CN103873236B

CN103873236B - One kind can search for encryption method and equipment

Info

Publication number: CN103873236B
Application number: CN201210534843.0A
Authority: CN
Inventors: 高云超; 邹继富; 董秋香; 关志
Original assignee: Huawei Technologies Co Ltd
Current assignee: Huawei Cloud Computing Technologies Co Ltd
Priority date: 2012-12-12
Filing date: 2012-12-12
Publication date: 2017-03-08
Anticipated expiration: 2032-12-12
Also published as: CN103873236A

Abstract

The present invention announces one kind and can search for encryption method and equipment, obtains the identity of searcher or the identity of searcher place group by sender, and the systematic parameter of KMC；The identity according to described searcher for the sender or the identity of searcher place group, and described systematic parameter cryptography key word, and the key word ciphertext after encryption is uploaded to storage server.Pass through searcher simultaneously and query key is obtained from KMC according to the identity of searcher or the identity of searcher place group, query key according to key word and described acquisition generates query token, key word ciphertext after described query token inquires about encryption from storage server, and receive the data that described storage server returns.Thus realizing, in the case that the support and sender not needing expensive PKIX does not need to download public key, realizing can search for encryption technology.

Description

One kind can search for encryption method and equipment

Technical field

The present invention is applied to encryption technology field, and more particularly, to one kind can search for encryption method and equipment.

Background technology

Encipherment scheme, in order to ensure Semantic Security, often requires that in the ciphertext distribution and the cryptogram space that AES produces It is uniformly distributed both in computationally indistinguishable（Computationally indistinguishable refers to, for two probability distribution, there is not polynomial time Algorithm can distinguish them）.Therefore, all cannot obtain any having a mind to from the ciphertext that obtains of encryption for any effective algorithm The semantic information of justice, and losing of semantic information makes to realize the retrieval to ciphertext data by common searching algorithm. In order to solve the problems, such as searching ciphertext, occur in that and can search for encryption technology.

Can search for encrypting it is not necessary to be decrypted to the ciphertext data of encryption, but scanned for using detection algorithm, Output is this ciphertext whether result containing search keyword, usually 0 or 1.The development that can search for encrypting comprises three The main historical stage, it is that symmetric key can search for encrypting first, was proposed by Song etc. in 2000.Its application scenarios is search Side is same entity with encryption side, uploads onto the server after being encrypted data and key word using DSE arithmetic, it Afterwards line retrieval is entered to this ciphertext data.Its shortcoming is that user can only search for the encryption number oneself encrypting and uploading in data base According to.

In order to overcome the limitation in this application, Dan Boneh proposed the public key with keyword search in 2004 Encryption（Public Key Encryption with Keyword Search, PEKS）.The application scenarios of PEKS scheme are multiple Sender sends key word ciphertext data ciphertext to recipient, and recipient utilizes private key to generate search token, is uploaded to service Device, server runs corresponding detection algorithm and carries out keyword search.Recipient in the program can only be single entities, simultaneously The operation of keyword detection algorithm can only realize the retrieval to a key word it is impossible to realize conjunction key word is examined every time Rope（Assume have n key word to be respectively W1, W2 ..., Wn, to comprising key word W1, and comprise key word W2 ..., and comprise pass The ciphertext of keyword Wn scans for, referred to as conjunction keyword search）, this is its bottleneck functionally.

Hwang and Lee proposes the scheme solving this problem, the i.e. public affairs with conjunction keyword search of multi-user within 2007 Key is encrypted（Multi-user Public Key Encryption with Conjunctive Keyword Search, mPECK）, with the public key cryptography scheme of multi-receiver conjunction keyword retrieval.The program is based on public-key cryptosystem, needs The support of the infrastructure of online database of public keys or certificate repository, simultaneously sender need inquiry with download group all become The public key of member, is encrypted to data according to the public key of each recipient, and receiver generates search token according to the private key of oneself Data is scanned for.However, the maintenance and management cost of database of public keys is very high, and multiple use are downloaded in sender's inquiry The public key at family may waste the network bandwidth and storage resource.

Content of the invention

The purpose of the embodiment of the present invention is to provide one kind to can search for encryption method and equipment, solves base in prior art In public key can search for need the support of the infrastructure of online database of public keys or certificate repository in encryption technology, send out simultaneously The side of sending needs inquiry and downloads the problem of the public key of all members of group.

In a first aspect, one kind can search for encryption method, methods described includes：

Obtain the identity information of searcher and the systematic parameter of KMC, the identity information bag of described searcher Include the identity information of described single searchers or the identity information of the group at the plurality of searchers place；

Identity information according to described searcher and described systematic parameter are encrypted to key word, and by after encryption Key word ciphertext uploads to storage server.

In conjunction with a first aspect, in the first possible implementation of first aspect, described according to described searcher Identity information and described systematic parameter are encrypted to key word, including：

Identity information according to described searcher and described systematic parameter calculate the public key encrypting described key word, and root According to key word described in the described public key encryption calculating.

In conjunction with the first possible implementation of first aspect or first aspect, may in the second of first aspect Implementation in, methods described also includes：

Identity information according to described searcher and described systematic parameter encrypting plaintext data, and by encryption after plaintext number According to ciphertext upload to described storage server.

In conjunction with the possible implementation of the second of first aspect, in the third possible implementation of first aspect In, the described identity according to described searcher and described systematic parameter encrypting plaintext data, including：

Identity information according to described searcher and described systematic parameter calculate the public key encrypting described clear data, and Clear data according to the described public key encryption calculating.

In conjunction with the first possible implementation of first aspect or first aspect, in the 4th kind of possibility of first aspect Implementation in, methods described also includes：

According to the encryption attribute clear data of described searcher, and the ciphertext of the clear data after encryption is uploaded to described Storage server.

Second aspect, a kind of identity-based can search for encryption method, methods described includes：

Identity information according to searcher obtains query key, the identity information bag of described searcher from KMC Include the identity information of described single searchers or the identity information of the group at the plurality of searchers place；

Query key according to key word and described acquisition generates query token, by described query token from storage service Key word ciphertext after inquiry encryption in device.

In conjunction with second aspect, in the first possible implementation of second aspect, described by described query token Key word ciphertext after inquiry encryption from storage server, including：

The file of the key word after comprising to encrypt is inquired about by described query token from storage server.

In conjunction with the first possible implementation of second aspect or second aspect, may in the second of second aspect Implementation in, described query key according to key word and described acquisition generates query token, including：

When the identity according to searcher place group obtains query key from KMC, described in the described direction of search Searcher place group submits key word, and described searcher place group checks that whether described searcher is the member in group, if so, then Described searcher place group generates query token according to described key word and described query key, and described query token is returned To described searcher.

The second of the first the possible implementation in conjunction with second aspect or second aspect or second aspect can Can implementation, in the third possible implementation of second aspect, described by described query token from storage clothes Key word ciphertext after inquiry encryption in business device, including：

Receive the ciphertext of the clear data according to public key encryption that described storage server returns.

In conjunction with the third possible implementation of second aspect, in the 4th kind of possible implementation of second aspect In, methods described, after step receives the ciphertext according to the clear data of public key encryption that described storage server returns, is gone back Including：

According to described query key, the ciphertext of the described clear data according to public key encryption is decrypted, obtains deciphering Clear data afterwards.

The second of the first the possible implementation in conjunction with second aspect or second aspect or second aspect can The implementation of energy or the third possible implementation of second aspect or the 4th kind of possible realization of second aspect Mode, in the 5th kind of possible implementation of second aspect, methods described, also include：

The corresponding data deciphering of described attribute is obtained from described KMC according to the searcher attribute pre-setting Key.

In conjunction with the 5th kind of possible implementation of second aspect, in the 6th kind of possible implementation of second aspect In, described key word ciphertext after described query token inquires about encryption from storage server, including：

Receive the clear data according to the described searcher encryption attribute pre-setting that described storage server returns Ciphertext.

In conjunction with the 6th kind of possible implementation of second aspect, in the 7th kind of possible implementation of second aspect In, methods described receives the bright according to the described searcher encryption attribute pre-setting of described storage server return in step After the ciphertext of civilian data, also include：

According to described data decryption key, what described storage server was returned belongs to according to the described searcher pre-setting Property encryption the ciphertext of clear data be decrypted, obtain the clear data after deciphering.

The third aspect, a kind of encryption device, described equipment includes：

First acquisition unit, for obtaining the identity information of searcher and the systematic parameter of KMC, described The identity information of searcher includes the identity information of described single searchers or the body of the group at the plurality of searchers place Part information；

Encryption uploading unit, is carried out to key word for the identity information according to described searcher and described systematic parameter Encryption, and the key word ciphertext after encryption is uploaded to storage server.

In conjunction with the third aspect, in the first possible implementation of the third aspect, described encryption uploading unit is concrete For：

In conjunction with the first possible implementation of the third aspect or the 3rd face, possible in the second of the third aspect In implementation, described equipment also includes：

First ciphering unit, for the identity information according to described searcher and described systematic parameter encrypting plaintext data, And the ciphertext of the clear data after encryption is uploaded to described storage server.

In conjunction with the possible implementation of the second in the 3rd face, in the third possible implementation of the third aspect, Described first ciphering unit specifically for：

In conjunction with the first possible implementation of the third aspect or the third aspect, in the 4th kind of possibility of the third aspect Implementation in, described equipment also includes：

Second ciphering unit, for the encryption attribute clear data according to described searcher, and by the plaintext number after encryption According to ciphertext upload to described storage server.

Fourth aspect, a kind of search equipment, described equipment includes：

Second acquisition unit, obtains query key for the identity information according to searcher from KMC, described The identity information of searcher includes the identity information of described single searchers or the body of the group at the plurality of searchers place Part information；

Inquire-receive unit, generates query token for the query key according to key word and described acquisition, by described Query token inquires about the key word ciphertext after encryption from storage server.

In conjunction with fourth aspect, in the first possible implementation of fourth aspect, hold in described inquire-receive unit Key word ciphertext after described query token inquires about encryption from storage server for the row step, including：

In conjunction with the first possible implementation of fourth aspect or fourth aspect, may in the second of fourth aspect Implementation in, described inquire-receive unit execution step generates inquiry order according to the query key of key word and described acquisition Board, including：

The second of the first the possible implementation in conjunction with fourth aspect or fourth aspect or fourth aspect can The implementation of energy, in the third possible implementation of fourth aspect, described inquire-receive unit, including：

In conjunction with the third possible implementation of fourth aspect, in the 4th kind of possible implementation of fourth aspect In, described equipment also includes the first decryption unit, described first decryption unit specifically for：

The second of the first the possible implementation in conjunction with fourth aspect or fourth aspect or fourth aspect can The implementation of energy or the third possible implementation of fourth aspect or the 4th kind of possible realization of fourth aspect Mode, in the 5th kind of possible implementation of fourth aspect, described equipment also includes the 3rd acquiring unit, and the described 3rd obtains Take unit specifically for：

In conjunction with the 5th kind of possible implementation of fourth aspect, in the 6th kind of possible implementation of fourth aspect In, described inquire-receive unit, including：

In conjunction with the 6th kind of possible implementation of fourth aspect, in the 7th kind of possible implementation of fourth aspect In, described equipment also includes the second decryption unit, and described second decryption unit includes：

Compared with prior art, the embodiment of the present invention provides one kind to can search for encryption method, and methods described is passed through from key Administrative center obtains systematic parameter and private key so that KMC can be equally can be realized using working in the way of offline Sender's encryption and the purpose of searcher search.Meanwhile, sender only needs to know that the identity of searcher or searcher are located Group can achieve the encryption method of key word so that sender does not need to download the identity of multiple searcher or searcher is located The public key of group, it is not necessary to online database of public keys supports, reduces the network bandwidth and storage overhead.Due to corresponding sender's public key Query key produced by described KMC, therefore all of key word ciphertext can be searched for by KMC Data, realizes centralized key escrow function, and this function is even more important in company and some government bodies.Pass through above-mentioned one simultaneously The mode of individual or multiple key word, it is possible to achieve searcher is entered in described storage server to one or more of key words Line search is inquired about, and by searcher place group, searcher inquiry is managed and controls, thus realizing the mesh of multi-user's search 's.

Brief description

For the technical scheme being illustrated more clearly that in the embodiment of the present invention, below by use required in embodiment Accompanying drawing be briefly described it should be apparent that, drawings in the following description are only some embodiments of the present invention, for ability For the those of ordinary skill of domain, without having to pay creative labor, others can also be obtained according to these accompanying drawings Accompanying drawing.

Fig. 1 is that one kind that the embodiment of the present invention one provides can search for encryption method flow chart；

Fig. 2 is that one kind that the embodiment of the present invention two provides can search for encryption method flow chart；

Fig. 3 is that one kind that the embodiment of the present invention one, two provides can search for encryption method schematic diagram；

Fig. 4 is that one kind that the embodiment of the present invention one, two provides can search for encryption method schematic diagram；

Fig. 5 is that one kind that the embodiment of the present invention three provides can search for encryption method flow chart；

Fig. 6 is that one kind that the embodiment of the present invention four provides can search for encryption method flow chart；

Fig. 7 is that one kind that the embodiment of the present invention three, four provides can search for encryption method schematic diagram；

Fig. 8 is that one kind that the embodiment of the present invention five provides can search for encryption method flow chart；

Fig. 9 is that one kind that the embodiment of the present invention six provides can search for encryption method flow chart；

Figure 10 is that one kind that the embodiment of the present invention five, six provides can search for encryption method schematic diagram；

Figure 11 is that one kind that the embodiment of the present invention seven provides can search for encryption method flow chart；

Figure 12 is that one kind that the embodiment of the present invention seven provides can search for encryption method flow chart；

Figure 13 is that one kind that the embodiment of the present invention seven, eight provides can search for encryption method schematic diagram；

Figure 14 is a kind of structure drawing of device of encryption device that the embodiment of the present invention nine provides；

Figure 15 is a kind of structure drawing of device of search equipment that the embodiment of the present invention ten provides；

Figure 16 is a kind of structure drawing of device of encryption device that the embodiment of the present invention 11 provides；

Figure 17 is a kind of structure drawing of device of search equipment that the embodiment of the present invention 12 provides；

Figure 18 is a kind of structure drawing of device of encryption device that the embodiment of the present invention 13 provides；

Figure 19 is a kind of structure drawing of device of search equipment that the embodiment of the present invention 14 provides；

Figure 20 is a kind of structure drawing of device of encryption device that the embodiment of the present invention 15 provides；

Figure 21 is a kind of structure drawing of device of search equipment that the embodiment of the present invention 16 provides.

Specific embodiment

In order that the objects, technical solutions and advantages of the present invention become more apparent, below in conjunction with drawings and Examples, right The present invention is further elaborated.It should be appreciated that specific embodiment described herein is only in order to explain the present invention, and It is not used in the restriction present invention.

The foregoing is only presently preferred embodiments of the present invention, not in order to limit the present invention, all essences in the present invention Any modification, equivalent and improvement made within god and principle etc., should be included within the scope of the present invention.

Embodiment one

With reference to Fig. 1, Fig. 1 is that one kind that the embodiment of the present invention one provides can search for encryption method flow chart.As shown in figure 1, The method comprises the following steps：

Step 101, obtains the identity information of searcher and the systematic parameter of KMC, and described searcher includes Single searchers or the group at several searchers place, the identity information of described searcher includes the body of described single searchers The identity information of the group at part information or the plurality of searchers place；

Wherein, the identity information of described the searcher including but not limited to phone number of searcher, job number, No. QQ, Email Etc. information.The mode of the described identity information obtaining searcher including but not limited to passes through the side such as Help by Phone or E-mail inquiries Formula obtains.The identity information of described searcher place group includes but is not limited to the QQ group number of searcher place group, department name etc. Information.The mode of the described identity obtaining searcher place group including but not limited to passes through the side such as Help by Phone or E-mail inquiries Formula obtains.Described KMC is responsible for issuing systematic parameter for calculating encrypted public key to sender, can also enter one Walk and issue the corresponding private key of described encrypted public key, i.e. query key, described systematic parameter to searcher or searcher place group Including but not limited to elliptic curve cipher parameter group, mapping function and mapping method.

Specifically, it is consistent by the mapping parameters that identity obtains, and the calculation of public key is by mapping parameters and public affairs The multiplication of key factor matrix obtains, and the calculation of private key is obtained by mapping parameters and private key factor matrix multiple, therefore, Ensure that the one-to-one corresponding of public key and private key.

In this step, described KMC can by using working in the way of offline, that is, send described identity information and Systematic parameter, and send time of query key and do not limit, before offline, systematic parameter can be handed down to sender, And the query key corresponding to the encrypted public key calculating is handed down to searcher or searcher place group it is also possible to carry online For.

Step 102, the identity information according to described searcher and described systematic parameter are encrypted to key word, and will Key word ciphertext after encryption uploads to storage server.

Specifically, the described identity information according to described searcher and described systematic parameter are encrypted to key word, Including：

Identity information according to described searcher and described systematic parameter, calculate for encrypting adding of described key word Migong key, and described key word is encrypted according to the described encrypted public key calculating.

In this step, sender only needs to the identity information knowing the identity information of searcher or searcher place group Can achieve the encryption of key word so that sender does not need to download encryption public affairs from online database of public keys or certificate repository Key, reduces the network bandwidth and storage overhead.

The embodiment of the present invention provide a kind of identity-based can search for encryption method, in methods described, sender only needs to know The identity of road searcher or the searcher place group i.e. encryption method of achievable key word be not so that sender needs download many The public key of the identity of individual searcher or searcher place group, it is not necessary to online database of public keys supports, reduces the network bandwidth And storage overhead.

Embodiment two

With reference to Fig. 2, Fig. 2 be a kind of identity-based that the embodiment of the present invention two provides can search for encryption method flow chart. As shown in Fig. 2 the method comprises the following steps：

Step 201, the identity information according to searcher obtains query key from KMC, and described searcher includes Single searchers or the group at several searchers place, the identity information of described searcher includes the body of described single searchers The identity information of the group at part information or the plurality of searchers place；

Wherein, query key is that described KMC gives birth to according to the identity information of described searcher and systematic parameter The private key corresponding to encryption key becoming.Described KMC equally can calculate public key, because in described key management Feel and contain shared key factor matrix, and private key exists only in described KMC, not external cloth.

Step 202, generates query token according to the query key of key word and described acquisition, by described query token from Key word ciphertext after inquiry encryption in storage server, and receive the Query Result that described storage server returns.

Wherein, the described query key according to key word and described acquisition generates query token, including：

The query key of one or more key word according to searcher and described acquisition generates query token.

By way of said one or multiple key word, it is possible to achieve searcher is to one or more of key words Scan for inquiring about in described storage server.

Preferable, the described query key according to key word and described acquisition generates query token, including：

When the identity information according to searcher place group obtains query key from KMC, the described direction of search Described searcher place group submits key word, and described searcher place group checks that whether described searcher is the member in group, if It is that then described searcher place group generates query token according to described key word and described query key, and described inquiry is made Board returns to described searcher.By searcher place group, searcher inquiry is managed and controls, thus realizing multi-user The purpose of search.

Fig. 3 and Fig. 4 be the embodiment of the present invention one and two provide a kind of identity-based can search for encryption method schematic diagram, Now in the way of Signalling exchange a kind of identity-based described in specific illustrative embodiment one and two can search for encryption method.With When, the implementation of the embodiment of the present invention includes the step of Fig. 3 and Fig. 4, but is not limited to the order of each step, Fig. 3 and Fig. 4 is A kind of preferable embodiment.As shown in figure 3, methods described comprises the steps：

Step 301, sender from KMC obtain systematic parameter, and simultaneously obtain searcher identity information, Described searcher includes the group that single searchers or several searchers are located, and the identity information of described searcher includes described The identity information of the group at the identity information of single searchers or the plurality of searchers place；

Step 302, sender according to the identity information of searcher and systematic parameter obtain that key word is encrypted plus Key, uploads to storage server according to described encryption keys key word and by the key word ciphertext after encryption；

Step 303, searcher obtains query key according to the identity information of oneself correlation from described KMC；

Step 304, searcher generates query token according to described query key and key word；

Step 305, searcher uploads described query token to described storage server；

Step 306, searcher receives, from described storage server, the Query Result returning.

As shown in figure 4, methods described comprises the steps：

Step 401, sender from KMC obtain systematic parameter, and simultaneously obtain searcher identity information, Described searcher includes the group that single searchers or several searchers are located, and the identity information of described searcher includes described The identity information of the group at the identity information of single searchers or the plurality of searchers place；

Step 402, sender according to the identity information of searcher and systematic parameter obtain that key word is encrypted plus Key, uploads to storage server according to described encryption keys key word and by the key word ciphertext after encryption；

Step 403, it is close that searcher place group obtains inquiry according to the identity information of described group from described KMC Key；

Step 404, described direction of search searcher place group submits key word, to searcher place group application inquiry order Board；

Step 405, searcher place group checks whether described searcher is member in group, if so, then generates query token, If it is not, then not generating query token；

Step 406, described searcher receives the query token that described group issues；

Step 407, searcher uploads described query token to described storage server；

Step 408, searcher receives, from described storage server, the Query Result returning.

The embodiment of the present invention provide a kind of identity-based can search for encryption method, methods described pass through said one or The mode of multiple key words, it is possible to achieve searcher scans in described storage server to one or more of key words Inquiry.Pass through searcher place group searcher inquiry to be managed and controls, thus realizing the purpose of multi-user's search simultaneously.

Embodiment three

With reference to Fig. 5, Fig. 5 be a kind of identity-based that the embodiment of the present invention three provides can search for encryption method flow chart. As shown in figure 5, the method comprising the steps of：

Step 501, obtains the identity of searcher or the identity of searcher place group, and the system ginseng of KMC Number；

Step 502, the identity of the identity according to described searcher or searcher place group, and the encryption of described systematic parameter Key word, and the key word ciphertext after encryption is uploaded to storage server；

Step 503, according in prior art any one encryption method encrypting plaintext data, and by encryption after plaintext The ciphertext of data uploads to described storage server.

In this step, described key word corresponding plaintext number is encrypted by the method for any one encryption in prior art According to.

The embodiment of the present invention is all suitable for for searcher or searcher place group, below mainly taking searcher as a example do into One step explanation.With specific reference to the step 703 shown in Fig. 7.

The embodiment of the present invention can search for encryption method by a kind of identity-based of the embodiment of the present invention one and two offer Cryptography key word, encrypts the corresponding clear data of described key word by prior art, thus realizing on the basis of prior art On, realize the scheme that can search for cryptography key word of identity-based.

Example IV

With reference to Fig. 6, Fig. 6 be a kind of identity-based that the embodiment of the present invention four provides can search for encryption method flow chart. As shown in fig. 6, methods described comprises the steps：

Step 601, the identity of the identity according to searcher or searcher place group obtains inquiry from KMC Key；

Step 602, generates query token according to the query key of key word and described acquisition, by described query token from Key word ciphertext after inquiry encryption in storage server, and receive the data that described storage server returns；

Step 603, obtains the corresponding decruption key of method of any one encrypting plaintext data in prior art；

Step 604 is according to the corresponding decruption key of method of any one encrypting plaintext data in described prior art, right The ciphertext of the clear data after described encryption is decrypted, and obtains the clear data after deciphering.

In this step, described key word is deciphered by the corresponding decryption method of method of any one encryption in prior art Corresponding clear data.

The embodiment of the present invention is all suitable for for searcher or searcher place group, below mainly taking searcher as a example do into One step explanation.With specific reference to the step 708 shown in Fig. 7 and step 709.

Fig. 7 be a kind of identity-based that the embodiment of the present invention three and example IV provide can search for encryption method, now with A kind of identity-based described in the mode specific illustrative embodiment three and four of Signalling exchange can search for encryption method, meanwhile, The step that the implementation of the embodiment of the present invention includes Fig. 7, but it is not limited to the order of each step, Fig. 7 is a kind of preferable Embodiment.As shown in fig. 7, methods described comprises the steps：

Step 701, sender from KMC obtain systematic parameter, and simultaneously obtain searcher identity information, Described searcher includes the group that single searchers or several searchers are located, and the identity information of described searcher includes described The identity information of the group at the identity information of single searchers or the plurality of searchers place；

Step 702, sender according to the identity information of searcher and systematic parameter obtain that key word is encrypted plus Key, uploads to storage server according to described encryption keys key word and by the key word ciphertext after encryption；

Step 703, described sender is according to the method encrypting plaintext data of any one encryption in prior art, and will add The ciphertext of the clear data after close uploads to described storage server；

Step 704, searcher obtains query key according to the identity information of oneself correlation from described KMC；

Step 705, searcher generates query token according to described query key and key word；

Step 706, searcher uploads described query token to described storage server；

Step 707, searcher receives, from described storage server, the Query Result returning；

Step 708, described searcher obtains the corresponding deciphering of method of any one encrypting plaintext data in prior art Key；

Step 709 is according to the corresponding decruption key of method of any one encrypting plaintext data in described prior art, right The ciphertext of the clear data after described encryption is decrypted, and obtains the clear data after deciphering.

Embodiment five

With reference to Fig. 8, Fig. 8 be a kind of identity-based that the embodiment of the present invention five provides can search for encryption method flow chart. Methods described comprises the steps：

Step 801, obtains the identity of searcher or the identity of searcher place group, and the system ginseng of KMC Number；

Step 802, the identity of the identity according to described searcher or searcher place group, and the encryption of described systematic parameter Key word, and the key word ciphertext after encryption is uploaded to storage server；

Step 803, the identity according to described searcher and described systematic parameter encrypting plaintext data, and will be bright after encryption The ciphertext of civilian data uploads to described storage server.

Specifically, the described identity according to described searcher and described systematic parameter encrypting plaintext data, including：

Identity according to described searcher and described systematic parameter calculate the public key encrypting described clear data, and according to Clear data described in the described public key encryption calculating.

The embodiment of the present invention is all suitable for for searcher or searcher place group, below mainly taking searcher as a example do into One step explanation.With specific reference to the step 1003 shown in Figure 10.

The embodiment of the present invention is corresponding with the public key encryption key word that systematic parameter calculates by using the identity of searcher Clear data so that searcher only need to by the corresponding private key of described public key decipher described clear data, Ke Yitong Cross a pair of public key and private key is realized key word and clear data are encrypted so that simple to operate simultaneously simultaneously.Described key management Center is provided simultaneously with inquiring about and decipher the ability of total data, it is possible to achieve centralized data management, to company and some political affairs Mansion office is even more important.

Embodiment six

With reference to Fig. 9, Fig. 9 be a kind of identity-based that the embodiment of the present invention six provides can search for encryption method flow chart. As shown in figure 9, methods described comprises the steps：

Step 901, the identity of the identity according to searcher or searcher place group obtains inquiry from KMC Key；

Step 902, generates query token according to the query key of key word and described acquisition, by described query token from Key word ciphertext after inquiry encryption in storage server, and receive the data that described storage server returns；

Step 903, according to described query key, enters to the ciphertext of the clear data of the described identity ciphering according to searcher Row deciphering, obtains the clear data after deciphering.

The embodiment of the present invention is all suitable for for searcher or searcher place group, below mainly taking searcher as a example do into One step explanation.With specific reference to the step 1008 shown in Figure 10.

Figure 10 be a kind of identity-based that the embodiment of the present invention five and embodiment six provide can search for encryption method, now with A kind of identity-based described in the mode specific illustrative embodiment five and six of Signalling exchange can search for encryption method, meanwhile, The step that the implementation of the embodiment of the present invention includes Figure 10, but it is not limited to the order of each step, Figure 10 is a kind of preferable Embodiment.As shown in Figure 10, methods described comprises the steps：

Step 1001, sender from KMC obtain systematic parameter, and simultaneously obtain searcher identity information, Described searcher includes the group that single searchers or several searchers are located, and the identity information of described searcher includes described The identity information of the group at the identity information of single searchers or the plurality of searchers place；

Step 1002, sender according to the identity information of searcher and systematic parameter obtain that key word is encrypted plus Key, uploads to storage server according to described encryption keys key word and by the key word ciphertext after encryption；

Step 1003, the identity according to described searcher and described systematic parameter encrypting plaintext data, and by after encryption The ciphertext of clear data uploads to described storage server；

Step 1004, searcher obtains query key according to the identity information of oneself correlation from described KMC；

Step 1005, searcher generates query token according to described query key and key word；

Step 1006, searcher uploads described query token to described storage server；

Step 1007, searcher receives, from described storage server, the Query Result returning；

Step 1008, according to described query key, the ciphertext to the clear data of the described identity ciphering according to searcher It is decrypted, obtain the clear data after deciphering.

Embodiment seven

With reference to Figure 11, Figure 11 be a kind of identity-based that the embodiment of the present invention seven provides can search for encryption method flow process Figure.As shown in figure 11, the method comprising the steps of：

Step 1101, obtains the identity of searcher or the identity of searcher place group, and the system of KMC Parameter；

Step 1102, the identity of the identity according to described searcher or searcher place group, and described systematic parameter add Close key word, and the key word ciphertext after encryption is uploaded to storage server；

Step 1103, according to the encryption attribute clear data of described searcher, and the ciphertext by the clear data after encryption Upload to described storage server.

Specifically, the including but not limited to following several situations of described attribute：For example, the department that company clerk A is located is certain Certain research and development department of company A group, then the attribute of company clerk A could be arranged to so-and-so research and development department of company A group, or be set to other shapes Formula.Sender is according to the corresponding clear data of encryption attribute key word of company clerk A, and the ciphertext after encryption is uploaded to institute State storage server.

When specifically, according to the encryption attribute clear data of described searcher, the encryption key of generation and being searched according to described The encryption key that the identity ciphering clear data of Suo Fang produces is different.When the identity ciphering clear data according to described searcher When, it is the identity according to described searcher and systematic parameter generation public key, sender encrypts to clear data according to public key, search Root is decrypted according to the clear data after the corresponding private key pair encryption of public key.When the attribute according to searcher enters to clear data During row encryption, it is the encryption key generating encrypting plaintext data according to attribute, generate the mode of key and the mode generating public key Different.

The embodiment of the present invention is all suitable for for searcher or searcher place group, below mainly taking searcher as a example do into One step explanation.With specific reference to the step 1303 shown in Figure 13.

The embodiment of the present invention passes through the corresponding plaintext attribute of encryption attribute searcher key word so that searcher can basis The attribute setting access rights pre-setting, while can carrying out multiple keyword retrieval to group member, to group data The decrypted rights of the public property of can search for data be effectively combined.

Embodiment eight

With reference to Figure 12, Figure 12 be a kind of identity-based that the embodiment of the present invention eight provides can search for encryption method flow process Figure.As shown in figure 12, the method comprising the steps of：

Step 1201, the identity of the identity according to searcher or searcher place group obtains inquiry from KMC Key；

Step 1202, the query key according to key word and described acquisition generates query token, by described query token Key word ciphertext after inquiry encryption from storage server, and receive the data that described storage server returns；

Step 1203, obtains described attribute according to the searcher attribute pre-setting from described KMC corresponding Data decryption key；

Step 1204, according to described data decryption key, pre-sets according to described to what described storage server returned The ciphertext of the clear data of searcher encryption attribute be decrypted, obtain the clear data after deciphering.

The embodiment of the present invention is all suitable for for searcher or searcher place group, below mainly taking searcher as a example do into One step explanation.With specific reference to the step 1308 shown in Figure 13 and step 1309.

Figure 13 be a kind of identity-based that the embodiment of the present invention seven and embodiment eight provide can search for encryption method, now with A kind of identity-based described in the mode specific illustrative embodiment seven and eight of Signalling exchange can search for encryption method, meanwhile, The step that the implementation of the embodiment of the present invention includes Figure 13, but it is not limited to the order of each step, Figure 13 is a kind of preferable Embodiment.As shown in figure 13, methods described comprises the steps：

Step 1301, sender from KMC obtain systematic parameter, and simultaneously obtain searcher identity information, Described searcher includes the group that single searchers or several searchers are located, and the identity information of described searcher includes described The identity information of the group at the identity information of single searchers or the plurality of searchers place；

Step 1302, sender according to the identity information of searcher and systematic parameter obtain that key word is encrypted plus Key, uploads to storage server according to described encryption keys key word and by the key word ciphertext after encryption；

Step 1303, described sender according to the encryption attribute clear data of described searcher, and by the plaintext after encryption The ciphertext of data uploads to described storage server；

Step 1304, searcher obtains query key according to the identity information of oneself correlation from described KMC；

Step 1305, searcher generates query token according to described query key and key word；

Step 1306, searcher uploads described query token to described storage server；

Step 1307, searcher receives, from described storage server, the Query Result returning；

Step 1308, obtains described attribute according to the searcher attribute pre-setting from described KMC corresponding Data decryption key；

Step 1309, according to described data decryption key, pre-sets according to described to what described storage server returned The ciphertext of the clear data of searcher encryption attribute be decrypted, obtain the clear data after deciphering.

The embodiment of the present invention passes through the corresponding clear data of encryption attribute searcher key word so that searcher can basis The attribute setting access rights pre-setting, while can carrying out multiple keyword retrieval to group member, to group data The decrypted rights of the public property of can search for data be effectively combined.

Embodiment nine

With reference to Figure 14, Figure 14 is a kind of structure drawing of device of encryption device that the embodiment of the present invention nine provides, described equipment Including with lower unit：

First acquisition unit 1401 and encryption uploading unit 1402, described first acquisition unit 1401 is used for executing embodiment The step 101 of Fig. 1 in one, described encryption uploading unit 1402 is used for the step 102 executing Fig. 1 in embodiment one.

One of ordinary skill in the art will appreciate that each included by the equipment in the described embodiment of the present invention nine is single Unit is simply divided according to function logic, but is not limited to above-mentioned division, as long as be capable of corresponding function being Can；In addition, the specific name of each functional unit, also only to facilitate mutual distinguish, is not limited to the protection model of the application Enclose.

First acquisition unit 1401, for obtaining the identity information of searcher and the systematic parameter of KMC, The identity information of described searcher includes the group that the identity information of described single searchers or the plurality of searchers are located Identity information；

Wherein, the identity of described searcher includes but is not limited to the phone number of searcher, job number, No. QQ, the letter such as Email Breath.The mode of the described identity obtaining searcher is including but not limited to obtained by modes such as Help by Phone or E-mail inquiries. The identity of described searcher place group includes but is not limited to the information such as the QQ group number of searcher place group, department name.Described obtain The mode taking the identity of searcher place group is including but not limited to obtained by modes such as Help by Phone or E-mail inquiries.Described KMC is responsible for issuing, to sender, the systematic parameter using during cryptography key word, simultaneously to searcher or searcher Place group issues the public key that sender calculates according to the identity of searcher or the identity of searcher place group and systematic parameter Corresponding private key, i.e. query key, using public key and the one-to-one mode of private key manage the public key of sender and searcher or The private key of person's searcher place group.With specific reference to the step 401 step 301 in Fig. 3 Suo Shi and in Fig. 4.

In this unit, described KMC can be by using working in the way of offline, by systematic parameter before offline It is handed down to sender, and the query key corresponding to public key that searcher is calculated is handed down to searcher or searcher is located Group.

Encryption uploading unit 1402, for the identity information according to described searcher and described systematic parameter to key word It is encrypted, and the key word ciphertext after encryption is uploaded to storage server.

Specifically, the identity of the described identity according to described searcher or searcher place group, and described systematic parameter Cryptography key word, including：

Identity according to described searcher or the identity of searcher place group, and described systematic parameter calculate encryption institute State the public key of key word, and key word according to the described public key encryption calculating.

In this unit, sender only needs to know that the identity of searcher or searcher place group can achieve key word Encryption method so that sender do not need to download the identity of multiple searcher or searcher place group public key it is not necessary to Line database of public keys supports, and reduces the network bandwidth and storage overhead.Simultaneously because the query key of corresponding sender's public key is Produced by described KMC, therefore KMC can inquire about and decipher total data, realize centralized close Key escrow function, this function is even more important in company and some government bodies.Step 302 with specific reference to Fig. 3.

The embodiment of the present invention provides a kind of encryption device, and in described encryption device, sender only needs to know the body of searcher Part or searcher place group can achieve the encryption method of key word so that sender does not need to download the body of multiple searcher The public key of part or searcher place group, it is not necessary to online database of public keys supports, reduces the network bandwidth and storage overhead.

Embodiment ten

With reference to Figure 15, Figure 15 is a kind of structure drawing of device of search equipment that the embodiment of the present invention ten provides, described equipment Including with lower unit：

Second acquisition unit 1501 and inquire-receive unit 1502, described second acquisition unit 1501 is used for executing embodiment The step 201 of Fig. 2 in two, described encryption uploading unit 1502 is used for the step 202 executing Fig. 2 in embodiment two.

One of ordinary skill in the art will appreciate that each included by the equipment in the described embodiment of the present invention ten is single Unit is simply divided according to function logic, but is not limited to above-mentioned division, as long as be capable of corresponding function being Can；In addition, the specific name of each functional unit, also only to facilitate mutual distinguish, is not limited to the protection model of the application Enclose.

Second acquisition unit 1501, obtains query key for the identity information according to searcher from KMC, The identity information of described searcher includes the group that the identity information of described single searchers or the plurality of searchers are located Identity information；

Wherein, query key is described KMC according to the identity of described searcher or searcher place group The private key that identity generates.

Inquire-receive unit 1502, generates query token for the query key according to key word and described acquisition, passes through Described query token inquires about the key word ciphertext after encryption from storage server.

The embodiment of the present invention provides a kind of search equipment, and described search equipment passes through said one or multiple key word Mode, it is possible to achieve searcher scans for inquiring about in described storage server to one or more of key words.Lead to simultaneously Cross searcher place group searcher inquiry to be managed and controls, thus realizing the purpose of multi-user's search.

Embodiment 11

With reference to Figure 16, Figure 16 is a kind of structure drawing of device of encryption device that the embodiment of the present invention 11 provides, and described sets Standby include with lower unit：

First acquisition unit 1601 and encryption uploading unit 1602, the first ciphering unit 1603, described first ciphering unit 1603 are used for the step 803 executing embodiment five Fig. 8.

One of ordinary skill in the art will appreciate that each included by the equipment in the described embodiment of the present invention 11 Unit is simply divided according to function logic, but is not limited to above-mentioned division, as long as being capable of corresponding function ?；In addition, the specific name of each functional unit, also only to facilitate mutual distinguish, is not limited to the protection of the application Scope.

First acquisition unit 1601, for obtaining the identity information of searcher and the systematic parameter of KMC, The identity information of described searcher includes the group that the identity information of described single searchers or the plurality of searchers are located Identity information；

Encryption uploading unit 1602, for the identity information according to described searcher and described systematic parameter to key word It is encrypted, and the key word ciphertext after encryption is uploaded to storage server；

First ciphering unit 1603, for the identity information according to described searcher and described systematic parameter encrypting plaintext number According to, and the ciphertext of the clear data after encryption is uploaded to described storage server.

The embodiment of the present invention is all suitable for for searcher or searcher place group, below mainly taking searcher as a example do into One step explanation.The embodiment of the present invention is corresponding with the public key encryption key word that systematic parameter calculates by using the identity of searcher Clear data so that searcher only need to by the corresponding private key of described public key decipher described clear data, Ke Yitong Cross a pair of public key and private key is realized key word and clear data are encrypted so that simple to operate simultaneously simultaneously.Described key management Center is provided simultaneously with inquiring about and decipher the ability of total data, it is possible to achieve centralized data management, to company and some political affairs Mansion office is even more important.

Embodiment 12

With reference to Figure 17, Figure 17 is a kind of structure drawing of device of search equipment that the embodiment of the present invention 12 provides, and described sets Standby include with lower unit：

Second acquisition unit 1701 and inquire-receive unit 1702, the first decryption unit 1703, described first decryption unit 1703 are used for the step 903 executing embodiment six Fig. 9.

One of ordinary skill in the art will appreciate that each included by the equipment in the described embodiment of the present invention 12 Unit is simply divided according to function logic, but is not limited to above-mentioned division, as long as being capable of corresponding function ?；In addition, the specific name of each functional unit, also only to facilitate mutual distinguish, is not limited to the protection of the application Scope.

Second acquisition unit 1701, obtains query key for the identity information according to searcher from KMC, The identity information of described searcher includes the group that the identity information of described single searchers or the plurality of searchers are located Identity information；

Inquire-receive unit 1702, generates query token for the query key according to key word and described acquisition, passes through Described query token inquires about the key word ciphertext after encryption from storage server；

First decryption unit 1703, for according to described query key, to the described clear data according to public key encryption Ciphertext is decrypted, and obtains the clear data after deciphering.

The embodiment of the present invention is corresponding with the public key encryption key word that systematic parameter calculates by using the identity of searcher Clear data so that searcher only need to by the corresponding private key of described public key decipher described ciphertext data, Ke Yitong Cross a pair of public key and private key is realized key word and clear data are encrypted so that simple to operate simultaneously simultaneously.Described key management Center is provided simultaneously with inquiring about and decipher the ability of total data, it is possible to achieve centralized data management, to company and some political affairs Mansion office is even more important.

Embodiment 13

With reference to Figure 18, Figure 18 is a kind of structure drawing of device of encryption device that the embodiment of the present invention 13 provides, and described sets Standby include with lower unit：

First acquisition unit 1801 and encryption uploading unit 1802, the second ciphering unit 1803, described second ciphering unit 1803 are used for the step 1103 executing embodiment seven Figure 11.

One of ordinary skill in the art will appreciate that each included by the equipment in the described embodiment of the present invention 13 Unit is simply divided according to function logic, but is not limited to above-mentioned division, as long as being capable of corresponding function ?；In addition, the specific name of each functional unit, also only to facilitate mutual distinguish, is not limited to the protection of the application Scope.

First acquisition unit 1801, for obtaining the identity information of searcher and the systematic parameter of KMC, The identity information of described searcher includes the group that the identity information of described single searchers or the plurality of searchers are located Identity information；

Encryption uploading unit 1802, for the identity information according to described searcher and described systematic parameter to key word It is encrypted, and the key word ciphertext after encryption is uploaded to storage server；

Second ciphering unit 1803, for the encryption attribute clear data according to described searcher, and will be bright after encryption The ciphertext of civilian data uploads to described storage server.

Embodiment 14

With reference to Figure 19, Figure 19 is a kind of structure drawing of device of search equipment that the embodiment of the present invention 14 provides, and described sets Standby include with lower unit：

Second acquisition unit 1901 and inquire-receive unit 1902, the 3rd acquiring unit 1903, the second decryption unit 1904, Described 3rd acquiring unit 1903 is used for the step 1203 executing Figure 12 in embodiment eight, and described second decryption unit 1904 is used for The step 1204 of Figure 12 in execution embodiment eight.

One of ordinary skill in the art will appreciate that each included by the equipment in the described embodiment of the present invention 14 Unit is simply divided according to function logic, but is not limited to above-mentioned division, as long as being capable of corresponding function ?；In addition, the specific name of each functional unit, also only to facilitate mutual distinguish, is not limited to the protection of the application Scope.

Second acquisition unit 1901, obtains query key for the identity information according to searcher from KMC, The identity information of described searcher includes the group that the identity information of described single searchers or the plurality of searchers are located Identity information；

Inquire-receive unit 1902, generates query token for the query key according to key word and described acquisition, passes through Described query token inquires about the key word ciphertext after encryption from storage server；

3rd acquiring unit 1903, for obtaining institute according to the searcher attribute pre-setting from described KMC State the corresponding data decryption key of attribute；

Second decryption unit 1904, for according to described data decryption key, the basis that described storage server is returned The ciphertext of the described clear data of searcher encryption attribute pre-setting is decrypted, and obtains the clear data after deciphering.

Embodiment 15

With reference to Figure 20, Figure 20 is a kind of structure drawing of device of encryption device that the embodiment of the present invention 15 provides.With reference to figure 20, Figure 20 is a kind of encryption device 2000 provided in an embodiment of the present invention, and the specific embodiment of the invention does not set to described network Standby implementing limits.Described equipment 2000 includes：

Processor (processor) 2001, communication interface (Communications Interface) 2002, memorizer (memory) 2003, bus 2004.

Processor 2001, communication interface 2002, memorizer 2003 completes mutual communication by bus 2004.

Communication interface 2002, for being communicated with other equipment；

Processor 2001, for configuration processor A.

Specifically, program A can include program code, and described program code includes computer-managed instruction.

Processor 2001 is probably a central processor CPU, or specific integrated circuit ASIC（Application Specific Integrated Circuit）, or be arranged to implement the one or more integrated electricity of the embodiment of the present invention Road.

Memorizer 2003, is used for depositing program A.Memorizer 2003 may comprise high-speed RAM memorizer it is also possible to also include Nonvolatile memory（non-volatile memory）, for example, at least one disk memory.Program A specifically can include：

Or program A specifically can include：

The implementing referring to the corresponding units in Figure 14 or Figure 16 or embodiment illustrated in fig. 18 of each unit in program A, This does not repeat.

Embodiment 16

With reference to Figure 21, Figure 21 is a kind of structure drawing of device of search equipment that the embodiment of the present invention 16 provides.With reference to figure 21, Figure 21 is a kind of search equipment 2100 provided in an embodiment of the present invention, and the specific embodiment of the invention does not set to described network Standby implementing limits.Described search equipment 2100 includes：

Processor (processor) 2101, communication interface (Communications Interface) 2102, memorizer (memory) 2103, bus 2104.

Processor 2101, communication interface 2102, memorizer 2103 completes mutual communication by bus 2104.

Communication interface 2102, for being communicated with other equipment；

Processor 2101, for configuration processor A.

Processor 2101 is probably a central processor CPU, or specific integrated circuit ASIC（Application Specific Integrated Circuit）, or be arranged to implement the one or more integrated electricity of the embodiment of the present invention Road.

Memorizer 2103, is used for depositing program A.Memorizer 2103 may comprise high-speed RAM memorizer it is also possible to also include Nonvolatile memory（non-volatile memory）, for example, at least one disk memory.Program A specifically can include：

Or program A specifically can include：

The implementing referring to the corresponding units in Figure 15 or Figure 17 or embodiment illustrated in fig. 19 of each unit in program A, This does not repeat.

The foregoing is only the preferred embodiment of the present invention, do not constitute limiting the scope of the present invention.Any Any modification, equivalent and improvement of being made within the spirit and principles in the present invention etc., should be included in application claims Within the scope of comprising.

Claims

1. one kind can search for encryption method it is characterised in that methods described includes：

Obtain the identity information of searcher and the systematic parameter of KMC, the identity information of described searcher includes list The identity information of the group at the identity information of individual searchers or several searchers place；

Identity information according to described searcher and described systematic parameter are encrypted to key word, and by encryption after key Word ciphertext uploads to storage server；

The described identity information according to described searcher and described systematic parameter are encrypted to key word, including：

Identity information according to described searcher and described systematic parameter calculate the public key encrypting described key word, and according to institute State key word described in the public key encryption calculating.

2. method according to claim 1 is it is characterised in that methods described also includes：

Identity information according to described searcher and described systematic parameter encrypting plaintext data, and by the clear data after encryption Ciphertext uploads to described storage server.

3. method according to claim 2 is it is characterised in that the described identity according to described searcher and described system are joined Number encrypting plaintext data, including：

Identity information according to described searcher and described systematic parameter calculate the public key encrypting described clear data, and according to Clear data described in the described public key encryption calculating.

4. method according to claim 1 is it is characterised in that methods described also includes：

5. a kind of identity-based can search for encryption method it is characterised in that methods described includes：

Identity information according to searcher obtains query key from KMC, and the identity information of described searcher includes list The identity information of the group at the identity information of individual searchers or several searchers place；

Query key according to key word and described acquisition generates query token, by described query token from storage server Key word ciphertext after inquiry encryption；

Described key word ciphertext after described query token inquires about encryption from storage server, including：

6. method according to claim 5 is it is characterised in that the described query key according to key word and described acquisition is given birth to Become query token, including：

When the identity according to searcher place group obtains query key from KMC, search for described in the described direction of search Square place group submits key word, and described searcher place group checks that whether described searcher is the member in group, if so, then described Searcher place group generates query token according to described key word and described query key, and described query token is returned to institute State searcher.

7. method according to claim 5 is it is characterised in that described looked into from storage server by described query token Ask the key word ciphertext after encryption, including：

8. method according to claim 7 is it is characterised in that methods described receives described storage server return in step The ciphertext according to the clear data of public key encryption after, also include：

According to described query key, the ciphertext of the described clear data according to public key encryption is decrypted, after obtaining deciphering Clear data.

9. the method described in the method according to claim 5 to 8 any one, it is characterised in that methods described, is also wrapped Include：

The corresponding data decryption key of described attribute is obtained from described KMC according to the searcher attribute pre-setting.

10. method according to claim 9 it is characterised in that described by described query token from storage server Key word ciphertext after inquiry encryption, including：

Receive the ciphertext of the clear data according to the described searcher encryption attribute pre-setting that described storage server returns.

11. methods according to claim 10 are it is characterised in that methods described is returned in the described storage server of step reception After the ciphertext of the clear data according to the described searcher encryption attribute pre-setting returned, also include：

According to described data decryption key, added according to the described searcher attribute pre-setting to what described storage server returned The ciphertext of close clear data is decrypted, and obtains the clear data after deciphering.

A kind of 12. encryption devices are it is characterised in that described equipment includes：

First acquisition unit, for obtaining the identity information of searcher and the systematic parameter of KMC, described search The identity information of side includes the identity information of single searchers or the identity information of the group at several searchers place；

Encryption uploading unit, carries out to key word adding for the identity information according to described searcher and described systematic parameter Close, and the key word ciphertext after encryption is uploaded to storage server；

Described encryption uploading unit specifically for：

13. equipment according to claim 12 are it is characterised in that described equipment also includes：

First ciphering unit, for the identity information according to described searcher and described systematic parameter encrypting plaintext data, and will The ciphertext of the clear data after encryption uploads to described storage server.

14. equipment according to claim 13 it is characterised in that described first ciphering unit specifically for：

15. equipment according to claim 12 are it is characterised in that described equipment also includes：

Second ciphering unit, for the encryption attribute clear data according to described searcher, and by the clear data after encryption Ciphertext uploads to described storage server.

A kind of 16. search equipment are it is characterised in that described equipment includes：

Second acquisition unit, obtains query key, described search for the identity information according to searcher from KMC The identity information of side includes the identity information of single searchers or the identity information of the group at several searchers place；

Inquire-receive unit, generates query token for the query key according to key word and described acquisition, by described inquiry Token inquires about the key word ciphertext after encryption from storage server；

Key after described query token inquires about encryption from storage server for the execution step in described inquire-receive unit Word ciphertext, including：

17. equipment according to claim 16 are it is characterised in that described inquire-receive unit execution step is according to key word Generate query token with the query key of described acquisition, including：

18. equipment according to claim 16 it is characterised in that described inquire-receive unit, including：

19. equipment according to claim 18 it is characterised in that described equipment also includes the first decryption unit, described One decryption unit specifically for：

20. equipment according to claim 16 to 19 any one are it is characterised in that described equipment also includes the 3rd acquisition Unit, described 3rd acquiring unit specifically for：

21. equipment according to claim 20 it is characterised in that described inquire-receive unit, including：

22. equipment according to claim 21 it is characterised in that described equipment also includes the second decryption unit, described Two decryption unit specifically for：