CN103731261A - Key distribution method for an encrypted data deduplication scenario - Google Patents

Info

Publication number: CN103731261A
Application number: CN201410010603.XA
Authority: CN (China)
Other versions: CN103731261B (en)
Other languages: Chinese (zh)
Prior art keywords: file, key, uploader, follow, key distribution
Inventors: 张明月, 杨超, 马建峰, 董超, 周洪丞, 张坤, 姚亮, 张鹏
Original assignee: Xidian University
Current assignee: Xidian University
Legal status: Granted; Expired - Fee Related
Application filed by Xidian University; priority to CN201410010603.XA; published as CN103731261A, granted as CN103731261B.

Classification

  • Storage Device Security

Abstract

The invention discloses a key distribution method for an encrypted data deduplication scenario. The method mainly addresses the problems of the prior art, namely low security and a large amount of computation. It comprises the steps of (1) achieving file ownership authentication through a zero-knowledge proof based on the Schnorr scheme, sampling a number of plaintext file blocks in every run to generate the ownership proof; (2) the server judging, from the previously obtained intermediate proofs and the ownership proof submitted by the client, whether the client passes file ownership authentication; (3) a key distribution assistant generating a re-encryption key, with which the server performs proxy re-encryption on the file-key ciphertext to obtain a re-encrypted ciphertext that is sent to the client, thereby distributing the file key. The method improves the security of client data, reduces the amount of computation performed by client and server during their interaction, and is applicable to cloud storage services that employ data deduplication.

Description

Key distribution method for an encrypted data deduplication scenario
Technical field
The invention belongs to the field of information security technology, and in particular to a key distribution method that can be used in cloud storage services, in an encrypted data deduplication scenario shared across multiple clients, to distribute the key of the original data to clients.
Background technology
With the growth of cloud computing, more and more individuals and enterprises are starting to use cheap and convenient cloud services for outsourced computation and storage. This model inevitably produces a large amount of redundant data. To save users' upload bandwidth and the storage resources of cloud service providers, "data deduplication" technology was proposed. It guarantees the uniqueness of the data stored on the server at block level or file level, so as to reduce data redundancy.
Data deduplication is classified as follows: by the point at which deduplication is applied, into client-side and server-side deduplication; by data granularity, into block-level and file-level deduplication. In file-level client-side deduplication, the server first determines from the file identifier whether the file already exists; if it does, the client need not upload the file, and the server only has to mark this client as an owner of the file. This not only saves the server's storage resources but also saves the user's network bandwidth. Many well-known cloud storage services, such as Dropbox and Memopal, currently use this technique. Deduplication ratios reported for commercial applications range from 1:10 to 1:500, bringing storage and bandwidth savings of up to 90%.
In existing client-side deduplication systems, the server decides whether a file exists from the file hash submitted by the client. Such a mechanism can harm users: an attacker can learn whether another client already has a file from the server's reply about whether an upload is needed, and can thereby probe for identity information about users; this attack has been applied to some well-known storage service providers, such as MozyHome and Dropbox. In another class of attack, an attacker who has obtained the hash of a file by some means, without having the file itself, can gain unauthorized access to the actual file under the existing mechanism, because the server assumes that "possessing the file hash means possessing the complete file". This also lets an attacker abuse the storage service as a content distribution network (CDN), i.e. publish file hashes to share files within a group, which greatly increases the load on the cloud service provider.
As users' awareness of personal data privacy protection keeps rising, more and more cloud service providers claim to offer encrypted storage. Even so, it has been reported that the client software of the social network Twitter contained a security vulnerability that let an attacker access users' private data. Moreover, the storage encryption offered by the service cannot prevent an "honest but curious" server from obtaining user data. Hence a further kind of client-side deduplication scheme combined with "end-to-end" encryption exists: the file is encrypted with a key chosen at random by the user, and the file ciphertext is uploaded to the server. But this introduces a new problem: except for the holder of the key, nobody can determine whether two ciphertexts correspond to the same plaintext, so the server can apply deduplication only within a single user's data, which greatly reduces deduplication efficiency.
To address the above problems, the industry has proposed the following solutions:
1. Harnik et al. proposed the POW (Proofs of Ownership) strategy to verify whether a user really has the file: after the server and the client preprocess the file, a Merkle tree is built; the server randomly selects a set of leaf nodes as a challenge to the client, requiring the client to return the set of paths from the Merkle root to those leaves. This file ownership proof scheme has two shortcomings: first, it requires the client to perform very time-consuming, frequent I/O requests and consumes a large amount of computing resources; second, its security rests on an assumption that is hard to prove.
2. Convergent encryption is a cryptographic primitive proposed by Douceur et al. that attempts to guarantee data confidentiality under deduplication. Convergent encryption of data means encrypting the plaintext with a deterministic symmetric encryption scheme whose key is obtained by applying a deterministic function to the plaintext. Obviously, identical plaintexts yield identical keys and identical ciphertexts, which makes cross-user deduplication achievable. However, convergent encryption cannot provide semantic security, because it is vulnerable to content-guessing attacks. The study by Bellare et al. shows that convergent encryption can only provide confidentiality for unpredictable data.
3. Among the known schemes there is no dedicated key distribution scheme. The file key, once encrypted, is transferred directly to the client, and the key-encrypting key is generally obtained with a key generation method similar to that of convergent encryption, i.e. derived deterministically from the plaintext. The key-encrypting key therefore faces the same attacks as convergent encryption: first, content-guessing attacks; second, no guarantee of semantic security.
Summary of the invention
The object of the invention is to overcome the deficiencies of the prior art described above by proposing a key distribution method for an encrypted data deduplication scenario, so as to improve the security of user data in deduplicating cloud storage services and reduce the amount of computation performed by client and server during their interaction.
The technical scheme of the invention is realized as follows:
1. Technical principle:
To solve the security problem in the scenario of "data deduplication under user data privacy protection", the invention proposes a cryptographically secure and efficient proof scheme. It comprises two parts: a file ownership proof based on a Schnorr-type zero-knowledge proof protocol, and key distribution realized with proxy re-encryption.
The file ownership proof is realized with the zero-knowledge proof protocol based on the Schnorr scheme. In a zero-knowledge proof, the prover proves the correctness of some statement to a verifier without revealing the underlying knowledge. Thanks to this inherent "zero-knowledge" property, an ownership proof derived from the original plaintext file does not reveal information about that file, which guarantees data confidentiality during the interaction. The first uploader of a file computes intermediate proofs from the original file and uploads them to the server; during the file ownership proof interaction between a subsequent uploader and the server, the server compares the intermediate proofs with the ownership proof of the subsequent uploader to decide whether to acknowledge the subsequent uploader's ownership of the file. Using random sampling and dynamic coefficients, the server makes the subsequent uploader generate a fresh ownership proof in every run, so as to resist replay attacks.
Meanwhile, key distribution is realized with proxy re-encryption technology. In proxy re-encryption, a ciphertext encrypted under the delegator's public key can be transformed into a ciphertext that the delegatee's private key can decrypt. After a subsequent uploader has passed file ownership authentication, the file owner assisting key distribution generates the re-encryption key rk and encrypts the file key k with its public key to obtain the file-key ciphertext k'; the server applies the re-encryption operation with rk to k' and obtains the re-encrypted ciphertext k''. The subsequent uploader receives the re-encrypted ciphertext k'' of the file key k and decrypts it with its private key to obtain the file key k, thereby gaining authorized access to the original file.
2. Implementation steps:
For the first uploader and the subsequent uploaders of the same file, the concrete implementation steps of the invention comprise:
(1) The first uploader FU of the file uploads the intermediate proofs and the original-file ciphertext:
1a) following the requirements of the zero-knowledge proof protocol based on the Schnorr scheme, FU divides the original file m into blocks and uses a congruence to generate the intermediate proofs IPs;
1b) FU randomly selects a file key k, symmetrically encrypts the original file m to obtain the original-file ciphertext m', and encrypts the file key k with its public key pk_FU to obtain the file-key ciphertext k'_FU;
1c) FU uploads the intermediate proofs IPs, the original-file ciphertext m' and the file-key ciphertext k'_FU to the server;
(2) The subsequent uploader SU and the server carry out the file ownership proof interaction:
2a) SU selects a random number r, generates the correlation coefficient x = β^r mod d and sends it to the server, where 1 ≤ β ≤ d-1, β is an element of order q, i.e. 1 = β^q mod d, d and q are primes, and d-1 is divisible by q;
2b) the server randomly selects a file block count c and two random numbers s', s'', forms the authentication challenge set
Chal = (c, s', s'') and sends it to SU;
2c) from the original file m it holds and the challenge set Chal, SU generates the file ownership proof FPs and sends it to the server;
2d) from the intermediate proofs IPs and the file ownership proof FPs received from SU, the server generates the proof-distance values DPs to decide whether to acknowledge SU's ownership of the file; if it does, the server marks SU as an owner of the file and executes step (3); otherwise SU's file ownership authentication fails;
(3) The server distributes the key to SU:
3a) SU uploads its public key pk_SU to the server;
3b) the server forwards SU's public key pk_SU to the key distribution assistant AU;
3c) AU generates the re-encryption key rk_{AU→SU} from its own private key sk_AU and the public key pk_SU received from the server;
3d) AU encrypts the file key k with its public key pk_AU to obtain the file-key ciphertext k'_AU;
3e) AU returns its file-key ciphertext k'_AU, its public key pk_AU and the re-encryption key rk_{AU→SU} to the server together;
3f) the server applies proxy re-encryption with rk_{AU→SU} to AU's file-key ciphertext k'_AU, obtains the re-encrypted ciphertext k''_SU and sends it to SU;
3g) SU decrypts the re-encrypted ciphertext k''_SU with its private key sk_SU and obtains the file key k.
Compared with the prior art, the invention has the following advantages:
First, strong confidentiality.
The invention realizes file ownership authentication with zero-knowledge authentication based on the Schnorr scheme; the server cannot obtain any information about the original plaintext file from the ownership proof submitted by the client, which guarantees high confidentiality of the data during authentication.
Second, high security.
The invention performs key distribution with proxy re-encryption, so the server cannot obtain any information about the file key, which guarantees high security of the file key.
Third, little computation.
The invention uses random sampling to extract a number of file blocks for ownership authentication, which reduces the computation of server and client; because the ownership proof is generated from the original plaintext file, the client is spared cryptographic operations on the original plaintext file.
Description of the drawings
Fig. 1 is the overall flow chart of the invention;
Fig. 2 is the sub-flow chart of the file ownership authentication preparation in the invention;
Fig. 3 is the sub-flow chart of the file ownership authentication interaction phase in the invention;
Fig. 4 is the sub-flow chart of the key distribution phase in the invention.
Embodiments
Symbols and abbreviations
m is the original file;
k is the file key of the original file, selected at random by the first uploader of the file;
m' is the original-file ciphertext, i.e. the form of the original file m after encryption with the file key k;
n is the number of blocks of the original file;
{b_1, b_2, ..., b_i, ..., b_n} is the set of blocks of the original file;
pk_FU, sk_FU is the public/private key pair of the first uploader FU;
pk_SU, sk_SU is the public/private key pair of the subsequent uploader SU;
pk_AU, sk_AU is the public/private key pair of the key distribution assistant AU;
k'_AU is the ciphertext of the file key k after encryption with the public key pk_AU of the key distribution assistant AU;
k''_SU is the ciphertext of the file-key ciphertext k'_AU after re-encryption;
c is the number of file blocks requested in a single challenge-proof run;
d, q are primes, with q dividing d-1;
β is an element of order q, i.e. 1 = β^q mod d, 1 ≤ β ≤ d-1;
G is the cyclic group of order d with generator g, G = {g^0, g^1, ..., g^(d-1)};
H() is a random hash function;
g_j, g_h, g_u, g_v, g_w are distinct values selected from the cyclic group G; j, h, u, v, w all range from 0 to d-1;
l, s are two distinct values selected from the integer set Z_d;
mod is the modulo operation;
TCR() is a collision-resistant hash function with two input parameters, both belonging to the cyclic group G;
TCR'() is a collision-resistant hash function with one input parameter, belonging to the cyclic group G;
SYM.Enc() is the symmetric encryption scheme;
SYM.Dec() is the symmetric decryption scheme.
The embodiments of the invention are further illustrated below with reference to the drawings and specific examples.
Referring to Fig. 1, the implementation steps of the invention are as follows:
Step 1: the first uploader FU prepares file ownership authentication.
Referring to Fig. 2, this step is implemented as follows:
1a) the original file m is divided into n equal-sized blocks, giving m = {b_1, b_2, ..., b_i, ..., b_n};
1b) following the requirements of the zero-knowledge proof protocol based on the Schnorr scheme, a congruence is used to generate the intermediate proofs IPs for each block of the original file m:
IPs = {IPs_i},
where IPs_i is an element of the intermediate proofs IPs,
[formula for IPs_i, given only as an image in the original]
b_i is a block of the original file m = {b_1, b_2, ..., b_i, ..., b_n}, i runs from 1 to n, 1 ≤ β ≤ d-1, β is an element of order q, i.e. 1 = β^q mod d, d and q are primes with d-1 divisible by q, and mod is the modulo operation; each element of the intermediate proofs IPs corresponds one-to-one to a block of the original file m;
1c) a file key k is selected at random;
1d) the original file m is symmetrically encrypted with the file key k to obtain the original-file ciphertext m':
m' = SYM.Enc(k, m),
where SYM.Enc() is the symmetric encryption scheme;
1e) the intermediate proofs IPs and the original-file ciphertext m' are uploaded to the server.
Step 2: the server and the subsequent uploader SU carry out the file ownership authentication interaction.
Referring to Fig. 3, this step is implemented as follows:
2a) SU selects a random number r, generates the correlation coefficient x and sends it to the server; x is generated by the following formula:
x = β^r mod d,
where 1 ≤ β ≤ d-1, β is an element of order q, i.e. 1 = β^q mod d, d and q are primes with d-1 divisible by q, and mod is the modulo operation;
2b) having received the correlation coefficient x, the server selects the number c of file blocks to authenticate and two random numbers s', s'', forms the authentication challenge set Chal = (c, s', s'') and sends it to SU;
2c) according to the challenge set Chal, SU first generates the file ownership proof FPs and uploads it to the server; FPs is generated by the following formula:
FPs = {FPs_i},
where FPs_i is an element of the file ownership proof FPs,
[block index formula, given only as an image in the original]
FPs_i = b_i · s'' + r,
[symbol given only as an image in the original] is a pseudo-random permutation function, b_i is a block of the original file m = {b_1, b_2, ..., b_i, ..., b_n}, r is the random number, ρ runs from 1 to c, c is the number of file blocks in the challenge set Chal, and s', s'' are the two random numbers in the challenge set Chal;
2d) from the intermediate proofs IPs and the file ownership proof FPs, the server generates the proof-distance values DPs:
DPs = {DPs_i},
DPs_i = IPs_i^(s'') · β^(FPs_i) mod d,
where DPs_i is an element of DPs, IPs_i is an element of the intermediate proofs IPs, and FPs_i is an element of the file ownership proof FPs;
2e) the server decides from DPs = {DPs_i} whether to acknowledge SU's ownership of the file: if every element of DPs = {DPs_i} equals the correlation coefficient x, SU's ownership is acknowledged and step 3 is executed; otherwise SU's file ownership authentication fails.
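The ownership-proof exchange of steps 1b and 2a to 2e, simulated end to end as an added example (this is not the patent's code, and the patent shows no code). It uses toy primes d = 2039, q = 1019 and BETA of order q, constructed here, where a deployment would use large parameters. Two details the page gives only as images are filled in as labelled assumptions: the block-index permutation is a SHA-256 keyed sort on s', and the intermediate proof is taken as IPs_i = BETA^(-b_i) mod d, which is the value for which the page's check DPs_i = IPs_i^(s'') · β^(FPs_i) mod d = x holds for an honest prover. The example also shows two things the text asserts: a client holding a different block fails, and a recorded proof replayed against a fresh challenge is rejected because s'' differs.

```python
import hashlib
import secrets

# Toy parameters, constructed for this example (a real deployment would use
# large primes): d and q are prime with q | d-1, and BETA has order q modulo d,
# i.e. 1 = BETA^q mod d as the patent requires. Needs Python 3.8+ for pow(x, -1, m).
Q = 1019
D = 2 * Q + 1                      # 2039, also prime
BETA = pow(2, (D - 1) // Q, D)     # 2^2 = 4, an element of order q


def challenged_indices(n, c, s1):
    """Block indices covered by a challenge. Assumption: the patent's
    pseudo-random permutation is given only as an image, so a permutation of
    0..n-1 keyed by s' via SHA-256 is used; the first c entries are the
    challenged blocks, i.e. rho = 1..c maps onto these indices."""
    keyed = sorted(range(n), key=lambda i: hashlib.sha256(f"{s1}:{i}".encode()).digest())
    return keyed[:c]


def intermediate_proofs(blocks):
    """Step 1b (first uploader FU): one intermediate proof IPs_i per block.
    Assumption: IPs_i = BETA^(-b_i) mod d, the value for which the server's
    check DPs_i == x below holds for an honest prover."""
    return [pow(pow(BETA, b, D), -1, D) for b in blocks]


def commit():
    """Step 2a (subsequent uploader SU): fresh r and x = BETA^r mod d."""
    r = secrets.randbelow(Q - 1) + 1
    return r, pow(BETA, r, D)


def challenge(n, c):
    """Step 2b (server): Chal = (c, s', s'') with fresh random s', s''."""
    return (c, secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1)


def ownership_proofs(blocks, chal, r):
    """Step 2c (SU): FPs_i = b_i * s'' + r for every challenged block."""
    c, s1, s2 = chal
    return {i: blocks[i] * s2 + r for i in challenged_indices(len(blocks), c, s1)}


def verify(ips, chal, x, fps):
    """Steps 2d/2e (server): DPs_i = IPs_i^(s'') * BETA^(FPs_i) mod d must
    equal the coefficient x for every challenged block."""
    c, s1, s2 = chal
    if set(fps) != set(challenged_indices(len(ips), c, s1)):
        return False                       # wrong or incomplete block set
    return all((pow(ips[i], s2, D) * pow(BETA, fp, D)) % D == x
               for i, fp in fps.items())


def ownership_session(original_blocks, claimant_blocks, chal=None):
    """One Step 1 + Step 2 exchange; returns the server's decision."""
    ips = intermediate_proofs(original_blocks)        # stored at first upload
    r, x = commit()                                   # SU -> server: x
    chal = chal or challenge(len(original_blocks), max(1, len(original_blocks) // 2))
    fps = ownership_proofs(claimant_blocks, chal, r)  # SU -> server: FPs
    return verify(ips, chal, x, fps)


def replay_is_rejected(blocks, old_chal, new_chal):
    """A recorded (x, FPs) pair from one session is replayed against a fresh
    challenge whose s'' differs; True means the server rejected the replay."""
    ips = intermediate_proofs(blocks)
    r, x = commit()
    old_fps = ownership_proofs(blocks, old_chal, r)
    if not verify(ips, old_chal, x, old_fps):
        raise RuntimeError("honest session must verify")
    return not verify(ips, new_chal, x, old_fps)


if __name__ == "__main__":
    # Constructed sample: six file blocks, and a copy with one block altered.
    ORIGINAL = [17, 42, 256, 999, 3, 500]
    TAMPERED = [17, 42, 257, 999, 3, 500]
    print("owner passes:", ownership_session(ORIGINAL, ORIGINAL))
    print("non-owner fails:", ownership_session(ORIGINAL, TAMPERED, chal=(6, 7, 11)))
    print("replay rejected:", replay_is_rejected(ORIGINAL, (6, 5, 100), (6, 5, 101)))
```

Because BETA has order q, every exponent is effectively reduced modulo q, so the server's check cancels the block contribution only when the claimant's b_i matches the one behind IPs_i; a tampered block or a stale s'' leaves a nonzero multiple of s'' in the exponent and the comparison with x fails.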
Step 3: the server carries out key distribution to the subsequent uploader SU.
Referring to Fig. 4, this step is implemented as follows:
3a) SU uploads its public key pk_SU to the server;
3b) the server forwards SU's public key pk_SU to the key distribution assistant AU;
3c) following the re-encryption key generation rule, AU generates the re-encryption key rk_{AU→SU} from its own private key sk_AU and the public key pk_SU received from the server:
3c1) two integers x_AU, y_AU are selected at random from the integer set Z_d to form AU's private key sk_AU:
sk_AU = (x_AU, y_AU),
where Z_d = {0, 1, ..., d-1} and d is prime;
3c2) two further integers x_SU, y_SU are selected at random from Z_d to form SU's private key sk_SU:
sk_SU = (x_SU, y_SU);
3c3) from the prime d, the cyclic group G of order d with generator g is determined, G = {g^0, g^1, ..., g^(d-1)};
3c4) a value g_j is selected at random from the cyclic group G, with j ranging from 0 to d-1;
3c5) from SU's private key sk_SU, the generator g of G and the value g_j, SU's public key pk_SU is computed:
pk_SU = (g^(x_SU), g_j^(x_SU^2), g^(y_SU)),
3c6) from AU's private key sk_AU and SU's public key pk_SU, the re-encryption key rk_{AU→SU} is computed:
rk_{AU→SU} = g_j^(x_SU^2 / x_AU).
3d) AU encrypts the file key k with its public key pk_AU to obtain the file-key ciphertext k'_AU:
3d1) from AU's private key sk_AU, its public key pk_AU is computed:
pk_AU = (g^(x_AU), g_j^(x_AU^2), g^(y_AU));
3d2) four distinct values g_h, g_u, g_v, g_w are selected at random from the cyclic group G, with h, u, v, w ranging from 0 to d-1, and two distinct values l, s are selected at random from the integer set Z_d;
3d3) from the values g_j, g_h, g_u, g_v, g_w, l, s, AU's public key pk_AU and the file key k, the intermediate variables C_1, C_2, C_3, C_4, C_5 are computed:
C_1 = g^(x_AU · l),
C_2 = g_h^l,
C_3 = e(g, g_j)^l · k,
C_4 = (g_u^t · g_v^s · g_w)^l, where t = TCR(C_2, C_3),
C_5 = s,
where e(g, g_j) is the bilinear map, k is the file key and TCR() is the collision-resistant hash function;
3d4) from the intermediate variables C_1, C_2, C_3, C_4, C_5 the file-key ciphertext k'_AU is obtained:
k'_AU = (C_1, C_2, C_3, C_4, C_5);
3e) AU returns its file-key ciphertext k'_AU, its public key pk_AU and the re-encryption key rk_{AU→SU} to the server together;
3f) the server applies proxy re-encryption with the re-encryption key rk_{AU→SU} to AU's file-key ciphertext k'_AU and obtains the re-encrypted ciphertext k''_SU:
3f1) two integers r' and r'' are selected at random from the integer set Z_d = {0, 1, ..., d-1};
3f2) from the integers r', r'', the file-key ciphertext k'_AU, AU's public key pk_AU and the re-encryption key rk_{AU→SU}, the intermediate variables C_6, C_7, C_8 are computed:
C_6 = C_1^(r''),
C_7 = g^(x_AU · r''),
C_8 = rk_{AU→SU}^(1/r''),
where C_1 is a component of the file-key ciphertext k'_AU = (C_1, C_2, C_3, C_4, C_5) and g^(x_AU) is a component of AU's public key pk_AU = (g^(x_AU), g_j^(x_AU^2), g^(y_AU));
3f3) from the file-key ciphertext k'_AU and the intermediate variables C_6, C_7, C_8, the intermediate variable k_t is computed:
k_t = C_2 || C_3 || C_4 || C_5 || C_6 || C_7 || C_8,
where || denotes concatenation;
3f4) from the generator g and the random number r', the intermediate variable A is computed:
A = g^(r'),
3f5) from the intermediate variable A, the value g_h, r', the intermediate variable k_t and AU's public key pk_AU, the re-encrypted ciphertext k''_SU is computed:
k''_SU = (A, B, C),
t' = TCR'(A),
B = (g^(y_AU · t') · g_h)^(r'),
C = SYM.Enc(H(g^(y_AU · t')), k_t),
where TCR'() is the collision-resistant hash function, SYM.Enc() is the symmetric encryption algorithm and H() is the random hash function;
3g) SU decrypts the re-encrypted ciphertext k''_SU with its private key sk_SU and obtains the file key k:
3g1) from SU's private key sk_SU and the re-encrypted ciphertext k''_SU, the intermediate variable k_t is computed:
k_t = SYM.Dec(H(A^(y_SU)), C),
where A and C are components of the re-encrypted ciphertext k''_SU = (A, B, C) and SYM.Dec() is the symmetric decryption algorithm;
3g2) the intermediate variable k_t is parsed:
k_t = C_2 || C_3 || C_4 || C_5 || C_6 || C_7 || C_8,
where || denotes concatenation;
3g3) from the intermediate variable k_t and SU's private key sk_SU, the file key k is computed:
k = C_3 / e(C_6, C_8)^(1/x_SU^2),
where e(C_6, C_8) is the bilinear map.
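As an added correctness check of step 3g3 (not part of the patent text), substituting the definitions of C_1 (step 3d3), rk_{AU→SU} (step 3c6) and C_6, C_8 (step 3f2) and using the bilinearity of e shows why the quotient returns the file key; exponents are taken modulo the group order, and x_AU, x_SU and r'' are assumed nonzero so that their inverses exist:

$$
\begin{aligned}
e(C_6, C_8) &= e\!\left(C_1^{\,r''},\; rk_{AU\to SU}^{\,1/r''}\right)
 = e\!\left(g^{\,x_{AU}\, l\, r''},\; g_j^{\,x_{SU}^2/(x_{AU}\, r'')}\right)
 = e(g, g_j)^{\,l\, x_{SU}^2}, \\
e(C_6, C_8)^{1/x_{SU}^2} &= e(g, g_j)^{\,l}, \\
\frac{C_3}{e(C_6, C_8)^{1/x_{SU}^2}} &= \frac{e(g, g_j)^{\,l}\cdot k}{e(g, g_j)^{\,l}} = k .
\end{aligned}
$$

The server never sees x_SU or x_AU: it only raises C_1 to r'' and rk_{AU→SU} to 1/r'', so the blinding factor r'' cancels inside the pairing while the exponent x_SU^2 that only SU can remove remains.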

Claims (8)

1. encrypt the cryptographic key distribution method under data de-duplication scene, comprise the steps:
(1) the first uploader FU of file uploads middle evidence and original document ciphertext:
1a) the first uploader FU of file, according to the requirement of the zero knowledge probative agreement based on Schnorr system, carries out after piecemeal original document m, utilizes congruence to generate middle evidence IPs;
1b) the random select File key of the first uploader FU of file, carries out symmetric cryptography to original document m and obtains original document ciphertext m ';
1c) upload middle evidence IPs and original document ciphertext m ' to server;
(2) follow-up uploader SU and server carry out File Ownership proves mutual:
2a) follow-up uploader SU selects random number r, generates coefficient correlation x and is sent to server: x=β rmod d, wherein, 1≤β≤d-1, β is that rank are the unit of q, i.e. 1=β qmod d, d and q are prime number, and meet d-1 and can be divided exactly by q;
2b) the random select File piece of server is counted c and two random number s ', s ' ', and the set of composition authentication challenge:
Chal=(c, s ', s ' '), and be sent to follow-up uploader SU;
2c) follow-up uploader SU is according to had original document m and authentication challenge set Chal, and spanned file evidences of title FPs is also sent to server;
2d) server is according to middle evidence IPs and the File Ownership evidence FPs that receives from follow-up uploader SU, generate two groups of evidence spacing DPs, to determine whether to admit the File Ownership of follow-up uploader SU, admit the File Ownership of follow-up uploader SU, server is labeled as follow-up uploader SU the owner of file, execution step (3); Otherwise, this File Ownership authentification failure of follow-up uploader SU;
(3) extremely follow-up uploader SU of server distributed key:
3a) follow-up uploader SU uploads the PKI pk of oneself sUto server;
3b) server is by the PKI pk of follow-up uploader SU sUbe sent to key distribution auxiliary AU;
3c) the private key sk of oneself for key distribution auxiliary AU aUwith the PKI pk receiving from server sU, generate re-encrypted private key rk aU → SU;
3d) key distribution auxiliary AU PKI pk aUencrypt file key, obtains file key ciphertext k ' aU;
3e) key distribution auxiliary AU is by the file key ciphertext k ' of oneself aU, PKI pk aUand re-encrypted private key rk aU → SUbe back to server simultaneously;
3f) server re-encrypted private key rk aU → SUto the file key ciphertext k ' of key distribution auxiliary AU aUact on behalf of re-encryption, obtain re-encryption ciphertext k ' ' sUand send it to follow-up uploader SU;
3g) its private key sk for follow-up uploader SU sUdeciphering re-encryption ciphertext k ' ' sU, obtain file key.
2. the cryptographic key distribution method under encryption data de-duplication scene according to claim 1, is characterized in that step 1a) described utilize congruence generate in the middle of evidence IPs, by following formula, generate:
IPs={IPs i},
Wherein, IPs ielement in the middle of being in evidence IPs, b ioriginal document m={b 1, b 2..., b i..., b neach piecemeal, i is from 1 to n, n is the block count of original document m, 1≤β≤d-1, β is that rank are the unit of q, i.e. 1=β qmod d, d and q are prime number, and meet d-1 and can be divided exactly by q, and mod is complementation computing.
3. the cryptographic key distribution method under encryption data de-duplication scene according to claim 1, it is characterized in that, step 2c) described according to had original document m and authentication challenge set Chal, spanned file evidences of title FPs, carries out as follows:
FPs={FPs i},
Wherein, FPs ithe element in File Ownership evidence FPs, fPs i=b i* s ' '+r,
Figure FDA0000454841070000023
pseudo-random permutation function, b ioriginal document m={b 1, b 2..., b i..., b neach piecemeal, r is random number, ρ is from 1 to c, c is the blocks of files number in authentication challenge set Chal, s ', s ' ' is two random numbers in authentication challenge set Chal.
4. the cryptographic key distribution method under encryption data de-duplication scene according to claim 1, it is characterized in that, step 2d) described according to middle evidence IPs and the File Ownership evidence FPs that receives from follow-up uploader SU, generate two groups of evidence spacing DPs, by following formula, undertaken:
DPs={DPs i},
DPs i = IPs i s ′ ′ * β FPs i mod d ,
Wherein, DPs ithe element of evidence spacing DPs, IPs ithe element of evidence IPs in the middle of being, FPs iit is the element of File Ownership evidence FPs.
5. The key distribution method in the encrypted data de-duplication scenario according to claim 1, characterized in that the generation of the re-encryption key $rk_{AU \to SU}$ in step 3c), by the key distribution auxiliary AU from its own private key $sk_{AU}$ and the public key $pk_{SU}$ received from the server, is carried out as follows:
3c1) randomly select two integers $x_{AU}, y_{AU}$ from the integer set $Z_d$ to form the private key $sk_{AU}$ of the key distribution auxiliary AU:
$sk_{AU} = (x_{AU}, y_{AU})$,
where the integer set $Z_d = \{0, 1, \ldots, d-1\}$ and d is a prime number;
3c2) randomly select two integers $x_{SU}, y_{SU}$ from the integer set $Z_d$ to form the private key $sk_{SU}$ of the follow-up uploader SU:
$sk_{SU} = (x_{SU}, y_{SU})$;
3c3) according to the prime number d, determine the cyclic group G of order d with generator g, $G = \{g^0, g^1, \ldots, g^{d-1}\}$;
3c4) randomly select an element $g^j$ from the cyclic group G, where j ranges from 0 to d-1;
3c5) from the private key $sk_{SU}$ of the follow-up uploader SU, the generator g of the cyclic group G and the element $g^j$, compute the corresponding public key $pk_{SU}$:
$pk_{SU} = (g^{x_{SU}},\ g^{j \cdot x_{SU}^2},\ g^{y_{SU}})$;
3c6) from the private key $sk_{AU}$ of the key distribution auxiliary AU and the public key $pk_{SU}$ of the follow-up uploader SU, compute the re-encryption key $rk_{AU \to SU}$:
$rk_{AU \to SU} = g^{j \cdot x_{SU}^2 / x_{AU}}$.
6. The key distribution method in the encrypted data de-duplication scenario according to claim 1, characterized in that the encryption of the file key in step 3d), by the key distribution auxiliary AU with its public key $pk_{AU}$, to obtain the file key ciphertext $k'_{AU}$, is carried out as follows:
3d1) from the private key $sk_{AU}$ of the key distribution auxiliary AU, compute its corresponding public key $pk_{AU}$:
$pk_{AU} = (g^{x_{AU}},\ g^{j \cdot x_{AU}^2},\ g^{y_{AU}})$;
3d2) randomly select four distinct elements $g^h, g^u, g^v, g^w$ from the cyclic group G, where h, u, v, w each range from 0 to d-1, and randomly select two distinct values l, s from the integer set $Z_d$;
3d3) from the elements $g^j, g^h, g^u, g^v, g^w$, the values l, s, the public key $pk_{AU}$ of the key distribution auxiliary AU and the file key k, compute the intermediate variables $C_1, C_2, C_3, C_4, C_5$:
$C_1 = g^{x_{AU} \cdot l}$,
$C_2 = g^{h \cdot l}$,
$C_3 = e(g, g^j)^l \cdot k$,
$C_4 = (g^{u \cdot t}\, g^{v \cdot s}\, g^w)^l$, where $t = TCR(C_2, C_3)$,
$C_5 = s$,
where $e(g, g^j)$ is a bilinear map, k is the file key, and TCR() is a collision-resistant hash function;
3d4) from the intermediate variables $C_1, C_2, C_3, C_4, C_5$, obtain the file key ciphertext $k'_{AU}$:
$k'_{AU} = (C_1, C_2, C_3, C_4, C_5)$.
7. The key distribution method in the encrypted data de-duplication scenario according to claim 1 or 5, characterized in that the proxy re-encryption of the file key ciphertext $k'_{AU}$ of the key distribution auxiliary AU in step 3f), using the re-encryption key $rk_{AU \to SU}$, to obtain the re-encrypted ciphertext $k''_{SU}$, is carried out as follows:
3f1) randomly select two integers r' and r'' from the integer set $Z_d = \{0, 1, \ldots, d-1\}$;
3f2) from the integers r' and r'', the file key ciphertext $k'_{AU}$, the public key $pk_{AU}$ of the key distribution auxiliary AU and the re-encryption key $rk_{AU \to SU}$, compute the intermediate variables $C_6, C_7, C_8$:
$C_6 = C_1^{\,r''}$,
$C_7 = g^{x_{AU} \cdot r''}$,
$C_8 = rk_{AU \to SU}^{\,1/r''}$,
where $C_1$ is a component of the file key ciphertext $k'_{AU} = (C_1, C_2, C_3, C_4, C_5)$, and the element referenced by Figure FDA0000454841070000046 (an image in the original, not reproduced here) is a component of the public key $pk_{AU} = (g^{x_{AU}},\ g^{j \cdot x_{AU}^2},\ g^{y_{AU}})$ of the key distribution auxiliary AU;
3f3) from the file key ciphertext $k'_{AU}$ and the intermediate variables $C_6, C_7, C_8$, compute the intermediate variable $k_t$:
$k_t = C_2 \| C_3 \| C_4 \| C_5 \| C_6 \| C_7 \| C_8$,
where the symbol $\|$ denotes concatenation;
3f4) from the generator g and the random number r', compute the intermediate variable A:
$A = g^{r'}$;
3f5) from the intermediate variable A, the element $g^h$, the random number r', the intermediate variable $k_t$ and the public key $pk_{AU}$ of the key distribution auxiliary AU, compute the re-encrypted ciphertext $k''_{SU}$:
$t' = TCR'(A)$,
$B = (g^{y_{AU} \cdot t'} \cdot g^h)^{r'}$,
$C \leftarrow SYM.Enc(H(g^{y_{AU} \cdot t'}),\ k_t)$,
$k''_{SU} = (A, B, C)$,
where TCR'() is a collision-resistant hash function, SYM.Enc() is a symmetric encryption algorithm, and H() is a random hash function.
8. The key distribution method in the encrypted data de-duplication scenario according to claim 1 or 5, characterized in that the decryption of the re-encrypted ciphertext $k''_{SU}$ in step 3g), by the follow-up uploader SU with its private key $sk_{SU}$, to obtain the file key k, is carried out as follows:
3g1) from the private key $sk_{SU}$ of the follow-up uploader SU and the re-encrypted ciphertext $k''_{SU}$, compute the intermediate variable $k_t$:
$k_t = SYM.Dec(H(A^{y_{SU}}),\ C)$,
where the variables A and C are components of the re-encrypted ciphertext $k''_{SU} = (A, B, C)$ and SYM.Dec() is the symmetric decryption algorithm;
3g2) parse the intermediate variable $k_t$:
$k_t = C_2 \| C_3 \| C_4 \| C_5 \| C_6 \| C_7 \| C_8$,
where the symbol $\|$ denotes concatenation;
3g3) from the intermediate variable $k_t$ and the private key $sk_{SU}$ of the follow-up uploader SU, compute the file key k:
$k = C_3 \big/ e(C_6, C_8)^{1/x_{SU}^2}$,
where $e(C_6, C_8)$ is a bilinear map.
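
To check the algebra of the proxy re-encryption core in claims 5 to 8, here is an added worked example in Python; it is not part of the patent and not code by its authors. It models the group in the generic-group style: each element $g^a$ of G is stored as its exponent a modulo the prime order d, so exponentiation becomes multiplication of exponents, multiplication in the target group becomes addition of exponents, and the symmetric bilinear map becomes $e(g^a, g^b) = e(g,g)^{ab}$, a product of exponents; the file key k is likewise represented by its exponent in the target group. The prime d, the function names, and the omission of the symmetric wrapping of $k_t$ (steps 3f3 to 3f5 and 3g1 to 3g2) and of the components $C_2$, $C_4$, $C_5$ that the recovery in step 3g3 does not use are all assumptions of the example. It shows that $rk_{AU \to SU}$ lets the server convert a ciphertext under $pk_{AU}$ into one that SU opens with $x_{SU}$ alone, and it exercises only the exponent arithmetic, not a real pairing implementation.

```python
"""Generic-group check of the proxy re-encryption algebra in claims 5-8.

Added illustration, not the patent's own code. Group elements g^a of G and
e(g,g)^a of the target group are stored as the exponent a modulo the prime
order d, so this reproduces only the algebra of the claims (exponent
arithmetic), not a pairing-friendly curve and not a secure implementation.
"""
import secrets

D = 1_000_003  # constructed prime group order d for the toy model (assumption)


def inv(a: int) -> int:
    """Multiplicative inverse modulo d (d is prime)."""
    return pow(a, -1, D)


def rand_nonzero() -> int:
    """Random element of Z_d other than 0; a zero exponent would give a degenerate key."""
    return secrets.randbelow(D - 1) + 1


def keygen() -> tuple:
    """Steps 3c1/3c2: a private key is a pair (x, y) of random integers in Z_d."""
    return (rand_nonzero(), rand_nonzero())


def pubkey(sk: tuple, j: int) -> tuple:
    """Steps 3c5/3d1: pk = (g^x, g^{j*x^2}, g^y), stored as exponents."""
    x, y = sk
    return (x, j * x * x % D, y)


def rekey(sk_au: tuple, pk_su: tuple) -> int:
    """Step 3c6: rk_{AU->SU} = g^{j*x_SU^2 / x_AU}.

    AU knows x_AU and reads g^{j*x_SU^2} off pk_SU, so it never learns x_SU.
    """
    x_au, _ = sk_au
    return pk_su[1] * inv(x_au) % D


def encrypt(pk_au: tuple, j: int, k: int) -> tuple:
    """Step 3d3, pairing-bound part: C1 = g^{x_AU*l}, C3 = e(g, g^j)^l * k.

    k is the file key as a target-group exponent. C2, C4, C5 (the TCR-bound
    consistency components) are left out because step 3g3 does not use them.
    """
    l = rand_nonzero()
    c1 = pk_au[0] * l % D
    c3 = (j * l + k) % D  # multiplying in the target group adds exponents
    return (c1, c3)


def reencrypt(pk_au: tuple, rk: int, ct: tuple) -> tuple:
    """Step 3f2: C6 = C1^{r''}, C7 = g^{x_AU*r''}, C8 = rk^{1/r''}."""
    c1, c3 = ct
    r2 = rand_nonzero()
    c6 = c1 * r2 % D
    c7 = pk_au[0] * r2 % D
    c8 = rk * inv(r2) % D
    return (c3, c6, c7, c8)


def pairing(a: int, b: int) -> int:
    """Symmetric bilinear map in the generic model: e(g^a, g^b) = e(g,g)^{ab}."""
    return a * b % D


def decrypt(sk_su: tuple, rct: tuple) -> int:
    """Step 3g3: k = C3 / e(C6, C8)^{1/x_SU^2}."""
    x_su, _ = sk_su
    c3, c6, _c7, c8 = rct
    mask = pairing(c6, c8) * inv(x_su * x_su % D) % D  # equals e(g,g)^{l*j}
    return (c3 - mask) % D  # dividing in the target group subtracts exponents


def run_protocol(k: int) -> int:
    """Full AU -> server -> SU flow; returns the key SU recovers."""
    j = rand_nonzero()                  # step 3c4: random g^j shared by both keys
    sk_au, sk_su = keygen(), keygen()
    pk_au, pk_su = pubkey(sk_au, j), pubkey(sk_su, j)
    rk = rekey(sk_au, pk_su)            # computed by AU, held by the server
    ct = encrypt(pk_au, j, k)           # AU encrypts the file key under pk_AU
    rct = reencrypt(pk_au, rk, ct)      # server proxy re-encrypts with rk
    return decrypt(sk_su, rct)          # SU opens it with x_SU only


if __name__ == "__main__":
    key = 424242
    print("recovered file key matches:", run_protocol(key) == key)
```

The point to notice is the shape of rekey(): it takes only AU's private exponent and SU's public key, which is exactly the dependency in step 3c6, so the re-encryption key can be produced without SU's secret and the server that stores it learns neither private key. The exponent bookkeeping also makes the cancellation in step 3g3 visible: $C_6$ carries $x_{AU} l r''$, $C_8$ carries $j x_{SU}^2 / (x_{AU} r'')$, their pairing leaves $l j x_{SU}^2$, and raising to $1/x_{SU}^2$ leaves the mask $l j$ that was added to k in $C_3$.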

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410010603.XA CN103731261B (en) 2014-01-09 2014-01-09 Secret key distribution method under encrypted repeating data deleted scene

Publications (2)

Publication Number Publication Date
CN103731261A true CN103731261A (en) 2014-04-16
CN103731261B CN103731261B (en) 2017-01-18

Family

ID=50455197

Country Status (1)

Country Link
CN (1) CN103731261B (en)

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
刘文菊: "Security model for identity-based key exchange", 《通信学报》 (Journal on Communications) *
汤鹏志: "Zero-knowledge proof of the Schnorr digital signature", 《微电子学与计算机》 (Microelectronics & Computer) *

Cited By (36)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104021157A (en) * 2014-05-22 2014-09-03 西安理工大学 Method for keyword searchable encryption based on bilinear pairs in cloud storage
CN104022866A (en) * 2014-05-22 2014-09-03 西安理工大学 Searchable encryption method for multi-user cipher text keyword in cloud storage
CN104023051A (en) * 2014-05-22 2014-09-03 西安理工大学 Multi-user multi-keyword searchable encryption method in cloud storage
CN104021157B (en) * 2014-05-22 2019-04-02 广州爱范儿科技股份有限公司 Keyword in cloud storage based on Bilinear map can search for encryption method
US10897362B2 (en) 2014-12-18 2021-01-19 Nokia Technologies Oy De-duplication of encrypted data
CN104468612A (en) * 2014-12-24 2015-03-25 无锡儒安科技有限公司 Privacy protection type attribute matching method based on symmetrical encryption
CN104468612B (en) * 2014-12-24 2017-06-23 无锡儒安科技有限公司 The Attribute Matching Approach of the protection privacy based on symmetric cryptography
CN104660720A (en) * 2015-03-25 2015-05-27 成都艺辰德迅科技有限公司 Security storage method based on identity authentication
CN104683113A (en) * 2015-03-25 2015-06-03 成都艺辰德迅科技有限公司 Security storage method based on data encryption
CN104935588A (en) * 2015-06-12 2015-09-23 华中科技大学 Layered key management method of secure cloud storage system
CN104935588B (en) * 2015-06-12 2017-11-24 华中科技大学 A kind of hierarchical encryption management method of safe cloud storage system
CN105072300A (en) * 2015-08-05 2015-11-18 南京感动科技有限公司 Voice communication method for cloud supervision
CN105141602A (en) * 2015-08-18 2015-12-09 西安电子科技大学 File ownership proof method based on convergence encryption
CN105187456A (en) * 2015-10-27 2015-12-23 成都卫士通信息产业股份有限公司 Cloud-drive file data safety protection method
KR102415626B1 (en) * 2016-01-04 2022-07-01 한국전자통신연구원 Method and apparatus for verifying data ownership
KR20170081498A (en) * 2016-01-04 2017-07-12 한국전자통신연구원 Method and apparatus for verifying data ownership
US10515225B2 (en) * 2016-01-04 2019-12-24 Electronics And Telecommunications Research Institute Method for mutual verifying of data ownership
CN107665311A (en) * 2016-07-28 2018-02-06 中国电信股份有限公司 Authentication Client, encryption data access method and system
CN106534077A (en) * 2016-10-18 2017-03-22 华南理工大学 Authenticable agent re-encryption system and method based on symmetric cryptography
CN106534077B (en) * 2016-10-18 2019-08-20 华南理工大学 A kind of identifiable proxy re-encryption system and method based on symmetric cryptography
CN106506474A (en) * 2016-11-01 2017-03-15 西安电子科技大学 A kind of efficient traceable data sharing method based on mobile cloud environment
CN106506474B (en) * 2016-11-01 2020-01-17 西安电子科技大学 Efficient traceable data sharing method based on mobile cloud environment
CN107147615A (en) * 2017-03-29 2017-09-08 西安电子科技大学 Ownership certification and the key transmission method of entropy are not lost under ciphertext duplicate removal scene
CN107147615B (en) * 2017-03-29 2019-10-25 西安电子科技大学 Ownership certification and the key transmission method of entropy are not lost under ciphertext duplicate removal scene
CN106790311A (en) * 2017-03-31 2017-05-31 青岛大学 Cloud Server stores integrality detection method and system
CN110800248A (en) * 2017-06-14 2020-02-14 泰雷兹数字安全法国股份有限公司 Method for mutual symmetric authentication between a first application and a second application
CN110800248B (en) * 2017-06-14 2022-11-22 泰雷兹数字安全法国股份有限公司 Method for mutual symmetric authentication between a first application and a second application
CN107741947B (en) * 2017-08-30 2020-04-24 浙江九州量子信息技术股份有限公司 Method for storing and acquiring random number key based on HDFS file system
CN107741947A (en) * 2017-08-30 2018-02-27 浙江九州量子信息技术股份有限公司 The storage of random number key based on HDFS file system and acquisition methods
CN109450648A (en) * 2018-12-27 2019-03-08 石更箭数据科技(上海)有限公司 Key generating device, data processing equipment and stream compression system
CN109450648B (en) * 2018-12-27 2022-01-28 石更箭数据科技(上海)有限公司 Key generation device, data processing apparatus, and data transfer system
CN110289950A (en) * 2019-05-29 2019-09-27 杭州隐知科技有限公司 A kind of key information generation method and device
CN110289950B (en) * 2019-05-29 2021-11-09 北京链化未来科技有限公司 Key information generation method and device
CN110443053A (en) * 2019-07-31 2019-11-12 四川效率源信息安全技术股份有限公司 A kind of key generation method based on key rotation table and mapping table
CN110443053B (en) * 2019-07-31 2023-03-14 四川效率源信息安全技术股份有限公司 Key generation method based on key cycle table and mapping table
CN112134939A (en) * 2020-09-16 2020-12-25 许永宾 Block city cloud platform based on smart city

Also Published As

Publication number Publication date
CN103731261B (en) 2017-01-18

Similar Documents

Publication Publication Date Title
CN103731261B (en) Secret key distribution method under encrypted repeating data deleted scene
CN106961336B (en) A kind of key components trustship method and system based on SM2 algorithm
Timothy et al. A hybrid cryptography algorithm for cloud computing security
Mao et al. Generic and efficient constructions of attribute-based encryption with verifiable outsourced decryption
Xue et al. Provable data transfer from provable data possession and deletion in cloud storage
CN102611749B (en) Cloud-storage data safety auditing method
CN105681273B (en) Client-side deduplication method
Liang et al. A CCA-secure identity-based conditional proxy re-encryption without random oracles
CN107124268A (en) A kind of privacy set common factor computational methods for resisting malicious attack
CN110011781A (en) A kind of homomorphic cryptography method encrypting and support zero-knowledge proof for transaction amount
CN104486307A (en) Decentralized key management method based on homomorphic encryption
Nirmala et al. Data confidentiality and integrity verification using user authenticator scheme in cloud
CN104038341A (en) Identity-based cross-system proxy re-encryption method
CN112543187A (en) Industrial Internet of things safety data sharing method based on edge block chain
CN110414981A (en) A kind of homomorphic cryptography method that supporting ZKPs and block chain transaction amount encryption method
Udendhran A hybrid approach to enhance data security in cloud storage
Wang et al. A regulation scheme based on the ciphertext-policy hierarchical attribute-based encryption in bitcoin system
CN103746811A (en) Anonymous signcryption method from identity public key system to certificate public key system
CN104539610A (en) Agent re-encryption method for improving outsourced encrypted data sharing function
Lan et al. A New Security Cloud Storage Data Encryption Scheme Based on Identity Proxy Re-encryption.
CN109976948A (en) Private information backup method and recovery method and system
CN104320249B (en) A kind of elastoresistance leakage encryption method of identity-based
Peng et al. Efficient distributed decryption scheme for IoT gateway-based applications
CN103746810A (en) Anonymous sign-cryption method from certificate public key system to identity public key system
Li et al. Recoverable private key scheme for consortium blockchain based on verifiable secret sharing

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20170118

Termination date: 20220109
