CN103618729A - Multi-mechanism hierarchical attribute-based encryption method applied to cloud storage - Google Patents

Abstract

The invention discloses a multi-mechanism hierarchical attribute-based encryption method applied to cloud storage. The method comprises the steps that authorization centers determine recursion depths, select bilinear mappings and bilinear groups, generate a system MK and a PK, reserve the MK, and disclose the PK; the authorization centers allocate a master key authorized at the next stage (the step is executed when a subcenter exists); the central authorization center receives a user identity file and generates an attribute set A for the user identity file; the authorization centers generate a secret key SK for a user and distribute the SK to the user; a data owner DO generates an access strategy tree, the file is encrypted through an Encrypt method, and a ciphertext CT is uploaded to the cloud end; the user sends a request to the cloud end to have access to the file, the CT of the file is sent back through the cloud end, the user decrypts the file by means of the SK, and only when the attribute in the user SK meets an access control strategy of the file, complete decryption can be achieved; if decryption succeeds, a plaintext M is obtained by the user; if decryption does not succeed, it is shown that the user has no right to have access to the file.

Description

A kind of multimachine structure stratification attribute base encryption method that is applied to cloud storage

Technical field

The present invention relates to computer security technique field, particularly a kind of multimachine structure stratification attribute base encryption method that is applied to cloud storage.

Background technology

Cloud storage is to extend from the development of cloud computing basis, beyond the clouds for data user provides data outsourcing stores service.This new memory module has caused the extensive concern of academia and industrial circle.Yet, when cloud storage is applied to real life, still face following three challenges: the first, the confidentiality of protected data.When user's sensitive data is stored on cloud server, there is certain risk in the fail safe of data.On the one hand, server may check user data or illegally spy upon privacy of user; On the other hand, undelegated user may illegal wiretapping private data.The second, protection subscriber identity information is not revealed.Privacy of identities protection has in recent years become one of focus of everybody concern, and user does not wish that any server or storage medium obtain user's personal information.The 3rd, the fault-tolerance of cloud storage system.When system encounters attack, should be able to continue to keep its robustness and fail safe.

Access control is one of important means addressing the above problem, and the access control method of supporting fine granularity access is the important method that solves data confidentiality and privacy of user protection in cloud storage.Shamir has proposed first identity base and has encrypted (IBE) mechanism, Sahai and Waters have proposed attribute base and have encrypted (ABE) mechanism on the basis of IBE encryption method, realized the encryption and decryption based on attribute, in ABE scheme, user identity represents with the set of attribute, ABE has realized the access strategy of supporting flexibly thresholding, only needs recipient's community set to cover access strategy and gets final product declassified document.ABE mechanism comprises that key strategy-attribute base is encrypted (KP-ABE) and ciphertext strategy-attribute base is encrypted (CP-ABE) two classes at present.In KP-ABE scheme, ciphertext is relevant to a community set, and in CP-ABE, ciphertext is associated with access structure tree.

Yet above-mentioned two schemes all exists certain deficiency.First, adopt single authorization center mechanism, the system load ability of frequently not only giving alternately of user and authorization center is brought bottleneck, has increased potential potential safety hazard simultaneously.A kind of property set encryption method of many authorization center (Multi-authority ABE) is suggested thereupon; user property set is split; by different authorized organizations, manage and issue private key assembly; by this mechanism; each authorization center only obtains certain customers' attribute, has protected user's identity information.But this mechanism is only supported basic ABE method, lacks the flexibility of access.

Secondly, take CP-ABE in basic model in a large number, the community set in access structure only has one, only can meet access strategy by the various combinations of attribute, greatly reduces the flexibility of access control.Current urgent need is wanted a kind of attribute layering, by user property multi-zone supervision, realizes flexibly, when fine-grained access control the safety of protection user data and user property.And the present invention can solve problem above well.

Summary of the invention

The object of the invention is to provide a kind of multimachine structure stratification attribute base that is applied to cloud storage to encrypt (HM-ABE) method, the method has realized the common leading subscriber of many authorization center and user property classifying system, solved fail safe and the privacy problem of data file and user profile in cloud storage, realized efficiently, flexibly, fine-grained access control; The method makes the authorization center of different rights administer different attributes and distributes private key assembly, greatly reduce the workload of single trust authority, support the dynamic increase of authorization center, support access control flexibly, design the hierarchical mode of user property simultaneously, supported to compose a plurality of values for single attribute, and supported the inquiry across attribute set, increase the flexibility of community set in CP-ABE mechanism, adapted to more complicated fine granularity access control.

The present invention solves the technical scheme that its technical problem takes: the present invention proposes a kind of multimachine structure stratification attribute base encryption method that is applied to cloud storage, it comprises the steps:

Step 1: authorization center is determined depth of recursion, selects bilinear map and Bilinear Groups, and generation system master key MK and PKI PK retain MK, open PK;

Step 2: authorization center is distributed the master key (carrying out this step when having subcenter) of next stage mandate;

Step 3: user identity file is accepted at central authorization center, for it generates community set A;

Step 4: each authorization center generates key SK for user, and is distributed to user;

Step 5: data owner DO formulates access strategy tree Tree, and by Encrypt method, file File is encrypted, and ciphertext CT is uploaded to high in the clouds;

Step 6: user User is to high in the clouds request access file File, the ciphertext CT of high in the clouds backspace file, User utilizes private key SK declassified document, and in and if only if user SK, attribute can meet the access control policy of File, could decipher completely;

Step 7: if successful decryption, user obtains plaintext M; If decipher unsuccessfully, illustrate that user haves no right to access this document.

The present invention has set up the many authorization center mechanism of the gradational stratification of tool, makes the authorization center of different rights administer different attributes and distribute private key assembly; The present invention has set up the hierarchical mode of user property, and user property is effectively divided according to safe class.

The mathematical knowledge the present invention relates to is provided to definition below:

Definition 1 (bilinear map): establish crowd G ₁and G ₂be to take the multiplication loop group that prime number p is rank, establish G ₁a generator be g, exist bilinearity to mapping meet following character:

(1) bilinearity: suppose to all g h ∈ G ₁, a, b ∈ Z _p, have e (g ^a, h ^b)=e (g, h) ^ab.

(2) non-degeneracy: have g, h ∈ G ₁, make e (g, h) ≠ 1.

(3) computability: any g, h ∈ G ₁, exist algorithm in a polynomial time to calculate e (g, h) result.

One, system architecture

As shown in Figure 1, the present invention provides the architectural framework of HM-ABE system, and this system is comprised of following five parts: cloud server (CSP), credible central authorization center (TA), subordinate's authorization center (AA), data owner (DO) and user (User).CSP provides high in the clouds data storage service; TA is believable central authorization center, is responsible for system parameters and generates and distribute, and be in charge of first order AA; The AA of subordinate is in charge of User Part attribute, and by upper level, AA authorizes; Data owner uploads encrypt file to high in the clouds after local cipher data; User is according to demand from high in the clouds download file and utilize user key deciphering.Entire system framework is illustrated in fig. 1 shown below.

CSP of the present invention is honest and curious (Honest but Curious), and CSP can be according to the method in scheme and protocol processes high in the clouds data, but can the user of spying upon as much as possible be stored in the data in high in the clouds.TA is that the complete believable ，Er AA of subordinate is half believable.User property is managed jointly by all AA on its place authorization center chain, establishes user property set A _u=(A ₁, A ₂..., A _n, according to hierarchical structure automatically by A _ube divided into the mutually disjoint subset of K part and be in charge of by the AA of the K on AA chain, and meet

HM-ABE scheme of the present invention is comprised of following four part operations: system initialization, key generation, encryption method, decryption method.

Selection rank are prime number p, the Bilinear Groups G that generator is g ₀, G ₀on mapping e:G ₀* G ₀=G ₁.Definition hash function H:{0,1} ^*→ G ₀convert the character string of random length to G ₀on random number, utilize this function user property can be changed to G in groups ₀on element.

Two, method flow

1. initiation parameter

Central authorization center TA is that all users and AA respectively distribute a unique overall GID and AID in order to the unique identification as User Identity and AA.During initialization, the depth of recursion of TA regulation user key structure is depth, because AA and user property subset exist corresponding relation, so depth has also stipulated the maximum level of many authorization center.

Random the α, { β of selecting ₁, β ₂..., β _depth∈ Z _p.Here take depth=2 as example, system PKI is ${\mathrm{PK}}_0=\{G_0,g,h_1=g^{{\mathrm{\β}}_1},f_1=g^{\frac{1}{{\mathrm{\β}}_1}},h_2=g^{{\mathrm{\β}}_2},f_2=g^{\frac{1}{{\mathrm{\β}}_2}},e{(g,g)}^{\mathrm{\α}}\},$ Master key is MK ₀={ β ₁, β ₂, g ^α.

One-level AA authorizes: the corresponding overall identification AID of each AA, and the community set Λ={ A of AA management ₀, A ₁..., A _n, A here ₀represent ground floor attribute, A _trepresent second layer attribute, A _i={ A _{i, 1}, A _{i, 2}..., A _{i, m}, 1≤i≤n.When TA carries out initialization mandate to AA, TA selects r ∈ Z at random _prepresent Λ, select r simultaneously _i∈ Z _prepresent A _i∈ Λ, r _{i, j}∈ Z _prepresent a _{i, j}∈ A _i, 0≤i≤n, 1≤j≤m.The master key of first order AA is:

$\mathrm{MK}=\{\mathrm{\Λ},D=g^{\frac{\mathrm{\α}+r}{{\mathrm{\β}}_1}},D_{i,j}=g^{r_i}\·H{\left(a_{i,j}\right)}^{r_{i,j}},$

$D_{i,j}^{\′}=g^{r_{i,j}}(0\≤i\≤n,1\≤j\≤m),E_i=g^{\frac{r+r_i}{\mathrm{\β}2}}(1\≤i\≤n,)\}$

In above-mentioned key, E _ifor switching node deciphering, can carry out across sets match attribute.During conversion can be from r ' _igo to r _i.

The AA of subordinate authorizes: when establishing certain AA and need to enter system, first need higher level AA to authorize it.If the higher level AA community set WeiΛ， AA of subordinate community set

and

aA _k+1master key by AA _kfor it generates, AA _krandom selection

representative

representative

representative

0≤i≤n, 1≤j≤m.Generate AA _k+1master key be:

Wherein D, D _{i, j}, E _irespectively AA _kin respective items.

2. user key generates

User's all properties A _uby authorizing K authorization center on chain, jointly manage.If user is at the k≤K AA _kon community set be

aA _kfirst utilize pseudo-random function PSK according to user GID and AID _kfor user is created on the private key parts α u on this AA _(k)=P _sk(u).AA _kfor user selects ru at random ^(k)∈ Z _prepresent Au ^(k), ${\mathrm{ru}}_i^{\left(k\right)}\∈Z_p$ Representative ${\mathrm{Au}}_i^{\left(k\right)}\∈{\mathrm{Au}}^{\left(k\right)},$ ${\mathrm{ru}}_{i,j}^{\left(k\right)}\∈Z_p$ Representative ${\mathrm{au}}_{i,j}^{\left(k\right)}\∈{\mathrm{Au}}_i^{\left(k\right)},$ Finally generate user at AA _kon key be:

${\mathrm{SK}}_u^{\left(k\right)}=\{{\mathrm{VS}}^{\left(k\right)}=g^{\mathrm{index}\left({\mathrm{AA}}_k\right)},{\mathrm{Au}}^{\left(k\right)},{\mathrm{Du}}^{\left(k\right)}=g^{\frac{\mathrm{\α}{u}_{\left(k\right)}+{\mathrm{ru}}^{\left(k\right)}}{{\mathrm{\β}}_{k,1}}},{\mathrm{Du}}_{i,j}^{\left(k\right)}=g^{{\mathrm{ru}}_i^{\left(k\right)}}\·H{\left(a{u}_{i,j}^{\left(k\right)}\right)}^{{\mathrm{ru}}_{i,j}^{\left(k\right)}},$

${\mathrm{Du}}_{i,j}^{\′\left(k\right)}=g^{{\mathrm{ru}}_{i,j}^{\left(k\right)}}(0\≤i\≤n,1\≤j\≤m),E_i^{\left(k\right)}=g^{\frac{{\mathrm{ru}}^{\left(k\right)}+{\mathrm{ru}}_i^{\left(k\right)}}{{\mathrm{\β}}_{k,2}}}(1\≤i\≤n,)\}$

Wherein

respectively AA _kon two local master keys.

So total key of user is: ${\mathrm{SK}}_u=\{{\left\{{\mathrm{SK}}_u^{\left(k\right)}\right\}}_{k=1}^K,D_{\mathrm{user}}=g^{(\mathrm{\α}+\underset{w=1}{\overset{W}{\mathrm{\Σ}}}{\mathrm{\αu}}_{\left(w\right)}/\underset{w=1}{\overset{W}{\mathrm{\Σ}}}{\mathrm{\β}}_{w,1}}\},$ D wherein _userbe total decruption key of user, for decrypt ciphertext, by TA, issued.

3. encryption method

Data owner before clear data M is uploaded to CSP needs it to encrypt, and the community set according to the access rule of setting and the management of each authorization center, is split as W substrategy by access strategy, respectively a corresponding W authorization center.

If it is the set of access strategy tree.First data owner selects a random number θ ∈ Z _p, the ciphertext of clear data M is $\tilde{C}=M\·e{(g,g)}^{\mathrm{\α\θ}}$

Use Г ^(w)represent AA _(w)on access strategy tree, Г ^(w)in from downward each the node x of root node R ^(w)corresponding multinomial q all _x.For non-leaf node, q _xrank (use d _xrepresent) for the threshold value of node x subtracts 1, i.e. d _x=k _x-1.If x ^(w)for leaf node, q _xrank be 0, i.e. d _x=0.To the arbitrary node x except root node ^(w), q _x(0)=q _{parent (x)}(index (x)), the random selection of polynomial other values; For root node q _r(0)=θ, θ ∈ Z _p, other random selections, determine q with lagrange polynomial _xthresholding multinomial.Use Y ^(w)represent all leaf node y ^(w)set, X ^(w)represent all nonleaf node x ^(w)set, generate AA _(w)on ciphertext be:

$\begin{array}{c}{\mathrm{CT}}^{\left(w\right)}=\{V{C}^{\left(w\right)}=g^{\mathrm{iBndex}\left(A{A}_w\right)},{\mathrm{\Γ}}^{\left(w\right)},C^{\left(w\right)}=h_{w,1}^{\mathrm{\θ}},{\stackrel{\‾}{C}}^{\left(w\right)}=h_{w,2}^{\mathrm{\θ}}\\ \∀y^{\left(w\right)}\∈Y^{\left(w\right)}:C_y^{\left(w\right)}=g^{q_y\left(0\right)},C_y^{\′\left(w\right)}=H{\left(\mathrm{attr}\left(y^{\left(w\right)}\right)\right)}^{q_y\left(0\right)}\\ \∀x^{\left(w\right)}\∈X^{\left(w\right)}:{\hat{C}}_x^{\left(w\right)}=h_{w,2}^{q_x\left(0\right)}\}\end{array},$

Similarly, in other W-1 authorization center, carry out similar ciphering process, the ciphertext and the access strategy thereof that finally obtain clear data M are: $C=\{{\left\{{\mathrm{\Γ}}^{\left(w\right)}\right\}}_{w=1}^W,\tilde{C}=M\·e{(g,g)}^{\mathrm{\α\θ}},{\left\{{\mathrm{CT}}^{\left(w\right)}\right\}}_{w=1}^W\}$

4. decryption method

When user accesses the file on CSP, CSP sends to encrypt file after user, and user needs user's key to decipher it, when and if only if user's community set meets the access strategy on each AA, could correctly decipher.If it is upper that access strategy is distributed in W AA, user has K private key parts, and and if only if could decipher when a K >=W and W access strategy all meets.

Whether decryption method first match user private key parts is consistent with the authorization center AID in ciphertext, version match success when VS=VK.If the ciphertext of w authorization center is CT ^(w), private key for user parts are

decryption method is called Tree (Au) and is verified private key parts

in Au ^(w)whether meet ciphertext CT ^(w)in Γ ^(w).Tree (Au) adopts recursive fashion to realize, for the arbitrary node x in access strategy tree, Tree _x(Au) return to a S set that comprises label _xif, Au ^(w)do not meet Г ^(w)tree (Au) returns to null value; Otherwise decryption method is selected i ∈ S and starts recurrence from root node to carry out function at random

be defined as follows:

1) if x is leaf node

A) when $\mathrm{attr}\left(x\right)\∉{\mathrm{Au}}_i^{\left(w\right)},{\mathrm{Au}}_i^{\left(w\right)}\∈{\mathrm{Au}}^{\left(w\right)}$ Time,

return to null;

B) when $\mathrm{attr}\left(x\right)\∈{\mathrm{Au}}_i^{\left(w\right)},{\mathrm{Au}}_i^{\left(w\right)}\∈{\mathrm{Au}}^{\left(w\right)}$ Time, because

g _oon element, might as well suppose

2) if x is non-leaf node,

be defined as follows:

If B _xany k _xthe set that the child node of individual node x forms, establishes wherein arbitrary child node z ∈ B _x, during satisfied following two conditions that and if only if: the nonempty set that 1. DecryptNode returns is S _z, i ∈ S _zor 2. there is i ' ≠ i, i ' ∈ S _z, and node z is decrypted node z while being a switching node, otherwise function returns to null.For z ∈ B _x:

If 1. i ∈ S _z, call function

function result is kept at F _zin.

If 2. i ' ∈ S _z, i ' ≠ i, call function

and result is kept to F _z' in.

If node conversion is carried out in a) i ≠ 0:

B) if i=0,

To each z ∈ B _xchild node calculate F _zafter, utilize Lagrange's interpolation can obtain the F of node x _x,

iz=index (z) wherein, S ' _z={ index (z): z ∈ B _x, Lagrangian coefficient is $\mathrm{\Δiz},S_z^{\′}\left(0\right)=\underset{\mathrm{jz}\∈S_Z^{\′},\mathrm{jz}\≠\mathrm{iz}}{\mathrm{\Π}}\frac{0-\mathrm{jz}}{\mathrm{iz}-\mathrm{jz}},$ Finally solve the function at node x place value is:

Recurrence upwards, can obtain root node R place

functional value is:

when i ≠ 0, we are right

change:

If user meets the access strategy of all W authorization center,

without null value, calculate as follows:

Can obtain thus:

Expressly

successful decryption.

Beneficial effect:

1, the present invention supports the gradational multiple authorized organization of tool, simultaneously by user property classification, supports more flexibly, fine-grained access control policy

2, the present invention greatly reduces the workload of single trust authority.

Accompanying drawing explanation

Fig. 1 is system architecture diagram of the present invention.

Fig. 2 is flow chart of the present invention.

Embodiment

Below by conjunction with Figure of description, further illustrate technical scheme of the present invention.

Embodiment 1

The mathematical knowledge the present invention relates to is provided to definition below:

Definition 1 (bilinear map): establish crowd G ₁and G ₂be to take the multiplication loop group that prime number p is rank, establish G ₁a generator be g, exist bilinearity to mapping

meet following character:

Bilinearity: suppose to all g h ∈ G ₁, a, b ∈ Z _p, have e (g ^a, h ^b)=e (g, h) ^ab.

Non-degeneracy: have g, h ∈ G ₁, make e (g, h) ≠ 1.

Computability: any g, h ∈ G ₁, exist algorithm in a polynomial time to calculate e (g, h) result.

As shown in Figure 1, the present invention provides the architectural framework of HM-ABE system, and system is comprised of following five parts: cloud server (CSP), credible central authorization center (TA), subordinate's authorization center (AA), data owner (DO) and user (User).CSP provides high in the clouds data storage service; TA is believable central authorization center, is responsible for system parameters and generates and distribute, and be in charge of first order AA; The AA of subordinate is in charge of User Part attribute, and by upper level, AA authorizes; Data owner uploads encrypt file to high in the clouds after local cipher data; User is according to demand from high in the clouds download file and utilize user key deciphering.Entire system framework is illustrated in fig. 1 shown below.

CSP of the present invention is honest and curious (Honest but Curious), and CSP can be according to the method in scheme and protocol processes high in the clouds data, but can the user of spying upon as much as possible be stored in the data in high in the clouds.TA is that the complete believable ，Er AA of subordinate is half believable.User property is managed jointly by all AA on its place authorization center chain, establishes user property set A _u={ A ₁, A ₂..., A _n, according to hierarchical structure automatically by A _ube divided into the mutually disjoint subset of K part and be in charge of by the AA of the K on AA chain, and meet

HM-ABE scheme of the present invention is comprised of following four part operations: system initialization, key generation, encryption method, decryption method.

Selection rank are prime number p, the Bilinear Groups G that generator is g ₀, G ₀on mapping e:G ₀* G ₀=G ₁.Definition hash function H:{0,1} ^*→ G ₀convert the character string of random length to G ₀on random number, utilize this function user property can be changed to G in groups ₀on element.

Method flow

Initiation parameter

Central authorization center TA is that all users and AA respectively distribute a unique overall GID and AID in order to the unique identification as User Identity and AA.During initialization, the depth of recursion of TA regulation user key structure is depth, because AA and user property subset exist corresponding relation, so depth has also stipulated the maximum level of many authorization center.

Random the α, { β of selecting ₁, β ₂..., β _depth∈ Z _p.Here take depth=2 as example, system PKI is ${\mathrm{PK}}_0=\{G_0,g,h_1=g^{{\mathrm{\β}}_1},f_1=g^{\frac{1}{{\mathrm{\β}}_1}},h_2=g^{{\mathrm{\β}}_2},f_2=g^{\frac{1}{{\mathrm{\β}}_2}},e{(g,g)}^{\mathrm{\α}}\},$ Master key is MK ₀={ β ₁, β ₂, g ^α.

One-level AA authorizes: the corresponding overall identification AID of each AA, and the community set Λ={ A of AA management ₀, A ₁..., A _n, A here ₀represent ground floor attribute, A _irepresent second layer attribute, A _i={ A _{i, 1}, A _{i, 2}..., A _{i, m}, 1≤i≤n.When TA carries out initialization mandate to AA, TA selects r ∈ Z at random _prepresent Λ, select r simultaneously _i∈ Z _prepresent A _i∈ Λ, r _i,j∈ Z _prepresent a _i,j∈ A _i, 0≤i≤n, 1≤j≤m.The master key of first order AA is:

$\mathrm{MK}=\{\mathrm{\Λ},D=g^{\frac{\mathrm{\α}+r}{{\mathrm{\β}}_1}},D_{i,j}=g^{r_i}\·H{\left(a_{i,j}\right)}^{r_{i,j}},$

$D_{i,j}^{\′}=g^{r_{i,j}}(0\≤i\≤n,1\≤j\≤m),E_i=g^{\frac{r+r_i}{\mathrm{\β}2}}(1\≤i\≤n,)\}$

In above-mentioned key, E _ifor switching node deciphering, can carry out across sets match attribute.During conversion

can be from r ' _igo to r _i.

The AA of subordinate authorizes: when establishing certain AA and need to enter system, first need higher level AA to authorize it.If the higher level AA community set WeiΛ， AA of subordinate community set and

aA _k+1master key by AA _kfor it generates, AA _krandom selection

representative

representative

representative

0≤i≤n, 1≤j≤m.Generate AA _k+1master key be:

Wherein D, D _{i, j}, E _irespectively AA _kin respective items.

User key generates

User's all properties A _uby authorizing K authorization center on chain, jointly manage.If user is at the k≤K AA _kon community set be

aA _kfirst utilize pseudo-random function PSK according to user GID and AID _kfor user is created on the private key parts α u on this AA _(k)=P _sk(u).AA _kfor user selects ru at random ^(k)∈ Z _prepresent Au ^(k), ${\mathrm{ru}}_i^{\left(k\right)}\∈Z_p$ Representative ${\mathrm{Au}}_i^{\left(k\right)}\∈{\mathrm{Au}}^{\left(k\right)},$ ${\mathrm{ru}}_{i,j}^{\left(k\right)}\∈Z_p$ Representative ${\mathrm{au}}_{i,j}^{\left(k\right)}\∈{\mathrm{Au}}_i^{\left(k\right)},$ Finally generate user at AA _kon key be:

${\mathrm{SK}}_u^{\left(k\right)}=\{{\mathrm{VS}}^{\left(k\right)}=g^{\mathrm{index}\left({\mathrm{AA}}_k\right)},{\mathrm{Au}}^{\left(k\right)},{\mathrm{Du}}^{\left(k\right)}=g^{\frac{\mathrm{\α}{u}_{\left(k\right)}+{\mathrm{ru}}^{\left(k\right)}}{{\mathrm{\β}}_{k,1}}},{\mathrm{Du}}_{i,j}^{\left(k\right)}=g^{{\mathrm{ru}}_i^{\left(k\right)}}\·H{\left(a{u}_{i,j}^{\left(k\right)}\right)}^{{\mathrm{ru}}_{i,j}^{\left(k\right)}},$

${\mathrm{Du}}_{i,j}^{\′\left(k\right)}=g^{{\mathrm{ru}}_{i,j}^{\left(k\right)}}(0\≤i\≤n,1\≤j\≤m),E_i^{\left(k\right)}=g^{\frac{{\mathrm{ru}}^{\left(k\right)}+{\mathrm{ru}}_i^{\left(k\right)}}{{\mathrm{\β}}_{k,2}}}(1\≤i\≤n,)\}$

Wherein

respectively AA _kon two local master keys.

So total key of user is: ${\mathrm{SK}}_u=\{{\left\{{\mathrm{SK}}_u^{\left(k\right)}\right\}}_{k=1}^K,D_{\mathrm{user}}=g^{(\mathrm{\α}+\underset{w=1}{\overset{W}{\mathrm{\Σ}}}\mathrm{\α}{u}_{\left(w\right)}/\underset{w=1}{\overset{W}{\mathrm{\Σ}}}{\mathrm{\β}}_{w,1}}\},$ D wherein _userbe total decruption key of user, for decrypt ciphertext, by TA, issued.

Encryption method

Data owner before clear data M is uploaded to CSP needs it to encrypt, and the community set according to the access rule of setting and the management of each authorization center, is split as W substrategy by access strategy, respectively a corresponding W authorization center.

If

it is the set of access strategy tree.First data owner selects a random number θ ∈ Z _p, the ciphertext of clear data M is $\tilde{C}=M\·e{(g,g)}^{\mathrm{\α\θ}}$

Use Г ^(w)represent AA _(w)on access strategy tree, Г ^(w)in from downward each the node x of root node R ^(w)corresponding multinomial q all _x.For non-leaf node, q _xrank (use d _xrepresent) for the threshold value of node x subtracts 1, i.e. d _x=k _x-1.If x ^(w)for leaf node, q _xrank be 0, i.e. d _x=0.To the arbitrary node x except root node ^(w), q _x(0)=q _{parent (x)}(index (x)), the random selection of polynomial other values; For root node q _r(0)=θ, θ ∈ Z _p, other random selections, determine q with lagrange polynomial _xthresholding multinomial.Use Y ^(w)represent all leaf node y ^(w)set, X ^(w)represent all nonleaf node x ^(w)set, generate AA _(w)on ciphertext be:

$\begin{array}{c}{\mathrm{CT}}^{\left(w\right)}=\{V{C}^{\left(w\right)}=g^{\mathrm{iBndex}\left(A{A}_w\right)},{\mathrm{\Γ}}^{\left(w\right)},C^{\left(w\right)}=h_{w,1}^{\mathrm{\θ}},{\stackrel{\‾}{C}}^{\left(w\right)}=h_{w,2}^{\mathrm{\θ}}\\ \∀y^{\left(w\right)}\∈Y^{\left(w\right)}:C_y^{\left(w\right)}=g^{q_y\left(0\right)},C_y^{\′\left(w\right)}=H{\left(\mathrm{attr}\left(y^{\left(w\right)}\right)\right)}^{q_y\left(0\right)}\\ \∀x^{\left(w\right)}\∈X^{\left(w\right)}:{\hat{C}}_x^{\left(w\right)}=h_{w,2}^{q_x\left(0\right)}\}\end{array},$

Similarly, in other W-1 authorization center, carry out similar ciphering process, the ciphertext and the access strategy thereof that finally obtain clear data M are: $C=\{{\left\{{\mathrm{\Γ}}^{\left(w\right)}\right\}}_{w=1}^W,\tilde{C}=M\·e{(g,g)}^{\mathrm{\α\θ}},{\left\{{\mathrm{CT}}^{\left(w\right)}\right\}}_{w=1}^W\}$

Decryption method

When user accesses the file on CSP, CSP sends to encrypt file after user, and user needs user's key to decipher it, when and if only if user's community set meets the access strategy on each AA, could correctly decipher.If it is upper that access strategy is distributed in W AA, user has K private key parts, and and if only if could decipher when a K >=W and W access strategy all meets.

Whether decryption method first match user private key parts is consistent with the authorization center AID in ciphertext, version match success when VS=VK.If the ciphertext of w authorization center is CT ^(w), private key for user parts are

decryption method is called Tree (Au) and is verified private key parts

in Au ^(w)whether meet ciphertext CT ^(w)in Γ ^(w).Tree (Au) adopts recursive fashion to realize, for the arbitrary node x in access strategy tree, Tree _x(Au) return to a S set that comprises label _xif, Au ^(w)do not meet Г ^(w)tree (Au) returns to null value; Otherwise decryption method is selected i ∈ S and starts recurrence from root node to carry out function at random

be defined as follows:

1) if x is leaf node

A) when $\mathrm{attr}\left(x\right)\∉{\mathrm{Au}}_i^{\left(w\right)},{\mathrm{Au}}_i^{\left(w\right)}\∈{\mathrm{Au}}^{\left(w\right)}$ Time,

return to null;

B) when $\mathrm{attr}\left(x\right)\∈{\mathrm{Au}}_i^{\left(w\right)},{\mathrm{Au}}_i^{\left(w\right)}\∈{\mathrm{Au}}^{\left(w\right)}$ Time, because

g _oon element, might as well suppose

2) if x is non-leaf node,

be defined as follows:

If B _xany k _xthe set that the child node of individual node x forms, establishes wherein arbitrary child node z ∈ B _x, during satisfied following two conditions that and if only if: the nonempty set that 1. DecryptNode returns is S _z, i ∈ S _zor 2. there is i ' ≠ i, i ' ∈ S _z, and node z is decrypted node z while being a switching node, otherwise function returns to null.For z ∈ B _x:

If 1. i ∈ S _z, call function

function result is kept at F _zin.

If 2. i ' ∈ S _z, i ' ≠ i, call function

and result is kept to F _z' in.

If node conversion is carried out in a) i ≠ 0:

B) if i=0,

To each z ∈ B _xchild node calculate F _zafter, utilize Lagrange's interpolation can obtain the F of node x _x,

iz=index (z) wherein, S ' _z={ index (z): z ∈ B _x, Lagrangian coefficient is $\mathrm{\Δiz},S_z^{\′}\left(0\right)=\underset{\mathrm{jz}\∈S_Z^{\′},\mathrm{jz}\≠\mathrm{iz}}{\mathrm{\Π}}\frac{0-\mathrm{jz}}{\mathrm{iz}-\mathrm{jz}},$ Finally solve the function at node x place

be directly:

Recurrence upwards, can obtain root node R place

functional value is:

when i ≠ 0, we are right

change:

If user meets the access strategy of all W authorization center,

without null value, calculate as follows:

Can obtain thus:

Expressly

successful decryption.

Embodiment 2

As shown in Figure 2, a data owner DO uploads a file File to high in the clouds, and user User obtains the ciphertext of File and utilizes its private key SK to be decrypted from high in the clouds.

Its embodiment is:

(1) authorization center is determined depth of recursion, selects bilinear map and Bilinear Groups, and generation system master key MK and PKI PK retain MK, open PK;

(2) authorization center is distributed the master key (carrying out this step when having subcenter) of next stage mandate;

(3) user identity file is accepted at central authorization center, for it generates community set A;

(4) each authorization center generates key SK for user, and is distributed to user;

Key structure: key structure of the present invention is layering, making the element in key can be both single user property, can be also the attribute set of a recurrence; When system initialization, the level degree of depth of definition key structure is depth, limits maximum recurrence number of times; Suppose depth=3, the element of ground floor and the second layer can be set, can be also single attribute; And the element of the 3rd layer can only, as single user property, be given an example: Name:Jack, ID:30202, Age:24, Sex:Male, and Location:USA, Job:Student}}} is in key structure, and each subset has unique identification; If ψ represents key, ψ _irepresent i attribute set in key structure;

(5) data owner DO formulates access strategy tree Tree, and by Encrypt method, file File is encrypted, and ciphertext CT is uploaded to high in the clouds;

Access control tree: the access control policy in the present invention is tree structure, and leaf node represents a concrete attribute, and nonleaf node represents a threshold value; Definition noc _xfor child's number of node x, k _xfor the threshold value of node x, 0 < k _x≤ noc _x; Work as k _xit within=1 o'clock, is " OR " operation; Work as k _x=noc _xtime be " AND " operation; The child nodes of each node is arrived to noc by 1 _xsequence, the father node of parent (x) return node x, index (x) returns to the sequence number that child node x is corresponding, if leaf node, attr (x) returns to the property value of leaf node;

(6) user User is to high in the clouds request access file File, the ciphertext CT of high in the clouds backspace file, and User utilizes private key SK declassified document, and in and if only if user SK, attribute can meet the access control policy of File, could decipher completely;

(7) successful decryption, user obtains plaintext M; Decipher unsuccessfully, illustrate that user haves no right to access this document; Overall process finishes.

Claims (4)

1. a multimachine structure stratification attribute base encryption method that is applied to cloud storage, is characterized in that following steps that the method comprises:

Step 1: authorization center is determined depth of recursion, selects bilinear map and Bilinear Groups, and generation system master key MK and PKI PK retain MK, open PK;

Step 2: authorization center is distributed the master key (carrying out this step when having subcenter) of next stage mandate;

Step 3: user identity file is accepted at central authorization center, for it generates community set A;

Step 4: each authorization center generates key SK for user, and is distributed to user;

Step 5: data owner DO formulates access strategy tree Tree, and by Encrypt method, file File is encrypted, and ciphertext CT is uploaded to high in the clouds;

Step 6: user User is to high in the clouds request access file File, the ciphertext CT of high in the clouds backspace file, User utilizes private key SK declassified document, and in and if only if user SK, attribute can meet the access control policy of File, could decipher completely;

Step 7: if successful decryption, user obtains plaintext M; If decipher unsuccessfully, illustrate that user haves no right to access this document.

2. method according to claim 1, is characterized in that: described method has been set up the many authorization center mechanism of the gradational stratification of tool.

3. method according to claim 1, is characterized in that: described method has been set up the hierarchical mode of user property, and user property is effectively divided according to safe class.

4. method according to claim 1, is characterized in that: described method is applied to cloud storage.

Images