CN103731261B - Secret key distribution method under encrypted repeating data deleted scene - Google Patents

Abstract

The invention discloses a secret key distribution method under an encrypted repeating data deleted scene. The secret key distribution method under the encrypted repeating data deleted scene mainly solves the problems that the prior art is low in safety and large in computing amount. The secret key distribution method under the encrypted repeating data deleted scene comprises steps of (1), achieving file ownership authentication through zero-knowledge authentication which is based on a Schnorr system and every time extracting a plurality of plaintext files to generate into ownership evidences; (2), judging whether a client passes the file ownership authentication through a server according to pre-obtained middle evidences and the ownership evidences submitted through the client; (3) generating into repeat encrypted secret keys through a secret key distribution auxiliary, enabling the server to perform agent repeat encryption on the file secret keys through the repeat encrypted secret keys, generating into the repeat encrypted cryptograph, sending the repeat encrypted cryptograph to the client and achieving distribution of the file secret keys. The secret key distribution method under the encrypted repeating data deleted scene can improve the safety of client data, reduce computing amount of the client and the server during the interactive process and applied to the cloud store service which is equipped with the repeat data deleting technology.

Description

Cryptographic key distribution method under encryption data de-duplication scene

Technical field

The invention belongs to field of information security technology, particularly to a kind of cryptographic key distribution method, can be used for cloud storage service In, under the encryption data de-duplication scene that multi-client intersects, client is distributed to the key of initial data.

Background technology

Growing with cloud computing technology, more and more personal begin to use with enterprise inexpensively, easily cloud service With branching operation and storage.In such a mode, substantial amounts of redundant data will certainly be produced.In order to save the uploading bandwidth of user With the storage resource of cloud service provider, " data de-duplication " technology is suggested.This technology can ensure that server memory is stored up Uniqueness in block level or file-level for the data, to reduce data redundancy.

" data de-duplication " technology classification has: the opportunity according to data de-duplication application is different, has client weight Complex data deletes server end data de-duplication；There are block level data de-duplication and file-level weight according to data granularity size Complex data is deleted.Wherein, during the client-side deduplication of file-level, server judges according to file identification first Whether this document has existed, if existed, this client need not go up transmitting file, and this client only need to be marked by server File owner.Undoubtedly, this technology not only can save the storage resource of server, but also can save the net of user Network bandwidth.At present, there is much well-known cloud storage service, such as dropbox and memopal, using this technology.It is said that business Apply reached data de-duplication rate from 1:10 to 1:500 so that storage and bandwidth conservation reach 90%.

In existing client-side deduplication system, file cryptographic Hash that server is submitted to by client is sentencing Whether disconnected file exists.Such mechanism can bring potential injury to user, and such as attacker by server end can be The no reply needing to upload, to guess whether other clients have this document, can guess the body of user by such exploration Part information, this attack has been applied to some well-known storage service providers, such as mozyhome and dropbox.Also has a class Attack is that attacker obtains the cryptographic Hash of file according to certain mode, but does not have actual file, by existing machine System, he can be with unauthorized access actual file, because server thinks " have file cryptographic Hash then represent have complete file ". Meanwhile, this also can make attacker abuse as content distributing network (cdn) by data storage service, i.e. publication document cryptographic Hash, With shared file in colony, this is greatly increased the load of cloud service provider.

Personal data secret protection consciousness with user improves constantly, and increasing cloud service provider claims offer Encryption storage, but it has been reported that, the client software of social networks twitter there are security breaches so that attacker is permissible Access the private data of user.But the storage encryption that service provides nor the server acquisition user avoiding " honest and curious " Data.Therefore, occur in that the client-side deduplication scheme that another kind of combination " end-to-end " is encrypted.In this scheme, File is encrypted by the key that user randomly chooses, and file cipher text uploads onto the server.But this introduces a new problem again, Except the owner of key, whether no one can determine that two parts of ciphertexts corresponding to a plaintext, and server can only be directed to a certain User uses data de-duplication technology, and this will substantially reduce the deletion efficiency of repeated data.

In order to solve the above problems, industry proposes solution below:

Whether one .harnik et al. proposes pow (proofs of ownership) strategy real to verify user Have file: after server and client side pre-processes to file, set up merkle tree, server randomly chooses a leaf The set of child node, challenges to client it is desirable to client returns from merkle root vertex to this leaf node collection Set of paths.But this document ownership certificate scheme has two shortcomings: first, the program needs client to frequently execute pole For time-consuming i/o request and a large amount of consumption calculations resource；Second, the security of scheme is based on hypothesis difficult of proof.

Two. convergent encryption is the cryptographic primitive being proposed by douceur et al. it is intended to protect in data de-duplication The confidentiality of card data.The convergent encryption of data refers to the symmetric encryption scheme determining, plaintext is encrypted, encryption key Obtained by the method that determination is applied on plaintext.Obviously, identical plaintext will produce identical key and identical ciphertext, So that the data de-duplication across user is achieved.But convergent encryption is not provided that Semantic Security, because it is easily by interior Hold guessing attack.Shown by the result of study of bellare et al., convergent encryption is only uncertain data and provides guarantor Close property.

Three. in known scheme, also there is not special cipher key distribution scheme.After file key is encrypted, directly transmit To client, and key-encrypting key generally uses key generation method in similar convergent encryption scheme to obtain, that is, its with The method determining is by generating in plain text.Therefore, key-encrypting key can face and attack with convergent encryption scheme identical: first, interior Hold guessing attack；Second, no Semantic Security ensures.

Content of the invention

Present invention aims to the deficiency of above-mentioned prior art, propose under a kind of encryption data de-duplication scene Cryptographic key distribution method, with the cloud storage service of data de-duplication improve user data security, reduce client With operand in interaction for the server.

The technical scheme is that and be achieved in that:

One. know-why:

In order to solve the safety problem in " data de-duplication under the conditions of user data secret protection " scene, the present invention One cryptography safety, efficient proof scheme are proposed.Include two parts in the program, be based on schnorr body respectively The File Ownership of zero knowledge probative agreement processed proves and using the key distribution acting on behalf of re-encryption realization.

Using the proof realizing File Ownership based on the zero knowledge probative agreement of schnorr system.Zero-knowledge proof, that is, On the premise of not revealing knowledge, subject proves the correctness of a certain judgement to verifier.Due to its intrinsic " Zero Knowledge " Attribute, the evidences of title based on original plain text file will not reveal original plain text file information, is ensured in interaction with this The confidentiality of data.The first uploader of file, according to original document, calculates middle evidence and uploads onto the server；On follow-up During the File Ownership that biography person is carried out with server proves to interact, server compares the ownership of middle evidence and follow-up uploader Evidence, to determine whether to recognize the File Ownership of follow-up uploader.Server, according to stochastical sampling and coefficient of dynamics technology, allows Follow-up uploader generates fresh evidences of title, to keep out Replay Attack.

Meanwhile, using act on behalf of Re-encryption Technology realize key distribution.Act on behalf of re-encryption, that is, close with authorized person's public key encryption Literary composition can be converted into the ciphertext that grantee's private key can be deciphered.When having follow-up uploader after File Ownership certification, assist The file owners of key distribution generate re-encrypted private key rk, and obtain file key ciphertext k ' with public key encryption file key k, clothes Business device is carried out after re-encryption computing to file key ciphertext k ' using re-encrypted private key rk, obtains re-encryption ciphertext k ' '.Follow-up upload After person obtains the re-encryption ciphertext k ' ' of file key k, just can obtain file key k with its private key deciphering re-encryption ciphertext k ' ', Realize the mandate to original document with this to access.

Two. realize step:

The first uploader for identical file and follow-up uploader, the concrete steps of realizing of the present invention include:

(1) evidence and original document ciphertext in the middle of the upload of file first place uploader fu:

1a) the first uploader fu of file is according to the requirement of the zero knowledge probative agreement based on schnorr system, to original After file m carries out piecemeal, generate middle evidence ips using congruence；

1b) the first uploader fu of file randomly chooses file key k, original document m is carried out symmetric cryptography obtain original File cipher text m ', and the public key pk with file first place uploader fu_fuEncryption file key k, obtains file key ciphertext k '_fu；

1c) upload middle evidence ips, original document ciphertext m ' and file key ciphertext k '_fuTo server；

(2) follow-up uploader su carries out File Ownership with server proves to interact:

2a) follow-up uploader su selects random number r, generates coefficient correlation x and sends to server: x=β^rMod d, its In, 1≤β≤d-1, β are the units that rank is q, i.e. 1=β^qMod d, d and q are prime number, and meet d and can be divided exactly by q for 1；

2b) server randomly chooses file block number c and two random number s ', s ' ', composition authentication challenge set:

Chal=(c, s ', s ' '), and send to follow-up uploader su；

2c) follow-up uploader su, according to the original document m being had and authentication challenge set chal, generates File Ownership Evidence fps simultaneously sends to server；

2d) server is according to middle evidence ips with the File Ownership evidence fps that receives from follow-up uploader su, raw Become between two groups of evidences apart from dps, to determine whether to recognize the File Ownership of follow-up uploader su, recognize follow-up uploader su File Ownership, then server follow-up uploader su is labeled as the owner of file, execution step (3)；Otherwise, follow-up upload This File Ownership authentification failure of person su；

(3) server distribution key is to follow-up uploader su:

3a) follow-up uploader su uploads the public key pk of oneself_suTo server；

3b) server is by the public key pk of follow-up uploader su_suSend and distribute auxiliary au to key；

3c) key distributes the auxiliary au private key sk of oneself_auWith the public key pk receiving from server_su, generate re-encryption Key rk_au→su；

3d) key distribution auxiliary au public key pk_auEncryption file key k, obtains file key ciphertext k '_au；

3e) key distribution auxiliary au is by the file key ciphertext k ' of oneself_au, public key pk_auAnd re-encrypted private key rk_au→su It is back to server simultaneously；

3f) server re-encrypted private key rk_au→suKey is distributed with the file key ciphertext k ' of auxiliary au_auCarry out generation Reason re-encryption, obtains re-encryption ciphertext k ' '_suAnd send it to follow-up uploader su；

3g) follow-up uploader su its private key sk_suDeciphering re-encryption ciphertext k ' '_su, obtain file key k.

The present invention compared with prior art has the advantage that

First, confidentiality is strong.

The present invention using File Ownership certification is realized based on the Zero Knowledge certification of schnorr system so that server no The evidences of title that method is submitted to according to client obtains any information related to original plain text file it is ensured that in verification process The high confidentiality of data.

Second, safe.

The present invention carries out key distribution so that server cannot obtain any of file key using acting on behalf of Re-encryption Technology Information is it is ensured that the high security of file key.

3rd, operand is few.

The present invention extracts a number of blocks of files using random sampling technique and carries out ownership certification, decreases server Operand with client；Based on the evidences of title generation method of original plain text file, save client to original plaintext The cryptographic calculation of file.

Brief description

Fig. 1 is the general flow chart of the present invention；

Fig. 2 is the sub-process figure that in the present invention, File Ownership certification prepares；

Fig. 3 is the sub-process figure of File Ownership authentication phase interaction in the present invention；

Fig. 4 is the sub-process figure of key distribution phase interaction in the present invention.

Specific embodiment

Symbol and abbreviation

M is original document；

K is the file key of the original document that file first place uploader randomly chooses；

M ' is original document ciphertext, i.e. the ciphertext form of original document m gained after file key k encryption；

N is the piecemeal number of original document；

{b₁,b₂,…,b_i,…,b_nFor original document piecemeal set；

pk_fu,sk_fuPublic private key pair for the first uploader fu；

pk_su,sk_suPublic private key pair for follow-up uploader su；

pk_au,sk_auDistribute the public private key pair of auxiliary au for key；

k′_auDistribute the public key pk of auxiliary au for file key k through key_auCiphertext form after encryption；

k′′_suFor file key ciphertext k '_auCiphertext form after re-encryption；

C challenges in proof procedure for single, the blocks of files number of request；

D, q are prime number, and both sides relation meets d | p-1；

β is the unit that rank is q, i.e. 1=β^qMod d, 1≤β≤d-1；

G is rank is that d generates the cyclic group for g for the unit, g={ g⁰,g¹,…,g^d-1}；

H () is random Harsh function；

g^j,g^h,g^u,g^v,g^wBe the four different numerical value selecting from cyclic group g, the span of j, h, u, v, w all from 0 arrives d-1；

L, s are from integer set z_dTwo different numerical value of middle selection；

Mod is complementation computing；

Tcr () is collisionless hash function, and this function has two |input parametes, and this two parameter belongs to cyclic group g；

Tcr ' () is collisionless hash function, and this function has a |input paramete, and this parameter belongs to cyclic group g；

Sym.enc () is symmetric encryption scheme；

Sym.dec () is symmetrical deciphering scheme.

Further illustrate embodiment of the present invention below by the drawings and specific embodiments.

With reference to Fig. 1, the present invention to realize step as follows:

Step 1, the first uploader fu is authenticated to File Ownership preparing.

With reference to Fig. 2, being implemented as follows of this step:

1a) original document m is divided into equal-sized n block, obtains m={ b₁,b₂,…,b_i,…,b_n}；

1b) according to the requirement of the zero knowledge probative agreement based on schnorr system, for each piecemeal of original document m, Using evidence ips in the middle of congruence generation:

ips={ips_i,

Wherein, ips_iIt is the element in middle evidence ips,b_iIt is original document m={ b₁, b₂,…,b_i,…,b_nEach piecemeal, from 1 to n, 1≤β≤d-1, β are the units that rank is q to i, i.e. 1=β^qMod d, d are with q Prime number, and meet d-1 and can be divided exactly by q, mod is complementation computing；Each element in middle evidence ips is divided with original document m's Block has one-to-one relationship；

1c) randomly choose file key k；

1d) with file key k, symmetric cryptography is carried out to original document m, obtains original document ciphertext m ':

M '=sym.enc (k, m),

Wherein, sym.enc () is symmetric encryption scheme；

1e) upload middle evidence ips and original document ciphertext m ' to server.

Step 2, server carries out File Ownership certification with follow-up uploader su and interacts.

With reference to Fig. 3, being implemented as follows of this step:

2a) follow-up uploader su selects random number r, generates coefficient correlation x and sends to server, its coefficient correlation x is pressed Equation below generates:

x=β^rMod d,

Wherein, 1≤β≤d-1, β are the units that rank is q, i.e. 1=β^qMod d, d and q are prime number, and meet d-1 can be whole by q Remove, mod is complementation computing；

After 2b) server receives coefficient correlation x, select authentication document block number c and two random number s ', s ' ' forms certification Challenge set chal=(c, s ', s ' '), authentication challenge set chal is sent to follow-up uploader su；

2c) follow-up uploader su, according to authentication challenge set chal, firstly generates File Ownership evidence fps, and uploads To server, evidences of title fps, generate as follows:

fps={fps_i,

Wherein, fps_iIt is the element in File Ownership evidence fps,fps_i=b_i* s ' '+r,It is pseudo- Random permutation function, b_iIt is original document m={ b₁,b₂,…,b_i,…,b_nEach piecemeal, r be random number, from 1 to c, c is ρ File block number in authentication challenge set chal, s ', s ' ' be two random numbers in authentication challenge set chal；

2d) server, according to middle evidence ips and File Ownership evidence fps, generates between two groups of evidences apart from dps:

dps={dps_i,

${\mathrm{dps}}_i={{\mathrm{ips}}_i}^{s^{\′\′}}*{\mathrm{\β}}^{{\mathrm{fps}}_i}\mathrm{mod}d,$

Wherein, dps_iIt is the element apart from dps between evidence, ips_iIt is the element of middle evidence ips, fps_iIt is that file owns Warrant is according to the element of fps；

2e) server according between two evidences apart from dps={ dps_iJudging whether to recognize the file institute of follow-up uploader su Have the right: if dps=is { dps_iIn each element all equal with coefficient correlation x, then recognize follow-up uploader su file own Power, execution step 3；Otherwise, the File Ownership authentification failure of follow-up uploader su.

Step 3, server carries out key distribution to follow-up uploader su.

With reference to Fig. 4, being implemented as follows of this step:

3a) follow-up uploader su uploads the public key pk of oneself_suTo server；

3b) server is by the public key pk of follow-up uploader su_suSend and distribute auxiliary au to key；

3c) key distributes auxiliary au according to re-encrypted private key create-rule, with the private key sk of oneself_auConnect with from server The public key pk receiving_su, generate re-encrypted private key rk_au→su:

3c1) from integer set z_dTwo integer x of middle random selection_au,y_au, the private key of composition key distribution auxiliary au sk_au:

sk_au=(x_au,y_au),

Wherein, integer set z_d={ 0,1 ..., d-1 }, d are prime number；

3c2) from integer set z_dIn randomly choose two integer x again_su,y_su, form the private key sk of follow-up uploader su_su:

sk_su=(x_su,y_su)；

3c3) according to prime number d, determine that rank is that d generates cyclic group g for g for the unit, g={ g⁰,g¹,…,g^d-1}；

3c4) randomly choose numerical value g from cyclic group g^j, the span of j is from 0 to d-1；

3c5) the private key sk according to follow-up uploader su_su, cyclic group g generation unit g and numerical value g^j, calculate its corresponding public key pk_su:

${\mathrm{pk}}_{\mathrm{su}}=(g^{x_{\mathrm{su}}},g^{{{j\·x}_{\mathrm{su}}}^2},g^{y_{\mathrm{su}}}),$

The private key sk of auxiliary au 3c6) is distributed according to key_auPublic key pk with follow-up uploader su_su, calculate re-encryption Key rk_au→su:

${\mathrm{rk}}_{\mathrm{au}\→\mathrm{su}}=g^{{{j\·x}_{\mathrm{su}}}^2/x_{\mathrm{au}}}.$

3d) key distribution auxiliary au public key pk_auEncryption file key k, obtains file key ciphertext k '_au:

The private key sk of auxiliary au 3d1) is distributed according to key_au, calculate its corresponding public key pk_au:

${\mathrm{pk}}_{\mathrm{au}}=(g^{x_{\mathrm{au}}},g^{{{j\·x}_{\mathrm{au}}}^2},g^{y_{\mathrm{au}}});$

3d2) randomly choose four different numerical value g from cyclic group g^h,g^u,g^v,g^w, wherein, the value model of h, u, v, w Enclose all from 0 to d-1, from integer set z_dMiddle random selection two different numerical value l, s；

3d3) according to numerical value g^j,g^h,g^u,g^v,g^w, l, s, key distribute the public key pk of auxiliary au_auWith file key k, count Calculate intermediate variable c₁,c₂,c₃,c₄,c₅:

$c_1=g^{x_{\mathrm{au}}\·1},$

c₂=g^h·1,

$c_3=e{(g,g^j)}^1\·k,$

c₄=(g^u·t·g^v·s·g^w)¹, wherein t=tcr (c₂,c₃),

c₅=s,

Wherein, e (g, g^j) it is bilinear map, k is file key, and tcr () is collisionless hash function；

3d4) according to intermediate variable c₁,c₂,c₃,c₄,c₅, obtain file key ciphertext k '_au:

k′_au=(c₁,c₂,c₃,c₄,c₅)；

3e) key distribution auxiliary au is by the file key ciphertext k ' of oneself_au, public key pk_auAnd re-encrypted private key rk_au→su It is back to server simultaneously；

3f) server re-encrypted private key rk_au→suKey is distributed with the file key ciphertext k ' of auxiliary au_auCarry out generation Reason re-encryption, obtains re-encryption ciphertext k ' '_su:

3f1) from integer set z_d=0,1 ..., and d-1 } middle random selection two integer r ' and r ' '；

3f2) according to integer r ' and r ' ', file key ciphertext k '_au, key distribute auxiliary au public key pk_auAdd again Key is rk_au→su, calculate intermediate variable c₆,c₇,c₈:

$c_6=c_1^{r^{\′\′}},$

$c_7=g^{x_{\mathrm{au}}\·r^{\′\′}},$

$c_8={\mathrm{rk}}_{\mathrm{au}\→\mathrm{su}}^{1/r^{\′\′}},$

Wherein, c₁It is file key ciphertext k '_au=(c₁,c₂,c₃,c₄,c₅) part,It is key distribution auxiliary Person's au public key ${\mathrm{pk}}_{\mathrm{au}}=(g^{x_{\mathrm{au}}},g^{{{j\·x}_{\mathrm{au}}}^2},g^{y_{\mathrm{au}}});$ Part；

3f3) according to file key ciphertext k '_auWith intermediate variable c₆,c₇,c₈, calculate intermediate variable k_t:

k_t=c₂||c₃||c₄||c₅||c₆||c₇||c₈,

Wherein, symbol | | represent concatenation operation；

3f4) according to generation unit and random number r ', calculating intermediate variable a:

a=g^r′；

3f5) according to intermediate variable a, numerical value g^h, r ' and intermediate variable k_tDistribute the public key pk of auxiliary au with key_au, meter Calculate re-encryption ciphertext k ' '_su:

k′′_su=(a, b, c),

T '=tcr ' (a),

$b={(g^{y_{\mathrm{au}}\·t^{\′}}\·g^h)}^{r^{\′}},$

$c\←\mathrm{sym}.\mathrm{enc}(h\left(g^{y_{\mathrm{au}}\·t^{\′}}\right),k_t),$

Wherein, tcr ' () is collisionless hash function, and sym.enc () is symmetric encipherment algorithm, and h () is random Harsh letter Number；

3g) follow-up uploader su its private key sk_suDeciphering re-encryption ciphertext k ' '_su, obtain file key k:

3g1) the private key sk according to follow-up uploader su_suWith re-encryption ciphertext k ' '_su, calculate intermediate variable k_t:

$k_t=\mathrm{sym}.\mathrm{dec}(h\left(a^{y_{\mathrm{su}}}\right),c),$

Wherein, variable a and c is re-encryption ciphertext k ' '_su=(a, b, c) part, sym.dec () is that symmetrical deciphering is calculated Method；

3g2) parse intermediate variable k_t:

k_t=c₂||c₃||c₄||c₅||c₆||c₇||c₈,

Wherein, symbol | | represent concatenation operation；

3g3) according to intermediate variable k_tPrivate key sk with follow-up uploader su_su, calculation document key k:

$k=\frac{c_3}{e{(c_6,c_8)}^{1/x_{\mathrm{su}}^2}},$

Wherein, e (c₆,c₈) it is bilinear map.

Claims (8)

1. the cryptographic key distribution method under a kind of encryption data de-duplication scene, comprises the steps:

(1) evidence and original document ciphertext in the middle of the upload of file first place uploader fu:

1a) the first uploader fu of file is according to the requirement of the zero knowledge probative agreement based on schnorr system, to original document After m carries out piecemeal, generate middle evidence ips using congruence；

1b) the first uploader fu of file randomly chooses file key k, carries out symmetric cryptography to original document m and obtains original document Ciphertext m '；

1c) upload middle evidence ips and original document ciphertext m ' to server；

(2) follow-up uploader su carries out File Ownership with server proves to interact:

2a) follow-up uploader su selects random number r, generates coefficient correlation x and sends to server: x=β^rMod d, wherein, 1≤ β≤d-1, β are the units that rank is q, i.e. 1=β^qMod d, d and q are prime number, and meet d-1 and can be divided exactly by q；

2b) server randomly chooses file block number c and two random number s ', s ", composition authentication challenge set: chal=(c, s ', S "), and send to follow-up uploader su；

2c) follow-up uploader su, according to the original document m being had and authentication challenge set chal, generates File Ownership evidence Fps simultaneously sends to server；

2d) server according to middle evidence ips with the File Ownership evidence fps that receives from follow-up uploader su, generates two Apart from dps between group evidence, to determine whether to recognize the File Ownership of follow-up uploader su, recognize the file of follow-up uploader su Ownership, then server follow-up uploader su is labeled as the owner of file, execution step (3)；Otherwise, follow-up uploader su This File Ownership authentification failure；

(3) server distribution key is to follow-up uploader su:

3a) follow-up uploader su uploads the public key pk of oneself_suTo server；

3b) server is by the public key pk of follow-up uploader su_suSend and distribute auxiliary au to key；

3c) key distributes the auxiliary au private key sk of oneself_auWith the public key pk receiving from server_su, generate re-encrypted private key rk_au→su；

3d) key distribution auxiliary au public key pk_auEncryption file key k, obtains file key ciphertext k '_au；

3e) key distribution auxiliary au is by the file key ciphertext k ' of oneself_au, public key pk_auAnd re-encrypted private key rk_au→suSimultaneously It is back to server；

3f) server re-encrypted private key rk_au→suKey is distributed with the file key ciphertext k ' of auxiliary au_auCarry out agency's weight Encryption, obtains re-encryption ciphertext k "_suAnd send it to follow-up uploader su；

3g) follow-up uploader su its private key sk_suDeciphering re-encryption ciphertext k "_su, obtain file key k.

2. the cryptographic key distribution method under encryption data de-duplication scene according to claim 1 is it is characterised in that step Utilization congruence described in 1a) generates middle evidence ips, is generated by equation below:

Ips={ ips_i,

Wherein, ips_iIt is the element in middle evidence ips,b_iIt is original document m={ b₁,b₂,..., b_i,...,b_nEach piecemeal, from 1 to n, n is the block count of original document m to i, and 1≤β≤d-1, β are the units that rank is q, i.e. 1= β^qMod d, d and q are prime number, and meet d-1 and can be divided exactly by q, and mod is complementation computing.

3. the cryptographic key distribution method under encryption data de-duplication scene according to claim 1 is it is characterised in that step Described in 2c) according to the original document m being had and authentication challenge set chal, generate File Ownership evidence fps, by as follows Step is carried out:

Fps={ fps_i,

Wherein, fps_iIt is the element in File Ownership evidence fps,fps_i=b_i* s "+r,It is that pseudorandom is put Exchange the letters number, b_iIt is original document m={ b₁,b₂,...,b_i,...,b_nEach piecemeal, r be random number, from 1 to c, c is certification to ρ File block number in challenge set chal, s ', s " are two random numbers in authentication challenge set chal.

4. the cryptographic key distribution method under encryption data de-duplication scene according to claim 1 is it is characterised in that step Described in 2d) according to middle evidence ips and the File Ownership evidence fps that receives from follow-up uploader su, generate two groups of cards According between apart from dps, carry out as follows:

Dps={ dps_i,

${\mathrm{dps}}_i={{\mathrm{ips}}_i}^{s^{\′\′}}*{\mathrm{\β}}^{{\mathrm{fps}}_i}\mathrm{mod}d,$

Wherein, dps_iIt is the element apart from dps between evidence, ips_iIt is the element of middle evidence ips, fps_iIt is File Ownership card Element according to fps.

5. the cryptographic key distribution method under encryption data de-duplication scene according to claim 1 is it is characterised in that step Key described in 3c) distributes the auxiliary au private key sk of oneself_auWith the public key pk receiving from server_su, generate re-encryption close Key rk_au→su, carry out as follows:

3c1) from integer set z_dTwo integer x of middle random selection_au,y_au, the private key sk of composition key distribution auxiliary au_au:

sk_au=(x_au,y_au),

Wherein, integer set z_d={ 0,1 ..., d-1 }, d is prime number；

3c2) from integer set z_dTwo integer x of middle random selection_su,y_su, form the private key sk of follow-up uploader su_su:

sk_su=(x_su,y_su)；

3c3) according to prime number d, determine that rank is that d generates cyclic group g for g for the unit, g={ g⁰,g¹,...,g^d-1}；

3c4) randomly choose numerical value g from cyclic group g^j, the span of j is from 0 to d-1；

3c5) the private key sk according to follow-up uploader su_su, cyclic group g generation unit g and numerical value g^j, calculate its corresponding public key pk_su:

${\mathrm{pk}}_{su}=(g^{x_{su}},g^{j\·{x_{su}}^2},g^{y_{su}}),$

The private key sk of auxiliary au 3c6) is distributed according to key_auPublic key pk with follow-up uploader su_su, calculate re-encrypted private key rk_au→su:

${\mathrm{rk}}_{au\→su}=g^{j\·{x_{su}}^2/x_{au}}.$

6. the cryptographic key distribution method under encryption data de-duplication scene according to claim 1 is it is characterised in that step Key distribution auxiliary au public key pk described in 3d)_auEncryption file key k, obtains file key ciphertext k '_au, walk by following Suddenly carry out:

The private key sk of auxiliary au 3d1) is distributed according to key_au, calculate its corresponding public key pk_au:

${\mathrm{pk}}_{au}=(g^{x_{au}},g^{j\·{x_{au}}^2},g^{y_{au}});$

3d2) randomly choose four different numerical value g from cyclic group g^h,g^u,g^v,g^w, wherein, the span of h, u, v, w all from 0 arrives d-1, from integer set z_dMiddle random selection two different numerical value l, s；

3d3) according to numerical value g^j,g^h,g^u,g^v,g^w, l, s, key distribute the public key pk of auxiliary au_auWith file key k, in calculating Between variable c₁,c₂,c₃,c₄,c₅:

$c_1=g^{x_{au}\·l},$

c₂=g^h·l,

c₃=e (g, g^j)^lK,

c₄=(g^u·t·g^v·s·g^w)^l, wherein t=tcr (c₂,c₃),

c₅=s,

Wherein, e (g, g^j) it is bilinear map, k is file key, and tcr () is collisionless hash function；

3d4) according to intermediate variable c₁,c₂,c₃,c₄,c₅, obtain file key ciphertext k '_au:

k′_au=(c₁,c₂,c₃,c₄,c₅).

7. the cryptographic key distribution method under encryption data de-duplication scene according to claim 1 is it is characterised in that step Re-encrypted private key rk is used described in 3f)_au→suKey is distributed with the file key ciphertext k ' of auxiliary au_auCarry out acting on behalf of re-encryption, Obtain re-encryption ciphertext k "_su, carry out as follows:

3f1) from integer set z_dTwo integer r ' and r is randomly choosed " in={ 0,1 ..., d-1 }；

3f2) according to integer r ' and r ", file key ciphertext k '_au, key distribute auxiliary au public key pk_auAnd re-encrypted private key For rk_au→su, calculate intermediate variable c₆,c₇,c₈:

$c_6=c_1^{r^{\′\′}},$

$c_7=g^{x_{au}\·r^{\′\′}},$

$c_8={\mathrm{rk}}_{au\→su}^{1/r^{\′\′}},$

Wherein, c₁It is file key ciphertext k '_au=(c₁,c₂,c₃,c₄,c₅) part,It is key distribution auxiliary au Public keyPart；

3f3) according to file key ciphertext k '_auWith intermediate variable c₆,c₇,c₈, calculate intermediate variable k_t:

k_t=c₂||c₃||c₄||c₅||c₆||c₇||c₈,

Wherein, symbol | | represent concatenation operation；

3f4) according to the first g and random number r ' of generation, calculating intermediate variable a:

A=g^r′；

3f5) according to intermediate variable a, numerical value g^h, r ' and intermediate variable k_tDistribute the public key pk of auxiliary au with key_au, calculate weight Encrypted cipher text k "_su:

T '=tcr ' (a),

$b={(g^{y_{au}\·t^{\′}}\·g^h)}^{r^{\′}},$

$c\←sym.enc\left(h\right(g^{y_{au}\·t^{\′}}),k_t),$

k″_su=(a, b, c),

Wherein, tcr ' () is collisionless hash function, and sym.enc () is symmetric encipherment algorithm, and h () is random Harsh function.

8. the cryptographic key distribution method under encryption data de-duplication scene according to claim 1 is it is characterised in that step Follow-up uploader su described in 3g) its private key sk_suDeciphering re-encryption ciphertext k "_su, obtain file key k, enter as follows OK:

3g1) the private key sk according to follow-up uploader su_suWith re-encryption ciphertext k "_su, calculate intermediate variable k_t:

$k_t=sym.dec\left(h\right(a^{y_{su}}),c),$

Wherein, variable a and c is re-encryption ciphertext k "_su=(a, b, c) part, sym.dec () is symmetrical decipherment algorithm.

3g2) parse intermediate variable k_t:

k_t=c₂||c₃||c₄||c₅||c₆||c₇||c₈,

Wherein, symbol | | represent concatenation operation；

3g3) according to intermediate variable k_tPrivate key sk with follow-up uploader su_su, calculation document key k:

$k=\frac{c_3}{e{(c_6,c_8)}^{1/x_{su}^2}},$

Wherein, e (c₆,c₈) it is bilinear map.