CN105100083A

CN105100083A - Attribute-based encryption method and attribute-based encryption system capable of protecting privacy and supporting user Undo

Info

Publication number: CN105100083A
Application number: CN201510392617.7A
Authority: CN
Inventors: 李继国; 石岳蓉; 陆阳; 张亦辰
Original assignee: Hohai University HHU
Current assignee: Hohai University HHU
Priority date: 2015-07-06
Filing date: 2015-07-06
Publication date: 2015-11-25
Anticipated expiration: 2035-07-06
Also published as: CN105100083B

Abstract

The invention discloses an attribute-based encryption method and system that protects privacy and supports user revocation. The invention includes eight modules: a system parameter setting module (Setup), a key generation module (KeyGen), an encryption module (Encrypt), and a decryption module (Decrypt), re-encryption module (ReKey), conversion key generation module (TKGen), conversion partial ciphertext module (TK-Encrypt), conversion decryption module (TK-DEcrypt). Moreover, the method provided by the invention can solve the problem of privacy protection in cloud computing, and supports user revocation and safe outsourcing operations on ciphertext. At the same time, it provides a verification function for the converted ciphertext, which ensures that the converted ciphertext is not illegally replaced to cause adverse consequences, and the system has high flexibility.

Description

A privacy-preserving attribute-based encryption method and system that supports user revocation

技术领域technical field

本发明属于信息安全领域，涉及一种基于属性的加密技术，具体地说是一种支持用户撤销的、保护用户隐私的、支持数据外包并支持验证转换密文的正确性的基于属性的加密方法。The invention belongs to the field of information security, and relates to an attribute-based encryption technology, in particular to an attribute-based encryption method that supports user revocation, protects user privacy, supports data outsourcing, and supports verification of the correctness of converted ciphertexts .

背景技术Background technique

今天，在计算机被广泛应用的信息时代，由于网络技术的蓬勃发展，加之云计算的概念相继被提出，大量信息以数字形式存储在公共云端及计算机系统中已成为一种趋势。信息的传输通过公共信道，而这些系统和公共信道在不设防备的情况下是很脆弱的，比较容易受到攻击和破坏，若信息的失窃不容易被发现，后果相当严重。在云计算技术的发展的今天，人们对云计算数据存储安全性的担忧和安全措施的需求会愈加强烈，所以将数据以加密的形式存储到公共云端是一种必然，没有解密权限的游客只能从公共云端截取密文，而不能得到对应的明文。怎么样保证只有合理权限的用户能够解密密文而不是给出数据拥有者自己的私钥或者数据拥有者一一共享数据给那些拥有权限的解密者呢？Today, in the information age where computers are widely used, due to the vigorous development of network technology and the concept of cloud computing, it has become a trend to store a large amount of information in digital form in public clouds and computer systems. Information is transmitted through public channels, and these systems and public channels are vulnerable to attacks and damage if they are not protected. If the theft of information is not easy to be found, the consequences will be quite serious. With the development of cloud computing technology today, people's concerns about the security of cloud computing data storage and the demand for security measures will become more and more intense. Therefore, it is inevitable to store data in the public cloud in an encrypted form. Tourists without decryption permission only The ciphertext can be intercepted from the public cloud, but the corresponding plaintext cannot be obtained. How to ensure that only users with reasonable permissions can decrypt the ciphertext instead of giving the data owner's own private key or sharing the data with those decryptors who have permission?

2005年基于属性加密的概念被引入，因其特殊的应用意义以及使用场景的广泛性正在受到各界越来越多的瞩目，该加密系统利用访问控制结构来控制系统中用户的解密能力，并成为了最有效的途径之一。基于属性的加密体制(ABE)可以很好地解决上述大数据在云计算中的问题。在这种加密体制中加密者无须知道解密者的详细身份信息，而是掌握了解密者的一系列的描述属性，这种描述属性比详细身份信息与用户的联系更加紧密。在基于属性的密码体制中，在加密过程中是用属性定义访问规则，当用户的密钥与密文在这个访问规则下相“匹配”时解密用户就可以解密密文。为了更好的表示系统的灵活性，基于属性的加密被分为两类，即密钥策略的基于属性的加密(KP-ABE)和密文策略的基于属性的加密(CP-ABE)。在KP-ABE中，密文被一系列描述性属性集标记，而用户的密钥与授权中心指定的访问策略相关联。在CP-ABE中，用户的密钥被一系列描述性属性集标记，而密文与加密者指定的访问策略相关联。The concept of attribute-based encryption was introduced in 2005, and it is attracting more and more attention from all walks of life because of its special application significance and wide range of usage scenarios. The encryption system uses the access control structure to control the decryption ability of users in the system, and has become a one of the most effective ways. Attribute-based encryption (ABE) can well solve the above-mentioned problems of big data in cloud computing. In this encryption system, the encryptor does not need to know the detailed identity information of the decryptor, but has a series of descriptive attributes of the decryptor. This descriptive attribute is more closely related to the user than the detailed identity information. In the attribute-based cryptosystem, the access rules are defined by attributes in the encryption process. When the user's key and the ciphertext "match" under the access rules, the decryption user can decrypt the ciphertext. In order to better represent the flexibility of the system, attribute-based encryption is divided into two categories, namely key-policy attribute-based encryption (KP-ABE) and ciphertext-policy attribute-based encryption (CP-ABE). In KP-ABE, ciphertexts are marked with a set of descriptive attributes, while the user's key is associated with the access policy specified by the authority. In CP-ABE, a user's key is tagged with a set of descriptive attributes, while the ciphertext is associated with an access policy specified by the encryptor.

CP-ABE机制比较接近于现实中的应用场景。假设每个用户根据自身条件或者属性从授权中心处得到密钥，然后加密者制定对消息的访问控制，更适合访问控制类应用，如社交网站的访问、电子医疗系统等。基本的CP-ABE方案包括系统参数设置(Setup)、密钥生成(KeyGeneration)、加密(Encryption)和解密(Decryption)四个模块。The CP-ABE mechanism is relatively close to the actual application scenarios. Assume that each user obtains the key from the authorization center according to their own conditions or attributes, and then the encryptor formulates access control for messages, which is more suitable for access control applications, such as access to social networking sites, electronic medical systems, etc. The basic CP-ABE scheme includes four modules: system parameter setting (Setup), key generation (KeyGeneration), encryption (Encryption) and decryption (Decryption).

1.系统参数设置模块(Setup)1. System parameter setting module (Setup)

输入安全参数σ，返回系统公开参数params和主私钥MK。Input security parameter σ, return system public parameter params and master private key MK.

2.密钥生成模块(KeyGen)2. Key generation module (KeyGen)

授权中心运行密钥生成算法为系统内用户生成私钥。授权中心输入主私钥MK，用户的描述性属性集，计算出用户属性集合相关的私钥SK_L。这里L表示与用户相对应的属性集。The authorization center runs the key generation algorithm to generate private keys for users in the system. The authorization center inputs the master private key MK and the user's descriptive attribute set, and calculates the private key SK _L related to the user attribute set. Here L represents the attribute set corresponding to the user.

3.加密模块(Encryption)3. Encryption module (Encryption)

输入系统公开参数params，消息M，以及访问策略W，加密者加密得到一个密文CT。只有当与私钥相关联的用户属性集L满足访问策略W的时候，用户才能解密密文CT。Input system public parameters params, message M, and access policy W, and the encryptor encrypts to obtain a ciphertext CT. Only when the user attribute set L associated with the private key satisfies the access policy W, the user can decrypt the ciphertext CT.

4.解密模块(Decryption)4. Decryption module (Decryption)

接收者输入他的解密密钥SK_L以及密文CT，解密得到消息M。只有当与私钥相关联的用户属性集L满足访问策略W的时候，用户才能解密密文CT。The receiver inputs his decryption key SK _L and ciphertext CT, and decrypts to get the message M. Only when the user attribute set L associated with the private key satisfies the access policy W, the user can decrypt the ciphertext CT.

从上述流程可以看出，虽然密文策略的基于属性的加密体制可以在云端提供安全的访问控制，但是访问策略是和密文一起发送给接收者的，接收者无论能不能解密都将从访问策略中获得相关有效信息，任意中间用户都能通过访问策略得到潜在接收者的列表的信息，从而泄露了用户的隐私，这对一些从事商业活动或者希望对访问策略进行保护的加密者不是件有利的事情。所以构造一个隐藏访问结构的基于属性的方案是更具现实意义的。From the above process, it can be seen that although the attribute-based encryption system of the ciphertext policy can provide secure access control in the cloud, the access policy is sent to the recipient together with the ciphertext, and the recipient will access the To obtain relevant and effective information in the policy, any intermediate user can obtain the information of the list of potential recipients through the access policy, thereby leaking the privacy of the user, which is not beneficial to some encryption operators who are engaged in commercial activities or want to protect the access policy things. So it is more practical to construct an attribute-based scheme that hides the access structure.

从上述的CP-ABE方案的流程还可以看出，授权中心负责分发私钥和管理属性。在现实生活中，尤其在现在的大数据时代中，常会存在系统中新老用户的经常性变更，这就要求系统能灵活的变更授予用户的权限来保证系统的安全性和灵活性。所以构造一个支持用户撤销的CP-ABE方案可以大大提高系统的灵活性。It can also be seen from the flow of the above CP-ABE scheme that the authorization center is responsible for distributing private keys and managing attributes. In real life, especially in the current era of big data, there are often frequent changes of new and old users in the system, which requires the system to flexibly change the permissions granted to users to ensure the security and flexibility of the system. So constructing a CP-ABE scheme that supports user revocation can greatly improve the flexibility of the system.

在当今时代，云端的数据越来越多地被资源受限的无线端用户访问，对于无线用户来言，计算代价和通信代价是首先需要考虑的因素，而传统的基于属性加密方案在解密操作中的大量的双线性对运算带来的电池的耗费和通信的代价是不经济的，所以将部分计算外包给云存储提供方进行操作有很大的经济性、很好的系统可扩展性和访问性。现实生活中可能存在云端的不端行为或对云端恶意攻击，转换密文的正确性无法验证，存在密文被非法替换从而造成不良后果。In today's era, data in the cloud is increasingly accessed by resource-constrained wireless end users. For wireless users, computing costs and communication costs are the first factors to be considered. The cost of battery consumption and communication caused by a large number of bilinear pairing operations is uneconomical, so outsourcing part of the calculation to the cloud storage provider for operation has great economics and good system scalability and accessibility. In real life, there may be misconduct in the cloud or malicious attacks on the cloud. The correctness of the converted ciphertext cannot be verified, and the ciphertext is illegally replaced, resulting in adverse consequences.

基于以上的分析，本发明人对现有的基于属性的加密方案进行研究改进，从而提高系统的灵活性，并保证了用户的隐私，更具有现实意义。Based on the above analysis, the inventors research and improve the existing attribute-based encryption scheme, so as to improve the flexibility of the system and ensure the privacy of users, which is more practical.

发明内容Contents of the invention

发明目的：针对上述基于属性加密的缺陷，提供一种完全隐藏访问结构、支持用户撤销、支持数据外包并支持验证转换密文的正确性的基于属性的加密方法，提高系统的灵活性，保证用户的隐私，降低无线端的用户的总通信成本，保证了转换后密文未被非法替换且避免造成不良后果。Purpose of the invention: To address the above-mentioned defects of attribute-based encryption, provide an attribute-based encryption method that completely hides the access structure, supports user revocation, supports data outsourcing, and supports verification of the correctness of converted ciphertexts, so as to improve the flexibility of the system and ensure that users privacy, reduce the total communication cost of wireless end users, and ensure that the converted ciphertext is not illegally replaced and avoid adverse consequences.

技术方案：一种隐私保护且支持用户撤销的基于属性加密方法和系统，该加密系统包括八个模块，具体为：Technical solution: An attribute-based encryption method and system that protects privacy and supports user revocation. The encryption system includes eight modules, specifically:

系统参数设置模块：生成系统公开参数，并发送给其他模块；密钥生成模块：根据用户的属性集合生成用户的用于解密消息的私钥；加密模块：用于加密消息；解密模块：用于解密消息；重加密模块：生成重加密密钥，并更新密文和用户的私钥；转换密钥生成模块：生成转换密钥和恢复私钥；转换部分密文模块：在原来密文基础上生成转换后的部分密文；转换解密模块：用于解密转换后的密文；System parameter setting module: generate system public parameters and send them to other modules; key generation module: generate the user’s private key for decrypting messages according to the user’s attribute set; encryption module: for encrypting messages; decryption module: for Decrypt message; re-encryption module: generate re-encryption key, and update ciphertext and user's private key; conversion key generation module: generate conversion key and restore private key; conversion part of ciphertext module: based on the original ciphertext Generate converted partial ciphertext; conversion and decryption module: used to decrypt the converted ciphertext;

该加密方法具体步骤如下：The specific steps of the encryption method are as follows:

步骤1，设定系统公开参数params和主密钥MK；Step 1, set system public parameters params and master key MK;

步骤2，根据所述系统公开参数params，生成用户的私钥SK_L；Step 2, generate the user's private key SK _L according to the system public parameters params;

步骤3，根据所述系统公开参数params和选定的访问策略对消息M进行加密得到密文CT；Step 3, encrypt the message M according to the system public parameters params and the selected access strategy to obtain the ciphertext CT;

步骤4，根据所述系统公开参数params和用户的私钥SK_L对密文CT进行解密得到消息M；Step 4, decrypt the ciphertext CT according to the system public parameters params and the user's private key SK _L to obtain the message M;

步骤5，根据所述系统公开参数params和组私钥u_x生成重加密密钥ck_vn，得到重加密后的密文CT_vn，并更新授权用户的部分私钥D_2,vn；Step 5, generate a re-encryption key ck _vn according to the system public parameters params and the group private key u _x , obtain the re-encrypted ciphertext CT _vn , and update the partial private key D _2,vn of the authorized user;

步骤6，根据所述系统公开参数params和用户的私钥SK_L，生成转换密钥TK_L和恢复私钥HK_L；Step 6, according to the system public parameters params and the user's private key SK _L , generate a conversion key TK _L and a recovery private key HK _L ;

步骤7，根据所述系统公开参数params、原始密文CT以及转换密钥TK_L，生成转换后的密文CT′；Step 7: Generate converted ciphertext CT′ according to the system public parameters params, original ciphertext CT and conversion key TK _L ;

步骤8，根据所述系统公开参数params、原始密文CT、转换后的密文CT′及恢复私钥HK_L，对密文解密得到消息M。Step 8: Decrypt the ciphertext to obtain the message M according to the system public parameters params, the original ciphertext CT, the converted ciphertext CT′ and the restored private key HK _L .

进一步地，所述步骤1还包括：Further, said step 1 also includes:

步骤1-1，选取大素数p，p阶乘法循环群G和G_T，双线性映射e:G×G→G_T；从G中选择生成元g,u,v,d；Step 1-1, select a large prime number p, p factorial method cyclic group G and G _T , bilinear mapping e:G×G→G _T ; select generators g,u,v,d from G;

步骤1-2，授权中心随机选择t_i,j∈Z_p(i∈[1,n],j∈[1,n_i])，把Step 1-2, the authorization center randomly selects t _i,j ∈ Z _p (i∈[1,n],j∈[1,n _i ]), put

{α,g^α,δ}，作为其私钥；计算Y＝e(g,g)^α，定义一个哈希函数H:这里表示集合{1,2,…,p-2,p-1}；{α,g ^α ,δ}, as its private key; calculate Y=e(g,g) ^α , Define a hash function H: here Represents the set {1,2,...,p-2,p-1};

步骤1-3，数据拥有者选择随机值作为数据拥有者的私钥SK_DO，并计算其公钥发送到公共区域，SK_DO作为数据拥有者的私钥不泄露；这里表示集合{1,2,…,p-2,p-1}；Steps 1-3, the data owner chooses a random value As the private key SK _DO of the data owner, and calculate its public key Sent to the public area, SK _DO as the private key of the data owner will not be disclosed; here Represents the set {1,2,...,p-2,p-1};

步骤1-4，授权中心设置初始版本号vn＝0，并选择随机值作为组私钥GSK，并将其线下发送给注册的用户，计算作为组公钥发送到公共区域；Steps 1-4, the authorization center sets the initial version number vn=0, and selects a random value As the group private key GSK, and send it offline to registered users, calculate sent to the public domain as the group public key;

系统公开参数其中(i∈[1,n],j∈[1,n_i])，系统主密钥为MK＝{α,g^α,δ}，数据拥有者的私钥为SK_DO＝{β}；System public parameters Where (i∈[1,n],j∈[1,n _i ]), the system master key is MK＝{α,g ^α ,δ}, and the private key of the data owner is SK _DO ＝{β};

其中，步骤1-2中，对于两个不同的用户属性集L和L′，应满足 $Σ_{v_{i, j} &Element; L} t_{i, j} &NotEqual; Σ_{v_{i, j} &Element; L^{'}} t_{i, j} .$ Among them, in step 1-2, for two different user attribute sets L and L', should satisfy $Σ_{v_{i, j} &Element; L} t_{i, j} &NotEqual; Σ_{v_{i, j} &Element; L^{'}} t_{i, j} .$

进一步地，所述步骤2还包括：Further, said step 2 also includes:

步骤2-1，输入用户的属性集L；Step 2-1, input user's attribute set L;

步骤2-2，授权中心随机选取r, $λ_{i} &Element; Z_{p}^{*},$ 并计算作为用户的私钥，其中t_i,j∈L_i(i∈[1,n],j∈[1,n_i])；同时对授权的用户计算并设置版本号vn＝0；这里表示集合{1,2,…,p-2,p-1}；Step 2-2, the authorization center randomly selects r, $λ_{i} &Element; Z_{p}^{*},$ and calculate As the user's private key, where t _i,j ∈L _i (i∈[1,n],j∈[1,n _i ]); at the same time, the authorized user calculates And set the version number vn=0; here Represents the set {1,2,...,p-2,p-1};

授权中心颁发给用户的私钥为 ${SK}_{L} = (D_{0}, {D_{i, 1}, D_{i, 2}}_{i &Element; [1, n], j &Element; [1, n_{i}]}, D_{2}) .$ The private key issued by the authorization center to the user is ${SK}_{L} = ({D.}_{0}, {{D.}_{i, 1}, {D.}_{i, 2}}_{i &Element; [1, no], j &Element; [1, {no}_{i}]}, {D.}_{2}) .$

进一步地，所述步骤3还包括：Further, said step 3 also includes:

步骤3-1，加密者选择明文消息m∈G_T、一条随机消息m′∈G_T，访问结构W＝[W₁,W₂,...,W_n]，并计算这里H是G到的密码学哈希函数；Step 3-1, the encryptor selects a plaintext message m∈G _T , a random message m′∈G _T , accesses the structure W=[W ₁ ,W ₂ ,...,W _n ], and calculates Here H is G to cryptographic hash function;

步骤3-2，对于将要进行分享的消息m，加密者随机选取并计算 $C_{0} = m \cdot Y^{s} \cdot e {(g, g)}^{u_{0} s} = m \cdot e {(g, g)}^{α s + u_{0} s}, C_{1} = g^{β s}, C_{2} = g^{δ s};$ 加密者设置有关属性密文部分，设s为访问结构的根节点，设定所有的儿子节点为未标记，标记根节点为已标记，为每个未标记的非叶子节点递归地进行如下运算：非叶子节点为“与”门，且其儿子节点状态为未标记，选择随机值并设置最后一个儿子节点的值为并标记此节点为已标记；反之若为“或”门，标记该节点下的任意节点的值为s，并设置此节点为已标记；对于叶子节点，加密者进行如下计算：步骤3-3，对于将要随机消息m′，加密者随机选取并计算Step 3-2, for the message m to be shared, the encryptor randomly selects and calculate $C_{0} = m &Center Dot; Y^{the s} \cdot e {(g, g)}^{u_{0} the s} = m &Center Dot; e {(g, g)}^{α the s + u_{0} the s}, C_{1} = g^{β the s}, C_{2} = g^{δ the s};$ The encryptor sets the relevant attribute ciphertext part, sets s as the root node of the access structure, sets all child nodes as unmarked, marks the root node as marked, and performs the following operation recursively for each unmarked non-leaf node: The non-leaf node is an "AND" gate, and its child node status is unmarked, and a random value is selected And set the value of the last child node to And mark this node as marked; otherwise, if it is an "or" gate, mark the value of any node under this node as s, and set this node as marked; for leaf nodes, the encryptor performs the following calculation: Step 3-3, for the message m′ to be randomized, the encryptor randomly selects and calculate

$C_{3} = m^{'} \cdot Y^{s^{'}} \cdot e {(g, g)}^{u_{0} s^{'}} = m^{'} \cdot e {(g, g)}^{{αs}^{'} + u_{0} s^{'}},$ C₄＝g^βs′,C₅＝g^δs′；加密者设置有关属性密文部分，设s′为访问结构的根节点，设定所有的儿子节点为未标记，标记根节点为已标记，为每个未标记的非叶子节点递归地进行如下运算：非叶子节点为“与”门，且其儿子节点状态为未标记，选择随机值并设置最后一个儿子节点的值为并标记此节点为已标记；反之若为“或”门，标记该节点下的任意节点的值为s′，并设置此节点为已标记；对于叶子节点，加密者进行如下计算：这里表示集合{1,2,…,p-2,p-1}； $C_{3} = m^{'} &Center Dot; Y^{{the s}^{'}} &Center Dot; e {(g, g)}^{u_{0} {the s}^{'}} = m^{'} \cdot e {(g, g)}^{{αs}^{'} + u_{0} {the s}^{'}},$ C ₄ ＝g ^βs′ , C ₅ ＝g ^δs′ ; the encryptor sets the ciphertext part of the relevant attributes, sets s′ as the root node of the access structure, sets all the child nodes as unmarked, and marks the root node as marked, Recursively perform the following operations for each unmarked non-leaf node: the non-leaf node is an "AND" gate, and its child node status is unmarked, select a random value And set the value of the last child node to And mark this node as marked; otherwise, if it is an "or" gate, mark the value of any node under this node as s′, and set this node as marked; for leaf nodes, the encryptor performs the following calculation: here Represents the set {1,2,...,p-2,p-1};

步骤3-4，加密者设置版本号vn＝0；加密得到的密文为 $C T = {v n = 0, \hat{c}, {CT}_{o w n 1}, {CT}_{o w n 2}}, {CT}_{o w n 1} = {C_{0}, C_{1}, C_{2}, {C_{i, j, 1}, C_{i, j, 2}}_{i &Element; [1, n], j &Element; [1, n_{i}]}},$ ${CT}_{o w n 2} = {C_{3}, C_{4}, C_{5}, {{\overset{&OverBar;}{C}}_{i, j, 1}, {\overset{&OverBar;}{C}}_{i, j, 2}}_{i &Element; [1, n], j &Element; [1, n_{i}]}} .$ Step 3-4, the encryptor sets the version number vn=0; the encrypted ciphertext is $C T = {v no = 0, \hat{c}, {CT}_{o w no 1}, {CT}_{o w no 2}}, {CT}_{o w no 1} = {C_{0}, C_{1}, C_{2}, {C_{i, j, 1}, C_{i, j, 2}}_{i &Element; [1, no], j &Element; [1, {no}_{i}]}},$ ${CT}_{o w no 2} = {C_{3}, C_{4}, C_{5}, {{\overset{&OverBar;}{C}}_{i, j, 1}, {\overset{&OverBar;}{C}}_{i, j, 2}}_{i &Element; [1, no], j &Element; [1, {no}_{i}]}} .$

进一步地，所述步骤4还包括：Further, said step 4 also includes:

步骤5-1，解密者检查私钥SK_L与密文CT的版本号，如果不一致，向授权中心申请更新私钥，如果一致，则继续下面的步骤；Step 5-1, the decryptor checks the version numbers of the private key SK _L and the ciphertext CT, if they are not consistent, apply to the authorization center for updating the private key, if they are consistent, proceed to the following steps;

步骤5-2，解密者如果未拥有与访问策略下标匹配的属性，则解密失败，否则通过下面的步骤可恢复出明文；Step 5-2, if the decryptor does not have the attribute matching the subscript of the access policy, the decryption fails, otherwise the plaintext can be recovered through the following steps;

解密者计算 $F = Π_{i = 1}^{n} e (C_{i, j, 2}, D_{i, 2}), O = Π_{i = 1}^{n} e (C_{i, j, 1}, D_{i, 1}),$ S＝e(C₁,D₀)， $B = Π_{i = 1}^{n} e (C_{1}, D_{2}),$ 计算得到 $m = \frac{C_{0} \cdot F}{O \cdot S \cdot B};$ 同时计算 $F^{'} = Π_{i = 1}^{n} e ({\overset{&OverBar;}{C}}_{i, j, 2}, D_{i, 2}),$ $O^{'} = Π_{i = 1}^{n} e ({\overset{&OverBar;}{C}}_{i, j, 1}, D_{i, 1}),$ S′＝e(C₄,D₀)， $B^{'} = Π_{i = 1}^{n} e (C_{4}, D_{2}),$ 计算得到同时验证若是则输出消息m，否则输出⊥。decryptor calculation $f = Π_{i = 1}^{no} e (C_{i, j, 2}, {D.}_{i, 2}), o = Π_{i = 1}^{no} e (C_{i, j, 1}, {D.}_{i, 1}),$ S=e(C ₁ ,D ₀ ), $B = Π_{i = 1}^{no} e (C_{1}, {D.}_{2}),$ calculated $m = \frac{C_{0} &Center Dot; f}{o &Center Dot; S &Center Dot; B};$ Simultaneous computing $f^{'} = Π_{i = 1}^{no} e ({\overset{&OverBar;}{C}}_{i, j, 2}, {D.}_{i, 2}),$ $o^{'} = Π_{i = 1}^{no} e ({\overset{&OverBar;}{C}}_{i, j, 1}, {D.}_{i, 1}),$ S'=e(C ₄ ,D ₀ ), $B^{'} = Π_{i = 1}^{no} e (C_{4}, {D.}_{2}),$ calculated Simultaneous verification If so, output message m, otherwise output ⊥.

进一步地，所述步骤5还包括：Further, said step 5 also includes:

步骤5-1，授权中心收到用户撤销的信息，选择新的随机值作为新的组私钥GSK_x，其中x为此时版本号标识，当系统中的合法用户需要访问数据时通过安全的线下通道发送给他们；这里Z_p表示集合{1,2,…,p-1,p}；Step 5-1, the authorization center receives the user's revocation information and selects a new random value As a new group private key GSK _x , where x is the version number identification at this time, it is sent to legal users in the system through a secure offline channel when they need to access data; here Z _p represents the set {1,2,…, p-1,p};

步骤5-2，授权中心更新授权用户的私钥部分 Step 5-2, the authorization center updates the private key part of the authorized user

步骤5-3，授权中心计算重加密密钥为并发送给云存储提供方，云存储提供方计算版本号为vn＝x的新的密文CT_vn；Step 5-3, the authorization center calculates the re-encryption key as And send to the cloud storage provider, the cloud storage provider calculates a new ciphertext CT _vn whose version number is vn=x;

对于密文的第一部分CT_own1,vn而言，进行如下计算：For the first part of the ciphertext CT _own1,vn , the following calculations are performed:

${C C}_{00,, v v n no} = = {C C}_{00} \cdot &Center Dot; e e (({C C}_{22},, {ck ck}_{v v n no})) = = m m \cdot &Center Dot; e e {((g g,, g g))}^{α α s the s + + {u u}_{00} s the s} \cdot \cdot e e (({g g}^{δ δ s the s},, {g g}^{\frac{{u u}_{x x} - - {u u}_{00}}{δ δ}})) = = m m \cdot &Center Dot; e e {((g g,, g g))}^{α α s the s + + {u u}_{x x} s the s};;$

同样地，对于密文的第二部分CT_own2,vn而言，进行如下计算：Similarly, for the second part of the ciphertext CT _own2,vn , the following calculation is performed:

${C C}_{33,, v v n no} = = {C C}_{33} \cdot &Center Dot; e e (({C C}_{55},, {ck ck}_{v v n no})) = = {m m}^{' '} \cdot &Center Dot; e e {((g g,, g g))}^{{αs αs}^{' '} + + {u u}_{00} {s the s}^{' '}} \cdot &Center Dot; e e (({g g}^{{δs δs}^{' '}},, {g g}^{\frac{{u u}_{x x} - - {u u}_{00}}{δ δ}})) = = m m \cdot &Center Dot; e e {((g g,, g g))}^{{αs αs}^{' '} + + {u u}_{x x} {s the s}^{' '}};;$

更新后的密文CT_vn＝{CT_own1,vn,CT_own2,vn}如下：The updated ciphertext CT _vn ={CT _own1,vn ,CT _own2,vn } is as follows:

${CT CT}_{o o w w n no 11,, v v n no} = = {{v v n no = = x x,, \overset{^^}{c c},, {C C}_{00,, v v n no},, {C C}_{11},, {C C}_{22},, {{{C C}_{i i,, j j,, 11},, {C C}_{i i,, j j,, 22}}}_{i i &Element; &Element; [[11,, n no]],, j j &Element; &Element; [[11,, {n no}_{i i}]]}}}$

${CT CT}_{o o w w n no 22,, v v n no} = = {{v v n no = = x x,, \overset{^^}{c c},, {C C}_{33,, v v n no},, {C C}_{44},, {C C}_{55},, {{{\overset{&OverBar; &OverBar;}{C C}}_{i i,, j j,, 11},, {\overset{&OverBar; &OverBar;}{C C}}_{i i,, j j,, 22}}}_{i i &Element; &Element; [[11,, n no]],, j j &Element; &Element; [[11,, {n no}_{i i}]]}}} . .$

进一步地，所述步骤6还包括：Further, said step 6 also includes:

步骤6-1，授权中心选择随机值以系统公共参数params以及用户的私钥 ${SK}_{L} = (D_{0}, &ForAll; v_{i &Element; [1, n], j &Element; [1, n_{i}]} &Element; L : {D_{i, 1}, D_{i, 2}}, D_{2})$ 作为输入，并计算转换密钥为 ${TK}_{L} = {{D_{0}}^{'} = {D_{0}}^{\frac{1}{z}}, {D_{2}}^{'} = {D_{2}}^{\frac{1}{z}}, {{D_{i, 1}}^{'} = {D_{i, 1}}^{\frac{1}{z}}, {D_{i, 2}}^{'} = {D_{i, 2}}^{\frac{1}{z}}}_{i &Element; [1, n], j &Element; [1, n_{i}]}},$ 并保存HK_L＝z作为恢复密钥给用户，其中，Z_p表示集合{1,2,…,p-1,p}。Step 6-1, the authorization center selects a random value Take the system public parameter params and the user's private key ${SK}_{L} = ({D.}_{0}, &ForAll; v_{i &Element; [1, no], j &Element; [1, {no}_{i}]} &Element; L : {{D.}_{i, 1}, {D.}_{i, 2}}, {D.}_{2})$ as input, and computes the transformation key as ${TK}_{L} = {{D.}_{0}^{'} = {D.}_{0}^{\frac{1}{z}}, {D.}_{2}^{'} = {D.}_{2}^{\frac{1}{z}}, {{D.}_{i, 1}^{'} = {D.}_{i, 1}^{\frac{1}{z}}, {D.}_{i, 2}^{'} = {D.}_{i, 2}^{\frac{1}{z}}}_{i &Element; [1, no], j &Element; [1, {no}_{i}]}},$ And save HK _L =z as the recovery key to the user, where Z _p represents the set {1,2,...,p-1,p}.

进一步地，所述步骤7还包括：Further, said step 7 also includes:

步骤7-1，云存储提供方将密文CT＝{CT_own1,CT_own2}以及转换密钥TK_L＝{D₀′,D₂′,{D_i,1′,D_i,2′}_i∈[1,n]}作为输入，计算转换后的部分密文如下：Step 7-1, the cloud storage provider sends the ciphertext CT={CT _own1 ,CT _own2 } and the conversion key TK _L ={D ₀ ′,D ₂ ′,{D _i,1 ′,D _i,2 ′} _i∈[1,n] } as input, calculate the converted part of the ciphertext as follows:

${K K}_{o o w w n no 11}^{' '} = = \frac{{Π Π}_{i i = = 11}^{n no} e e (({C C}_{i i,, j j,, 11},, {D D.}_{i i,, 11}^{' '})) \cdot &Center Dot; e e (({C C}_{11},, {D D.}_{00}^{' '})) \cdot &Center Dot; e e (({C C}_{11},, {D D.}_{22}^{' '}))}{{Π Π}_{i i = = 11}^{n no} e e (({C C}_{i i,, j j,, 22},, {D D.}_{i i,, 22}^{' '}))} = = e e {((g g,, g g))}^{\frac{α α s the s + + {u u}_{00} s the s}{z z}}$

${K K}_{o o w w n no 22}^{' '} = = \frac{{Π Π}_{i i = = 11}^{n no} e e (({\overset{&OverBar; &OverBar;}{C C}}_{i i,, j j,, 11},, {D D.}_{i i,, 11}^{' '})) \cdot &Center Dot; e e (({C C}_{44},, {D D.}_{00}^{' '})) \cdot \cdot e e (({C C}_{44},, {D D.}_{22}^{' '}))}{{Π Π}_{i i = = 11}^{n no} e e (({\overset{&OverBar; &OverBar;}{C C}}_{i i,, j j,, 22},, {D D.}_{i i,, 22}^{' '}))} = = e e {((g g,, g g))}^{\frac{{αs αs}^{' '} + + {u u}_{00} {s the s}^{' '}}{z z}}$

输出转换后密文如下： ${CT}^{'} = {v n, K^{'} = \hat{c}, K_{1} = C_{0}, K_{o w n 1}^{'}, K_{2} = C_{3}, K_{o w n 2}^{'}} .$ The output converted ciphertext is as follows: ${CT}^{'} = {v no, K^{'} = \hat{c}, K_{1} = C_{0}, K_{o w no 1}^{'}, K_{2} = C_{3}, K_{o w no 2}^{'}} .$

所述步骤8还包括：Said step 8 also includes:

步骤8-1，解密者进行检查如下，若K₁≠C₀、K₂≠C₃，则输出⊥；否则继续下面的步骤；Step 8-1, the decryptor checks as follows, if K ₁ ≠C ₀ , K ₂ ≠C ₃ , then output ⊥; otherwise continue to the following steps;

步骤8-2，解密者如果未拥有与访问策略下标匹配的属性，则解密失败，否则通过下面的步骤可恢复出明文；6解密者计算m＝K₁/K′_own1 ^z，m′＝K₂/K′_own2 ^z，并验证K′＝u^H(m)v^H(m′)d来正确解密密文CT得到消息m；否则，算法失败并输出⊥。Step 8-2, if the decryptor does not have the attribute matching the subscript of the access policy, the decryption will fail, otherwise the plaintext can be recovered through the following steps; 6 The decryptor calculates m=K ₁ /K′ _own1 ^z , m′= K ₂ /K′ _own2 ^z , and verify K′=u ^H(m) v ^H(m′) d to correctly decrypt the ciphertext CT to get the message m; otherwise, the algorithm fails and outputs ⊥.

本发明所用的数学知识说明：The mathematical knowledge used in the present invention illustrates:

1、双线性对(BilinearPairing)1. Bilinear Pairing

简要介绍双线性映射的基本定义和它需满足的性质。Briefly introduce the basic definition of a bilinear map and the properties it needs to satisfy.

令G,G_T是两个p阶的乘法循环群，其中p为素数，g是G的生成元。定义两个群上的双线性映射为：e:G×G→G_T，且满足下面的性质：Let G, G _T be two multiplicative cyclic groups of order p, where p is a prime number and g is a generator of G. Define the bilinear mapping on two groups as: e:G×G→G _T , and satisfy the following properties:

(1)双线性性：e(g^a,g^b)＝e(g,g)^ab，对所有g∈G,a,b∈Z_p都成立。(1) Bilinearity: e(g ^a ,g ^b )=e(g,g) ^ab holds for all g∈G,a,b∈Z _p .

(2)非退化性：e(g,g)≠1。(2) Non-degenerate: e(g,g)≠1.

(3)可计算性：存在有效算法来计算e(g,g)，对所有g∈G都成立。(3) Computability: There exists an efficient algorithm to compute e(g,g), which holds for all g∈G.

2、访问结构(AccessStructure)2. Access Structure

设{P₁,P₂,...,P_n}是n个参与者的集合。设表示由参与者集合的子集构成的集合，B,C表示参与者集合的子集，对于所有的B,C：如果B∈A并且那么则说A是一个单调的访问结构。属于A的参与者的子集称为授权集，不属于A的参与者的子集称为非授权集。Let {P ₁ , P ₂ ,...,P _n } be a set of n participants. set up Represents the set composed of a subset of the participant set, B, C represent the subset of the participant set, for all B, C: If B∈A and So Then A is said to be a monotonic access structure. The subset of participants belonging to A is called the authorized set, and the subset of participants not belonging to A is called the non-authorized set.

3、判定双线性DH(DecisionalBilinearDiffie-Hellman)困难问题假定3. Decision Bilinear DH (Decisional Bilinear Diffie-Hellman) difficult problem assumption

给定p阶循环群G，其中p为素数，g是G的生成元。则群G上的DBDH问题是：已知t₁,t₂,t₃,z是从Z_p随机选取的，以不可忽略的概率区分 $(A, B, C, Z) = (g^{t_{1}}, g^{t_{2}}, g^{t_{3}}, e {(g, g)}^{t_{1} t_{2} t_{3}})$ 和 $(A, B, C, Z) = (g^{t_{1}}, g^{t_{2}}, g^{t_{3}}, e {(g, g)}^{z})$ 这两个元组。这里Z_p表示集合{1,2,…,p-1,p}。Given a cyclic group G of order p, where p is a prime number and g is a generator of G. Then the DBDH problem on the group G is: given that t ₁ , t ₂ , t ₃ , and z are randomly selected from Z _p , they can be distinguished with non-negligible probability $(A, B, C, Z) = (g^{t_{1}}, g^{t_{2}}, g^{t_{3}}, e {(g, g)}^{t_{1} t_{2} t_{3}})$ and $(A, B, C, Z) = (g^{t_{1}}, g^{t_{2}}, g^{t_{3}}, e {(g, g)}^{z})$ These two tuples. Here Z _p represents the set {1,2,...,p-1,p}.

有益效果：与现有技术相比，本发明所提供的一种基于属性的加密方法与普通的基于属性的加密方法相比，支持了用户撤销，提高了系统的灵活性。此外，该加密方案达到了完全隐藏访问结构来保护用户的隐私，防止恶意的用户通过访问策略来获得解密用户所需的属性值，从而获得用户的隐私信息。该加密方案还支持数据外包，并支持验证转换密文的正确性，从而降低无线端的用户的总通信成本，并保证了转换后密文未被非法替换且避免造成不良后果。因此本发明所提供的一种基于属性的加密方法是一种安全有效灵活的基于属性的加密方法。Beneficial effect: Compared with the prior art, compared with the common attribute-based encryption method, the attribute-based encryption method provided by the present invention supports user revocation and improves the flexibility of the system. In addition, the encryption scheme can completely hide the access structure to protect the user's privacy, and prevent malicious users from obtaining the attribute values needed to decrypt the user through the access policy, thereby obtaining the user's private information. The encryption scheme also supports data outsourcing and verifies the correctness of converted ciphertexts, thereby reducing the total communication cost of users at the wireless end, and ensuring that the converted ciphertexts are not illegally replaced and avoid adverse consequences. Therefore, the attribute-based encryption method provided by the present invention is a safe, effective and flexible attribute-based encryption method.

附图说明Description of drawings

图1为本发明加密系统的工作示意图；Fig. 1 is the working schematic diagram of encryption system of the present invention;

图2为本发明加密方法的流程图。Fig. 2 is a flowchart of the encryption method of the present invention.

具体实施方式Detailed ways

下面结合附图和具体实施方式，进一步阐明本发明。The present invention will be further explained below in conjunction with the accompanying drawings and specific embodiments.

下面将结合附图说明本发明的具体过程。The specific process of the present invention will be described below in conjunction with the accompanying drawings.

如图1所示，本发明提供的一种ABE系统包括如下八个模块：As shown in Figure 1, a kind of ABE system provided by the present invention includes following eight modules:

1.系统参数设置模块(Setup)：输入安全参数κ，返回系统公开参数params和主密钥MK。1. System parameter setting module (Setup): input security parameter κ, return system public parameter params and master key MK.

2.密钥生成模块(KeyGen)：授权中心运行密钥生成算法为用户生成私钥。授权中心输入系统公开参数params，一个描述性属性集L，计算出用户与属性集L相关联的私钥SK_L。2. Key generation module (KeyGen): The authorization center runs a key generation algorithm to generate a private key for the user. The authorization center inputs the system public parameters params, a descriptive attribute set L, and calculates the private key SK _L associated with the user and the attribute set L.

3.加密模块(Encrypt)：输入系统公开参数params，消息m，访问策略W，加密者加密得到一个密文CT。只有当与私钥相关联的用户属性集L满足访问策略时且通过密文正确性验证，用户才能解密密文CT。3. Encryption module (Encrypt): Input the system public parameters params, message m, access policy W, and the encryptor encrypts to obtain a ciphertext CT. Only when the user attribute set L associated with the private key satisfies the access policy and passes the verification of the correctness of the ciphertext, the user can decrypt the ciphertext CT.

4.解密模块(Decrypt)：接收者输入解密密钥SK_L以及密文CT，解密得到消息m。4. Decryption module (Decrypt): The receiver inputs the decryption key SK _L and the ciphertext CT, and decrypts to obtain the message m.

5.重加密模块(ReKey)：授权中心根据所述系统公开参数params、主密钥MK、组私钥u_x生成重加密密钥ck_vn，得到重加密后的密文CT_vn，并更新授权用户的部分私钥D_2,vn。5. Re-encryption module (ReKey): the authorization center generates a re-encryption key ck _vn according to the system public parameters params, master key MK, and group private key u _x , obtains the re-encrypted ciphertext CT _vn , and updates the authorization The user's partial private key D _2,vn .

6.转换密钥生成模块(TKGen)：授权中心根据系统公开参数params和用户的私钥SK_L，生成转换密钥TK_L和恢复私钥HK_L。6. Conversion key generation module (TKGen): the authorization center generates conversion key TK _L and recovery private key HK _{L according to the system public parameters params and the user's private key SK L} _.

7.转换部分密文模块(TK-Encrypt)：系统公开参数params、原始密文CT以及转换密钥TK_L，生成转换后的密文CT′。7. Convert partial ciphertext module (TK-Encrypt): The system publicizes parameters params, original ciphertext CT and conversion key TK _L to generate converted ciphertext CT′.

8.转换解密模块(TK-DEcrypt)：授权中心根据系统公开参数params、原始密文CT、转换后的密文CT′以及恢复私钥HK_L，对密文解密得到消息M。8. Transformation and decryption module (TK-DEcrypt): The authorization center decrypts the ciphertext to obtain the message M according to the system public parameters params, the original ciphertext CT, the converted ciphertext CT′ and the restored private key HK _L .

下面将结合本方法的流程图对该加密系统的各个模块进行具体的说明。Each module of the encryption system will be specifically described below in conjunction with the flow chart of the method.

如图2所示，本发明提供的一种基于属性的加密方法执行流程具体如下：As shown in Figure 2, the execution flow of an attribute-based encryption method provided by the present invention is specifically as follows:

该系统的系统参数设置模块A具体包括如下操作，其特征在于所述步骤1包括：The system parameter setting module A of the system specifically includes the following operations, characterized in that the step 1 includes:

选取大素数p，p阶乘法循环群G和G_T，双线性映射e:G×G→G_T。从G中选择生成元g,u,v,d。Choose a large prime number p, p factorial method cyclic groups G and G _T , bilinear mapping e:G×G→G _T . Select generators g,u,v,d from G.

授权中心随机选择t_i,j∈Z_p(i∈[1,n],j∈[1,n_i])，把{α,g^α,δ}，作为其私钥。计算Y＝e(g,g)^α，定义一个哈希函数这里表示集合{1,2,…,p-2,p-1}。Authorization center randomly selects t _i,j ∈ Z _p (i∈[1,n],j∈[1,n _i ]), takes {α,g ^α ,δ} as its private key. Calculate Y=e(g,g) ^α , define a hash function here Denotes the set {1,2,...,p-2,p-1}.

数据拥有者选择随机值作为数据拥有者的私钥SK_DO，并计算其公钥发送到公共区域，SK_DO作为数据拥有者的私钥不泄露。这里表示集合{1,2,…,p-2,p-1}。The data owner chooses a random value As the private key SK _DO of the data owner, and calculate its public key Send to the public area, SK _DO as the private key of the data owner will not be disclosed. here Denotes the set {1,2,...,p-2,p-1}.

授权中心设置初始版本号vn＝0，并选择随机值作为组私钥GSK，并(i∈[1,n],j∈[1,n_i])，系统主密钥为MK＝{α,g^α,δ}，数据拥有者的私钥为SK_DO＝{β}。The authorization center sets the initial version number vn=0, and selects a random value as the group private key GSK, and (i∈[1,n],j∈[1,n _i ]), the system master key is MK={α,g ^α ,δ}, and the private key of the data owner is SK _DO ={β}.

步骤1-3中，对于两个不同的用户属性集L和L′，应满足 $Σ_{v_{i, j} &Element; L} t_{i, j} &NotEqual; Σ_{v_{i, j} &Element; L^{'}} t_{i, j} .$ In steps 1-3, for two different user attribute sets L and L', it should satisfy $Σ_{v_{i, j} &Element; L} t_{i, j} &NotEqual; Σ_{v_{i, j} &Element; L^{'}} t_{i, j} .$

密钥生成模块B具体包括如下操作：The key generation module B specifically includes the following operations:

用户的属性集为L。The user's attribute set is L.

授权中心随机选取 $r, λ_{i} &Element; Z_{p}^{*},$ 并计算 $D_{0} = g^{\frac{α - γ}{β}}, D_{i, 1} = g^{r + λ_{i} t_{i, j}}, D_{i, 2} = g^{λ_{i}}$ 作The authorization center randomly selects $r, λ_{i} &Element; Z_{p}^{*},$ and calculate ${D.}_{0} = g^{\frac{α - γ}{β}}, {D.}_{i, 1} = g^{r + λ_{i} t_{i, j}}, {D.}_{i, 2} = g^{λ_{i}}$ do

为用户的私钥，其中t_i,j∈L_i(i∈[1,n],j∈[1,n_i])。同时对授权的用户计算is the user's private key, where t _i,j ∈L _i (i∈[1,n],j∈[1,n _i ]). Simultaneous calculations for authorized users

并设置版本号vn＝0。这里表示集合{1,2,…,p-2,p-1}。 And set the version number vn=0. here Denotes the set {1,2,...,p-2,p-1}.

加密模块C具体包括如下操作：The encryption module C specifically includes the following operations:

加密者选择明文消息m∈G_T、一条随机消息m′∈G_T，访问结构W＝[W₁,W₂,...,W_n]，并计算这里H是G到的密码学哈希函数。The encryptor chooses a plaintext message m∈G _T , a random message m′∈G _T , accesses the structure W=[W ₁ ,W ₂ ,...,W _n ], and calculates Here H is G to cryptographic hash function.

对于将要进行分享的消息m，加密者随机选取并计算C₁＝g^βs,C₂＝g^δs。加密者设置有关属性密文部分，设s为访问结构的根节点，设定所有的儿子节点为未标记，标记根节点为已标记，为每个未标记的非叶子节点递归地进行如下运算：非叶子节点为“与”门，且其儿子节点状态为未标记，选择随机值并设置最后一个儿子节点的值为并标记此节点为已标记。反之若为“或”门，标记该节点下的任意节点的值为s，并设置此节点为已标记。对于叶子节点，加密者进行如下计算： For the message m to be shared, the encryptor randomly selects and calculate C ₁ =g ^βs , C ₂ =g ^δs . The encryptor sets the relevant attribute ciphertext part, sets s as the root node of the access structure, sets all child nodes as unmarked, marks the root node as marked, and performs the following operation recursively for each unmarked non-leaf node: The non-leaf node is an "AND" gate, and its child node status is unmarked, and a random value is selected And set the value of the last child node to and mark this node as marked. On the contrary, if it is an "or" gate, mark the value of any node under this node as s, and set this node as marked. For leaf nodes, the encryptor performs the following calculations:

对于将要随机消息m′，加密者随机选取并计算C₄＝g^βs′,C₅＝g^δs′。加密者设置有关属性密文部分，设s′为访问结构的根节点，设定所有的儿子节点为未标记，标记根节点为已标记，为每个未标记的非叶子节点递归地进行如下运算：非叶子节点为“与”门，且其儿子节点状态为未标记，选择随机值并设置最后一个儿子节点的值为并标记此节点为已标记。反之若为“或”门，标记该节点下的任意节点的值为s′，并设置此节点为已标记。对于叶子节点，加密者进行如下计算：这里表示集合{1,2,…,p-2,p-1}。For the message m′ to be randomized, the encryptor randomly selects and calculate C ₄ =g ^βs' , C ₅ =g ^δs' . The encryptor sets the ciphertext part of the relevant attributes, sets s′ as the root node of the access structure, sets all child nodes as unmarked, and marks the root node as marked, and performs the following operation recursively for each unmarked non-leaf node : The non-leaf node is an "AND" gate, and its child node status is unmarked, choose a random value And set the value of the last child node to and mark this node as marked. On the contrary, if it is an "or" gate, mark the value of any node under this node as s', and set this node as marked. For leaf nodes, the encryptor performs the following calculations: here Denotes the set {1,2,...,p-2,p-1}.

加密者设置版本号vn＝0。加密得到的密文为 ${CT}_{o w n 1} = {C_{0}, C_{1}, C_{2}, {C_{i, j, 1}, C_{i, j, 2}}_{i &Element; [1, n], j &Element; [1, n_{i}]}}, {CT}_{o w n 2} = {C_{3}, C_{4}, C_{5}, {{\overset{&OverBar;}{C}}_{i, j, 1}, {\overset{&OverBar;}{C}}_{i, j, 2}}_{i &Element; [1, n], j &Element; [1, n_{i}]}} .$ The encryptor sets the version number vn=0. The encrypted ciphertext is ${CT}_{o w no 1} = {C_{0}, C_{1}, C_{2}, {C_{i, j, 1}, C_{i, j, 2}}_{i &Element; [1, no], j &Element; [1, {no}_{i}]}}, {CT}_{o w no 2} = {C_{3}, C_{4}, C_{5}, {{\overset{&OverBar;}{C}}_{i, j, 1}, {\overset{&OverBar;}{C}}_{i, j, 2}}_{i &Element; [1, no], j &Element; [1, {no}_{i}]}} .$

解密模块D具体包括如下操作：The decryption module D specifically includes the following operations:

解密者检查私钥SK_L与密文CT的版本号，如果不一致，向授权中心申请更新私钥，如果一致，则继续下面的步骤。The decryptor checks the version numbers of the private key SK _L and the ciphertext CT, if they are inconsistent, apply to the authorization center for updating the private key, if they are consistent, continue to the following steps.

解密者如果未拥有与访问策略下标匹配的属性，则解密失败，否则通过下面的步骤可恢复出明文。If the decryptor does not have the attribute matching the subscript of the access policy, the decryption will fail. Otherwise, the plaintext can be recovered through the following steps.

解密者计算 $F = Π_{i = 1}^{n} e (C_{i, j, 2}, D_{i, 2}), O = Π_{i = 1}^{n} e (C_{i, j, 1}, D_{i, 1}),$ S＝e(C₁,D₀)， $B = Π_{i = 1}^{n} e (C_{1}, D_{2}),$ 计算得到 $m = \frac{C_{0} \cdot F}{O \cdot S \cdot B} .$ 同时计算 $F^{'} = Π_{i = 1}^{n} e ({\overset{&OverBar;}{C}}_{i, j, 2}, D_{i, 2}),$ $O^{'} = Π_{i = 1}^{n} e ({\overset{&OverBar;}{C}}_{i, j, 1}, D_{i, 1}),$ S′＝e(C₄,D₀)， $B^{'} = Π_{i = 1}^{n} e (C_{4}, D_{2}),$ 计算得到同时验证若是则输出消息m，否则输出⊥。decryptor calculation $f = Π_{i = 1}^{no} e (C_{i, j, 2}, {D.}_{i, 2}), o = Π_{i = 1}^{no} e (C_{i, j, 1}, {D.}_{i, 1}),$ S=e(C ₁ ,D ₀ ), $B = Π_{i = 1}^{no} e (C_{1}, {D.}_{2}),$ calculated $m = \frac{C_{0} &Center Dot; f}{o &Center Dot; S \cdot B} .$ Simultaneous computing $f^{'} = Π_{i = 1}^{no} e ({\overset{&OverBar;}{C}}_{i, j, 2}, {D.}_{i, 2}),$ $o^{'} = Π_{i = 1}^{no} e ({\overset{&OverBar;}{C}}_{i, j, 1}, {D.}_{i, 1}),$ S'=e(C ₄ , D ₀ ), $B^{'} = Π_{i = 1}^{no} e (C_{4}, {D.}_{2}),$ calculated Simultaneous verification If so, output message m, otherwise output ⊥.

重加密模块E具体包括如下操作：The re-encryption module E specifically includes the following operations:

授权中心收到用户撤销的信息，选择新的随机值作为新的组私钥GSK_x，其中x为此时版本号标识，当系统中的合法用户需要访问数据时通过安全的线下通道发送给他们。这里Z_p表示集合{1,2,…,p-1,p}。The authorization center receives the user's revocation information and selects a new random value As a new group private key GSK _x , where x is the current version number identification, it is sent to legitimate users in the system through a secure offline channel when they need to access data. Here Z _p represents the set {1,2,...,p-1,p}.

授权中心更新授权用户的私钥部分 The authorization center updates the private key part of the authorized user

授权中心计算重加密密钥为并发送给云存储提供方，云存储提供方计算版本号为vn＝x的新的密文CT_vn。The authorization center calculates the re-encryption key as And send it to the cloud storage provider, and the cloud storage provider calculates a new ciphertext CT _vn whose version number is vn=x.

${C C}_{00,, v v n no} = = {C C}_{00} \cdot \cdot e e (({C C}_{22},, {ck ck}_{v v n no})) = = m m \cdot \cdot e e {((g g,, g g))}^{α α s the s + + {u u}_{00} s the s} \cdot &Center Dot; e e (({g g}^{δ δ s the s},, {g g}^{\frac{{u u}_{x x} - - {u u}_{00}}{δ δ}})) = = m m \cdot \cdot e e {((g g,, g g))}^{α α s the s + + {u u}_{x x} s the s} . .$

${C C}_{33,, v v n no} = = {C C}_{33} \cdot \cdot e e (({C C}_{55},, {ck ck}_{v v n no})) = = {m m}^{' '} \cdot \cdot e e {((g g,, g g))}^{{αs αs}^{' '} + + {u u}_{00} {s the s}^{' '}} \cdot &Center Dot; e e (({g g}^{{δs δs}^{' '}},, {g g}^{\frac{{u u}_{x x} - - {u u}_{00}}{δ δ}})) = = m m \cdot \cdot e e {((g g,, g g))}^{{αs αs}^{' '} + + {u u}_{x x} {s the s}^{' '}} . .$

${CT CT}_{o o w w n no 22,, v v n no} = = {{v v n no = = x x,, \overset{^^}{c c},, {C C}_{33,, v v n no},, {C C}_{44},, {C C}_{55},, {{{\overset{&OverBar; &OverBar;}{C C}}_{i i,, j j,, 11},, {\overset{&OverBar; &OverBar;}{C C}}_{i i,, j j,, 22}}}_{i i &Element; &Element; [[11,, n no]],, j j &Element; &Element; [[11,, {n no}_{i i}]]}}}$

转换密钥生成模块F具体包含如下操作：The conversion key generation module F specifically includes the following operations:

授权中心选择随机值以系统公共参数params以及用户的私钥为恢复密钥给用户。这里Z_p表示集合{1,2,…,p-1,p}。Authorization center chooses random value Take the system public parameter params and the user's private key for the recovery key to the user. Here Z _p represents the set {1,2,...,p-1,p}.

转换部分密文模块具体包含如下操作：The conversion part of the ciphertext module specifically includes the following operations:

云存储提供方将密文CT＝{CT_own1,CT_own2}以及转换密钥TK_L＝{D₀′,D₂′,{D_i,1′,D_i,2′}_i∈[1,n]}作为输入，计算转换后的部分密文如下：The cloud storage provider sends the ciphertext CT={CT _own1 ,CT _own2 } and the conversion key TK _L ={D ₀ ′,D ₂ ′,{D _i,1 ′,D _i,2 ′} _{i∈[1, n]} } as input, calculate the converted part of the ciphertext as follows:

${K K}_{o o w w n no 11}^{' '} = = \frac{{Π Π}_{i i = = 11}^{n no} e e (({C C}_{i i,, j j,, 11},, {D D.}_{i i,, 11}^{' '})) \cdot \cdot e e (({C C}_{11},, {D D.}_{00}^{' '})) \cdot \cdot e e (({C C}_{11},, {D D.}_{22}^{' '}))}{{Π Π}_{i i = = 11}^{n no} e e (({C C}_{i i,, j j,, 22},, {D D.}_{i i,, 22}^{' '}))} = = e e {((g g,, g g))}^{\frac{α α s the s + + {u u}_{00} s the s}{z z}}$

${K K}_{o o w w n no 22}^{' '} = = \frac{{Π Π}_{i i = = 11}^{n no} e e (({\overset{&OverBar; &OverBar;}{C C}}_{i i,, j j,, 11},, {D D.}_{i i,, 11}^{' '})) \cdot \cdot e e (({C C}_{44},, {D D.}_{00}^{' '})) \cdot \cdot e e (({C C}_{44},, {D D.}_{22}^{' '}))}{{Π Π}_{i i = = 11}^{n no} e e (({\overset{&OverBar; &OverBar;}{C C}}_{i i,, j j,, 22},, {D D.}_{i i,, 22}^{' '}))} = = e e {((g g,, g g))}^{\frac{{αs αs}^{' '} + + {u u}_{00} {s the s}^{' '}}{z z}}$

转换解密模块具体包含如下操作：The conversion and decryption module specifically includes the following operations:

解密者进行检查如下，若K₁≠C₀、K₂≠C₃，则输出⊥。否则继续下面的步骤。The decryptor checks as follows, if K ₁ ≠C ₀ , K ₂ ≠C ₃ , then output ⊥. Otherwise continue with the steps below.

解密者如果未拥有与访问策略下标匹配的属性，则解密失败，否则通过下面的步骤可恢复出明文。解密者计算m＝K₁/K′_own1 ^z，m′＝K₂/K′_own2 ^z，并验证K′＝u^H(m)v^H(m′)d来正确解密密文CT得到消息m。否则，算法失败并输出⊥。If the decryptor does not have the attribute matching the subscript of the access policy, the decryption will fail. Otherwise, the plaintext can be recovered through the following steps. The decryptor calculates m=K ₁ /K' _own1 ^z , m'=K ₂ /K' _own2 ^z , and verifies K'=u ^H(m) v ^H(m') d to correctly decrypt the ciphertext CT to get the message m . Otherwise, the algorithm fails and outputs ⊥.

以上阐述和说明了本发明的基本原理、主要优点以及操作步骤。The basic principles, main advantages and operation steps of the present invention have been set forth and illustrated above.

下面将对如上所述的ABE系统应用于云计算中的情形进行说明。The situation where the above-mentioned ABE system is applied to cloud computing will be described below.

依照本发明的步骤，当用户A要将数据存储到公共云端的时候，授权中心运行算法得到公共参数params，用户A制定一个访问策略W在公共参数params下对要存储的数据进行加密。当某用户B想访问该用户加密的数据时，他首先根据自身属性向授权中心申请私钥，如果用户B的属性集合满足加密者制定的访问策略且通过密文的正确性验证时，B可以利用自己的私钥、公共参数params对密文进行解密得到明文。假设系统中原有用户C、D离职，授权中心需要对C、D拥有的解密权限的密文进行重加密来保证系统安全性，并为系统中其他用户更新私钥。由于本方案能够完全隐藏访问策略，因此解密者即使能够解密也不知道访问策略的具体值，从而保护了用户的隐私。此外，本方案支持还支持数据外包，并提供了对转换密文的正确性验证功能，从而降低无线端的用户的总通信成本，并保证了转换后密文未被非法替换且避免造成不良后果，提高了系统的灵活性。According to the steps of the present invention, when user A wants to store data in the public cloud, the authorization center runs an algorithm to obtain the public parameter params, and user A formulates an access strategy to encrypt the data to be stored under the public parameter params. When a user B wants to access the user's encrypted data, he first applies for a private key from the authorization center according to his own attributes. If the attribute set of user B satisfies the access policy formulated by the encryptor and passes the correctness verification of the ciphertext, B can Use your own private key and public parameter params to decrypt the ciphertext to get the plaintext. Assuming that the original users C and D in the system leave their jobs, the authorization center needs to re-encrypt the ciphertext of the decryption authority owned by C and D to ensure system security, and update the private keys for other users in the system. Because this scheme can completely hide the access policy, even if the decryptor can decrypt it, he will not know the specific value of the access policy, thereby protecting the user's privacy. In addition, this solution also supports data outsourcing, and provides the correctness verification function for the converted ciphertext, thereby reducing the total communication cost of the wireless end user, and ensuring that the converted ciphertext is not illegally replaced and avoids adverse consequences. Improved system flexibility.

本领域普通技术人员应该了解，本发明不受上述实例限制，上述实例的描述只是为说明本发明的基本原理与特点，在上述实例的基础上可以很容易的联想到其他的优点和变形。在不背离本发明宗旨的范围内，本领域普通技术人员可以根据上述具体实例通过各种等同替换所得到的技术方案，但是这些技术方案均应该包含在本发明的权利要求的范围及其等同的范围之内。Those of ordinary skill in the art should understand that the present invention is not limited by the above examples, and the description of the above examples is only to illustrate the basic principles and characteristics of the present invention, and other advantages and deformations can be easily imagined on the basis of the above examples. Within the scope of not departing from the gist of the present invention, those skilled in the art can obtain the technical solutions through various equivalent replacements according to the above specific examples, but these technical solutions should be included in the scope of the claims of the present invention and their equivalents. within range.

Claims

1. An attribute-based encryption method and system that protects privacy and supports user revocation, is characterized in that: the encryption system includes eight modules, specifically:

System parameter setting module: generate system public parameters and send them to other modules;

Key generation module: generate the user's private key for decrypting messages according to the user's attribute set;

Encryption module: used to encrypt messages;

Decryption module: used to decrypt messages;

Re-encryption module: generate a re-encryption key, and update the ciphertext and the user's private key;

Conversion key generation module: generate conversion key and recover private key;

Convert partial ciphertext module: generate converted partial ciphertext based on the original ciphertext;

Conversion and decryption module: used to decrypt the converted ciphertext;

The specific steps of the encryption method are as follows:

Step 1, set system public parameters params and master key MK;

Step 2, generate the user's private key SK _L according to the system public parameters params;

Step 3, encrypt the message M according to the system public parameters params and the selected access strategy to obtain the ciphertext CT;

Step 4, decrypt the ciphertext CT according to the system public parameters params and the user's private key SK _L to obtain the message M;

Step 5, generate a re-encryption key ck _vn according to the system public parameters params and the group private key u _x , obtain the re-encrypted ciphertext CT _vn , and update the partial private key D _2,vn of the authorized user;

Step 6, according to the system public parameters params and the user's private key SK _L , generate a conversion key TK _L and a recovery private key HK _L ;

Step 7: Generate converted ciphertext CT′ according to the system public parameters params, original ciphertext CT and conversion key TK _L ;

Step 8: Decrypt the ciphertext to obtain the message M according to the system public parameters params, the original ciphertext CT, the converted ciphertext CT′ and the restored private key HK _L .

2. A privacy-protecting attribute-based encryption method and system that supports user revocation according to claim 1, characterized in that: said step 1 also includes:

Step 1-1, select a large prime number p, p factorial method cyclic group G and G _T , bilinear mapping e:G×G→G _T ; select generators g,u,v,d from G;

Step 1-2, the authorization center randomly selects t _i,j ∈ Z _p (i∈[1,n],j∈[1,n _i ]), take {α,g ^α ,δ} as its private key; calculate Y=e(g,g) ^α , define a hash function here Represents the set {1,2,...,p-2,p-1};

Steps 1-3, the data owner chooses a random value As the private key SK _DO of the data owner, and calculate its public key Sent to the public area, SK _DO as the private key of the data owner will not be disclosed; here Represents the set {1,2,...,p-2,p-1};

Steps 1-4, the authorization center sets the initial version number vn=0, and selects a random value As the group private key GSK, and send it offline to registered users, calculate sent to the public domain as the group public key;

System public parameters

p a r a m the s : {Y, p, G, G_{T}, e, g, u, v, d, g^{δ}, g^{β}, g^{\frac{1}{β}}, {T_{i, j}}},

Where (i∈[1,n],j∈[1,n _i ]), the system master key is MK＝{α,g ^α ,δ}, and the private key of the data owner is SK _DO ＝{β};

Among them, in step 1-2, for two different user attribute sets L and L', should satisfy

Σ_{v_{i, j} &Element; L} t_{i, j} &NotEqual; Σ_{v_{i, j} &Element; L^{'}} t_{i, j} .

3. An attribute-based encryption method and system that protects privacy and supports user revocation according to claim 1, characterized in that: said step 2 also includes:

Step 2-1, input user's attribute set L;

Step 2-2, the authorization center randomly selects

r, λ_{i} &Element; Z_{p}^{*},

and calculate

{D.}_{0} = g^{\frac{α - γ}{β}},

{D.}_{i, 1} = g^{r + λ_{i} t_{i, j}},

As the user's private key, where t _i,j ∈L _i (i∈[1,n],j∈[1,n _i ]); at the same time, the authorized user calculates And set the version number vn=0; here Represents the set {1,2,...,p-2,p-1};

The private key issued by the authorization center to the user is

{SK}_{L} = ({D.}_{0}, {{D.}_{i, 1}, {D.}_{i, 2}}_{i &Element; [1, no], j &Element; [1, {no}_{i}]}, {D.}_{2}) .

4. An attribute-based encryption method and system that protects privacy and supports user revocation according to claim 1, characterized in that: said step 3 also includes:

Step 3-1, the encryptor selects a plaintext message m∈G _T , a random message m′∈G _T , accesses the structure W=[W ₁ ,W ₂ ,...,W _n ], and calculates Here H is G to cryptographic hash function;

Step 3-2, for the message m to be shared, the encryptor randomly selects and calculate

C_{0} = m \cdot Y^{the s} &Center Dot; e {(g, g)}^{u_{0} the s} = m \cdot e {(g, g)}^{α the s + u_{0} the s},

C ₁ ＝g ^βs , C ₂ ＝g ^δs ; the encryptor sets the ciphertext part of the relevant attributes, sets s as the root node of the access structure, sets all child nodes as unmarked, and marks the root node as marked, for each The unmarked non-leaf nodes recursively perform the following operations: the non-leaf nodes are "AND" gates, and the state of their child nodes is unmarked, and a random value is selected And set the value of the last child node to And mark this node as marked; otherwise, if it is an "or" gate, mark the value of any node under this node as s, and set this node as marked; for leaf nodes, the encryptor performs the following calculation:

Step 3-3, for the message m′ to be randomized, the encryptor randomly selects and calculate

C_{3} = m^{'} \cdot Y^{{the s}^{'}} \cdot e {(g, g)}^{u_{0} {the s}^{'}} = m^{'} &Center Dot; e {(g, g)}^{{αs}^{'} + u_{0} {the s}^{'}},

C ₄ ＝g ^βs′ , C ₅ ＝g ^δs′ ; the encryptor sets the relevant attribute ciphertext part, sets s′ as the root node of the access structure, sets all child nodes as unmarked, and marks the root node as marked, Recursively perform the following operations for each unmarked non-leaf node: the non-leaf node is an "AND" gate, and its child node status is unmarked, select a random value And set the value of the last child node to And mark this node as marked; otherwise, if it is an "or" gate, mark the value of any node under this node as s′, and set this node as marked; for leaf nodes, the encryptor performs the following calculation: here Represents the set {1,2,...,p-2,p-1};

Step 3-4, the encryptor sets the version number vn=0; the encrypted ciphertext is

C T = {v no = 0, \hat{c}, {CT}_{o w no 1}, {CT}_{o w no 2}},

{CT}_{o w no 1} = {C_{0}, C_{1}, C_{2}, {C_{i, j, 1}, C_{i, j, 2}}_{i &Element; [1, no], j &Element; [1, {no}_{i}]}},

{CT}_{o w no 2} = {C_{3}, C_{4}, C_{5}, {{\overset{&OverBar;}{C}}_{i, j, 1}, {\overset{&OverBar;}{C}}_{i, j, 2}}_{i &Element; [1, no], j &Element; [1, {no}_{i}]}} .

5. An attribute-based encryption method and system that protects privacy and supports user revocation according to claim 1, characterized in that: said step 4 also includes:

Step 5-1, the decryptor checks the version numbers of the private key SK _L and the ciphertext CT, if they are not consistent, apply to the authorization center for updating the private key, if they are consistent, proceed to the following steps;

Step 5-2, if the decryptor does not have the attribute matching the subscript of the access policy, the decryption fails, otherwise the plaintext can be recovered through the following steps;

decryptor calculation

f = Π_{i = 1}^{no} e (C_{i, j, 2}, {D.}_{i, 2}),

o = Π_{i = 1}^{no} e (C_{i, j, 1}, {D.}_{i, 1}),

S=e(C ₁ ,D ₀ ),

B = Π_{i = 1}^{no} e (C_{1}, {D.}_{2}),

calculated

m = \frac{C_{0} &Center Dot; f}{o &Center Dot; S &Center Dot; B};

Simultaneous computing

f^{'} = Π_{i = 1}^{no} e ({\overset{&OverBar;}{C}}_{i, j, 2}, {D.}_{i, 2}),

o^{'} = Π_{i = 1}^{no} e ({\overset{&OverBar;}{C}}_{i, j, 1}, {D.}_{i, 1}),

S'=e(C ₄ ,D ₀ ),

B^{'} = Π_{i = 1}^{no} e (C_{4}, {D.}_{2}),

calculated Simultaneous verification If so, output message m, otherwise output ⊥.

6. An attribute-based encryption method and system that protects privacy and supports user revocation according to claim 1, characterized in that: said step 5 also includes:

Step 5-1, the authorization center receives the user's revocation information and selects a new random value As a new group private key GSK _x , where x is the version number identification at this time, it is sent to legal users in the system through a secure offline channel when they need to access data; here Z _p represents the set {1,2,…, p-1,p};

Step 5-2, the authorization center updates the private key part of the authorized user

Step 5-3, the authorization center calculates the re-encryption key as And send to the cloud storage provider, the cloud storage provider calculates a new ciphertext CT _vn whose version number is vn=x;

For the first part of the ciphertext CT _own1,vn , the following calculations are performed:

{C C}_{00,, v v n no} = = {C C}_{00} \cdot \cdot e e (({C C}_{22},, {ck ck}_{v v n no})) = = m m \cdot \cdot e e {((g g,, g g))}^{α α s the s + + {u u}_{00} s the s} \cdot \cdot e e (({g g}^{δ δ s the s},, {g g}^{\frac{{u u}_{x x} - - {u u}_{00}}{δ δ}})) = = m m \cdot &Center Dot; e e {((g g,, g g))}^{α α s the s + + {u u}_{x x} s the s};;

Similarly, for the second part of the ciphertext CT _own2,vn , the following calculation is performed:

{C C}_{33,, v v n no} = = {C C}_{33} \cdot &Center Dot; e e (({C C}_{55},, {ck ck}_{v v n no})) = = {m m}^{' '} \cdot &Center Dot; e e {((g g,, g g))}^{{αs αs}^{' '} + + {u u}_{00} {s the s}^{' '}} \cdot \cdot e e (({g g}^{{δs δs}^{' '}},, {g g}^{\frac{{u u}_{x x} - - {u u}_{00}}{δ δ}})) = = m m \cdot &Center Dot; e e {((g g,, g g))}^{{αs αs}^{' '} + + {u u}_{x x} {s the s}^{' '}};;

The updated ciphertext CT _vn ={CT _own1,vn ,CT _own2,vn } is as follows:

{CT CT}_{o o w w n no 11,, v v n no} = = {{v v n no = = x x,, \overset{^^}{c c},, {C C}_{00,, v v n no},, {C C}_{11},, {C C}_{22},, {{{C C}_{i i,, j j,, 11},, {C C}_{i i,, j j,, 22}}}_{i i &Element; &Element; [[11,, n no]],, j j &Element; &Element; [[11,, {n no}_{i i}]]}}}

{CT CT}_{o o w w n no 22,, v v n no} = = {{v v n no = = x x,, \overset{^^}{c c},, {C C}_{33,, v v n no},, {C C}_{44},, {C C}_{55},, {{{\overset{&OverBar; &OverBar;}{C C}}_{i i,, j j,, 11},, {\overset{&OverBar; &OverBar;}{C C}}_{i i,, j j,, 22}}}_{i i &Element; &Element; [[11,, n no]],, j j &Element; &Element; [[11,, {n no}_{i i}]]}}} . .

7. An attribute-based encryption method and system that protects privacy and supports user revocation according to claim 1, wherein the step 6 further comprises:

Step 6-1, the authorization center selects a random value Take the system public parameter params and the user's private key

{SK}_{L} = ({D.}_{0}, &ForAll; v_{i &Element; [1, no], j &Element; [1, {no}_{i}]} &Element; L : {{D.}_{i, 1}, {D.}_{i, 2}}, {D.}_{2})

as input, and computes the transformation key as

{TK}_{L} = {{D.}_{0}^{'} = {D.}_{0}^{\frac{1}{z}}, {D.}_{2}^{'} = {D.}_{2}^{\frac{1}{z}}, {{D.}_{i, 1}^{'} = {D.}_{i, 1}^{\frac{1}{z}}, {D.}_{i, 2}^{'} = {D.}_{i, 2}^{\frac{1}{z}}}_{i &Element; [1, no], j &Element; [1, {no}_{i}]}},

And save HK _L =z as the recovery key to the user, where Z _p represents the set {1,2,...,p-1,p}.

8. An attribute-based encryption method and system that protects privacy and supports user revocation according to claim 1, characterized in that: said step 7 also includes:

Step 7-1, the cloud storage provider sends the ciphertext CT={CT _own1 ,CT _own2 } and the conversion key TK _L ={D ₀ ′,D ₂ ′,{D _i,1 ′,D _i,2 ′} _i∈[1,n] } as input, calculate the converted part of the ciphertext as follows:

{K K}_{o o w w n no 11}^{' '} = = \frac{{Π Π}_{i i = = 11}^{n no} e e (({C C}_{i i,, j j,, 11},, {D D.}_{i i,, 11}^{' '})) \cdot \cdot e e (({C C}_{11},, {D D.}_{00}^{' '})) \cdot &Center Dot; e e (({C C}_{11},, {D D.}_{22}^{' '}))}{{Π Π}_{i i = = 11}^{n no} e e (({C C}_{i i,, j j,, 22},, {D D.}_{i i,, 22}^{' '}))} = = e e {((g g,, g g))}^{\frac{α α s the s + + {u u}_{00} s the s}{z z}}

{K K}_{o o w w n no 22}^{' '} = = \frac{{Π Π}_{i i = = 11}^{n no} e e (({\overset{&OverBar; &OverBar;}{C C}}_{i i,, j j,, 11},, {D D.}_{i i,, 11}^{' '})) \cdot \cdot e e (({C C}_{44},, {D D.}_{00}^{' '})) \cdot &Center Dot; e e (({C C}_{44},, {D D.}_{22}^{' '}))}{{Π Π}_{i i = = 11}^{n no} e e (({\overset{&OverBar; &OverBar;}{C C}}_{i i,, j j,, 22},, {D D.}_{i i,, 22}^{' '}))} = = e e {((g g,, g g))}^{\frac{{αs αs}^{' '} + + {u u}_{00} {s the s}^{' '}}{z z}}

The output converted ciphertext is as follows:

{CT}^{'} = {v no, K^{'} = \hat{c}, K_{1} = C_{0}, K_{o w no 1}^{'}, K_{2} = C_{3}, K_{o w no 2}^{'}} .

9. An attribute-based encryption method and system that protects privacy and supports user revocation according to claim 1, wherein the step 8 further comprises:

Step 8-1, the decryptor checks as follows, if K ₁ ≠C ₀ , K ₂ ≠C ₃ , then output ⊥; otherwise continue to the following steps;

Step 8-2, if the decryptor does not have the attribute matching the subscript of the access policy, the decryption will fail, otherwise the plaintext can be recovered through the following steps; 6 The decryptor calculates m=K ₁ /K′ _own1 ^z , m′= K ₂ /K′ _own2 ^z , and verify K′=u ^H(m) v ^H(m′) d to correctly decrypt the ciphertext CT to get the message m; otherwise, the algorithm fails and outputs ⊥.