CN104038349A - Effective and verifiable public key searching encryption method based on KP-ABE - Google Patents

Abstract

The invention discloses an effective and verifiable public key searching encryption method based on the KP-ABE. According to the method, a creditable authority center, a data owner, a cloud server and a data user are included. The creditable authority center generates a certificate for all cloud users; the data owner outsources a data file and a keyword to the cloud server; the cloud server executes searching operation after providing a storage service and receiving a searching request sent by a user; the data user generates a searching password and sends the password to the cloud sever to search for a target file. According to an effective and verifiable public key searching encryption method based on the KP-ABE, a public and private key pair is generated for the data owner and the cloud server, when the ciphertext keyword and the searching command are sent, the public key pair of the cloud sever is used for encrypting the ciphertext keyword and the searching command firstly, the off-line conjecture aggressive behavior of an external attacker is effectively prevented, and the safety of information and data is improved. In addition, complexity is lowered, the calculation amount of the user is largely reduced, and the efficiency is largely improved.

Description

A kind of PKI that effectively can verify based on KP-ABE can be searched for encryption method

Technical field

The invention belongs to field of data encryption, relate in particular to a kind of PKI that effectively can verify based on KP-ABE and can search for encryption method.

Background technology

PKI can be searched for and encrypt is a very attractive cryptography primitive, and it has realized the information retrieval based on ciphertext, is specially adapted to cloud computing environment.PKI can be searched for encipherment scheme (PEKS) and make user rely on keyword in the situation that not revealing any information, to search for enciphered data.The concept of PEKS is by propositions such as Boneh, and the people such as Baek have proposed a kind of PEKS that removes escape way, make scheme more practical.After this, the people such as the people such as Hu and Zhao has proposed to resist new departure of external attacker off-line keyword conjecture.In brief, the concept of PEKS is to provide that a kind of user relies on keyword removal search enciphered data and not to comprising that its other party of server reveals the mechanism of any information.Along with the fast development of cloud computing, make user to use a large amount of storages of Cloud Server and the ability of calculating with cheap price.This makes PEKS become more popular.Although at present existing PEKS can complete search operation safely and effectively, however the Search Results that most variations is not returned server verify, search subscriber is not limited simultaneously yet.Under the model of one and half honest but believable servers, server may an operating part search operation or returning part Search Results only.For this problem, the people such as Zheng have proposed a new cryptography primitive---the keyword search scheme of verifying based on encryption attribute for this problem first.This scheme allows data owner to remove to control search operation.The validated user of access control policy time-consuming search operation can be contracted out to Cloud Server and effectively authentication server whether carried out truly search operation.This means, the user who possesses the condition of the access strategy that meets data owner just can search for the enciphered data on Cloud Server.In addition the Search Results that, user can also return server carries out the checking of correctness and integrality.This scheme is used module exponent, encryption attribute, and Bloom filter, digital signature and the structure of the keyword search based on encryption attribute form.Yet the operation that this scheme is done in verification of correctness is identical with the way of Cloud Server, yet for user oneself, this needs very large amount of calculation.In addition, this scheme has been neglected off-line guessing attack.Because keyword ciphertext, search password and algorithm are easy to be obtained by opponent, opponent just can carry out search operation like this, thereby breaks the indistinguishability of keyword ciphertext.

Summary of the invention

The object of the present invention is to provide a kind of PKI that effectively can verify based on KP-ABE can search for encryption method, be intended to greatly reduce user's operand aspect verification of correctness, utilize the PKI of server to encrypt again keyword ciphertext, prevent the off-line guessing attack of external attacker, improve the fail safe of scheme.

Symbol description:

F={F ₁|| { F ₂|| ... || { F _n}: the set of encrypt file;

ID{F _i}: file { F _iaddress;

ID _w: the address of the file that comprises keyword w;

W _e: the ciphertext of W;

BF: the Bloom filter that comprises all keywords;

SYM _enc(): symmetric encipherment algorithm;

ABE (): the encryption attribute algorithm based on key strategy.

The present invention realizes like this, the PKI that effectively can verify based on KP-ABE can be searched for an encryption method, and the described PKI that effectively can verify based on KP-ABE can be searched for encryption method and comprise trusted authority center, data owner, Cloud Server, data user; Trusted authority center choose bilinearity to and hash function, be that system generates public ginseng pm and master key mk; By operation RSA Algorithm, be data owner and Cloud Server generation public private key pair; By Share (T, the ac) algorithm in access structure, for user generates private key sk; Data owner extracts keyword w from the data file F of outsourcing; Outsourcing F, and generate keyword w ciphertext cph and send to Cloud Server; The data that Cloud Server sends data owner provide stores service and after receiving the search password tk that user sends, carry out search, and Search Results and search evidence are returned to user; Data user generates search password tk and sends to Cloud Server with private key sk; After receiving the Search Results that Cloud Server returns, the correctness of result and integrality are verified;

The described PKI that effectively can verify based on KP-ABE can be searched for encryption method and comprise six algorithms, and l is security parameter, and trusted authority center operation RSA Algorithm is that Cloud Server and data owner generate public private key pair: { (n ₁, e ₁), d ₁and { (n ₂, e ₂), d ₂; Data owner guarantees the integrality of data file by digital signature, ciphertext keyword is encrypted to prevent again the off-line guessing attack of external attacker, as data owner SYM with the PKI of Cloud Server _enc() cryptographic algorithm is contracted out to Cloud Server after to data file encryption, and server returns to the address of encrypt file, is designated as ID{F _i, the data file that comprises like this keyword w can be expressed as ID _w=ID{F ₁|| ID{F ₂... || ID{F _i.

Further, described PKI can be searched for encryption method and specifically comprises:

Trusted authority center choose bilinearity to and hash function, for searching for encryption system: trusted authorization centre management data owner, user and Cloud Server;

Data owner is sent to Cloud Server by data file;

Cloud Server provides storage and retrieval service;

User searches for data file stored thereon by Cloud Server;

Trusted authority center generates public ginseng pm and master key mk; By moving following RSA Algorithm:

Press following 3 steps:

I) select different large prime number p and q, calculate n=p*q;

Ii) select e with coprime, (n, e) is as PKI;

Iii) pass through calculate d, (n, d) is as private key;

Here number n, e, d is respectively modulus, encryption exponent and decryption exponent;

According to this algorithm, choose different large prime number p ₁and q ₁, p ₂and q ₂, be data owner and server generation public private key pair { (n ₁, e ₁), d ₁and { (n ₂, e ₂), d ₂;

By Share (T, the ac) algorithm in access structure, as follows:

Each leaf node of access tree T associated the part of secret ac share q _v(0),, to each leaf node v ∈ lvs (T), choose t ← Z _p, calculate and B _v=g ^t, note sk=(T, A _v, B _v) | v ∈ lvs (T)) be user's private key.

Further, the described PKI that effectively can verify based on KP-ABE can be searched for encryption method and comprise six algorithms, and l is security parameter, and trusted authority center operation RSA Algorithm is that Cloud Server and data owner generate public private key pair: { (n ₁, e ₁), d ₁and { (n ₂, e ₂), d ₂.Data owner guarantees the integrality of data file by digital signature, ciphertext keyword is encrypted to prevent again the off-line guessing attack of external attacker, as data owner SYM with the PKI of Cloud Server _enc() cryptographic algorithm is contracted out to Cloud Server after to data file encryption, and server returns to the address of encrypt file, is designated as ID{F _i, the data file that comprises like this keyword w can be expressed as ID _w=ID{F ₁|| ID{F ₂... || ID{F _i.

Further, the described PKI that effectively can verify based on KP-ABE can be searched for the concrete scheme of encryption method and is:

Step 1, initialization (1 ^l): bilinearity pair: e:G * G → G is selected at trusted authority center _t, G and G _tbe that rank are the cyclic group of p, p is the primitive element of l bit long, selects the hash function H under random oracle ₁: { 0,1} ^*→ G; H ₂: { 0,1} ^*→ Z _pbe one-way Hash function, select a, b, c ← Z _p, g ← G, pm=(H ₁, H ₂, e, g, p, g ^a, g ^b, g ^c, G, G _t), mk=(a, b, c)

Then choose k independently hash function H ₁' ..., H' _k, be used for the Bloom filter BF of structure m bit of m bit to send to data owner, be that data owner and Cloud Server generate public private key pair { (n ₁, e ₁), d ₁and { (n ₂, e ₂), d ₂;

Step 2, key generate (mk, T): Share (T, ac) algorithm is carried out at trusted authority center, and each leaf node of access tree T can obtain the part of relevant secret ac and share q _v(0),, to each leaf node v ∈ lvs (T), choose t ← Z _p, calculate and B _v=g ^t, note private key sk=(T, A _v, B _v) | v ∈ lvs (T));

Step 3, the encryption to keyword and file address: the hash function that (w, atts, ID (w)) data owner sends by trusted authority center generates Bloom filter, BF ← BFGen ({ H ₁' ..., H' _k, { w ₁..., w _l), to containing keyword w data file address ID _wand Bloom filter, SYM _enc() cryptographic algorithm is encrypted, and symmetric key is sk ₁:

BF _Enc＝SYM(BF),(ID _w) _Enc＝SYM(ID _w)；

User data owner is to ABF _enc(ID _w) _encsign: $A={\mathrm{BF}}_{\mathrm{Enc}}\left|\right|\mathrm{sig}\left({\mathrm{BF}}_{\mathrm{Enc}}\right)={\mathrm{BF}}_{\mathrm{Enc}}\left|\right|{\left({\mathrm{BF}}_{\mathrm{Enc}}\right)}^{d_1},B={\left({\mathrm{ID}}_w\right)}_{\mathrm{Enc}}\left|\right|\mathrm{sig}{\left({\mathrm{ID}}_w\right)}_{\mathrm{Enc}}={\left({\mathrm{ID}}_w\right)}_{\mathrm{Enc}}\left|\right|{\left({\left({\mathrm{ID}}_w\right)}_{\mathrm{Enc}}\right)}^{d_1}$ To sk ₁by ABE () cryptographic algorithm, be encrypted: C=ABE (sk ₁);

After search finishes, the validated user that attribute meets access strategy just can be deciphered C and obtain sk ₁, and then file destination is obtained in deciphering;

Select r ₁, r ₂← Z _p, calculate $W^{\′}=g^{{\mathrm{cr}}_1},W=g^{a(r_1+r_2)}{g}^{b{H}_2\left(w\right)r_1};$ F=(f ₁, f ₂) wherein $f_1=g^{a(r_1+r_2)},f_2=g^{{\mathrm{br}}_1},W_0=g^{r_2},$ To each at _j∈ Atts, calculates $W_j=H_1{\left({\mathrm{at}}_j\right)}^{r_2},$ With the PKI of server, W is encrypted and obtained $W_E=W^{e_2}={\left(g^{a(r_1+r_2)}{g}^{{\mathrm{bH}}_2\left(w\right)r_1}\right)}^{e_2},$ Can remember that like this ciphertext keyword is: cph=(Atts, W', W _e, W ₀, W _j, F, A, B, C);

Step 4, generation search password (sk, w): select s ← Z _p, each leaf node v ∈ lvs (T) is calculated $A_v^{\′}=A_v^s,B_v^{\′}=B_v^s,$ Search password is ${\mathrm{tok}}_1={\left(g^a{g}^{{\mathrm{bH}}_2\left(w\right)}\right)}^s,$ Tok ₂=g ^cs, use the PKI of server to tok ₂be encrypted: note tk=(tok ₁, (tok ₂) _enc, T, (A' _v, B' _v) | v ∈ lvs (T));

Step 5, search (tk, cph): server is chosen the access tree that property set S meets appointment in search password from cph, if such S set does not exist, returns to 0; Otherwise, to each at _j∈ S, calculates $E_v=e(A_v^{\′},W_0)/e(B_v^{\′},W_j)=e{(g,g)}^{{\mathrm{sr}}_2{q}_v\left(0\right)}\mathrm{att}\left(v\right)={\mathrm{at}}_j,v\∈\mathrm{lvs}\left(T\right),$ In conjunction with (T, E _v| att (v) ∈ S), calculate $e{(g,g)}^{{\mathrm{sr}}_2{q}_v\left(0\right)}=e{(g,g)}^{{\mathrm{sr}}_2{q}_{\mathrm{root}}\left(0\right)},$ And then $E_{\mathrm{root}}=e{(g,g)}^{{\mathrm{acsr}}_2}$ The private key deciphering W of oneself for server _e, (tok ₂) _encobtain W and tok ₂if, e (W', tok ₁) E _root=e (W, tok ₂), return W, F, A, B, C} is to user; Otherwise, only return to A;

Step 6, checking W, and F, A, B, C} data user receives after the Search Results that Cloud Server returns, and carries out verification operation.

Further, the concrete grammar of described verification operation is:

The existence of step 1, searched key word: when data user only receives the A that Cloud Server returns, if first verify with data owner's PKI A by checking; C is decrypted to operation and obtains symmetric key sk ₁, deciphering A obtains Bloom filter BF, if BF (w)=0 means the keyword that does not exist user to search on Cloud Server, otherwise rejection returns results;

The correctness of step 2, searched key word: data user receive W, F, A, B, during C}, calculates W/f ₁with if illustrate correctly, otherwise explanation is error result;

Step 3, the integrality of data file address that comprises keyword w: when data user has verified after the correctness of keyword, then B is verified, if by deciphering C, obtain sk ₁, and then obtain target data file.

Further, the described PKI that effectively can verify based on KP-ABE can be searched for being analyzed as follows of correctness of encryption method:

Step 1, search coupling correctness:

Cloud Server, after receiving data user's searching request, is carried out search operation, first with the private key of oneself, ciphertext keyword and search password is decrypted, and with RSA Algorithm, then, carries out following matching operation:

$\begin{array}{c}e(W^{\′},{\mathrm{tok}}_1)E_{\mathrm{root}}={e(g^{{\mathrm{cr}}_1},\left(g^a{g}^{{\mathrm{bH}}_2\left(w\right)}\right))}^s=\\ e{(g,g)}^{\mathrm{acs}(r_1+r_2)}e{(g,g)}^{{\mathrm{bcsH}}_2\left(w\right)r_1};\end{array}$

$\begin{array}{c}e(W,{\mathrm{tok}}_2)={e\left(g^{a(r_1+r_2)}{g}^{{\mathrm{bH}}_2\left(w_1\right)r_1},g^{\mathrm{cs}})\right)}^s=\\ e{(g,g)}^{\mathrm{acs}(r_1+r_2)}e{(g,g)}^{{\mathrm{bcsH}}_2\left(w_1\right)r_1}.\end{array}$

If w and w ₁same keyword, e (W', tok so ₁) E _rootand e (W, tok ₂) be exactly what equate, illustrate and search for successfully;

Step 2, proving correctness:

When data user receive the Search Results that Cloud Server returns W, F, A, B, during C}, first will verify the correctness of keyword, finds f in F ₁, f ₂, do to calculate as follows:

$W/f_1=g^{a(r_1+r_2)}{g}^{b{H}_2\left(w\right)r_1}/g^{a(r_1+r_2)}=g^{{\mathrm{bH}}_2\left(w\right)r_1}$

The cryptographic Hash H of the keyword that user searches for oneself ₂(w ₁) be calculated as follows:

$f_2^{H_2\left(w_1\right)}=g^{{\mathrm{bH}}_2\left(w_1\right)r_1}$

If w and w ₁while being same keyword, equate, illustrate, Search Results is correct, after this, carrys out correctness and the integrality of verification msg file address by signature.

effect gathers

The PKI that effectively can verify based on KP-ABE of the present invention can be searched for encryption method, first generated public private key pair for data owner and Cloud Server, when sending ciphertext keyword and search password, first use the PKI of Cloud Server to encrypt again it, so effectively prevented the off-line guessing attack behavior of external attacker, the fail safe that has improved scheme, and, reduced complexity, has greatly reduced user's operand, and efficiency has obtained large increase.

Accompanying drawing explanation

Fig. 1 is that the PKI that effectively can verify based on KP-ABE that the embodiment of the present invention provides can be searched for the model schematic diagram of encryption method;

Fig. 2 is that the present invention and the contrast scheme that the embodiment of the present invention provides carried out the comparison diagram of the running time of verification of correctness.

Embodiment

In order to make object of the present invention, technical scheme and advantage clearer, below in conjunction with drawings and Examples, the present invention is further elaborated.Should be appreciated that specific embodiment described herein, only in order to explain the present invention, is not intended to limit the present invention.

The present invention is achieved in that as shown in Figure 1, and a kind of PKI that effectively can verify based on KP-ABE can be searched for encryption method and comprise trusted authority center, data owner, Cloud Server, data user; Trusted authority center is that all cloud users Generate Certificate; Data owner's outsourcing data file and keyword are to Cloud Server; Cloud Server is to provide stores service and carries out search operation after receiving the searching request that user sends; Data user generates search password and sends to Cloud Server to find file destination.

Further, described PKI can be searched for encryption method and specifically comprises:

Trusted authority center choose bilinearity to and hash function, for searching for encryption system: trusted authorization centre management data owner, user and Cloud Server;

Data owner is sent to Cloud Server by data file;

Cloud Server provides storage and retrieval service;

User searches for data file stored thereon by Cloud Server;

Trusted authority center generates public ginseng pm and master key mk; By moving following RSA Algorithm:

Press following 3 steps:

I) select different large prime number p and q, calculate n=p*q;

Ii) select e with coprime, (n, e) is as PKI;

Iii) pass through calculate d, (n, d) is as private key;

Here number n, e, d is respectively modulus, encryption exponent and decryption exponent;

According to this algorithm, choose different large prime number p ₁and q ₁, p ₂and q ₂, be data owner and server generation public private key pair { (n ₁, e ₁), d ₁and { (n ₂, e ₂), d ₂;

By Share (T, the ac) algorithm in access structure, as follows:

Each leaf node of access tree T associated the part of secret ac share q _v(0),, to each leaf node v ∈ lvs (T), choose t ← Z _p, calculate and B _v=g ^t, note sk=(T, A _v, B _v) | v ∈ lvs (T)) be user's private key.

Further, the described PKI that effectively can verify based on KP-ABE can be searched for encryption method and comprise six algorithms, and l is security parameter, and trusted authority center operation RSA Algorithm is that Cloud Server and data owner generate public private key pair: { (n ₁, e ₁), d ₁and { (n ₂, e ₂), d ₂, data owner guarantees the integrality of data file by digital signature, ciphertext keyword is encrypted to prevent again the off-line guessing attack of external attacker, as data owner SYM with the PKI of Cloud Server _enc() cryptographic algorithm is contracted out to Cloud Server after to data file encryption, and server returns to the address of encrypt file, is designated as ID{F _i, the data file that comprises like this keyword w can be expressed as ID _w=ID{F ₁|| ID{F ₂... || ID{F _i.

Further, the described PKI that effectively can verify based on KP-ABE can be searched for the concrete scheme of encryption method and is:

Step 1, initialization (1 ^l): bilinearity pair: e:G * G → G is selected at trusted authority center _t, G and G _tbe that rank are the cyclic group of p, p is the primitive element of l bit long, selects the hash function H under random oracle ₁: { 0,1} ^*→ G; H ₂: { 0,1} ^*→ Z _pbe one-way Hash function, select a, b, c ← Z _p, g ← G, pm=(H ₁, H ₂, e, g, p, g ^a, g ^b, g ^c, G, G _t), mk=(a, b, c)

Then choose k independently hash function H ₁' ..., H' _k, be used for the Bloom filter BF of structure m bit of m bit to send to data owner, be that data owner and Cloud Server generate public private key pair { (n ₁, e ₁), d ₁and { (n ₂, e ₂), d ₂;

Step 2, key generate (mk, T): Share (T, ac) algorithm is carried out at trusted authority center, and each leaf node of access tree T can obtain the part of relevant secret ac and share q _v(0),, to each leaf node v ∈ lvs (T), choose t ← Z _p, calculate and B _v=g ^t, note private key sk=(T, A _v, B _v) | v ∈ lvs (T));

Step 3, the encryption to keyword and file address: the hash function that (w, atts, ID (w)) data owner sends by trusted authority center generates Bloom filter, BF ← BFGen ({ H ₁' ..., H' _k, { w ₁..., w _l), to containing keyword w data file address ID _wand Bloom filter, SYM _enc() cryptographic algorithm is encrypted, and symmetric key is sk ₁:

BF _Enc＝SYM(BF),(ID _w) _Enc＝SYM(ID _w)；

User data owner is to ABF _enc(ID _w) _encsign: $A={\mathrm{BF}}_{\mathrm{Enc}}\left|\right|\mathrm{sig}\left({\mathrm{BF}}_{\mathrm{Enc}}\right)={\mathrm{BF}}_{\mathrm{Enc}}\left|\right|{\left({\mathrm{BF}}_{\mathrm{Enc}}\right)}^{d_1},B={\left({\mathrm{ID}}_w\right)}_{\mathrm{Enc}}\left|\right|\mathrm{sig}{\left({\mathrm{ID}}_w\right)}_{\mathrm{Enc}}={\left({\mathrm{ID}}_w\right)}_{\mathrm{Enc}}\left|\right|{\left({\left({\mathrm{ID}}_w\right)}_{\mathrm{Enc}}\right)}^{d_1}$ To sk ₁by ABE () cryptographic algorithm, be encrypted: C=ABE (sk ₁);

After search finishes, the validated user that attribute meets access strategy just can be deciphered C and obtain sk ₁, and then file destination is obtained in deciphering;

Select r ₁, r ₂← Z _p, calculate $W^{\′}=g^{{\mathrm{cr}}_1},W=g^{a(r_1+r_2)}{g}^{b{H}_2\left(w\right)r_1};$ F=(f ₁, f ₂) wherein $f_1=g^{a(r_1+r_2)},f_2=g^{{\mathrm{br}}_1},W_0=g^{r_2},$ To each at _j∈ Atts, calculates $W_j=H_1{\left({\mathrm{at}}_j\right)}^{r_2},$ With the PKI of server, W is encrypted and obtained $W_E=W^{e_2}={\left(g^{a(r_1+r_2)}{g}^{{\mathrm{bH}}_2\left(w\right)r_1}\right)}^{e_2},$ Can remember that like this ciphertext keyword is: cph=(Atts, W', W _e, W ₀, W _j, F, A, B, C);

Step 4, generation search password (sk, w): select s ← Z _p, each leaf node v ∈ lvs (T) is calculated $A_v^{\′}=A_v^s,B_v^{\′}=B_v^s,$ Search password is ${\mathrm{tok}}_1={\left(g^a{g}^{{\mathrm{bH}}_2\left(w\right)}\right)}^s,$ Tok ₂=g ^cs, use the PKI of server to tok ₂be encrypted: note tk=(tok ₁, (tok ₂) _enc, T, (A' _v, B' _v) | v ∈ lvs (T));

Step 5, search (tk, cph): server is chosen the access tree that property set S meets appointment in search password from cph, if such S set does not exist, returns to 0; Otherwise, to each at _j∈ S, calculates $E_v=e(A_v^{\′},W_0)/e(B_v^{\′},W_j)=e{(g,g)}^{{\mathrm{sr}}_2{q}_v\left(0\right)}\mathrm{att}\left(v\right)={\mathrm{at}}_j,v\∈\mathrm{lvs}\left(T\right),$ In conjunction with (T, E _v| att (v) ∈ S), calculate $e{(g,g)}^{{\mathrm{sr}}_2{q}_v\left(0\right)}=e{(g,g)}^{{\mathrm{sr}}_2{q}_{\mathrm{root}}\left(0\right)},$ And then $E_{\mathrm{root}}=e{(g,g)}^{{\mathrm{acsr}}_2}$ The private key deciphering W of oneself for server _e, (tok ₂) _encobtain W and tok ₂if, e (W', tok ₁) E _root=e (W, tok ₂), return W, F, A, B, C} is to user; Otherwise, only return to A;

Step 6, checking W, and F, A, B, C} data user receives after the Search Results that Cloud Server returns, and carries out verification operation.

Further, the concrete grammar of described verification operation is:

The existence of step 1, searched key word: when data user only receives the A that Cloud Server returns, if first verify with data owner's PKI A by checking; C is decrypted to operation and obtains symmetric key sk ₁, deciphering A obtains Bloom filter BF, if BF (w)=0 means the keyword that does not exist user to search on Cloud Server, otherwise rejection returns results;

The correctness of step 2, searched key word: data user receive W, F, A, B, during C}, calculates W/f ₁with if illustrate correctly, otherwise explanation is error result;

Step 3, the integrality of data file address that comprises keyword w: when data user has verified after the correctness of keyword, then B is verified, if by deciphering C, obtain sk ₁, and then obtain target data file.

Further, the described PKI that effectively can verify based on KP-ABE can be searched for being analyzed as follows of correctness of encryption method:

Step 1, search coupling correctness:

Cloud Server, after receiving data user's searching request, is carried out search operation, first with the private key of oneself, ciphertext keyword and search password is decrypted, and with RSA Algorithm, then, carries out following matching operation:

$\begin{array}{c}e(W^{\′},{\mathrm{tok}}_1)E_{\mathrm{root}}={e(g^{{\mathrm{cr}}_1},\left(g^a{g}^{{\mathrm{bH}}_2\left(w\right)}\right))}^s=\\ e{(g,g)}^{\mathrm{acs}(r_1+r_2)}e{(g,g)}^{{\mathrm{bcsH}}_2\left(w\right)r_1};\end{array}$

$\begin{array}{c}e(W,{\mathrm{tok}}_2)={e\left(g^{a(r_1+r_2)}{g}^{{\mathrm{bH}}_2\left(w_1\right)r_1},g^{\mathrm{cs}})\right)}^s=\\ e{(g,g)}^{\mathrm{acs}(r_1+r_2)}e{(g,g)}^{{\mathrm{bcsH}}_2\left(w_1\right)r_1}.\end{array}$

If w and w ₁same keyword, e (W', tok so ₁) E _rootand e (W, tok ₂) be exactly what equate, illustrate and search for successfully;

Step 2, proving correctness:

When data user receive the Search Results that Cloud Server returns W, F, A, B, during C}, first will verify the correctness of keyword, finds f in F ₁, f ₂, do to calculate as follows:

$W/f_1=g^{a(r_1+r_2)}{g}^{b{H}_2\left(w\right)r_1}/g^{a(r_1+r_2)}=g^{{\mathrm{bH}}_2\left(w\right)r_1}$

The cryptographic Hash H of the keyword that user searches for oneself ₂(w ₁) be calculated as follows:

$f_2^{H_2\left(w_1\right)}=g^{{\mathrm{bH}}_2\left(w_1\right)r_1}$

If w and w ₁while being same keyword, W/f ₁with equate, illustrate, Search Results is correct, after this, carrys out correctness and the integrality of verification msg file address by signature.

By the present invention and document " Verifiable attribute-based keyword search over outsourced encrypted data " (Q.Zheng, Xu, S.Ateniese, G.:Vabks, IACR Cryptology ePrint Archive2013 (2013)) scheme in contrasts, in the solution of the present invention, first generated public private key pair for data owner and Cloud Server, when sending ciphertext keyword and search password, first use the PKI of Cloud Server to encrypt again it, so effectively prevented the off-line guessing attack behavior of external attacker.This does not relate in contrast.In addition, with the contrast of contrast scheme, operation and Cloud Server that contrast scheme is carried out when proving correctness are identical, and method therefor of the present invention has obvious advantage, as shown in table 1:

Table 1

BF represents Bloom filter; What complexity was considered here is asymptotic complexity, is mainly Pair and E _t.Pair represents that bilinearity is to computing; E _trepresent group G _tin exponent arithmetic; The quantity of the attribute of S representative of consumer.The same with contrast scheme, because multiplying and Hash operation be compared with computing and exponent arithmetic are got up, complexity is lower.So when complexity is discussed, ignored multiplying and Hash operation.

The correctness of the Search Results that user returns server is verified:

C Programming with Pascal Language, adopts Ubuntu Linux12.04 system.Computer is configured to: Intel (R) Core (TM) i3-3240Cpu, 2GBRAM.Based on to the cryptographic algorithm of computing (PBC) laboratory 0.514 version.All experimental results are got is the empirical average value of 50 times.Chosen respectively the mould length of 512 bit long and 1024 bit long, 10 to 50 of number of attributes scopes.Finally, as shown in Figure 2, experimental result demonstration, verification method efficiency of the present invention is high, has stronger practicality.

Fig. 2 shows the running time of the solution of the present invention and contrast scheme execution verification of correctness.Compare than scheme, can not change along with the increase of number of attributes the present invention program's running time, further illustrates practicality of the present invention.Oblique stroke in figure is representing interruption in the vertical direction, and the ORIGIN8.0 of being software used herein carries out data analysis mapping.

Although above-mentioned, by reference to the accompanying drawings the specific embodiment of the present invention is described; but be not limiting the scope of the invention; one of ordinary skill in the art should be understood that; on the basis of technical scheme of the present invention, those skilled in the art do not need to pay various modifications that performing creative labour can make or distortion still within protection scope of the present invention.

Claims (6)

1. the PKI that effectively can verify based on KP-ABE can be searched for an encryption method, it is characterized in that, the described PKI that effectively can verify based on KP-ABE can be searched for encryption method and comprise the following steps:

Data owner extracts keyword w from the data file F of outsourcing; Outsourcing F, and generate keyword w ciphertext cph and send to Cloud Server;

The data that Cloud Server sends data owner provide stores service and after receiving the search password tk that user sends, carry out search, and Search Results and search evidence are returned to user;

Data user generates search password tk and sends to Cloud Server with private key sk; After receiving the Search Results that Cloud Server returns, the correctness of result and integrality are verified.

2. the PKI that effectively can verify based on KP-ABE as claimed in claim 1 can be searched for encryption method, it is characterized in that, described PKI can be searched for encryption method and specifically comprise:

Can search for encryption system: trusted authorization centre management data owner, user and Cloud Server;

Data owner is sent to Cloud Server by data file;

Cloud Server provides storage and retrieval service;

User searches for data file stored thereon by Cloud Server;

Trusted authority center choose bilinearity to and hash function, and generate public ginseng pm and master key mk; By moving following RSA Algorithm:

Press following 3 steps:

I) select different large prime number p and q, calculate n=p*q;

Ii) select e with coprime, (n, e) is as PKI;

Iii) pass through calculate d, (n, d) is as private key;

Here number n, e, d is respectively modulus, encryption exponent and decryption exponent;

According to this algorithm, choose different large prime number p ₁and q ₁, p ₂and q ₂, be data owner and server generation public private key pair { (n ₁, e ₁), d ₁and { (n ₂, e ₂), d ₂;

By Share (T, the ac) algorithm in access structure, as follows:

Each leaf node of access tree T associated the part of secret ac share q _v(0),, to each leaf node v ∈ lvs (T), choose t ← Z _p, calculate and B _v=g ^t, note sk=(T, A _v, B _v) | v ∈ lvs (T)) be user's private key.

3. the PKI that effectively can verify based on KP-ABE as claimed in claim 1 can be searched for encryption method, it is characterized in that, the described PKI that effectively can verify based on KP-ABE can be searched for encryption method and comprise: initialization, key generate, the encryption of keyword and file address, generation are searched for to password, search, checking; The method is mainly used in the search to a large amount of enciphered datas in cloud computing.

4. the PKI that effectively can verify based on KP-ABE as claimed in claim 1 can be searched for encryption method, it is characterized in that, the concrete scheme that the described PKI that effectively can verify based on KP-ABE can be searched for encryption method is:

Trusted authority center operation RSA Algorithm is that Cloud Server and data owner generate public private key pair: { (n ₁, e ₁), d ₁and { (n ₂, e ₂), d ₂; Data owner guarantees the integrality of data file by digital signature; With the PKI of Cloud Server, ciphertext keyword is encrypted to prevent again the off-line guessing attack of external attacker, as data owner SYM _enc() cryptographic algorithm is contracted out to Cloud Server after to data file encryption, and server returns to the address of encrypt file, is designated as ID{F _i, the data file that comprises like this keyword w can be expressed as ID _w=ID{F ₁|| ID{F ₂... || ID{F _i; Specifically comprise:

Step 1, initialization (1 ^l): bilinearity pair: e:G * G → G is selected at trusted authority center _t, G and G _tbe that rank are the cyclic group of p, p is the primitive element of l bit long, selects the hash function H under random oracle ₁: { 0,1} ^*→ G; H ₂: { 0,1} ^*→ Z _pbe one-way Hash function, select a, b, c ← Z _p, g ← G,

pm＝(H ₁,H ₂,e,g,p,g ^a,g ^b,g ^c,G,G _T),

mk＝(a,b,c)

Then choose k independently hash function H ₁' ..., H' _k, be used for the Bloom filter BF of structure m bit of m bit to send to data owner, be that data owner and Cloud Server generate public private key pair { (n ₁, e ₁), d ₁and { (n ₂, e ₂), d ₂;

Step 2, key generate (mk, T): Share (T, ac) algorithm is carried out at trusted authority center, and each leaf node of access tree T can obtain the part of relevant secret ac and share q _v(0),, to each leaf node v ∈ lvs (T), choose t ← Z _p, calculate and B _v=g ^t, note private key sk=(T, A _v, B _v) | v ∈ lvs (T));

Step 3, the encryption to keyword and file address: the hash function that (w, atts, ID (w)) data owner sends by trusted authority center generates Bloom filter, BF ← BFGen ({ H ₁' ..., H' _k, { w ₁..., w _l), to containing keyword w data file address ID _wand Bloom filter, SYM _enc() cryptographic algorithm is encrypted, and symmetric key is sk ₁:

BF _Enc＝SYM(BF),(ID _w) _Enc＝SYM(ID _w)；

User data owner is to BF _enc(ID _w) _encsign: $A={\mathrm{BF}}_{\mathrm{Enc}}\left|\right|\mathrm{sig}\left({\mathrm{BF}}_{\mathrm{Enc}}\right)={\mathrm{BF}}_{\mathrm{Enc}}\left|\right|{\left({\mathrm{BF}}_{\mathrm{Enc}}\right)}^{d_1},B={\left({\mathrm{ID}}_w\right)}_{\mathrm{Enc}}\left|\right|\mathrm{sig}{\left({\mathrm{ID}}_w\right)}_{\mathrm{Enc}}={\left({\mathrm{ID}}_w\right)}_{\mathrm{Enc}}\left|\right|{\left({\left({\mathrm{ID}}_w\right)}_{\mathrm{Enc}}\right)}^{d_1}$ To sk ₁by ABE () cryptographic algorithm, be encrypted: C=ABE (sk ₁);

After search finishes, the validated user that attribute meets access strategy just can be deciphered C and obtain sk ₁, and then file destination is obtained in deciphering;

Select r ₁, r ₂← Z _p, calculate $W^{\′}=g^{{\mathrm{cr}}_1},W=g^{a(r_1+r_2)}{g}^{b{H}_2\left(w\right)r_1};$ F=(f ₁, f ₂) wherein $f_1=g^{a(r_1+r_2)},f_2=g^{{\mathrm{br}}_1},W_0=g^{r_2},$ To each at _j∈ Atts, calculates $W_j=H_1{\left({\mathrm{at}}_j\right)}^{r_2},$ With the PKI of server, W is encrypted and obtained $W_E=W^{e_2}={\left(g^{a(r_1+r_2)}{g}^{{\mathrm{bH}}_2\left(w\right)r_1}\right)}^{e_2},$ Can remember that like this ciphertext keyword is:

cph＝(Atts,W',W _E,W ₀,W _j,F,A,B,C)；

Step 4, generation search password (sk, w): select s ← Z _p, each leaf node v ∈ lvs (T) is calculated $A_v^{\′}=A_v^s,B_v^{\′}=B_v^s,$ Search password is ${\mathrm{tok}}_1={\left(g^a{g}^{{\mathrm{bH}}_2\left(w\right)}\right)}^s,$ Tok ₂=g ^cs, use the PKI of server to tok ₂be encrypted: note tk=(tok ₁, (tok ₂) _enc, T, (A' _v, B' _v) | v ∈ lvs (T));

Step 5, search (tk, cph): server is chosen the access tree that property set S meets appointment in search password from cph, if such S set does not exist, returns to 0; Otherwise, to each at _j∈ S, calculates $E_v=e(A_v^{\′},W_0)/e(B_v^{\′},W_j)=e{(g,g)}^{{\mathrm{sr}}_2{q}_v\left(0\right)}\mathrm{att}\left(v\right)={\mathrm{at}}_j,v\∈\mathrm{lvs}\left(T\right),$ In conjunction with (T, E _v| att (v) ∈ S), calculate $e{(g,g)}^{{\mathrm{sr}}_2{q}_v\left(0\right)}=e{(g,g)}^{{\mathrm{sr}}_2{q}_{\mathrm{root}}\left(0\right)},$ And then $E_{\mathrm{root}}=e{(g,g)}^{{\mathrm{acsr}}_2}$ The private key deciphering W of oneself for server _e, (tok ₂) _encobtain W and tok ₂if, e (W', tok ₁) E _root=e (W, tok ₂), return W, F, A, B, C} is to user; Otherwise, only return to A;

Step 6, checking { W, F, A, B, C}: data user receives after the Search Results that Cloud Server returns, and carries out verification operation.

5. the PKI that effectively can verify based on KP-ABE as claimed in claim 1 can be searched for encryption method, it is characterized in that, the concrete grammar of described verification operation is:

The existence of step 1, searched key word: when data user only receives the A that Cloud Server returns, first with data owner's PKI, A is verified; If by checking; C is decrypted to operation and obtains symmetric key sk ₁, deciphering A obtains Bloom filter BF, if BFverify (w)=0 means the keyword that does not exist user to search on Cloud Server, otherwise rejection returns results;

The correctness of step 2, searched key word: data user receive W, F, A, B, during C}, calculates W/f ₁with if illustrate correctly, otherwise explanation is error result;

Step 3, the integrality of data file address that comprises keyword w: when data user has verified after the correctness of keyword, then B is verified, if by deciphering C, obtain sk ₁, and then obtain target data file.

6. the PKI that effectively can verify based on KP-ABE as claimed in claim 1 can be searched for encryption method, it is characterized in that, the described PKI that effectively can verify based on KP-ABE can be searched for being analyzed as follows of correctness of encryption method:

Step 1, search coupling correctness:

Cloud Server, after receiving data user's searching request, is carried out search operation.First by with RSA Algorithm, with the private key of oneself, ciphertext keyword and search password are decrypted, then, carry out following matching operation:

$\begin{array}{c}e(W^{\′},{\mathrm{tok}}_1)E_{\mathrm{root}}={e(g^{{\mathrm{cr}}_1},\left(g^a{g}^{{\mathrm{bH}}_2\left(w\right)}\right))}^s=\\ e{(g,g)}^{\mathrm{acs}(r_1+r_2)}e{(g,g)}^{{\mathrm{bcsH}}_2\left(w\right)r_1};\end{array}$

$\begin{array}{c}e(W,{\mathrm{tok}}_2)={e\left(g^{a(r_1+r_2)}{g}^{{\mathrm{bH}}_2\left(w_1\right)r_1},g^{\mathrm{cs}})\right)}^s=\\ e{(g,g)}^{\mathrm{acs}(r_1+r_2)}e{(g,g)}^{{\mathrm{bcsH}}_2\left(w_1\right)r_1}.\end{array}$

If w and w ₁same keyword, e (W', tok so ₁) E _rootand e (W, tok ₂) be exactly what equate, illustrate and search for successfully;

Step 2, proving correctness:

When data user receive the Search Results that Cloud Server returns W, F, A, B, during C}, first will verify the correctness of keyword, finds f in F ₁, f ₂, do to calculate as follows:

$W/f_1=g^{a(r_1+r_2)}{g}^{b{H}_2\left(w\right)r_1}/g^{a(r_1+r_2)}=g^{{\mathrm{bH}}_2\left(w\right)r_1}$

The cryptographic Hash H of the keyword that user searches for oneself ₂(w ₁) be calculated as follows:

$f_2^{H_2\left(w_1\right)}=g^{{\mathrm{bH}}_2\left(w_1\right)r_1}$

If w and w ₁while being same keyword, W/f ₁with equate, illustrate, Search Results is correct, after this, carrys out correctness and the integrality of verification msg file address by signature.