Summary of the invention
The object of the invention is to provide a hierarchical multi-authority attribute-based encryption (HM-ABE) method for cloud storage. The method combines multiple authorization centers with a hierarchical classification of user attributes, addresses the security and privacy of data files and user profiles in cloud storage, and achieves efficient, flexible, fine-grained access control. Authorization centers with different privileges manage different attributes and distribute private key components, which greatly reduces the workload of a single trusted authority. The method supports dynamically adding authorization centers and flexible access control. It also defines a hierarchical model of user attributes that allows a single attribute to take multiple values and supports queries across attribute sets, which makes attribute sets in the CP-ABE mechanism more flexible and accommodates more complex fine-grained access control.
The technical solution adopted by the present invention is a hierarchical multi-authority attribute-based encryption method for cloud storage, comprising the following steps:
Step 1: The authorization center determines the recursion depth, selects the bilinear map and bilinear group, and generates the system master key MK and public key PK; it retains MK and publishes PK.
Step 2: The authorization center distributes the master key for the next level of authorization (this step is performed when sub-centers exist).
Step 3: The central authorization center accepts the user's identity file and generates the attribute set A for the user.
Step 4: Each authorization center generates a key SK for the user and distributes it to the user.
Step 5: The data owner DO defines the access policy tree Tree, encrypts the file File with the Encrypt method, and uploads the ciphertext CT to the cloud.
Step 6: The user User requests access to File from the cloud, and the cloud returns the ciphertext CT of the file. User decrypts the file with the private key SK; decryption succeeds completely if and only if the attributes in the user's SK satisfy the access control policy of File.
Step 7: If decryption succeeds, the user obtains the plaintext M; if decryption fails, the user has no right to access the file.
The present invention establishes a graded, hierarchical multi-authorization-center mechanism in which authorization centers with different privileges manage different attributes and distribute private key components. It also establishes a hierarchical model of user attributes, so that user attributes are divided effectively according to security level.
The mathematical background used by the present invention is defined below:
Definition 1 (bilinear map): Let $G_1$ and $G_2$ be multiplicative cyclic groups of prime order $p$, and let $g$ be a generator of $G_1$. There exists a bilinear pairing map
that satisfies the following properties:
(1) Bilinearity: for all $g, h \in G_1$ and $a, b \in Z_p$, $e(g^a, h^b) = e(g, h)^{ab}$.
(2) Non-degeneracy: there exist $g, h \in G_1$ such that $e(g, h) \neq 1$.
(3) Computability: for any $g, h \in G_1$, there exists a polynomial-time algorithm that computes $e(g, h)$.
I. System architecture
As shown in Figure 1, the present invention provides the architecture of the HM-ABE system, which consists of the following five parts: cloud server (CSP), trusted central authorization center (TA), subordinate authorization centers (AA), data owner (DO) and user (User). The CSP provides the cloud data storage service. The TA is the trusted central authorization center; it is responsible for generating and distributing system parameters and manages the first-level AAs. A subordinate AA manages part of the user attributes and is authorized by the AA one level above it. The data owner encrypts data locally and then uploads the encrypted file to the cloud. The user downloads files from the cloud as needed and decrypts them with the user key. The overall system framework is shown in Fig. 1.
The CSP in the present invention is honest but curious: it processes cloud data according to the methods and protocols of the scheme, but tries to learn as much as possible about the data that users store in the cloud. The TA is fully trusted, while the subordinate AAs are semi-trusted. A user's attributes are managed jointly by all AAs on the user's authorization center chain. Let the user attribute set be $A_u = \{A_1, A_2, \ldots, A_n\}$; according to the hierarchical structure, $A_u$ is automatically divided into K mutually disjoint subsets that are managed respectively by the K AAs on the AA chain, and satisfy
The HM-ABE scheme of the present invention consists of the following four operations: system initialization, key generation, encryption, and decryption.
Select a bilinear group $G_0$ of prime order $p$ with generator $g$, and the map $e: G_0 \times G_0 \to G_1$ on $G_0$. Define a hash function $H: \{0,1\}^* \to G_0$ that maps a string of arbitrary length to a random element of $G_0$; with this function, user attributes can be converted into elements of the group $G_0$.
II. Method flow
1. Parameter initialization
The central authorization center TA assigns every user a globally unique GID and every AA a globally unique AID, which serve as the unique identifiers of the user and of the AA. At initialization, the TA fixes the recursion depth of the user key structure as depth. Because AAs correspond to user attribute subsets, depth also fixes the maximum number of levels of authorization centers.
Randomly select $\alpha, \{\beta_1, \beta_2, \ldots, \beta_{depth}\} \in Z_p$. Taking depth = 2 as an example, the system public key is
The master key is $MK_0 = \{\beta_1, \beta_2, g^{\alpha}\}$.
First-level AA authorization: each AA has a corresponding global identifier AID and manages the attribute set $\Lambda = \{A_0, A_1, \ldots, A_n\}$, where $A_0$ denotes the first-layer attributes and $A_i$ the second-layer attributes, $A_i = \{A_{i,1}, A_{i,2}, \ldots, A_{i,m}\}$, $1 \le i \le n$. When the TA performs the initial authorization of an AA, it randomly selects $r \in Z_p$ to represent $\Lambda$, and also selects $r_i \in Z_p$ to represent $A_i \in \Lambda$ and $r_{i,j} \in Z_p$ to represent $a_{i,j} \in A_i$, $0 \le i \le n$, $1 \le j \le m$. The master key of the first-level AA is:
In the above key, $E_i$ is used for decryption at switching nodes and allows attributes to be matched across sets. During conversion
can go from $r'_i$ to $r_i$.
Subordinate AA authorization: when an AA needs to join the system, it must first be authorized by its superior AA. Let the attribute set of the superior AA be $\Lambda$, and the attribute set of the subordinate AA be
and
The master key of $AA_{k+1}$ is generated for it by $AA_k$. $AA_k$ randomly selects
representing
representing
representing
$0 \le i \le n$, $1 \le j \le m$. The master key generated for $AA_{k+1}$ is:
where $D$, $D_{i,j}$ and $E_i$ are the corresponding items in $AA_k$.
2. User key generation
All of a user's attributes $A_u$ are managed jointly by the K authorization centers on the authorization chain. Let the user's attribute set on the k-th ($k \le K$) center $AA_k$ be
$AA_k$ first uses the pseudo-random function PSK, based on the user's GID and $AID_k$, to generate the user's private key component on this AA, $\alpha_u^{(k)} = P_{sk}(u)$. $AA_k$ randomly selects for the user $r_u^{(k)} \in Z_p$ to represent $A_u^{(k)}$,
representing
representing
Finally, the key generated for the user on $AA_k$ is:
where
are respectively the two local master keys on $AA_k$.
The user's total key is therefore:
where $D_{user}$ is the user's total decryption key, used to decrypt ciphertext and issued by the TA.
3. Encryption method
Before uploading the plaintext data M to the CSP, the data owner must encrypt it. According to the configured access rules and the attribute sets managed by each authorization center, the access policy is split into W sub-policies, one for each of W authorization centers.
Let
be the set of access policy trees. The data owner first selects a random number $\theta \in Z_p$; the ciphertext of the plaintext data M is
Let $\Gamma^{(w)}$ denote the access policy tree on $AA^{(w)}$. Each node $x^{(w)}$ in $\Gamma^{(w)}$, going down from the root node $R$, has a corresponding polynomial $q_x$. For a non-leaf node, the degree of $q_x$ (denoted $d_x$) is the threshold of node $x$ minus 1, i.e. $d_x = k_x - 1$. If $x^{(w)}$ is a leaf node, the degree of $q_x$ is 0, i.e. $d_x = 0$. For any node $x^{(w)}$ other than the root, $q_x(0) = q_{parent(x)}(index(x))$, and the other values of the polynomial are chosen at random. For the root node, $q_R(0) = \theta$, $\theta \in Z_p$, and the other values are chosen at random; the threshold polynomial $q_x$ is determined with the Lagrange polynomial. Let $Y^{(w)}$ denote the set of all leaf nodes $y^{(w)}$ and $X^{(w)}$ the set of all non-leaf nodes $x^{(w)}$. The ciphertext generated on $AA^{(w)}$ is:
Similarly, the same encryption process is carried out for the other W-1 authorization centers, and the final ciphertext of the plaintext data M together with its access policy is:
4. Decryption method
When a user accesses a file on the CSP, the CSP sends the encrypted file to the user, who must decrypt it with the user key. Decryption is correct if and only if the user's attribute set satisfies the access policy on each AA. If the access policy is distributed over W AAs and the user holds K private key components, decryption is possible if and only if $K \ge W$ and all W access policies are satisfied.
The decryption method first checks whether the user's private key component matches the authorization center AID in the ciphertext; the version match succeeds when VS = VK. Let the ciphertext of the w-th authorization center be $CT^{(w)}$ and the user's private key component be
The decryption method calls Tree($A_u$) to verify whether, in the private key component
the set $A_u^{(w)}$ satisfies $\Gamma^{(w)}$ in the ciphertext $CT^{(w)}$. Tree($A_u$) is implemented recursively: for any node $x$ in the access policy tree, $Tree_x(A_u)$ returns a set $S_x$ of labels. If $A_u^{(w)}$ does not satisfy $\Gamma^{(w)}$, Tree($A_u$) returns null. Otherwise, the decryption method randomly selects $i \in S$ and, starting from the root node, recursively executes the function
which is defined as follows:
1) If x is a leaf node:
A) When
holds,
returns null;
B) When
holds, because
is an element of $G_0$, we may suppose
2) If x is a non-leaf node,
is defined as follows:
Let $B_x$ be a set formed by any $k_x$ child nodes of node $x$, and let $z \in B_x$ be any one of these child nodes. Node $z$ is decrypted if and only if it meets the following conditions: ① the non-empty set returned by DecryptNode is $S_z$ and $i \in S_z$, or ② there exists $i' \neq i$ with $i' \in S_z$ and node $z$ is a switching node. Otherwise the function returns null. For $z \in B_x$:
① If $i \in S_z$, call the function
and store the result in $F_z$.
② If $i' \in S_z$, $i' \neq i$, call the function
and store the result in $F_z'$.
a) If $i \neq 0$, node conversion is performed:
After $F_z$ has been computed for each child node $z \in B_x$, Lagrange interpolation gives $F_x$ for node $x$,
where $i_z = index(z)$, $S'_z = \{index(z) : z \in B_x\}$, and the Lagrange coefficient is
Finally, at node x the value of the function
is:
Recursing upward, at the root node R the value of the function
is:
When $i \neq 0$, we convert
as follows:
If the user satisfies the access policies of all W authorization centers,
contains no null value, and the computation is as follows:
From this we obtain:
The plaintext
and decryption succeeds.
Beneficial effects:
1. The present invention supports graded, multiple authorization authorities and at the same time classifies user attributes into levels, supporting more flexible, fine-grained access control policies.
2. The present invention greatly reduces the workload of a single trusted authority.
Embodiment
The technical solution of the present invention is further described below with reference to the accompanying drawings.
Embodiment 1
The mathematical background used by the present invention is defined below:
Definition 1 (bilinear map): Let $G_1$ and $G_2$ be multiplicative cyclic groups of prime order $p$, and let $g$ be a generator of $G_1$. There exists a bilinear pairing map
that satisfies the following properties:
Bilinearity: for all $g, h \in G_1$ and $a, b \in Z_p$, $e(g^a, h^b) = e(g, h)^{ab}$.
Non-degeneracy: there exist $g, h \in G_1$ such that $e(g, h) \neq 1$.
Computability: for any $g, h \in G_1$, there exists a polynomial-time algorithm that computes $e(g, h)$.
As shown in Figure 1, the present invention provides the architecture of the HM-ABE system, which consists of the following five parts: cloud server (CSP), trusted central authorization center (TA), subordinate authorization centers (AA), data owner (DO) and user (User). The CSP provides the cloud data storage service. The TA is the trusted central authorization center; it is responsible for generating and distributing system parameters and manages the first-level AAs. A subordinate AA manages part of the user attributes and is authorized by the AA one level above it. The data owner encrypts data locally and then uploads the encrypted file to the cloud. The user downloads files from the cloud as needed and decrypts them with the user key. The overall system framework is shown in Fig. 1.
The CSP in the present invention is honest but curious: it processes cloud data according to the methods and protocols of the scheme, but tries to learn as much as possible about the data that users store in the cloud. The TA is fully trusted, while the subordinate AAs are semi-trusted. A user's attributes are managed jointly by all AAs on the user's authorization center chain. Let the user attribute set be $A_u = \{A_1, A_2, \ldots, A_n\}$; according to the hierarchical structure, $A_u$ is automatically divided into K mutually disjoint subsets that are managed respectively by the K AAs on the AA chain, and satisfy
The HM-ABE scheme of the present invention consists of the following four operations: system initialization, key generation, encryption, and decryption.
Select a bilinear group $G_0$ of prime order $p$ with generator $g$, and the map $e: G_0 \times G_0 \to G_1$ on $G_0$. Define a hash function $H: \{0,1\}^* \to G_0$ that maps a string of arbitrary length to a random element of $G_0$; with this function, user attributes can be converted into elements of the group $G_0$.
Method flow
Parameter initialization
The central authorization center TA assigns every user a globally unique GID and every AA a globally unique AID, which serve as the unique identifiers of the user and of the AA. At initialization, the TA fixes the recursion depth of the user key structure as depth. Because AAs correspond to user attribute subsets, depth also fixes the maximum number of levels of authorization centers.
Randomly select $\alpha, \{\beta_1, \beta_2, \ldots, \beta_{depth}\} \in Z_p$. Taking depth = 2 as an example, the system public key is
The master key is $MK_0 = \{\beta_1, \beta_2, g^{\alpha}\}$.
First-level AA authorization: each AA has a corresponding global identifier AID and manages the attribute set $\Lambda = \{A_0, A_1, \ldots, A_n\}$, where $A_0$ denotes the first-layer attributes and $A_i$ the second-layer attributes, $A_i = \{A_{i,1}, A_{i,2}, \ldots, A_{i,m}\}$, $1 \le i \le n$. When the TA performs the initial authorization of an AA, it randomly selects $r \in Z_p$ to represent $\Lambda$, and also selects $r_i \in Z_p$ to represent $A_i \in \Lambda$ and $r_{i,j} \in Z_p$ to represent $a_{i,j} \in A_i$, $0 \le i \le n$, $1 \le j \le m$. The master key of the first-level AA is:
In the above key, $E_i$ is used for decryption at switching nodes and allows attributes to be matched across sets. During conversion
can go from $r'_i$ to $r_i$.
Subordinate AA authorization: when an AA needs to join the system, it must first be authorized by its superior AA. Let the attribute set of the superior AA be $\Lambda$, and the attribute set of the subordinate AA be
and
The master key of $AA_{k+1}$ is generated for it by $AA_k$. $AA_k$ randomly selects
representing
representing
representing
$0 \le i \le n$, $1 \le j \le m$. The master key generated for $AA_{k+1}$ is:
where $D$, $D_{i,j}$ and $E_i$ are the corresponding items in $AA_k$.
User key generation
All of a user's attributes $A_u$ are managed jointly by the K authorization centers on the authorization chain. Let the user's attribute set on the k-th ($k \le K$) center $AA_k$ be
$AA_k$ first uses the pseudo-random function PSK, based on the user's GID and $AID_k$, to generate the user's private key component on this AA, $\alpha_u^{(k)} = P_{sk}(u)$. $AA_k$ randomly selects for the user $r_u^{(k)} \in Z_p$ to represent $A_u^{(k)}$,
representing
representing
Finally, the key generated for the user on $AA_k$ is:
where
are respectively the two local master keys on $AA_k$.
The user's total key is therefore:
where $D_{user}$ is the user's total decryption key, used to decrypt ciphertext and issued by the TA.
Encryption method
Before uploading the plaintext data M to the CSP, the data owner must encrypt it. According to the configured access rules and the attribute sets managed by each authorization center, the access policy is split into W sub-policies, one for each of W authorization centers.
Let
be the set of access policy trees. The data owner first selects a random number $\theta \in Z_p$; the ciphertext of the plaintext data M is
Let $\Gamma^{(w)}$ denote the access policy tree on $AA^{(w)}$. Each node $x^{(w)}$ in $\Gamma^{(w)}$, going down from the root node $R$, has a corresponding polynomial $q_x$. For a non-leaf node, the degree of $q_x$ (denoted $d_x$) is the threshold of node $x$ minus 1, i.e. $d_x = k_x - 1$. If $x^{(w)}$ is a leaf node, the degree of $q_x$ is 0, i.e. $d_x = 0$. For any node $x^{(w)}$ other than the root, $q_x(0) = q_{parent(x)}(index(x))$, and the other values of the polynomial are chosen at random. For the root node, $q_R(0) = \theta$, $\theta \in Z_p$, and the other values are chosen at random; the threshold polynomial $q_x$ is determined with the Lagrange polynomial. Let $Y^{(w)}$ denote the set of all leaf nodes $y^{(w)}$ and $X^{(w)}$ the set of all non-leaf nodes $x^{(w)}$. The ciphertext generated on $AA^{(w)}$ is:
Similarly, the same encryption process is carried out for the other W-1 authorization centers, and the final ciphertext of the plaintext data M together with its access policy is:
Decryption method
When a user accesses a file on the CSP, the CSP sends the encrypted file to the user, who must decrypt it with the user key. Decryption is correct if and only if the user's attribute set satisfies the access policy on each AA. If the access policy is distributed over W AAs and the user holds K private key components, decryption is possible if and only if $K \ge W$ and all W access policies are satisfied.
The decryption method first checks whether the user's private key component matches the authorization center AID in the ciphertext; the version match succeeds when VS = VK. Let the ciphertext of the w-th authorization center be $CT^{(w)}$ and the user's private key component be
The decryption method calls Tree($A_u$) to verify whether, in the private key component
the set $A_u^{(w)}$ satisfies $\Gamma^{(w)}$ in the ciphertext $CT^{(w)}$. Tree($A_u$) is implemented recursively: for any node $x$ in the access policy tree, $Tree_x(A_u)$ returns a set $S_x$ of labels. If $A_u^{(w)}$ does not satisfy $\Gamma^{(w)}$, Tree($A_u$) returns null. Otherwise, the decryption method randomly selects $i \in S$ and, starting from the root node, recursively executes the function
which is defined as follows:
1) If x is a leaf node:
A) When
holds,
returns null;
B) When
holds, because
is an element of $G_0$, we may suppose
2) If x is a non-leaf node,
is defined as follows:
Let $B_x$ be a set formed by any $k_x$ child nodes of node $x$, and let $z \in B_x$ be any one of these child nodes. Node $z$ is decrypted if and only if it meets the following conditions: ① the non-empty set returned by DecryptNode is $S_z$ and $i \in S_z$, or ② there exists $i' \neq i$ with $i' \in S_z$ and node $z$ is a switching node. Otherwise the function returns null. For $z \in B_x$:
① If $i \in S_z$, call the function
and store the result in $F_z$.
② If $i' \in S_z$, $i' \neq i$, call the function
and store the result in $F_z'$.
a) If $i \neq 0$, node conversion is performed:
After $F_z$ has been computed for each child node $z \in B_x$, Lagrange interpolation gives $F_x$ for node $x$,
where $i_z = index(z)$, $S'_z = \{index(z) : z \in B_x\}$, and the Lagrange coefficient is
Finally, at node x the value of the function
is:
Recursing upward, at the root node R the value of the function
is:
When $i \neq 0$, we convert
as follows:
If the user satisfies the access policies of all W authorization centers,
contains no null value, and the computation is as follows:
From this we obtain:
The plaintext
and decryption succeeds.
Embodiment 2
As shown in Figure 2, a data owner DO uploads a file File to the cloud, and a user User obtains the ciphertext of File from the cloud and decrypts it with the private key SK.
The embodiment proceeds as follows:
(1) The authorization center determines the recursion depth, selects the bilinear map and bilinear group, and generates the system master key MK and public key PK; it retains MK and publishes PK.
(2) The authorization center distributes the master key for the next level of authorization (this step is performed when sub-centers exist).
(3) The central authorization center accepts the user's identity file and generates the attribute set A for the user.
(4) Each authorization center generates a key SK for the user and distributes it to the user.
Key structure: the key structure of the present invention is layered, so that an element of a key can be either a single user attribute or a recursive attribute set. At system initialization, the depth of the key structure is defined as depth, which limits the maximum number of recursions. Suppose depth = 3: an element of the first or second layer can be a set or a single attribute, while an element of the third layer can only be a single user attribute, for example: Name:Jack, ID:30202, Age:24, Sex:Male, and Location:USA, Job:Student}}}. In the key structure, each subset has a unique label. Let $\psi$ denote the key, and $\psi_i$ the i-th attribute set in the key structure.
(5) The data owner DO defines the access policy tree Tree, encrypts the file File with the Encrypt method, and uploads the ciphertext CT to the cloud.
Access control tree: the access control policy in the present invention is a tree structure in which a leaf node represents a concrete attribute and a non-leaf node represents a threshold. Define $noc_x$ as the number of children of node $x$ and $k_x$ as the threshold of node $x$, with $0 < k_x \le noc_x$. When $k_x = 1$ the node is an "OR" operation; when $k_x = noc_x$ it is an "AND" operation. The child nodes of each node are numbered from 1 to $noc_x$. parent(x) returns the parent node of node x, index(x) returns the sequence number of child node x, and for a leaf node attr(x) returns the attribute value of the leaf.
(6) The user User requests access to File from the cloud, and the cloud returns the ciphertext CT of the file. User decrypts the file with the private key SK; decryption succeeds completely if and only if the attributes in the user's SK satisfy the access control policy of File.
(7) If decryption succeeds, the user obtains the plaintext M; if decryption fails, the user has no right to access the file. The whole process ends.
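The polynomial assignment of the encryption method and the Lagrange interpolation of the decryption method, worked through on one access control tree as an added example (not code from the patent). It runs only the arithmetic in $Z_p$ on the shares $q_x(0)$: the pairing, the group elements, the per-user randomness and the switching nodes are left out, and the prime `P`, the helper names and the sample policy are assumptions.

```python
import secrets

P = 2**127 - 1  # a prime standing in for the group order p (assumption)

class Node:
    """Leaf: attr is set. Non-leaf: threshold k over ordered children."""
    def __init__(self, k=None, children=(), attr=None):
        self.k, self.children, self.attr = k, list(children), attr
        self.share = None  # q_x(0) of a leaf, kept as a plain integer here

def leaf(attr):
    return Node(attr=attr)

def gate(k, *children):
    if not 0 < k <= len(children):  # enforce 0 < k_x <= noc_x
        raise ValueError("threshold out of range")
    return Node(k=k, children=children)

def eval_poly(coeffs, x):
    acc = 0
    for c in reversed(coeffs):  # Horner's rule mod P
        acc = (acc * x + c) % P
    return acc

def share(node, secret):
    """Top-down: q_x(0) = secret, deg q_x = k_x - 1, child gets q_x(index)."""
    if node.attr is not None:
        node.share = secret
        return
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(node.k - 1)]
    for index, child in enumerate(node.children, start=1):
        share(child, eval_poly(coeffs, index))

def lagrange_at_zero(i, indices):
    """Lagrange coefficient of point i, evaluated at 0, over `indices`."""
    num = den = 1
    for j in indices:
        if j != i:
            num = num * (-j) % P
            den = den * (i - j) % P
    return num * pow(den, -1, P) % P

def recover(node, attrs):
    """Bottom-up: return q_x(0) if attrs satisfy the subtree, else None."""
    if node.attr is not None:
        return node.share if node.attr in attrs else None
    got = {}
    for index, child in enumerate(node.children, start=1):
        value = recover(child, attrs)
        if value is not None:
            got[index] = value
        if len(got) == node.k:  # any k_x satisfied children suffice
            break
    if len(got) < node.k:
        return None  # policy not satisfied: nothing to interpolate
    return sum(v * lagrange_at_zero(i, got) for i, v in got.items()) % P

def build_policy():
    # Constructed policy: 2-of-3 over Job, (Location OR ID), Sex
    return gate(2, leaf("Job:Student"),
                gate(1, leaf("Location:USA"), leaf("ID:30202")),
                leaf("Sex:Male"))

if __name__ == "__main__":
    tree, theta = build_policy(), secrets.randbelow(P)
    share(tree, theta)  # root: q_R(0) = theta
    print(recover(tree, {"Job:Student", "Location:USA"}) == theta)
    print(recover(tree, {"Age:24", "Location:USA"}))
```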