at 7 and 8 in fig. 1.
3) The DP selects a keyword from the archive file and generates a keyword ciphertext, and then transmits the block number, the transaction identification number, and the keyword ciphertext in step 32) to the CSP, as shown at 9 in fig. 1.
Step 4: generating the attribute private key. This step is performed by the AA; its complete flow is 10 to 13 in Fig. 1:
1) The DU sends its own attributes to the AA to apply for the attribute private key, and the AA generates the corresponding attribute private key according to the attributes of the DU.
2) The AA records the attribute authorization process of sub-step 1) as a transaction, whose contents include the identifier of the AA, the identifier of the DU, the attributes the AA has authorized for the DU, and the signature of the DU. The AA puts the transaction into the transaction pool; the transaction is packed into a block and uploaded to the CB. After receiving the new block, the CB returns the corresponding block number and transaction identification number to the AA.
3) The AA sends the block number and transaction identification number from sub-step 2), together with the attribute private key, to the DU.
Step 5: ciphertext access. The DU executes the relevant algorithms; the complete flow of this step is 14 to 17 in Fig. 1:
1) The DU generates a trapdoor from the search keywords of the content it wants to retrieve, and sends the block numbers and transaction identification numbers obtained in step 2, sub-step 2) and step 4, sub-step 2), together with the trapdoor, to the CSP to apply for the ciphertext.
2) After receiving the request of the DU, the CSP accesses the CB according to the block number and transaction identification number provided by the DU and acquires the related information. After extracting the transaction contents from the block, the CSP verifies whether the partial private key and the attribute private key of the DU have been authorized, in order to judge whether the DU is a legitimate user. If the verification succeeds, the CSP performs the matching operation between the keyword ciphertext and the trapdoor; otherwise, the CSP returns 0.
3) If the keyword ciphertext matches the trapdoor successfully, the CSP sends the block number and transaction identification number from step 3, sub-step 2), together with the file ciphertext, to the DU; otherwise, the CSP returns 0.
Step 6: decrypting the data. The DU obtains the file ciphertext from the CSP, executes the decryption algorithm to obtain the file plaintext, and calculates the hash value of the plaintext. The DU then searches the CB for the related transaction information according to the block number and transaction identification number sent by the CSP, extracts the transaction containing the hash of the original file generated by the DP, and compares the hash value of the original file recorded in the transaction with the hash value it calculated. If the values are consistent, the original file has not been tampered with; otherwise, the file was tampered with during sharing. The data decryption process is shown at 18 to 19 in Fig. 1.
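As an added illustration that is not part of the patent, the following Python models the ledger references that steps 5 and 6 rely on: the CSP looks up the DU's partial-key and attribute transactions by block number and transaction identification number before matching, and the DU checks the decrypted file against the hash the DP recorded on the CB in step 2. The signatures, the symmetric cipher, the transaction identifiers and the transaction type labels ("PSK", "AKG", "HF") are constructed stand-ins, not the patent's pairing-based algorithms.

```python
import hashlib
import hmac
import json

# Constructed stand-ins (not the patent's algorithms): signatures are HMAC tags and the
# symmetric file cipher is a SHA-256 keystream XOR. The ledger lookups are the point.

def h1(data: bytes) -> str:
    """Plays H_1 from the description: the hash of the original file."""
    return hashlib.sha256(data).hexdigest()

class ConsortiumChain:
    """Append-only blocks; each block maps a transaction id to its content."""
    def __init__(self):
        self.blocks = []

    def commit(self, tx: dict):
        """Pack one transaction into a new block; return (block number, tx id) like the CB."""
        tx_id = hashlib.sha256(json.dumps(tx, sort_keys=True).encode()).hexdigest()
        self.blocks.append({tx_id: dict(tx)})
        return len(self.blocks) - 1, tx_id

    def lookup(self, block_no: int, tx_id: str):
        if not 0 <= block_no < len(self.blocks):
            return None
        return self.blocks[block_no].get(tx_id)

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Placeholder for the symmetric file cipher; NOT a real cipher, only a stand-in."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def dp_record_file(chain, dp_id: str, dp_pk: str, dp_sk: bytes, file_bytes: bytes):
    """Step 2 / C-2: the DP records H_1(F) with its identifier, public key and signature."""
    tx = {"type": "HF", "dp": dp_id, "pk": dp_pk, "hash": h1(file_bytes)}
    tx["sig"] = hmac.new(dp_sk, tx["hash"].encode(), "sha256").hexdigest()
    return chain.commit(tx)

def csp_authorize(chain, du_id: str, psk_ref, attr_ref) -> bool:
    """Step 5-2 / E-2 (assumed check): both references must resolve to a KGC partial-key
    transaction and an AA attribute transaction issued to this DU identifier."""
    psk_tx = chain.lookup(*psk_ref)
    attr_tx = chain.lookup(*attr_ref)
    return (psk_tx is not None and psk_tx.get("type") == "PSK" and psk_tx.get("du") == du_id
            and attr_tx is not None and attr_tx.get("type") == "AKG" and attr_tx.get("du") == du_id)

def du_verify(chain, file_ref, key: bytes, ciphertext: bytes):
    """Step 6 / F: decrypt, hash the plaintext, fetch the DP's transaction by
    (block number, tx id) and compare hashes. Returns (plaintext, untampered)."""
    plaintext = keystream_xor(key, ciphertext)
    tx = chain.lookup(*file_ref)
    if tx is None or tx.get("type") != "HF":
        return plaintext, False
    return plaintext, hmac.compare_digest(tx["hash"], h1(plaintext))
```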
Those of ordinary skill in the art will appreciate that: the discussion of any of the embodiments above is merely exemplary and is not intended to suggest that the scope of the invention (including the claims) is limited to these examples; the technical features of the above embodiments or in the different embodiments may also be combined within the idea of the invention, the steps may be implemented in any order and there are many other variations of the different aspects of the invention as described above, which are not provided in detail for the sake of brevity.
The present invention is intended to embrace all such alternatives, modifications and variances which fall within the broad scope of the appended claims. Therefore, any omission, modification, equivalent replacement, improvement, etc. of the present invention should be included in the scope of the present invention.

Claims (2)

1. A personal archive management method based on a federation chain and certificateless searchable encryption, comprising the establishment of a system model, wherein the system model comprises 7 roles:
a key generation center (Key Generation Center, KGC), an attribute authority (Attribute Authority, AA), a federation chain (Consortium Blockchain, CB), a cloud service provider (Cloud Service Provider, CSP), data producers (Data Producer, DPs), a data owner (Data Owner, DO) and data users (Data User, DUs);
the key generation center (Key Generation Center, KGC): responsible for generating the system parameters and a partial key for each role, and for recording the partial keys and important information on the chain;
the attribute authority (Attribute Authority, AA): responsible for verifying the unique identifier of a role, distributing attribute private keys to legitimate users, and recording the authorized attributes and important information on the chain;
the federation chain (Consortium Blockchain, CB): all roles in the system together form the nodes of the alliance chain, some of which are master management nodes, such as the educational administration; the master management nodes are responsible for finally linking new blocks onto the chain and storing the transactions generated by the key generation center, the attribute authority, the data producers and the like;
the cloud service provider (Cloud Service Provider, CSP): stores the complete ciphertext files and the corresponding access policies;
the data producers (Data Producer, DPs): the roles that generate personal archives, such as schools, public security bureaus and individuals; they serve as authority nodes of the alliance chain, such as schools, education bureaus and human resource centers, generate the file keyword ciphertext and store it in the cloud, and record the hash value of the complete file ciphertext in a transaction on the chain;
the data owner (Data Owner, DO): the role that owns a personal archive, such as a student; it generates the key ciphertext and formulates the corresponding ciphertext access policy;
the data users (Data User, DUs): the users who access the data; a DU generates a multi-keyword trapdoor and sends it to the cloud service provider, decrypts the file ciphertext returned by the cloud service provider, and verifies the integrity and authenticity of the file plaintext after decryption;
the schools, public security offices and teachers in the system are the generators of personal archives, and any authenticated organization or person can participate and jointly form the alliance chain nodes; the consensus algorithm adopts an optimized Byzantine fault-tolerant algorithm in which all roles participate in consensus; if the number of nodes in each network layer is denoted d, then according to the practical Byzantine fault-tolerant algorithm there are at most (d-1)/3 Byzantine nodes among the d nodes, so the system consists of at least 4 nodes; the system model is shown in Figure 1 of the accompanying drawings of the specification.
2. A federation chain and certificateless searchable encryption based personal archive management method according to claim 1, comprising the system operation steps of:
step A: global setup: the key generation center KGC and the attribute authority AA execute the initialization algorithm, set the system public parameters and the master key, build the alliance chain platform, and assign a unique identifier to each role;
this step executes the system initialization algorithm Setup(1^λ):
Setup(1^λ) → Parms, MSK: the algorithm takes the security parameter 1^λ as input and outputs the public parameters Parms, the master key MSK and the attribute set managed by the AA; the platform constructs an alliance chain CB composed of all roles and users in the system;
step B: user ciphertext retrieval key generation, comprising the following steps: step B-1: the data user DU sends its identification information to the KGC, and the KGC generates the corresponding partial key for the DU according to the identification information;
step B-2: the KGC records a transaction whose content comprises the hash value of the partial key, the KGC identifier, the DU identifier and the DU signature; the KGC puts the transaction into the transaction pool and packs the transactions in the pool into blocks;
step B-3: all nodes on the chain reach consensus and upload the blocks to the alliance chain CB, the CB returns the corresponding block number and transaction identification number to the KGC, and the KGC sends the block number, the transaction identification number and the partial key from step B-2 to the DU;
step B-4: the DU randomly selects a secret value, combines the secret value with the partial key to generate the complete private key, and then generates the corresponding public key from the complete private key;
this step executes the partial key generation algorithm PartialKeyGen(Parms, MSK, ID), the transaction generating algorithm, and the complete key generation algorithm FulKeyGen(PSK) → PK:
PartialKeyGen(Parms, MSK, ID) → PSK: takes Parms, MSK and the unique identifier ID of the user as input and outputs the partial key PSK of the user;
the transaction generating algorithm takes the identifier ID_KGC of the KGC, the identifier ID_j of user DU_j, the signature of DU_j and the hash value H_3(PSK_j) of the partial key PSK_j as input, and outputs the corresponding block number #x and transaction identification number;
FulKeyGen(PSK) → PK: the algorithm takes PSK and the secret value as input and outputs the corresponding complete private key FK and public key PK;
step C: data encryption, comprising the following steps:
step C-1: the data producer DP generates an archive file and sends it to the DO; the DO first selects a symmetric key to encrypt the original file and produce the file ciphertext, then formulates the corresponding ciphertext access policy to produce the key ciphertext, and finally sends the file ciphertext and the key ciphertext to the cloud service provider CSP;
step C-2: the DP records the hash value of the original file in a transaction whose content comprises the identifier of the DP, the public key of the DP and the signature of the DP; the DP puts the transaction into the transaction pool, the transactions are packed into blocks and uploaded to the CB, and the CB returns the corresponding block number and transaction identification number to the DP;
step C-3: the DP selects keywords from the archive file and generates the keyword ciphertext, then sends the block number and transaction identification number from step C-2 together with the keyword ciphertext to the CSP;
this step is performed by the data producers DPs and the data owner DO, executing the file encryption algorithm FileEnc(Parms, (M, ρ), F), the transaction Tx_HF generating algorithm, and the keyword encryption algorithm IndexEnc(Parms, FK, PK, W):
FileEnc(Parms, (M, ρ), F) → C_F, C_K: the algorithm takes Parms, the LSSS access policy (M, ρ) and the data file set F as input and outputs the file ciphertext C_F and the key ciphertext C_K;
the Tx_HF generating algorithm takes the identifier ID_i of data producer DP_i, the hash value H_1(F) of the file, the signature of DP_i, the public key PK_i of DP_i and the signature Sig_DO of the DO as input, and outputs the corresponding block number #y and transaction identification number;
IndexEnc(Parms, FK, PK, W) → C_I: the algorithm takes Parms, the complete private key FK_i and public key PK_i of DP_i, the public key PK_j of DU_j and the corresponding data file keyword set W as input, and outputs the file index ciphertext C_I;
step D: user attribute private key generation, comprising the following steps:
step D-1: the DU sends its attributes to the AA to apply for the attribute private key, and the AA generates the corresponding attribute private key according to the attributes of the DU;
step D-2: the AA records the attribute authorization process of step D-1 as a transaction whose content comprises the identifier of the AA, the identifier of the DU, the attributes the AA has authorized for the DU, and the signature of the DU; the AA puts the transaction into the transaction pool, the transaction is packed into a block and uploaded to the CB, and the CB returns the corresponding block number and transaction identification number to the AA after receiving the new block;
step D-3: the AA sends the block number and transaction identification number from step D-2, together with the attribute private key, to the DU;
this step is performed by the AA, executing the attribute key generation algorithm and the transaction Tx_AKG generating algorithm:
the attribute key generation algorithm takes MSK and the attribute set of DU_j as input and outputs the attribute private key ASK_j of DU_j;
the Tx_AKG generating algorithm takes the identifier ID_AA of the AA, the identifier ID_j of DU_j, the signature of DU_j and the attribute set of DU_j as input, and outputs the corresponding block number #z and transaction identification number;
step E: keyword ciphertext search, comprising the following steps:
step E-1: the DU generates a trapdoor from the search keywords of the content to be retrieved, and sends the block numbers and transaction identification numbers from step B-2 and step D-2, together with the trapdoor, to the CSP to apply for the file ciphertext;
step E-2: after receiving the request of the DU, the CSP accesses the CB according to the block number and transaction identification number provided by the DU and acquires the related information; after extracting the transaction contents from the block, the CSP verifies whether the partial private key and the attribute private key of the DU have been authorized, in order to judge whether the DU is a legitimate user; if the verification succeeds, the CSP performs the matching operation between the keyword ciphertext and the trapdoor; otherwise, the CSP returns 0;
step E-3: if the keyword ciphertext matches the trapdoor successfully, the CSP sends the block number and transaction identification number from step C-2, together with the file ciphertext, to the DU; otherwise, the CSP returns 0;
this step is performed by the DUs, executing the trapdoor generation algorithm Trapdoor(Parms, FK_j, PK_i, W′) and the matching algorithm Search(Parms, C_I, T_W′):
Trapdoor(Parms, FK_j, PK_i, W′) → T_W′: the algorithm takes Parms, the complete private key FK_j of DU_j, the public key PK_i of DP_i and the search keyword set W′ as input and outputs the trapdoor T_W′;
Search(Parms, C_I, T_W′) → C_K, C_F: the algorithm takes Parms, the file index ciphertext C_I and the trapdoor T_W′ as input and outputs the key ciphertext C_K and the file ciphertext C_F;
step F: decrypting the data ciphertext: the DU obtains the file ciphertext from the CSP, executes the decryption algorithm to obtain the file plaintext, and calculates the hash value of the plaintext; the DU searches the CB for the related transaction information according to the block number and transaction identification number sent by the CSP, extracts the transaction containing the hash of the original file generated by the DP, and compares the hash value of the original file recorded in the transaction with the hash value it calculated; if the values are consistent, the original file has not been tampered with; otherwise, the file was tampered with in the sharing process;
this step executes the file decryption algorithm FileDec(C_K, C_F, ASK_j) and the file verification algorithm:
FileDec(C_K, C_F, ASK_j) → F: the file decryption algorithm takes the key ciphertext C_K, the file ciphertext C_F and the attribute private key ASK_j of DU_j as input and outputs the plaintext file F;
the file verification algorithm takes the block number #y and the transaction identification number as input and outputs the verification result.
CN202310867878.4A 2023-07-17 2023-07-17 Personal archive management scheme based on alliance chain and non-certificate searchable encryption Pending CN117040800A (en)


Publications (1)

Publication Number Publication Date
CN117040800A true CN117040800A (en) 2023-11-10

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20220271933A1 (en) * 2021-02-19 2022-08-25 Samsung Electronics Co., Ltd. System and method for device to device secret backup and recovery
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination