CN105069358A

CN105069358A - Keyword searchable encryption method based on Bloom filter with storage structure

Info

Publication number: CN105069358A
Application number: CN201510408233.XA
Authority: CN
Inventors: 王尚平; 龙庚; 刘丽华
Original assignee: Xian University of Technology
Current assignee: Hangzhou shared foreign exchange information technology Co., Ltd.
Priority date: 2015-07-13
Filing date: 2015-07-13
Publication date: 2015-11-18
Anticipated expiration: 2035-07-13
Also published as: CN105069358B

Abstract

The present invention discloses a keyword searchable encryption method based on a Bloom filter with a storage structure, which the following steps: step 1, system parameter initialization; step 2, user secret key generation; step 3, retrieval index generation; and step 4, search token generation; step5,cloud storage server search on cryptograph key word. The present invention allows users to use trap door search linking with a key word to encrypt a document, allows data users to encrypt their data and store the data in the cloud storage server, when needed, the needed cryptograph data can be searched by a key word search token, and then is loaded and decoded. The present invention solves the problem of low retrieval efficiency of a conventional encryption method in the prior art.

Description

Keyword based on the Bloom filtrator with storage organization can search for encryption method

Technical field

The invention belongs to field of information security technology, be specifically related to a kind of keyword based on the Bloom filtrator with storage organization and can search for encryption method.

Background technology

Cloud computing, as a kind of new computation model, can provide the calculation services of lower, the extendible various advanced person of cost, and in order to save the cost of storage and management data, data can be outsourced to cloud storage server by enterprises and individuals.The data that cloud stores service provides have the advantage such as availability and reliability, but it also has a shortcoming clearly, namely data are not under the management of user and controlling, and so how the confidentiality and integrity of service data just becomes the problem that user urgently pays close attention to.

Although the reliability, availability, fault-tolerance etc. of cloud storage service provider (CloudStorageServiceProvider, CSSP) are believed by enterprise, the data of trustship are not used for other objects by the people CSSP that is uncertain about; Same for personal user, they wish that the data of oneself can only be accessed by oneself or the people specified and can not be accessed by CSSP.This will cause the problem of two aspects: on the one hand, from the angle of user, and they cannot find and allow they complete believable CSSP carry out their data of store and management; On the other hand from the angle of CSSP, a large amount of clients will be lost when not solving the problem.Therefore, the popularization that cloud will be hindered to store of the confidentiality of data and integrality and use.

In view of above practical problems, during cloud stores, data before being transferred to CSSP, must being encrypted by user oneself, and also can only be decrypted by user oneself, will alleviate the danger that user data leaks like this.Do their data of wanting of the acquisition that so user can be very fast also ensure the confidentiality of data to CSSP but this is by problem new for introducing one, as user needs the document comprising certain key word?

Summary of the invention

The object of this invention is to provide a kind of keyword based on the Bloom filtrator with storage organization and can search for encryption method, solve the problem that the existing encryption method searching ciphertext efficiency that exists in prior art is not high.

The technical solution adopted in the present invention is, the keyword based on the Bloom filtrator with storage organization can search for encryption method, specifically implements according to following steps:

Step 1, systematic parameter initialization;

Step 2, user key generate;

Step 3, search index generate;

Step 4, search token generate;

Step 5, cloud storage server are about the search of ciphertext keyword.

Feature of the present invention is also,

Step 1 detailed process is:

Set up a Bloom filtrator with storage organization, Bloom filtrator is made up of two parts, and one is a size is the array M of n, its two be m codomain for [1 ..., n] independent random hash function h ₁..., h _m, m hash function is here all from { 0,1} ^*be mapped to [1 ..., n] in the function of arbitrary integer, express with mathematical function and be: h _i: { 0,1} ^*→ [1 ..., n] (i=1 ..., m), input security parameter λ by cloud storage server Serv, select G ₁, G _tfor the group that rank are Big prime p, wherein g is G ₁generator, select a hash function wherein be the integer from 1 to p-1, export common parameter ρ=<G ₁, G _t, g, H>.

Step 2 detailed process is:

Independently calculated by user side, receive the common parameter ρ that cloud storage server Serv exports, Stochastic choice will as the private key sk=<x> of oneself, maintain secrecy.

Step 3 is specifically implemented according to following steps:

Step (3.1), set user to select collection of document to be encrypted as D=(D ₁..., D _n), user selects the crucial phrase W={w of document D to be encrypted ₁..., w _l, 1≤i≤n, receives the key sk of common parameter ρ and previous step generation, for crucial phrase W={w ₁..., w _lin each keyword w _i(i ∈ [1 ..., l]), Stochastic choice on element s _i, calculate

A_{i} = g^{x H (w_{i}) + s_{i}},

B_{i} = g^{s_{i}};

Step (3.2), establish ciphertext bloom filtrator is utilized to generate crucial phrase W={w ₁..., w _lindex M and compressed index M ^*, index M and compressed index M ^*the array of to be all size be n, the element deposited in index M is the μ that following formula calculates _ij, compressed index M ^*what deposit is 0 or 1, and the number of hash function is m, calculates:

μ_{i j} = h_{i} (w_{j}) (\begin{matrix} i &Element; [1, ..., m], \\ j &Element; [1, ..., l] \end{matrix}),

And by μ _ijcorresponding ciphertext be inserted into M [μ _ij] in;

Step (3.3), generate the compressed index M of its correspondence according to array M ^*if, namely M i-th (i=1 ..., n) not empty in individual component, then corresponding to M ^*i-th component be labeled as 1, then according to uploading the sequencing of document, M is inserted in the concordance list of database, by M ^*add in the compressed index table of database.

Step 4 is specifically implemented according to following steps:

Step (4.1), user to be searched input crucial phrase to be searched at user side with key sk, wherein l ₁≤ l, generates the search token t that connects crucial phrase, and all keywords in search token t are w _i, wherein, i ∈ [1 ..., l ₁], l ₁≤ l generates token for all crucial phrases to be retrieved, selects on a random element r, calculate:

S = e (g^{r Σ_{i = 1}^{l_{1}} H (w_{i})}, g^{x}), T = g^{r};

Step (4.2), a newly-generated compressed index its size is n, namely be a size be the array of n, and initialization each element be 0, calculate each keyword w _jμ _ij=h _i(w _j), wherein, i ∈ [1 ..., m], j ∈ [1 ..., l ₁], and will be labeled as 1, export search token to Serv.

Step 5 is specifically implemented according to following steps:

Step (5.1), cloud storage server Serv receive search token to be matched server retrieves index corresponding to all storage documents and compressed index from database, and the index retrieved if current is M and compressed index is M ^*;

Step (5.2), to judge:

A () judges compressed index whether be included in M ^*in, namely here i ₂={ i|M ^*(i)=1}, if namely be included in M ^*in, then carry out next step operation;

B () is according to compressed index add up the repeat element deposited in all M [i], wherein i meets find all repetition numbers to equal the element of m, and it can be used as ciphertext collection owing to there is the situation of Hash collision, therefore obtained ciphertext concentrates ciphertext number can there is the situation of the number being greater than keyword to be retrieved, at this moment, needs ciphertext collection carry out being combined to form a series of new ciphertext collection, and ensure that the number of ciphertext collection is identical with the number of keyword to be retrieved, then next step operation is carried out to new ciphertext collection;

C () is to all newly-generated ciphertext collection make the following judgment, for judge whether following formula is set up:

\frac{e (Π_{j = 1}^{l_{1}} A_{i j}, T)}{S \cdot e (Π_{j = 1}^{l_{1}} B_{i j}, T)} = 1,

If above formula is set up, then the match is successful, exports 1 to user, otherwise export 0.

The invention has the beneficial effects as follows, keyword based on the Bloom filtrator with storage organization can search for encryption method, data user can by after the data encryption of oneself, be stored in cloud storage server, when needing, can by keyword retrieval Token Retrieval to the encrypt data needed, then download decryption, simultaneously, cloud storage server does not also know the keyword of user search, guarantee the data message privacy of user, at calculation cost, namely the overall efficiency of Serv to the speed aspect of document searching is improved, simultaneously, the keyword quantity that each document comprises does not retrain, the affiliated territory of keyword is also in abandoned situation, still ensure that the file retrieval efficiency of Serv.

Embodiment

Below in conjunction with embodiment, the present invention is described in detail.

The keyword that the present invention is based on the Bloom filtrator of storage organization can search for encryption method, specifically implements according to following steps:

Step 1, systematic parameter initialization:

Detailed process is:

Set up a Bloom filtrator with storage organization, Bloom filtrator is made up of two parts, and one is a size is the array M of n, its two be m codomain for [1 ..., n] independent random hash function h ₁..., h _m, m hash function is here all from { 0,1} ^*be mapped to [1 ..., n] in the function of arbitrary integer, express with mathematical function and be: h _i: { 0,1} ^*→ [1 ..., n] (i=1 ..., m), input security parameter λ by cloud storage server Serv, select G ₁, G _tfor the group that rank are Big prime p, wherein g is G ₁generator, select a hash function wherein from the integer of 1 to p-1, export common parameter ρ=<G ₁, G _t, g, H>;

Step 2, user key generate:

Detailed process is:

Independently calculated by user side, receive the common parameter ρ that cloud storage server Serv exports, Stochastic choice will as the private key sk=<x> of oneself, maintain secrecy;

Step 3, search index generate:

Specifically implement according to following steps:

A_{i} = g^{x H (w_{i}) + s_{i}},

B_{i} = g^{s_{i}};

Step (3.2), establish ciphertext bloom filtrator is utilized to generate crucial phrase W={w ₁..., w _lindex M and compressed index M ^*, index M and compressed index M ^*size be all n, the number of hash function is m, calculate:

μ_{i j} = h_{i} (w_{j}) (\begin{matrix} i &Element; [1, ..., m], \\ j &Element; [1, ..., l] \end{matrix}),

And by μ _ijcorresponding ciphertext be inserted into M [μ _ij] in;

Step (3.3), generate the compressed index M of its correspondence according to array M ^*if, namely M i-th (i=1 ..., n) not empty in individual component, then corresponding to M ^*i-th component be labeled as 1, then according to uploading the sequencing of document, M is inserted in the concordance list of database, by M ^*add in the compressed index table of database;

Step 4, search token generate:

Specifically implement according to following steps:

Step (4.1), user to be searched input crucial phrase to be searched at user side with key sk, wherein l ₁≤ l, generate the search token t that connects crucial phrase, all keywords in rope token t are w _i, wherein i ∈ [1 ..., l ₁], l ₁≤ l, generates token for all crucial phrases to be retrieved, selects on a random element r, calculate:

S = e (g^{r Σ_{i = 1}^{l_{1}} H (w_{i})}, g^{x}), T = g^{r};

Step (4.2), a newly-generated compressed index its size is n, namely be a size be the array of n, and initialization each element be 0, calculate each keyword w _jμ _ij=h _i(w _j), wherein, i ∈ [1 ..., m], j ∈ [1 ..., l ₁], and will be labeled as 1, export search token to Serv;

Step 5, cloud storage server are about the search of ciphertext keyword:

Specifically implement according to following steps:

Step (5.2), to judge:

A () judges compressed index whether be included in M ^*in, namely here i ₂={ i|M ^*(i)=1}, if namely be included in M ^*in, then enter next step operation of *;

\frac{e (Π_{j = 1}^{l_{1}} A_{i j}, T)}{S \cdot e (Π_{j = 1}^{l_{1}} B_{i j}, T)} = 1,

The correctness of encryption method can be searched for the keyword of the Bloom filtrator of storage organization and security is analyzed below to the present invention is based on:

(1) Correctness Analysis:

Prove: if all data all describe generation according to the present invention, and have when the match is successful

\begin{matrix} \frac{e (Π_{j = 1}^{l_{1}} A_{i j}, T)}{S \cdot e (Π_{j = 1}^{l_{1}} B_{i j}, T)} \\ = \frac{e (g^{Σ_{j = 1}^{l_{1}} s_{i j}} g^{Σ_{j = 1}^{l_{1}} x H (w_{i j})} g^{r})}{e (g^{r Σ_{j = 1}^{l_{1}} H (w_{i j})} g^{x}) e (g^{Σ_{j = 1}^{l_{1}} s_{i j}} g^{r})} \\ = \frac{e {(g, g)}^{x r Σ_{j = 1}^{l_{1}} x H (w_{i j})} e {(g, g)}^{r Σ_{j = 1}^{l_{1}} s_{i j}}}{e {(g, g)}^{x r Σ_{j = 1}^{l_{1}} H (w_{i j})} e {(g, g)}^{r Σ_{j = 1}^{l_{1}} s_{i j}}} \\ = 1 \end{matrix}

If when mating unsuccessful, the cryptographic hash of keyword is exactly on random element.

(2) safety analysis:

Our whole invention has Semantic Security under undistinguishable Sexual behavior mode keyword (IND-CKA) is attacked.In order to prove this security, need by following safety game.

Suppose opponent and challenger between play, if opponent win game, then he will break through our whole encipherment scheme.

IND-CPA-SEARCH game process:

(1) 1 is inquired: opponent to challenger carry out following inquiry:

● inquiry p different keyword w _i(i ∈ [1 ..., p]) ciphertext;

● inquiry q crucial phrase

W_{j} = {w_{j_{1}}, ..., w_{j_{n_{j}}}}, (j = [1, ..., q], 1 \leq n_{j} \leq n) |

Search token;

(2) challenge: opponent export two different keywords with as keyword to be challenged;

Restriction 1: opponent the ciphertext waiting to challenge keyword can not be inquired

&ForAll; i w_{i} &NotEqual; w_{0}^{*} {Λw}_{i} &NotEqual; w_{1}^{*}

Restriction 2: opponent can not inquire that any comprising waits to challenge the search token of keyword.That is:

Challenger { 0,1} exports keyword to random throwing coin b ∈ ciphertext

(3) 2 are inquired: opponent continue ciphertext and q the search token of inquiry p keyword, restriction is with the same above

(4) guess: opponent export the conjecture b of a b ^*if, b=b ^*then guess successfully

We define opponent advantage is in gaming

If opponent advantage and when 1/poly (λ) is a negligible functions about security parameter λ, we claim scheme safety under above-mentioned game.

Prove: construct a challenger according to the inquiry stage in game IND-CPA-SEARCH and give challenger about G ₁some examples g of DDH problem, g on group ^a, g ^b, g ^c∈ G ₁.

Inquiry 1: preserve a list L=<w _i, α _i, l _i>, wherein α _ibe and keyword w _ivalue of money l is thrown with non-homogeneous _irelevant on random value.Be empty when list is initial, when inquiring a random oracle keyword w, query List L returns one of them value.

(1) if l _i=0, then reply

(2) if l _i=1, then reply g ^a

(3) if keyword w does not exist in list L, then the non-homogeneous coin l ∈ of random throwing one piece 0,1}, and have Pr [coin=0]=δ (value of δ calculates later).

If (a) l=0, stochastic choice one and <w, α, 0> are added in list L

If (b) l=1, <w, ⊥, 1> are added in list L

(c) inquiry is replied according to situation above

Here h is one and is subject to the random oracle controlled.

If opponent need the ciphertext of a keyword w, so challenger to the ciphertext of random oracle inquiry keyword w, namely in list L, search <w by w, α, l>.If throw value of money l=1. terminating operation.Therefore we know the l=0 when the ciphertext inquiry stage does not stop, so g ^{h (w)}=g ^α. select a random value calculate

A＝g ^xH(w)+s＝g ^s(g ^b) ^α、B＝g ^s

If opponent inquire crucial phrase W={w ₁..., w _ntrapdoor, then each keyword w is inquired to random oracle _ithe ciphertext of (1≤i≤n), namely passes through w in list L _isearch <w _i, α _i, l _i>.If throw value of money l=1, terminating operation.Therefore we know the l when the trapdoor inquiry stage does not stop _i=0, so all H (w _i)=α _i. select a random value and calculate

\begin{matrix} S = e (g^{r Σ_{i = 1}^{l_{1}} H (w_{i})}, g^{x}) \\ = e ({(g^{b})}^{r Σ_{i = 1}^{l_{1}} α_{i}}, g) \end{matrix}

T＝g ^r

Challenge: opponent export two different keywords with { 0,1}, to random oracle inquiry keyword w for random throwing one piece of coin b ∈ _b, and <w is inquired about in list L _b, α, l>.If throw value of money l=0, terminating operation.If therefore we know and not to stop in the challenge stage, then l=1, namely calculate

A＝g ^xH(w)+s＝g ^sg ^c、B＝g ^s

Inquiry 2: challenger the same as inquiry 1 answer opponent inquiry

Conjecture: opponent export his conjecture value b ^*if, b ^*=b, then export g ^c=g ^ab.Otherwise g ^cfor G ₁on random element.

If challenger not terminating operation and the example of problem is a DDH tlv triple, so for opponent in whole game process he is the same with the information observed when true attack in whole simulation process.And also the same with the situation under true attack to the inquiry of hash function H, because at G ₁elements all on group is all independent and uniform distribution.If the example of problem is not DDH tlv triple, the ciphertext so challenged will be equally distributed, and not comprise the information of any keyword.According to this rule, the plaintext of all inquiries and the plaintext of challenge are not identical, and the search token of inquiry also cannot distinguish challenge ciphertext.

If g ^c=g ^ab, so opponent just have break through game IND-CPA-SEARCH, so challenger when not stopping, the probability solving DDH problem is

The probability that lower surface analysis does not stop.

Suppose opponent the inquiry of p ciphertext inquiry q search token has all been carried out in each inquiry process.So challenger the probability do not stopped in inquiry 1 and 2 is δ ^{2 (p+nq)}, the probability do not stopped in the challenge stage is 1-δ, and the probability therefore do not stopped at whole game process is δ ^{2 (p+nq)}(1-δ), when derived function goes out maximum probability maximum probability is here e is natural constant.Therefore opponent is worked as just have when breaking through game IND-CPA-SEARCH, challenger have at least solve DDH problem.

The present invention is summarized:

The keyword that the present invention is based on the Bloom filtrator of storage organization can search for encryption method, can in the enterprising line search inquiry of the data acquisition of encryption, concrete grammar is, it is first the set of file set generating indexes, re-using can search for encrypt is encrypted with hiding index content to these indexes, and encryption will meet following character: a 1) token of given multiple key word (i.e. index), can obtain the pointer of the All Files comprising these key words; 2) do not have token, the content of index is hiding; 3) user only with association key could generate token; 4) retrieving is except exposing certain key word of which file-sharing, can not expose the specifying information of any relevant document and key word.The central role can searching for encryption is for cloud stores service provides: one is that user oneself controls its data; Two is that the security property of data can be verified by Cryptography Principles, instead of determines security by law, physical equipment.

Embodiment:

Suppose that user will by a document D, comprise 4 keywords: Xi'an, Hangzhou, Beijing, Shanghai, deposit in a database, after this retrieval is comprised 2 keywords again by this user: the document in Xi'an, Hangzhou, if the size of array M is n=12 in Bloom filtrator, the number of hash function is m=3

First generated by the initialization of step 1 systematic parameter and step 2 user key,

(1) user uploads the document stage:

3 different hash functions are utilized to calculate the cryptographic hash of crucial phrase { Beijing, Shanghai, Hangzhou, Xi'an } respectively as following table:

Table 1 keyword Hash table

Then by ciphertext C corresponding for this 4 keywords ₁, C ₂, C ₃, C ₄add in index M

According to index M, (size is compressed index M n) generating its correspondence ^*(size is n) be 111110101001,

Then the index M of document D is stored in the concordance list of database, compressed index M ^*leave in compressed index table.

(2) the user search document stage

3 cryptographic hash in calculating Xi'an, Hangzhou are as shown in table 1, generate search token wherein compressed index be 111110000000, t uploaded onto the server and carries out matching operation.

When server mates the carrying out of document D, have belong to M, carry out second step coupling, statistics M it is as shown in the table that 1,2,3,4,5} locates position the number of times that each ciphertext occurs altogether:

Table 2 ciphertext frequency table

Occurrence number is equaled the ciphertext C of 3 ₁, C ₂, C ₃be set to ciphertext collection, again because ciphertext concentrates the number of element to be 3 numbers 2 being greater than keyword to be retrieved, therefore ciphertext collection combined, form new ciphertext collection { C ₁, C ₂, { C ₁, C ₃, { C ₂, C ₃, finally the 3rd step coupling is carried out, when ciphertext collection is { C to new 3 the ciphertext collection formed ₁, C ₂time, equation is set up, therefore document matches success, then output document D is the document needing to look for.

Claims

1. the keyword based on the Bloom filtrator with storage organization can search for encryption method, it is characterized in that, specifically implements according to following steps:

Step 1, systematic parameter initialization;

Step 2, user key generate;

Step 3, search index generate;

Step 4, search token generate;

Step 5, cloud storage server are about the search of ciphertext keyword.

2. the keyword based on the Bloom filtrator with storage organization according to claim 1 can search for encryption method, it is characterized in that, described step 1 detailed process is:

Set up a Bloom filtrator with storage organization, Bloom filtrator is made up of two parts, and one is a size is the array M of n, its two be m codomain for [1 ..., n] independent random hash function h ₁..., h _m, m hash function is here all from { 0,1} ^*be mapped to [1 ..., n] in the function of arbitrary integer, express with mathematical function and be: h _i: { 0,1} ^*→ [1 ..., n], wherein, i=1 ..., m, inputs security parameter λ by cloud storage server Serv, selects G ₁, G _tfor the group that rank are Big prime p, wherein g is G ₁generator, select a hash function wherein from the integer of 1 to p-1, export common parameter ρ=<G ₁, G _t, g, H>.

3. the keyword based on the Bloom filtrator with storage organization according to claim 1 can search for encryption method, it is characterized in that, described step 2 detailed process is:

4. the keyword based on the Bloom filtrator with storage organization according to claim 1 can search for encryption method, and it is characterized in that, described step 3 is specifically implemented according to following steps:

A_{i} = g^{x H (w_{i}) + s_{i}},

B_{i} = g^{s_{i}};

Step (3.2), establish ciphertext bloom filtrator is utilized to generate crucial phrase W=[w ₁..., w _lindex M and compressed index M ^*, index M and compressed index M ^*size be all n, the number of hash function is m, calculate:

μ_{i j} = h_{i} (w_{j}) (\begin{matrix} i &Element; [1, ..., m], \\ j &Element; [1, ..., l] \end{matrix}),

And by μ _ijcorresponding ciphertext be inserted into M [μ _ij] in;

5. the keyword based on the Bloom filtrator with storage organization according to claim 1 can search for encryption method, and it is characterized in that, described step 4 is specifically implemented according to following steps:

Step (4.1), user to be searched input crucial phrase to be searched at user side with key sk, wherein l ₁≤ l, generate the search token t that connects crucial phrase, all keywords in rope token t are w _i, wherein, i ∈ [1 ..., l ₁], l ₁≤ l, generates token for all crucial phrases to be retrieved, selects on a random element r, calculate:

S = e (g^{{rΣ}_{i = 1}^{l_{1}} H (w_{i})}, g^{x}), T = g^{r};

6. the keyword based on the Bloom filtrator with storage organization according to claim 1 can search for encryption method, and it is characterized in that, described step 5 is specifically implemented according to following steps:

Step (5.2), to judge:

\frac{e (Π_{j = 1}^{l_{1}} A_{i j}, T)}{S \cdot e (Π_{j = 1}^{l_{1}} B_{i j}, T)} = 1,