CN103346999A - NOT operational character supported characteristic-based CP-ABE method having CCA security - Google Patents

Abstract

The invention relates to a NOT operational character supported characteristic-based CP-ABE method having CCA security. An access control structure is an access control tree; a NOT node is added in the access control tree; and k is equal to -1. Meanwhile, according to regulation, a father node of the NOT node must be an ''AND'' node and only one intermediate node is hung under the NOT node; and thus the intermediate node is used as a root node to set a strategy tree and the strategy tree expresses a related strategy, set by an encryption party, of a NOT attribute. A high one-time signature technology is added to further enhance a security level of the method from a CPA security level to a CCA security level. Strategy expression based on an attribute encryption algorithm is enriched; security of the existing method is enhanced, thereby building the high access controlling capability; and moreover, the method has an encryption method with a provable security.

Description

A kind of NOT of support operator also has the CP-ABE method of CCA safety

Technical field

The present invention relates to a kind ofly under distributed environment, at the requirement of file-sharing and safe storage, proposition a kind of has strong access control ability, and the ciphertext strategy of expansion that reaches CCA safety is based on the encryption attribute method.

Background technology

In distributed environment, especially in the service model of cloud computing, after user data is concentrated, guarantee the safety management of cloud service provider inside and the demand for security that access control mechanisms meets the user, avoiding the potential risk that the multi-user exists jointly or shared data are brought in the distributed environment, is the security challenge that faces in the distributed environment.

At present, data center's protecting data is mainly passed through dual mode: access control and encryption.Access control scheme commonly used has autonomous access control policy (DAC), force access control policy (MAC) and based on role's access control policy (RBAC) etc.Under cloud computing environment, a large amount of file datas is stored in the third-party server that Internet service provider provides, this third party can be regarded as incredible, because from the assault of outside or inner have an illegal service provider may all can cause breaking through of server, even be not broken, if the user's communications passage is illegally listened, can makes significant data suffer to reveal equally and steal.So, utilize full-fledged cryptographic technique that data encryption is stored in the server, even server is broken, significant data can not obtain safety assurance because the opponent has decrypted private key.But the deployment of a cryptographic system must increase the expense of whole system, most critical be that can the employed access control model of system organically combine with encryption system, guarantee the enforcement of access strategy and the flexibility of system simultaneously.Recently the encryption system based on attribute (ABE) that proposes can be realized the access control based on cryptographic algorithm, need not key management and the key distribution mechanisms of load, but ABE be merely able to support with or and the thresholding computing, can not support the NOT operation, flexibility is relatively poor.

Summary of the invention

The problem that technology of the present invention solves: overcome the deficiencies in the prior art, by the access control structure in the expansion CP-ABE algorithm, enriching the CP-ABE access strategy expresses, strengthen the fail safe of existing CP-ABE method simultaneously, a kind ofly have strong access control ability thereby set up, and have the expansion CP-ABE encryption method of CCA safety.

The technical method that the present invention adopts: a kind of NOT of support operator also has the CP-ABE method (BSW-NOT) of CCA safety, it is characterized in that following aspect:

(1) adds the NOT node.

The access control structure Design is based on the threshold secret sharing system in the BSW method, and its access control structure is an access control tree, as shown in Figure 1.Node comprises threshold value k and two attributes of son node number num, wherein 1≤k≤num in the access control tree.To define a node when realizing the NOT operation in the BSW-NOT method, and make k=-1, and be called the NOT node, the child nodes of NOT node is the attribute of being operated by NOT.The NOT operation should be the relation of " intersecting " with the expression of other strategies, and namely the father node of NOT node should be the AND node.We stipulate that the NOT node is only hung an intermediate node down, is root node R' with this intermediate node like this, can set a Policy Tree T _R', as shown in Figure 2, T _R'The corresponding strategies of expressed the is NOT attribute that encryption side sets, expression that like this can refinement NOT strategy.

(2) mode of destruction threshold secret sharing mechanism.

The BSW method is given a multinomial q for each node of access control tree in implementation procedure _x, q _xRank d _x=k _x-1.For root node R, set q _R(0)=and s, again to multinomial q _RUndertaken perfectly at random by the algorithm requirement, afterwards for each node x beyond the root node, set q _x(0)=q _{Parent (x)}(index (x)) is again to q _xUndertaken perfect at random by the algorithm requirement.The multinomial shape of setting the NOT node among our the method BSW-NOT is as q _NOT=q _{Parent (NOT)}(index (NOT))+ax ^-1, and its child nodes is normally used the setting of BSW method.Work as user property like this and satisfy T _R'Strategy when arranging, its child nodes is utilized q _NOTThe q that generates _x(0)=q _{Parent (x)}(index (x))=q _NOT(index (x)) can only recover shape such as q _x=a ₀+ a ₁X+ ... + a _N-1x ^N-1+ a _nx ⁿMultinomial.Continue upwards to date back to root node R, draw q _R(0) ≠ and s, then deciphering failure can't recover correct plaintext, thereby reaches the purpose of NOT operation.

(3) make encryption method reach CCA safety in conjunction with strong once signed technology.

An endorsement method comprises key schedule G, signature algorithm Sign and identifying algorithm Verify.The BSW-NOT method adds strong once signed technology in encryption section, the ciphertext of signature algorithm Sign during encryption in the operation once signed method is signed, and the signature that will obtain is with ciphertext and the final ciphertext that generates of authenticate key conduct.Deciphering side at first moves the verification algorithm Verify in the once signed method when deciphering, with the correctness of authenticate key certifying signature, only just ciphertext is decrypted under the effective situation of signature.By adding strong once signed technology, can make the level of security of BSW-NOT method reach selection ciphertext only attack safety (CCA).

Description of drawings

Fig. 1 is basic access control tree;

Fig. 2 is the access control tree of expansion.

Embodiment

Below with reference to accompanying drawing, embodiments of the invention are described in detail.

The core concept that the present invention mainly comprises: destroy the secret shared mechanism of Shamir, recall when calculating carrying out Lagrange's interpolation, destroy the relevant interpolation point of NOT attribute, when making its calculating date back to the Policy Tree root node, draw q _R(0) ≠ s.From user perspective, decipherment algorithm has obtained execution so, but the M that draws at last is not correct M but, thereby reaches the purpose of NOT operation.

Before describing method, be defined as follows parameter and method earlier:

1.G ₀And G ₁Be two multiplication loop groups that rank are big prime number p, g is group G ₀Generator, e:G ₀* G ₀→ G ₁It is the bilinearity mapping that effectively to calculate.Z _pBe the set that the p delivery is obtained, comprise all less than p and the positive integer coprime with p.

2. establishing k is security parameter, and PK is common parameter, and MK is master key, the message of M for needing to encrypt, and T is the access control tree, and U is the set of all properties, and S is the user property collection.

3. the threshold value of establishing node x is k _x, 1≤k wherein _xThe scope of≤num represent with or and the thresholding computing, make the k of NOT node _x=-1.

4. key schedule G (1 ^k): algorithm is input with a security parameter k, exports an authenticate key vk and a signature key sk, and the length of vk is relevant with the size of k.

5. signature algorithm Sign: algorithm is input with signature key sk and a message m, exports a signature sigma.Note is σ ← Sign _Sk(m).

6. verification algorithm Verify: algorithm is with authenticate key vk, and message m and signature sigma are as input, and { 0,1}, b=1 represent to accept, and b=0 represents refusal to export a bit b ∈.Note is b=Verify _Vk(m, σ).

7. the bit length of setting authentication secret vk in the once signed method is m, uses vk _iRepresent i bit, M represent the set 1 ..., m}.

8. theorem: suppose that the once signed method has strong unforgeable, if the adversary can win CCA and plays safely in polynomial time with the advantage of can not ignore, can construct a mimic so and distinguish DBDH tuple and tuple at random with the advantage of can not ignore.

The inventive method implementation process is as follows:

1. system initialization Setup (k): system generates bilinearity parameter g, G ₀, G ₁, e, Z _p, generate a community set U={a for all user properties ₁, a ₂... a _n, set U comprises an attribute " NOT ".To each attribute a _i(i ∈ n) selects t at random _i∈ Z _pSelect α ∈ Z then at random _p, and at Z _pIn select u at random ₁..., u _2m, to each i ∈ 1 ..., 2m} sets U _i=g ^Ui

The open parameter PK that generates is as follows:

g,

Y=e(g,g) ^α,U ₁,…,U _2m

It is as follows to generate master key MK:

α,t _i(1≤i≤n),u _i(1≤i≤2m)

2. (T): if contain the NOT node among the access control tree T, then the multinomial of this node is set to q for PK, M to encrypt Encrypt _NOT=q _{Parent (NOT)}(index (NOT))+ax ^-1, all the other nodes arrange multinomial by the BSW method.When being encrypted with the plaintext M of T, see the NOT node as leaf node, normally give property value " NOT " and ciphertext member C according to the BSW algorithm _NOT, with C _NOTIncorporate into and be sent to server end in the ciphertext.Simultaneously, algorithm is carried out the key schedule G (1 in the once signed method ^k) generate a pair of signature authentication key to (sk, vk).For each i ∈ M, if vk _i=0, make E _i=U _i ^sIf vk _i=1, make E _i=U _M+i ^s

Make that Y is the leaf node combination of T, it is as follows to generate ciphertext:

Move the signature algorithm Sign in the once signed method then, use the ciphertext CT of signature key sk ^*Sign, obtain signature sigma, generate final ciphertext and be:

CT＝(CT ^*,σ,vk)

Key generate KeyGen (MK, S): be that each attribute is selected a random number r _j, select random number r' ∈ Z _pThis method is set, and all attribute of user are concentrated and must be added " NOT " attribute can comprise in the decruption key that decrypted user the is applied for like this " NOT " key member (D of attribute _NOT, D' _NOT).In addition, to each i ∈ M, w is set at random _i∈ Z _p, order

Set

Make D=g ^α-rThe generation private key for user is as follows:

$\mathrm{SK}=(D=g^{\mathrm{\α}-r},\∀a_i\∈S:D_i=g^{r^{\′}{t}_i^{-1}}\·g^{r_j},{D^{\′}}_i=g^{r_j}$

$\mathrm{NOT}:D_{\mathrm{NOT}},{D^{\′}}_{\mathrm{NOT}}$

$i\∈M:G_i^0,G_i^1)$

The deciphering Decrypt (CT, SK): for ciphertext CT=(CT ^*, σ, vk), algorithm at first moves the correctness of the verification algorithm Verify certifying signature σ in the once signed method.Invalid if sign, then algorithm interrupts, output ⊥; If signature effectively, algorithm is to ciphertext CT ^*Be decrypted, divide two parts to calculate here:

(1) for CT ^*In with the lower part ciphertext

$(T,\tilde{C}={\mathrm{MY}}^s,C=g^s,$

$\∀y\∈Y:C_y=T_i^{q_y\left(0\right)},\mathrm{NOT}:C_{\mathrm{NOT}})$

Utilize among the private key for user SK

$(\∀a_i\∈S:D_i=g^{r^{\′}{t}_i^{-1}}\·g^{r_j},{D^{\′}}_i=g^{r_j}$

$\mathrm{NOT}:D_{\mathrm{NOT}},{D^{\′}}_{\mathrm{NOT}})$

Be decrypted according to BSW algorithm correlation step, when algorithm runs to the NOT node, mainly handle in two kinds of situation:

(I) user property does not comprise the NOT operational attribute

If user property collection S does not comprise the following T of NOT node _R'The attribute of Policy Tree, all T _R'Policy Tree leafy node output ⊥, algorithm dates back the NOT node, is output as ⊥, and the NOT node is to be looked at as a leafy node so, and its property value is " NOT ".Decrypting end is set and is called ciphertext member C _NOTWith key member (D _NOT, D' _NOT), continue to finish the algorithm operation.

(II) user property comprises the NOT operational attribute

If comprise NOT operation association attributes in the user property S set, so, according to CP-ABE algorithm deciphering principle, algorithm can be to the following T of NOT node _R'Policy Tree is recalled and is judged calculating.Here handle in two kinds of situation:

If user property does not satisfy T _R'The strategy setting of tree, algorithm dates back the NOT node, is output as ⊥, then carries out according to situation (I);

If user property satisfies T _R'The strategy setting, algorithm dates back the NOT node, because its child nodes is utilized q _NOTThe q that generates _x(0)=q _{Parent (x)}(index (x))=q _NOT(index (x)) can only recover shape such as q _x=a ₀+ a ₁X+ ... + a _N-1x ^N-1+ a _nx ⁿMultinomial, the q' of NOT node _NOTThe q that arranges during then with encryption _NOT=q _{Parent (NOT)}(index (NOT))+ax ^-1Do not conform to, continue upwards to date back to root node R, draw q _R(0) ≠ and s, then deciphering failure can't recover correct plaintext, thereby reaches the purpose of NOT operation.

After deciphering is finished, draw:

F _R=e(g,g) ^r′s

(2) to each i ∈ M, if vk _i=0, calculate

$e(E_i,G_i^0)=e(g^{u_{i}s},g^{\frac{w_i}{u_i}})=e{(g,g)}^{w_{i}s}$

If vk _i=1, calculate

$e(E_i,G_i^1)=e(g^{u_{m+i}s},g^{\frac{w_i}{u_{m+i}}})=e{(g,g)}^{w_{i}s}$

By step (1) and (2), calculate

${A=e(g,g)}^{r^{\′}s}\·\underset{i=1}{\overset{m}{\mathrm{\Π}}}e{(g,g)}^{w_{i}s}=e{(g,g)}^{\mathrm{rs}}$

At last, by the following plaintext M that calculates:

$\tilde{C}/(e(C,D)\·A)$

$=\tilde{C}/(e(g^s,g^{\mathrm{\α}-r})\·e{(g,g)}^{\mathrm{rs}})$

$=M$

Can prove that according to 8. theorems the level of security of above method can reach CCA safety.

The present invention compares advantage with existing method and is: the expansion by to the access control tree, realized the NOT operation strategy, and enriched the expression of access control policy, strengthened the fail safe of encryption method simultaneously, make its level of security reach CCA safety.

Can apparently draw other advantages and modification for the person of ordinary skill of the art.Therefore, the present invention with more extensive areas is not limited to shown and described specifying and exemplary embodiment here.Therefore, under situation about not breaking away from by the spirit and scope of claim and the defined general inventive concept of equivalents thereof subsequently, can make various modifications to it.

Claims (1)

1. CP-ABE method of supporting the NOT operator and having CCA safety is characterized in that following steps:

Step 1, system initialization Setup (k): system generates bilinearity parameter g, G ₀, G ₁, e, Z _p, G ₀And G ₁Be two multiplication loop groups that rank are big prime number p, g is group G ₀Generator, e:G ₀* G ₀→ G ₁Be the bilinearity mapping that can effectively calculate, Z _pBe the set that the p delivery is obtained, comprise all less than p and the positive integer coprime with p; Generate a community set U={a for all user properties ₁, a ₂... a _n, described user property comprises user's age, department, name, sex attribute; Set U comprises an attribute " NOT "; To each attribute a _i(i ∈ n) selects t at random _i∈ Z _pSelect α ∈ Z then at random _p, and at Z _pIn select u at random ₁..., u _2m, to each i ∈ 1 ..., 2m} sets U _i=g ^Ui

The open parameter PK that generates is as follows:

g,

Y＝e(g,g) ^α,U ₁,…,U _2m

It is as follows to generate master key MK:

α,t _i(1≤i≤n),u _i(1≤i≤2m)；

(T): if contain the NOT node among the access control tree T, then the multinomial of this node is set to q for PK, M for step 2, encryption Encrypt _NOT=q _{Parent (NOT)}(index (NOT))+ax ^-1, all the other nodes arrange multinomial by the BSW method; When being encrypted with the plaintext M of T, see the NOT node as leaf node, normally give property value " NOT " and ciphertext member C according to the BSW algorithm _NOT, with C _NOTIncorporate into and be sent to server end in the ciphertext; Simultaneously, algorithm is carried out the key schedule G (1 in the once signed method ^k) generate a pair of signature authentication key to (sk, vk), the bit length of setting authentication secret vk in the once signed method is m, uses vk _iRepresent i bit, M represent the set 1 ..., m}; For each i ∈ M, if vk _i=0, make E _i=U _i ^sIf vk _i=1, make E _i=U _M+i ^s

Make that Y is the leaf node combination of T, it is as follows to generate ciphertext:

Move the signature algorithm Sign in the once signed method then, described signature algorithm Sign is input with signature key sk and a message m, exports a signature sigma, and note is σ ← Sign _Sk(m); Use the ciphertext CT of signature key sk ^*Sign, obtain signature sigma, generate final ciphertext and be:

CT＝(CT ^*,σ,vk)；

Step 3, key generate KeyGen (MK, S): be that each attribute is selected a random number r _j, select random number r' ∈ Z _pSet all attribute of user and concentrate necessary " NOT " attribute can comprise in the decruption key that decrypted user the is applied for like this " NOT " key member (D of attribute of interpolation _NOT, D' _NOT); In addition, to each i ∈ M, w is set at random _i∈ Z _p, order

Set

Make D=g ^α-rThe generation private key for user is as follows:

Step 4, the deciphering Decrypt (CT, SK): for ciphertext CT=(CT ^*, σ, vk), algorithm at first moves the verification algorithm Verify in the once signed method, described verification algorithm Verify is with authenticate key vk, and message m and signature sigma are exported bit b ∈ { 0 a, 1} as input, b=1 represents to accept, and b=0 represents refusal, and note is b=Verify _Vk(m, σ); The correctness of certifying signature σ; Invalid if sign, then algorithm interrupts, output ⊥; If signature effectively, algorithm is to ciphertext CT ^*Be decrypted, divide two parts to calculate here:

Step (1), for CT ^*In with the lower part ciphertext

Utilize among the private key for user SK

Be decrypted according to the BSW algorithm, when algorithm runs to the NOT node, mainly handle in two kinds of situation:

(I) user property does not comprise the NOT operational attribute

If user property collection S does not comprise the following T of NOT node _R'The attribute of Policy Tree, all T _R'Policy Tree leafy node output ⊥, algorithm dates back the NOT node, is output as ⊥, and the NOT node is to be looked at as a leafy node so, and its property value is " NOT "; Decrypting end is set and is called ciphertext member C _NOTWith key member (D _NOT, D' _NOT), continue to finish the algorithm operation;

(II) user property comprises the NOT operational attribute

If comprise NOT operation association attributes in the user property S set, so, according to CP-ABE algorithm deciphering principle, algorithm can be to the following T of NOT node _R'Policy Tree is recalled and is judged calculating; Here handle in two kinds of situation:

If user property does not satisfy T _R'The strategy setting of tree, algorithm dates back the NOT node, is output as ⊥, then carries out according to situation (I);

If user property satisfies T _R'The strategy setting, algorithm dates back the NOT node, because its child nodes is utilized q _NOTThe q that generates _x(0)=q _{Parent (x)}(index (x))=q _NOT(index (x)) can only recover shape such as q _x=a ₀+ a ₁X+ ... + a _N-1x ^N-1+ a _nx ⁿMultinomial, the q' of NOT node _NOTThe q that arranges during then with encryption _NOT=q _{Parent (NOT)}(index (NOT))+ax ^-1Do not conform to, continue upwards to date back to root node R, draw q _R(0) ≠ and s, then deciphering failure can't recover correct plaintext, thereby reaches the purpose of NOT operation;

After deciphering is finished, draw:

F _R＝e(g,g) ^r's

Step (2), to each i ∈ M, if vk _i=0, calculate

If vk _i=1, calculate

By step (1) and (2), calculate

At last, by the following plaintext M that calculates:

。

Images