CN105187201A - Attribute encryption method capable of revoking key policies of two attributes - Google Patents

Abstract

The present invention provides an attribute encryption method capable of revoking the key policies of two attributes and is an important progress of a revocable attribute encryption method. The specific method comprises the steps of selecting two different attributes under multiple users, establishing revocation lists, considering whether the users in a key generation process are in two revocation lists, and if so, judging the relation of the remaining attributes of the users and a visit structure. Only when the attribute set of a ciphertext satisfies the key strategies of the users, can the users complete a decryption process. The process comprises the steps of establishing a main key and a common parameter by an authority center, using a linear secret sharing algorithm to convert an access strategy into an access structure, generating user private keys under a corresponding access structure, encrypting a message according to the attribute set and two known revocation lists, judging whether the users are in the two revocation lists, completing the decryption process, combined with the known private keys and user tracking, and judging the relevance of the users and the private keys. According to the method, the problem that a user single attribute can not be revoked by an encryption method in the prior art is solved.

Description

The encryption attribute method of the key strategy of revocable two attributes

Technical field

The invention belongs to field of information security technology, be specifically related to a kind of encryption attribute method of key strategy of revocable two attributes.

Background technology

Along with the appearance of early stage fuzzy Identity-based encryption method, enter mankind's sight line based on properties secret.In reality, user not only has unique PKI or identity, the substitute is the attribute that user is corresponding, for example, name, age, department etc., thus widen based on properties secret systematic difference field, cause the concern of researcher.

For the attribute revocation mechanism under multi-user, already present article is the user directly cancelled under this attribute mostly, user is made no longer to possess any character, but user may only need to cancel certain attribute in reality, and do not affect other attributes of this user, ensure that user still has certain encryption and decryption character.That therefore sets up the single attribute under multi-user cancels technology, make comprise in revocation list be cancel single attribute user set, it does not affect other attributes of user, when user cancel rear property set still meet access structure time, user still just has decryption capabilities.The voidable encryption attribute method of fine granularity that has like this is very important.

Summary of the invention

The object of this invention is to provide a kind of encryption attribute method of key strategy of revocable two attributes, solve the problem that the encryption method existed in prior art can not cancel the single attribute of user.

The technical solution adopted in the present invention is, the encryption attribute method of the key strategy of revocable two attributes, specifically implements according to following steps:

Step 1, system parameters initialization;

Step 2, secret generating;

Step 3, encryption;

Step 4, deciphering;

Step 5, tracking.

Feature of the present invention is also,

The process of step 1 builds revocation list R for establishing for two attribute i and attribute j _iand R _j, revocation list R _irepresent all users cancelling attribute i, be designated as revocation list R _jrepresent the user having cancelled attribute j, be designated as wherein allow not cancel number of users not etc. in each revocation list of q ≠ q ' i.e., user is in any one revocation list, or be present in two revocation lists simultaneously, namely allow user to cancel attribute i and attribute j simultaneously, make all user's collection in U expression system, if attribute number is m in system, the property set of user when encrypting in revocation list, the maximum number of user is n, and message is access strategy is converted to access strategy (M, ρ) by linear Secret sharing techniques LSSS, specifically implements according to following steps:

Step (1.1), make G ₁and G ₂the group of prime number p that to be rank be, wherein g is G ₁generator, definition bilinear map e:G ₁× G ₁→ G ₂;

Step (1.2), Stochastic choice α ∈ Z _p, Z here _p=0,1 ..., p-1}, $\stackrel{\→}{\mathrm{\α}}={({\mathrm{\α}}_1,{\mathrm{\α}}_2,...,{\mathrm{\α}}_n)}^T,\stackrel{\→}{\mathrm{\β}}={({\mathrm{\β}}_1,{\mathrm{\β}}_2,...,{\mathrm{\β}}_n)}^T\∈Z_p^n,$ Order $\stackrel{\→}{H}=g^{\stackrel{\→}{\mathrm{\α}}}={(g^{{\mathrm{\α}}_1},g^{{\mathrm{\α}}_2},\mathrm{...},g^{{\mathrm{\α}}_n})}^T={(h_1,\mathrm{...},h_n)}^T,$ $\stackrel{\→}{F}=g^{\stackrel{\→}{\mathrm{\β}}}={(f_1,\mathrm{...},f_n)}^T={(g^{{\mathrm{\β}}_1},g^{{\mathrm{\β}}_2},\mathrm{...},g^{{\mathrm{\β}}_n})}^T,$ Then random selecting { t _{0, i}∈ G ₁, t _{1, i}∈ G ₁, t _{2, i}∈ G ₁, t _{3, i}∈ G ₁| _{i=0,1 ..., m}, and define four function T _k(x): Z _p→ G ₁, wherein k={0,1,2,3}, have $T_k\left(x\right)={\Π}_{i=0}^m{t}_{k,i}^{x^i}\∈G_1;$

Step (1.3), construct main private key and corresponding common parameter

$\stackrel{\→}{H}={(h_1,...,h_n)}^T,\stackrel{\→}{F}={(f_1,...,f_n)}^T\}.$

The process of step 2, for access strategy is converted to access structure (M, ρ) by linear Secret sharing techniques LSSS, generates the private key of user ID under access structure (M, ρ), specifically implements according to following steps:

Step (2.1), access strategy is converted to access structure (M, ρ) by LSSS, matrix M is the matrix of a l × k, M _ibe corresponding i-th row of matrix M, map ρ by M _ibe mapped to attribute ρ (i) ∈ [1, m];

Step (2.2), first according to input identity ID ∈ Z _pdefine vectorial X=(x ₁..., x _n) ^tmeet: x _i=ID ^i-1modp, i={1 ..., n}, random selecting { z _{i, 0}} _{i ∈ 2 ..., k}}, { z _{i, 1}} _{i ∈ 2 ..., k}}, { z _{i, 2}} _{i ∈ 2 ..., k}}, { z _{i, 3}} _{i ∈ 2 ..., k}}∈ Z _pwith r ∈ Z _p, definition vector ${\stackrel{\→}{v}}_0={(\mathrm{\α}+{\mathrm{r\α}}_1+{\mathrm{r\β}}_1,z_{2,0},\mathrm{...},z_{k,0})}^T,$ Vector ${\stackrel{\→}{v}}_1={(\mathrm{\α}+{\mathrm{r\α}}_1,z_{2,1},...,z_{k,1})}^T,$ And vector ${\stackrel{\→}{v}}_2={(\mathrm{\α}+{\mathrm{r\β}}_1,z_{2,2},...,z_{k,2})}^T$ And vector ${\stackrel{\→}{v}}_3={(\mathrm{\α},z_{2,3},...,z_{k,3})}^T,$ Here k is the columns of matrix M, for any i ∈ 1 ..., l} and j={0,1,2,3}, calculate corresponding inner product

Step (2.3), Stochastic choice { r _{i, 0}} _{i ∈ [l]}, { r _{i, 1}} _{i ∈ [l]}, { r _{i, 2}} _{i ∈ [l]}, { r _{i, 3}} _{i ∈ [l]}∈ Z _p, thus export the private key of ID under (M, ρ):

$sk=(D_{1,0},D_{1,1},D_{1,2},D_{1,3},D_{2,0},D_{2,1},D_{2,2},D_{2,3},D_3,K_X^{\left(1\right)},K_X^{\left(2\right)}),$

Wherein $D_{1,0}=\{D_{1,0}^{\left(1\right)},...,D_{1,0}^{\left(l\right)}\}\∈G_1^l,D_{1,0}^{\left(i\right)}=g^{{\mathrm{\λ}}_{i,0}}{T}_0{\left(\mathrm{\ρ}\right(i\left)\right)}^{r_{i,0}},D_{2,0}=\{g^{r_{1,0}},...,g^{r_{l,0}}\}\∈G_1^l$

$D_{1,1}=\{D_{1,1}^{\left(1\right)},...,D_{1,1}^{\left(l\right)}\}\∈G_1^l,D_{1,1}^{\left(i\right)}=g^{{\mathrm{\λ}}_{i,1}}{T}_1{\left(\mathrm{\ρ}\right(i\left)\right)}^{r_{i,1}},D_{2,1}=\{g^{r_{1,1}},...,g^{r_{l,1}}\}\∈G_1^l$

$D_{1,2}=\{D_{1,2}^{\left(1\right)},...,D_{1,2}^{\left(l\right)}\}\∈G_1^l,D_{1,2}^{\left(i\right)}=g^{{\mathrm{\λ}}_{i,2}}{T}_2{\left(\mathrm{\ρ}\right(i\left)\right)}^{r_{i,2}},D_{2,2}=\{g^{r_{1,2}},...,g^{r_{l,2}}\}\∈G_1^l$

$D_{1,3}=\{D_{1,3}^{\left(1\right)},...,D_{1,3}^{\left(l\right)}\}\∈G_1^l,D_{1,3}^{\left(i\right)}=g^{{\mathrm{\λ}}_{i,3}}{T}_3{\left(\mathrm{\ρ}\right(i\left)\right)}^{r_{i,3}},D_{2,3}=\{g^{r_{1,3}},...,g^{r_{l,3}}\}\∈G_1^l$

D ₃＝g ^r，

$K_X^{\left(1\right)}=(K_2^{\left(1\right)},...,K_n^{\left(1\right)}),$ Wherein $K_k^{\left(1\right)}={(h_1^{-\frac{x_k}{x_1}}\·h_k)}^r,k=2,\mathrm{...},n,$

$K_X^{\left(2\right)}=(K_2^{\left(2\right)},...,K_n^{\left(2\right)}),$ Wherein $K_k^{\left(2\right)}={({f_1}^{-\frac{x_k}{x_1}}\·f_k)}^r,k=2,\mathrm{...},n,$

Will by matrix M _xbe designated as $K_X^{\left(1\right)}=(K_2^{\left(1\right)},...,K_n^{\left(1\right)})=g^{r\·M_X^T\·\stackrel{\→}{\mathrm{\α}}},$ $K_X^{\left(2\right)}=(K_2^{\left(2\right)},...,K_n^{\left(2\right)})=g^{r\·M_X^T\·\stackrel{\→}{\mathrm{\β}}},$ Wherein matrix M _x∈ (Z _p) ^{n × (n-1)}concrete structure be:

$M_X=\left(\begin{array}{c}-\frac{x_2}{x_1}-\frac{x_3}{x_1}\mathrm{...}-\frac{x_n}{x_1}\\ I_{n-1}\end{array}\right).$

The process of step 3 is the user's revocation list R for attribute i _i(| R _i| <n) and user's revocation list R of attribute j _j(| R _j| <n), wherein i, j ∈ ω, to message under property set ω be encrypted, specifically implement according to following steps:

Step (3.1), according to revocation list R _ithe interior user that cancels collects definition Y _i=(y _{i, 1}..., y _i,n) ^tas the coefficient vector of formula;

Step (3.2), according to revocation list R _jthe interior user that cancels defines Y _j=(y _{j, 1}..., y _j,n) ^t, and by Y _j=(y _{j, 1}..., y _j,n) ^tas the coefficient vector of formula;

Step (3.3), choose random value s ∈ Z _p, under property set ω, for the user's revocation list R comprising i attribute _iwith the user's revocation list R comprising j attribute _jstructure ciphertext:

$ct=(C,C_1,C_{2,0},C_{2,1},C_{2,2}{C}_{2,3},C_3^{\left(1\right)},C_3^{\left(2\right)}),$

Wherein:

C ₁＝g ^s，

$C_{2,0}=\left\{C_{2,0}^{\left(x\right)}\right|C_{2,0}^{\left(x\right)}=T_0{\left(x\right)}^s,\&ForAll;x\&Element;\mathrm{\&omega;}\},$

$C_{2,1}=\left\{C_{2,1}^{\left(x\right)}\right|C_{2,1}^{\left(x\right)}=T_1{\left(x\right)}^s,\&ForAll;x\&Element;\mathrm{\&omega;}-\left\{j\right\}\}$

$C_{2,2}=\left\{C_{2,2}^{\left(x\right)}\right|C_{2,2}^{\left(x\right)}=T_2{\left(x\right)}^s,\&ForAll;x\&Element;\mathrm{\&omega;}-\left\{i\right\}\},$

$C_{2,3}=\left\{C_{2,3}^{\left(x\right)}\right|C_{2,3}^{\left(x\right)}=T_3{\left(x\right)}^s,\&ForAll;x\&Element;\mathrm{\&omega;}-\left\{j\right\}-\left\{i\right\}\}$

$C_3^{\left(1\right)}\underset{k=1}{\overset{n}{\&Pi;}}{h}_k^{s\&CenterDot;y_{i,k}},$

$C_3^{\left(2\right)}=\underset{k=1}{\overset{n}{\&Pi;}}{f}_k^{s\&CenterDot;y_{j,k}}.$

The private key sk that the process of step 4 is formed under access structure (M, ρ) for establishing user ID, and the revocation list R of the ciphertext ct encrypted under property set ω and user _iand R _j, need to judge that whether ID is at revocation list R _iand R _jin, specifically implement according to following steps:

Step (4.1) if then make ω '=ω;

If then ω '=ω-{ j};

If then ω '=ω-{ i};

If ID ∈ is R _i∧ ID ∈ R _j, then ω '=ω-{ i}-{j};

Step (4.2), and if only if when property set ω ' meets access structure (M, the ρ) in the private key of user, and user could successful decryption, in conjunction with $sk=(D_{1,0},D_{1,1},D_{1,2},D_{1,3},D_{2,0},D_{2,1},D_{2,2},D_{2,3},D_3,K_X^{\left(1\right)},K_X^{\left(2\right)}),$ Specifically decipher, process is as follows:

If first according to ID define X=(1, ID ..., ID ^n-1) ^t=(x ₁..., x _n) ^t, according to revocation list R _idefinition Y _i=(y _{i, 1}..., y _i,n) ^tas the coefficient vector of formula, and revocation list R _jdefinition Y _j=(y _{j, 1}..., y _j,n) ^tas the coefficient vector of formula, calculates:

$K^{\left(1\right)}=\underset{k=2}{\overset{n}{\&Pi;}}{\left(K_k^{\left(1\right)}\right)}^{y_{i,k}}={(h_1^{-\frac{<X,Y_i>}{x_1}}\&CenterDot;\underset{k=1}{\overset{n}{\&Pi;}}{h}_k^{y_{i,k}})}^r$

$K^{\left(2\right)}=\underset{k=2}{\overset{n}{\&Pi;}}{\left(K_k^{\left(2\right)}\right)}^{y_{j,k}}={(f_1^{-\frac{<X,Y_j>}{x_1}}\&CenterDot;\underset{k=1}{\overset{n}{\&Pi;}}{f}_k^{y_{j,k}})}^r$

Work as <X, Y _i> ≠ 0 and <X, Y _jduring > ≠ 0, namely have:

${\mathrm{\&tau;}}_0={\left(\frac{e(K^{\left(1\right)},C_1)}{e(C_3^{\left(1\right)},D_3)}\right)}^{-\frac{x_1}{<X,Y_i>}}\&CenterDot;{\left(\frac{e(K^{\left(2\right)},C_1)}{e(C_3^{\left(2\right)},D_3)}\right)}^{-\frac{x_1}{<X,Y_j>}}=e{(g,g)}^{rs({\mathrm{\&alpha;}}_1+{\mathrm{\&beta;}}_1)},$

Make I={i: ρ (i) ∈ ω ' }, then according to known matrix M, within the probabilistic polynomial time, find out constant collection { μ _i∈ Z _p} _{i ∈ I}, meet Σ _{i ∈ I}μ _im _i=(1,0 ..., 0), calculate:

${\mathrm{\&phi;}}_0=\underset{i\&Element;I}{\&Pi;}{\left(\frac{e(C_1,D_{1,0}^{\left(i\right)})}{e(C_{2,0}^{\mathrm{\&rho;}\left(i\right)},D_{2,0}^{\left(i\right)})}\right)}^{{\mathrm{\&mu;}}_i}=e{(g,g)}^{s\&CenterDot;(\mathrm{\&alpha;}+{\mathrm{r\&alpha;}}_1+{\mathrm{r\&beta;}}_1)},$

In conjunction with τ ₀value, calculate known utilize division arithmetic, can successful decryption outbound message

If calculate:

${\mathrm{\&tau;}}_1={\left(\frac{e(K^{\left(1\right)},C_1)}{e(C_3^{\left(1\right)},D_3)}\right)}^{-\frac{x_1}{<X,Y_i>}}=e{(g,g)}^{{\mathrm{rs\&alpha;}}_1}$

Make I={i: ρ (i) ∈ ω ' }, there is constant collection { μ _i∈ Z _p} _{i ∈ I}, meet Σ _{i ∈ I}μ _im _i=(1,0 ..., 0), thus calculate:

${\mathrm{\&phi;}}_1=\underset{i\&Element;I}{\&Pi;}{\left(\frac{e(C_1,D_{1,1}^{\left(i\right)})}{e(C_{2,1}^{\mathrm{\&rho;}\left(i\right)},D_{2,1}^{\left(i\right)})}\right)}^{{\mathrm{\&mu;}}_i}=e{(g,g)}^{s\&CenterDot;(\mathrm{\&alpha;}+{\mathrm{r\&alpha;}}_1)}$

Obtain in conjunction with C, can go out by successful decryption

If have:

${\mathrm{\&tau;}}_2={\left(\frac{e(K^{\left(2\right)},C_1)}{e(C_3^{\left(2\right)},D_3)}\right)}^{-\frac{x_1}{<X,Y_j>}}=e{(g,g)}^{{\mathrm{rs\&beta;}}_1}$

Make I={i: ρ (i) ∈ ω ' }, there is constant collection { μ _i∈ Z _p} _{i ∈ I}, meet Σ _{i ∈ I}μ _im _i=(1,0 ..., 0), thus calculate:

${\mathrm{\&phi;}}_2=\underset{i\&Element;I}{\&Pi;}{\left(\frac{e(C_1,D_{1,2}^{\left(i\right)})}{e(C_{2,2}^{\mathrm{\&rho;}\left(i\right)},D_{2,2}^{\left(i\right)})}\right)}^{{\mathrm{\&mu;}}_i}=e{(g,g)}^{s\&CenterDot;(\mathrm{\&alpha;}+{\mathrm{r\&beta;}}_1)}$

Obtain in conjunction with C, can go out by successful decryption

If ID ∈ is R _i∧ ID ∈ R _j, make I={i: ρ (i) ∈ ω ' }, there is constant collection { μ _i∈ Z _p} _{i ∈ I}, meet Σ _{i ∈ I}μ _im _i=(1,0 ..., 0), thus calculate:

${\mathrm{\&phi;}}_3=\underset{i\&Element;I}{\&Pi;}{\left(\frac{e(C_1,D_{1,3}^{\left(i\right)})}{e(C_{2,2}^{\mathrm{\&rho;}\left(i\right)},D_{2,3}^{\left(i\right)})}\right)}^{{\mathrm{\&mu;}}_i}=e{(g,g)}^{s\&CenterDot;\mathrm{\&alpha;}}$

In conjunction with C, pass through successful decryption goes out

Step 5 is specially:

Order $sk=(D_{1,0},D_{1,1},D_{1,2},D_{1,3},D_{2,0},D_{2,1},D_{2,2},D_{2,3},D_3,K_X^{\left(1\right)},K_X^{\left(2\right)})$ Effective decruption key, then a tracing computation:

${\mathrm{\&psi;}}_1=\frac{e(g,K_2^{\left(1\right)})}{e(h_2,D_3)}=e{(g,h_1)}^{-r\&CenterDot;ID}$

${\mathrm{\&psi;}}_2=\frac{e(g,K_2^{\left(2\right)})}{e(f_2,D_3)}=e{(g,f_1)}^{-r\&CenterDot;ID}$

This tracking is for determining whether existence user ID ∈ U={ID ₁..., ID _k, make wherein i={1,2}, if there is such user, then illustrate that this user and private key are relevant, otherwise then this user and private key has nothing to do, thus obtains the user responsibility in scheme.

The invention has the beneficial effects as follows, the encryption attribute method of the key strategy of revocable two attributes, a certain attribute of cancelling user can't affect other attributes of this user and have other users of this attribute; Simultaneously for the more realistic demand of process of cancelling of two attributes; Tracing algorithm is adopted to determined the relevance of user and private key for user in decrypting process; Finally by the fail safe stipulations of attack option in DBDHE problem, ensure that the fail safe of method.

Embodiment

Below in conjunction with embodiment, the present invention is described in detail.

The encryption attribute method of the key strategy of revocable two attributes of the present invention, specifically implement according to following steps:

Step 1, system parameters initialization:

Process builds revocation list R for establishing for two attribute i and attribute j _iand R _j, revocation list R _irepresent all users cancelling attribute i, be designated as revocation list R _jrepresent the user having cancelled attribute j, be designated as wherein allow not cancel number of users not etc. in each revocation list of q ≠ q ' i.e., user is in any one revocation list, or be present in two revocation lists simultaneously, namely allow user to cancel attribute i and attribute j simultaneously, make all user's collection in U expression system, if attribute number is m in system, the property set of user when encrypting in revocation list, the maximum number of user is n, and message is access strategy is converted to access strategy (M, ρ) by linear Secret sharing techniques LSSS, specifically implements according to following steps:

Step (1.1), make G ₁and G ₂the group of prime number p that to be rank be, wherein g is G ₁generator, definition bilinear map e:G ₁× G ₁→ G ₂;

Step (1.2), Stochastic choice α ∈ Z _p, Z here _p=0,1 ..., p-1}, $\stackrel{\&RightArrow;}{\mathrm{\&alpha;}}={({\mathrm{\&alpha;}}_1,{\mathrm{\&alpha;}}_2,...,{\mathrm{\&alpha;}}_n)}^T,\stackrel{\&RightArrow;}{\mathrm{\&beta;}}={({\mathrm{\&beta;}}_1,{\mathrm{\&beta;}}_2,...,{\mathrm{\&beta;}}_n)}^T\&Element;Z_p^n,$ Order $\stackrel{\&RightArrow;}{H}=g^{\stackrel{\&RightArrow;}{\mathrm{\&alpha;}}}={(g^{{\mathrm{\&alpha;}}_1},g^{{\mathrm{\&alpha;}}_2},\mathrm{...},g^{{\mathrm{\&alpha;}}_n})}^T={(h_1,...,h_n)}^T,$ $\stackrel{\&RightArrow;}{F}=g^{\stackrel{\&RightArrow;}{\mathrm{\&beta;}}}={(f_1,...,f_n)}^T={(g^{{\mathrm{\&beta;}}_1},g^{{\mathrm{\&beta;}}_2},...,g^{{\mathrm{\&beta;}}_n})}^T,$ Then random selecting { t _{0, i}∈ G ₁, t _{1, i}∈ G ₁, t _{2, i}∈ G ₁, t _{3, i}∈ G ₁| _{i=0,1 ..., m}, and define four functions wherein k={0,1,2,3}, have $T_k\left(x\right)={\&Pi;}_{i=0}^m{t}_{k,i}^{x^i}\&Element;G_1;$

Step (1.3), construct main private key and corresponding common parameter

$\stackrel{\&RightArrow;}{H}={(h_1,...,h_n)}^T,\stackrel{\&RightArrow;}{F}={(f_1,...,f_n)}^T\}$

Step 2, secret generating:

Access strategy is converted to access structure (M, ρ) by LSSS, generates the private key of user ID under access structure (M, ρ), specifically implement according to following steps:

Step (2.1), access strategy is converted to access structure (M, ρ) by LSSS, matrix M is the matrix of a l × k, M _ibe corresponding i-th row of matrix M, map ρ by M _ibe mapped to attribute ρ (i) ∈ [1, m],

Step (2.2), first according to input identity ID ∈ Z _pdefine vectorial X=(x ₁..., x _n) ^tmeet: x _i=ID ^i-1modp, i={1 ..., n}, random selecting { z _{i, 0}} _{i ∈ 2 ..., k}}, { z _{i, 1}} _{i ∈ 2 ..., k}}, { z _{i, 2}} _{i ∈ 2 ..., k}}, { z _{i, 3}} _{i ∈ 2 ..., k}}∈ Z _pwith r ∈ Z _p, definition vector ${\stackrel{\&RightArrow;}{v}}_0={(\mathrm{\&alpha;}+{\mathrm{r\&alpha;}}_1+{\mathrm{r\&beta;}}_1,z_{2,0},...,z_{k,0})}^T,$ Vector ${\stackrel{\&RightArrow;}{v}}_1={(\mathrm{\&alpha;}+{\mathrm{r\&alpha;}}_1,z_{2,1},...,z_{k,1})}^T,$ And vector ${\stackrel{\&RightArrow;}{v}}_2={(\mathrm{\&alpha;}+{\mathrm{r\&beta;}}_1,z_{2,2},...,z_{k,2})}^T$ And vector ${\stackrel{\&RightArrow;}{v}}_3={(\mathrm{\&alpha;},z_{2,3},...,z_{k,3})}^T,$ Here k is the columns of matrix M, for any i ∈ 1 ..., l} and j={0,1,2,3}, calculate corresponding inner product

Step (2.3), Stochastic choice { r _{i, 0}} _{i ∈ [l]}, { r _{i, 1}} _{i ∈ [l]}, { r _{i, 2}} _{i ∈ [l]}, { r _{i, 3}} _{i ∈ [l]}∈ Z _p, thus export the private key of ID under (M, ρ):

$sk=(D_{1,0},D_{1,1},D_{1,2},D_{1,3},D_{2,0},D_{2,1},D_{2,2},D_{2,3},D_3,K_X^{\left(1\right)},K_X^{\left(2\right)}),$

Wherein $D_{1,0}=\{D_{1,0}^{\left(1\right)},...,D_{1,0}^{\left(l\right)}\}\&Element;G_1^l,D_{1,0}^{\left(i\right)}=g^{{\mathrm{\&lambda;}}_{i,0}}{T}_0{\left(\mathrm{\&rho;}\right(i\left)\right)}^{r_{i,0}},D_{2,0}=\{g^{r_{1,0}},...,g^{r_{l,0}}\}\&Element;G_1^l$

$D_{1,1}=\{D_{1,1}^{\left(1\right)},...,D_{1,1}^{\left(l\right)}\}\&Element;G_1^l,D_{1,1}^{\left(i\right)}=g^{{\mathrm{\&lambda;}}_{i,1}}{T}_1{\left(\mathrm{\&rho;}\right(i\left)\right)}^{r_{i,1}},D_{2,1}=\{g^{r_{1,1}},...,g^{r_{l,1}}\}\&Element;G_1^l$

$D_{1,2}=\{D_{1,2}^{\left(1\right)},...,D_{1,2}^{\left(l\right)}\}\&Element;G_1^l,D_{1,2}^{\left(i\right)}=g^{{\mathrm{\&lambda;}}_{i,2}}{T}_2{\left(\mathrm{\&rho;}\right(i\left)\right)}^{r_{i,2}},D_{2,2}=\{g^{r_{1,2}},...,g^{r_{l,2}}\}\&Element;G_1^l$

$D_{1,3}=\{D_{1,3}^{\left(1\right)},...,D_{1,3}^{\left(l\right)}\}\&Element;G_1^l,D_{1,3}^{\left(i\right)}=g^{{\mathrm{\&lambda;}}_{i,3}}{T}_3{\left(\mathrm{\&rho;}\right(i\left)\right)}^{r_{i,3}},D_{2,3}=\{g^{r_{1,3}},...,g^{r_{l,3}}\}\&Element;G_1^l$

D ₃＝g ^r，

$K_X^{\left(1\right)}=(K_2^{\left(1\right)},...,K_n^{\left(1\right)}),$ Wherein $K_k^{\left(1\right)}={(h_1^{-\frac{x_k}{x_1}}\&CenterDot;h_k)}^r,k=2,...,n,$

$K_X^{\left(2\right)}=(K_2^{\left(2\right)},...,K_n^{\left(2\right)}),$ Wherein $K_k^{\left(2\right)}={(f_1^{-\frac{x_k}{x_1}}\&CenterDot;f_k)}^r,k=2,...,n,$

Will by matrix M _xcan be designated as $K_X^{\left(1\right)}=(K_2^{\left(1\right)},...,K_n^{\left(1\right)})=g^{r\&CenterDot;M_X^T\&CenterDot;\stackrel{\&RightArrow;}{\mathrm{\&alpha;}}},$ wherein matrix M _x∈ (Z _p) ^{n × (n-1)}concrete structure be:

$M_X=\left(\begin{array}{c}-\frac{x_2}{x_1}-\frac{x_3}{x_1}\mathrm{...}-x\frac{x_n}{x_1}\\ I_{n-1}\end{array}\right).$

Step 3, encryption:

Process is the user's revocation list R for attribute i _i(| R _i| <n) and user's revocation list R of attribute j _j(| R _j| <n), wherein i, j ∈ ω, to message under property set ω be encrypted, specifically implement according to following steps:

Step (3.1), according to revocation list R _ithe interior user that cancels collects definition Y _i=(y _{i, 1}..., y _i,n) ^tas the coefficient vector of formula;

Step (3.2), according to revocation list R _jthe interior user that cancels defines Y _j=(y _{j, 1}..., y _j,n) ^t, and by Y _j=(y _{j, 1}..., y _j,n) ^tas the coefficient vector of formula;

Step (3.3), choose random value s ∈ Z _p, under property set ω, for the user's revocation list R comprising i attribute _iwith the user's revocation list R comprising j attribute _jstructure ciphertext:

$ct=(C,C_1,C_{2,0},C_{2,1},C_{2,2},C_{2,3},C_3^{\left(1\right)},C_3^{\left(2\right)}),$

Wherein:

C ₁＝g ^s，

$C_{2,0}=\left\{C_{2,0}^{\left(x\right)}\right|C_{2,0}^{\left(x\right)}=T_0{\left(x\right)}^s,\&ForAll;x\&Element;\mathrm{\&omega;}\},$

$C_{2,1}=\left\{C_{2,1}^{\left(x\right)}\right|C_{2,1}^{\left(x\right)}=T_1{\left(x\right)}^s,\&ForAll;x\&Element;\mathrm{\&omega;}-\left\{j\right\}\}$

$C_{2,2}=\left\{C_{2,2}^{\left(x\right)}\right|C_{2,2}^{\left(x\right)}=T_2{\left(x\right)}^s,\&ForAll;x\&Element;\mathrm{\&omega;}-\left\{i\right\}\},$

$C_{2,3}=\left\{C_{2,3}^{\left(x\right)}\right|C_{2,3}^{\left(x\right)}=T_3{\left(x\right)}^s,\&ForAll;x\&Element;\mathrm{\&omega;}-\left\{j\right\}-\left\{i\right\}\}$

$C_3^{\left(1\right)}=\underset{k=1}{\overset{n}{\&Pi;}}{h}_k^{s\&CenterDot;y_{i,k}},$

$C_3^{\left(2\right)}=\underset{k=1}{\overset{n}{\&Pi;}}{f}_k^{s\&CenterDot;y_{j,k}};$

Step 4, deciphering:

The private key sk that process is formed under access structure (M, ρ) for establishing user ID, and the revocation list R of the ciphertext ct encrypted under property set ω and user _iand R _j, need to judge that whether ID is at revocation list R _iand R _jin, specifically implement according to following steps:

Step (4.1) if then make ω '=ω;

If then ω '=ω-{ j};

If then ω '=ω-{ i};

If ID ∈ is R _i∧ ID ∈ R _j, then ω '=ω-{ i}-{j};

Step (4.2), and if only if when property set ω ' meets access structure (M, the ρ) in the private key of user, and user could successful decryption, in conjunction with $sk=(D_{1,0},D_{1,1},D_{1,2},D_{1,3},D_{2,0},D_{2,1},D_{2,2},D_{2,3},D_3,K_X^{\left(1\right)},K_X^{\left(2\right)}),$ Specifically decipher, process is as follows:

If first according to ID define X=(1, ID ..., ID ^n-1) ^t=(x ₁..., x _n) ^t, according to revocation list R _idefinition Y _i=(y _{i, 1}..., y _i,n) ^tas the coefficient vector of formula, and revocation list R _jdefinition Y _j=(y _{j, 1}..., y _j,n) ^tas the coefficient vector of formula, calculates:

$K^{\left(1\right)}=\underset{k=2}{\overset{n}{\&Pi;}}{\left(K_k^{\left(1\right)}\right)}^{y_{i,k}}={(h_1^{-\frac{<X,Y_i>}{x_1}}\&CenterDot;\underset{k=1}{\overset{n}{\&Pi;}}{h}_k^{y_{i,k}})}^r$

$K^{\left(2\right)}=\underset{k=2}{\overset{n}{\&Pi;}}{\left(K_k^{\left(2\right)}\right)}^{y_{j,k}}={(f_1^{-\frac{<X,Y_j>}{x_1}}\&CenterDot;\underset{k=1}{\overset{n}{\&Pi;}}{f}_k^{y_{j,k}})}^r$

Work as <X, Y _i> ≠ 0 and <X, Y _jduring > ≠ 0, namely have:

${\mathrm{\&tau;}}_0={\left(\frac{e(K^{\left(1\right)},C_1)}{e(C_3^{\left(1\right)},D_3)}\right)}^{-\frac{x_1}{<X,Y_i>}}\&CenterDot;{\left(\frac{e(K^{\left(2\right)},C_1)}{e(C_3^{\left(2\right)},D_3)}\right)}^{-\frac{x_1}{<X,Y_j>}}=e{(g,g)}^{rs({\mathrm{\&alpha;}}_1+{\mathrm{\&beta;}}_1)},$

Make I={i: ρ (i) ∈ ω ' }, then according to known matrix M, within the probabilistic polynomial time, find out constant collection { μ _i∈ Z _p} _{i ∈ I}, meet Σ _{i ∈ I}μ _im _i=(1,0 ..., 0), calculate:

${\mathrm{\&phi;}}_0=\underset{i\&Element;I}{\&Pi;}{\left(\frac{e(C_1,D_{1,0}^{\left(i\right)})}{e(C_{2,0}^{\mathrm{\&rho;}\left(i\right)},D_{2,0}^{\left(i\right)})}\right)}^{{\mathrm{\&mu;}}_i}=e{(g,g)}^{s\&CenterDot;(\mathrm{\&alpha;}+{\mathrm{r\&alpha;}}_1+{\mathrm{r\&beta;}}_1)},$

In conjunction with τ ₀value, calculate known utilize division arithmetic, can successful decryption outbound message

If calculate:

${\mathrm{\&tau;}}_1=\left({\frac{e(K^{\left(1\right)},C_1)}{e(C_3^{\left(1\right)},D_3)}}^{-\frac{x_1}{<X,Y_i>}}\right)=e{(g,g)}^{{\mathrm{rs\&alpha;}}_1}$

Make I={i: ρ (i) ∈ ω ' }, there is constant collection { μ _i∈ Z _p} _{i ∈ I}, meet Σ _{i ∈ I}μ _im _i=(1,0 ..., 0), thus calculate:

${\mathrm{\&phi;}}_1=\underset{i\&Element;I}{\&Pi;}{\left(\frac{e(C_1,D_{1,1}^{\left(i\right)})}{e(C_{2,1}^{\mathrm{\&rho;}\left(i\right)},D_{2,1}^{\left(i\right)})}\right)}^{{\mathrm{\&mu;}}_i}=e{(g,g)}^{s\&CenterDot;(\mathrm{\&alpha;}+{\mathrm{r\&alpha;}}_1)}$

Obtain in conjunction with C, can go out by successful decryption

If have:

${\mathrm{\&tau;}}_2={\left(\frac{e(K^{\left(2\right)},C_1)}{e(C_3^{\left(2\right)},D_3)}\right)}^{-\frac{x_1}{<X,Y_j>}}=e{(g,g)}^{{\mathrm{rs\&beta;}}_1}$

Make I={i: ρ (i) ∈ ω ' }, there is constant collection { μ _i∈ Z _p} _{i ∈ I}, meet Σ _{i ∈ I}μ _im _i=(1,0 ..., 0), thus calculate:

${\mathrm{\&phi;}}_2=\underset{i\&Element;I}{\&Pi;}{\left(\frac{e(C_1,D_{1,2}^{\left(i\right)})}{e(C_{2,2}^{\mathrm{\&rho;}\left(i\right)},D_{2,2}^{\left(i\right)})}\right)}^{{\mathrm{\&mu;}}_i}=e{(g,g)}^{s\&CenterDot;(\mathrm{\&alpha;}+{\mathrm{r\&beta;}}_1)}$

Obtain in conjunction with C, can go out by successful decryption

If ID ∈ is R _i∧ ID ∈ R _j, make I={i: ρ (i) ∈ ω ' }, there is constant collection { μ _i∈ Z _p} _{i ∈ I}, meet Σ _{i ∈ I}μ _im _i=(1,0 ..., 0), thus calculate:

${\mathrm{\&phi;}}_3=\underset{i\&Element;I}{\&Pi;}{\left(\frac{e(C_1,D_{1,3}^{\left(i\right)})}{e(C_{2,2}^{\mathrm{\&rho;}\left(i\right)},D_{2,3}^{\left(i\right)})}\right)}^{{\mathrm{\&mu;}}_i}=e{(g,g)}^{s\&CenterDot;\mathrm{\&alpha;}}$

In conjunction with C, pass through successful decryption goes out

Step 5, tracking: be specially,

Order $sk=(D_{1,0},D_{1,1},D_{1,2},D_{1,3},D_{2,0},D_{2,1},D_{2,2},D_{2,3},D_3,K_X^{\left(1\right)},K_X^{\left(2\right)})$ Effective decruption key, then a tracing computation:

${\mathrm{\&psi;}}_1=\frac{e(g,K_2^{\left(1\right)})}{e(h_2,D_3)}=e{(g,h_1)}^{-r\&CenterDot;ID}$

${\mathrm{\&psi;}}_2=\frac{e(g,K_2^{\left(2\right)})}{e(f_2,D_3)}=e{(g,f_1)}^{-r\&CenterDot;ID}$

This tracking is for determining whether existence user ID ∈ U={ID ₁..., ID _k, make wherein i={1,2}, if there is such user, then illustrate that this user and private key are relevant, otherwise then this user and private key has nothing to do, thus obtains the user responsibility in scheme.

Prove fail safe of the present invention below:

Prove: if all data all generate according to describing in the inventive method, then the local parameter in computation key generative process, decrypting process and tracing process:

(1) by revocation list R _icorresponding Y _i=(y _{i, 1}..., y _i,n) ^tand R _jy _j=(y _{j, 1}..., y _j,n) ^tobtain K ⁽¹⁾and K ⁽²⁾, be calculated as follows:

The first step, calculates obtain the K after abbreviation _x:

$K_k^{\left(1\right)}={(h_1^{-\frac{x_k}{x_1}}\&CenterDot;h_k)}^r$

$={(g^{-\frac{x_k}{x_1}\&CenterDot;{\mathrm{\&alpha;}}_1}\&CenterDot;g^{{\mathrm{\&alpha;}}_k})}^r$

$=g^{r\&CenterDot;(-\frac{x_k}{x_1}\&CenterDot;{\mathrm{\&alpha;}}_1+{\mathrm{\&alpha;}}_k)}$

$M_X=\left(\begin{array}{c}-\frac{x_2}{x_1}-\frac{x_3}{x_1}\mathrm{...}-\frac{x_n}{x_1}\\ I_{n-1}\end{array}\right)$

$\left(\begin{array}{cc}\begin{array}{c}-\frac{x_2}{x_1}\\ -\frac{x_3}{x_1}\\ .\\ .\\ .\\ -\frac{x_n}{x_1}\end{array}& I_{n-1}\end{array}\right)\&CenterDot;\left(\begin{array}{c}{\mathrm{\&alpha;}}_1\\ {\mathrm{\&alpha;}}_2\\ .\\ .\\ .\\ {\mathrm{\&alpha;}}_n\end{array}\right)=\left(\begin{array}{c}-\frac{x_2}{x_1}\&CenterDot;{\mathrm{\&alpha;}}_1+{\mathrm{\&alpha;}}_2\\ -\frac{x_3}{x_1}\&CenterDot;{\mathrm{\&alpha;}}_1+{\mathrm{\&alpha;}}_3\\ .\\ .\\ .\\ -\frac{x_n}{x_1}\&CenterDot;{\mathrm{\&alpha;}}_1+{\mathrm{\&alpha;}}_n\end{array}\right)=M_X^T\&CenterDot;\stackrel{\&RightArrow;}{\mathrm{\&alpha;}}$

$K_X=\{K_2,\mathrm{...},K_n\}=g^{r\&CenterDot;M_X^T\&CenterDot;\stackrel{\&RightArrow;}{\mathrm{\&alpha;}}}$

Second step, according to K after abbreviation _xexpression formula, calculating K ⁽¹⁾:

$K^{\left(1\right)}=\underset{k=2}{\overset{n}{\&Pi;}}{K}_k^{y_{i,k}}$

$=\underset{k=2}{\overset{n}{\&Pi;}}{(h_1^{-\frac{x_k}{x1}}\&CenterDot;h_k)}^{r\&CenterDot;y_{i,k}}$

$={(h_1^{-(\frac{x_2\&CenterDot;y_{i,2}}{x1}+\mathrm{...}+\frac{x_n\&CenterDot;y_{i,n}}{x1})}\&CenterDot;\underset{k=2}{\overset{n}{\&Pi;}}{h_k}^{y_{i,k}})}^r$

$={(h_1^{-(\frac{x_2{y}_{i,2}}{x1}+\mathrm{...}+\frac{x_n{y}_{i,n}}{x1})}\&CenterDot;\underset{k=1}{\overset{n}{\&Pi;}}{h_k}^{y_{i,k}}\&CenterDot;h_1^{-y_{i,1}})}^r$

$={(h_1^{-(\frac{x_1{y}_{i,2}}{x1}+\mathrm{...}+\frac{x_n{y}_{i,n}}{x1})}\&CenterDot;\underset{k=1}{\overset{n}{\&Pi;}}{h_k}^{y_{i,k}}\&CenterDot;h_1^{-\frac{y_{i,1}\&CenterDot;x_1}{x_1}})}^r$

$={(h_1^{-(\frac{x_1{y}_{i,1}}{x1}+\mathrm{...}+\frac{x_n{y}_{i,n}}{x1})}\&CenterDot;\underset{k=1}{\overset{n}{\&Pi;}}{h_k}^{y_{i,k}})}^r$

$={(h_1^{-\frac{<X,Y_i>}{x_1}}\&CenterDot;\underset{k=1}{\overset{n}{\&Pi;}}{h}_k^{y_{i,k}})}^r$

In like manner can obtain, $K^{\left(2\right)}=\underset{k=2}{\overset{n}{\&Pi;}}{\left(K_k^{\left(2\right)}\right)}^{y_{j,k}}={(f_1^{-\frac{<X,Y_j>}{x_1}}\&CenterDot;\underset{k=1}{\overset{n}{\&Pi;}}{f}_k^{y_{j,k}})}^r.$

(2) when time, τ ₀and φ ₀calculating:

${\mathrm{\&tau;}}_0={\left(\frac{e(K^{\left(1\right)},C_1)}{e(C_3^{\left(1\right)},D_3)}\right)}^{-\frac{x_1}{<X,Y_i>}}\&CenterDot;{\left(\frac{e(K^{\left(2\right)},C_1)}{e(C_3^{\left(2\right)},D_3)}\right)}^{-\frac{x_1}{<X,Y_j>}}$

$={\left(\frac{e({\left(h_1^{-\frac{<X,Y_i>}{x_1}}\&CenterDot;\underset{k=1}{\overset{n}{\&Pi;}}{h}_k^{y_{i,k}}\right)}^r,g^s)}{e({\left(\underset{k=1}{\overset{n}{\&Pi;}}{h}_k^{y_{i,k}}\right)}^s,g^r)}\right)}^{-\frac{x_1}{<X,Y_i>}}\&CenterDot;{\left(\frac{e({\left(f_1^{-\frac{<X,Y_j>}{x_1}}\&CenterDot;\underset{k=1}{\overset{n}{\&Pi;}}{f}_k^{y_{j,k}}\right)}^r,g^s)}{e({\left(\underset{k=1}{\overset{n}{\&Pi;}}{f}_k^{y_{j,k}}\right)}^s,g^s)}\right)}^{-\frac{x_1}{<X,Y_j>}}$

$={\left(\frac{e\left(\right(h_1^{-\frac{<X,Y_i>}{x_1}}),g)\&CenterDot;e\left(\right(\&CenterDot;\underset{k=1}{\overset{n}{\&Pi;}}{h}_k^{y_{i,k}}),g)}{e\left(\underset{k=1}{\overset{n}{\&Pi;}}{h}_k^{y_{i,k}},g\right)}\right)}^{-\frac{x_1}{<X,Y_i>}\&CenterDot;r\&CenterDot;s}\&CenterDot;{\left(\frac{e\left(\right(f_1^{-\frac{<X,Y_j>}{x_1}}),g)\&CenterDot;e\left(\right(\&CenterDot;\underset{k=1}{\overset{n}{\&Pi;}}{f}_k^{y_{j,k}}),g)}{e\left(\underset{k=1}{\overset{n}{\&Pi;}}{f}_k^{y_{j,k}},g\right)}\right)}^{-\frac{x_1}{<X,Y_j>}\&CenterDot;r\&CenterDot;s}$

$={\left(e\right(\left(h_1^{-\frac{<X,Y_i>}{x_1}}\right),g\left)\right)}^{-\frac{x_1}{<X,Y_i>}\&CenterDot;r\&CenterDot;s}\&CenterDot;{\left(e\right(\left(f_1^{-\frac{<X,Y_j>}{x_1}}\right),g\left)\right)}^{-\frac{x_1}{<X,Y_j>}\&CenterDot;r\&CenterDot;s}$

$={\left(e\right(\left(g^{-\frac{<X,Y_i>}{x_1}\&CenterDot;{\mathrm{\&alpha;}}_1}\right),g\left)\right)}^{-\frac{x_1}{<X,Y_i>}\&CenterDot;r\&CenterDot;s}\&CenterDot;{\left(e\right(\left(g^{-\frac{<X,Y_j>}{x_1}\&CenterDot;{\mathrm{\&beta;}}_1}\right),g\left)\right)}^{-\frac{x_1}{<X,Y_j>}\&CenterDot;r\&CenterDot;s}$

$=e{(g,g)}^{{\mathrm{rs\&alpha;}}_1+{\mathrm{rs\&beta;}}_1}$

${\mathrm{\&phi;}}_0=\underset{i\&Element;I}{\&Pi;}{\left(\frac{e(C_1,D_{1,0}^{\left(i\right)})}{e(C_{2,0}^{\mathrm{\&rho;}\left(i\right)},D_{2,0}^{\left(i\right)})}\right)}^{{\mathrm{\&mu;}}_i}=e{(g,g)}^{s\&CenterDot;(\mathrm{\&alpha;}+{\mathrm{r\&alpha;}}_1+{\mathrm{r\&beta;}}_1)}$

$\mathrm{\&phi;}=\underset{i\&Element;I}{\&Pi;}{\left(\frac{e(C_1,D_{1,0}^{\left(i\right)})}{e(C_{2,0}^{\mathrm{\&rho;}\left(i\right)},D_{2,0}^{\left(i\right)})}\right)}^{{\mathrm{\&mu;}}_i}$

$=\underset{i\&Element;I}{\&Pi;}{\left(\frac{e(g^s.g^{{\mathrm{\&lambda;}}_{i,0}}{T}_0{\left(\mathrm{\&rho;}\left(i\right)\right)}^{r_{i,0}})}{e(T_0{\left(\mathrm{\&rho;}\left(i\right)\right)}^s,g^{r_{i,0}})}\right)}^{{\mathrm{\&mu;}}_i}$

$=\underset{i\&Element;I}{\&Pi;}{\left(\frac{e(g^s,g^{{\mathrm{\&lambda;}}_{i,0}})\&CenterDot;e(g^s,T_0{\left(\mathrm{\&rho;}\left(i\right)\right)}^{r_{i,0}})}{e(T_0{\left(\mathrm{\&rho;}\left(i\right)\right)}^s,g^{r_{i,0}})}\right)}^{{\mathrm{\&mu;}}_i}$

$=\underset{i\&Element;I}{\&Pi;}{\left(e\right(g^s,g^{{\mathrm{\&lambda;}}_{i,0}}\left)\right)}^{{\mathrm{\&mu;}}_i}$

$=\underset{i\&Element;I}{\&Pi;}e{(g,g)}^{s\&CenterDot;{\mathrm{\&lambda;}}_{i,0}\&CenterDot;{\mathrm{\&mu;}}_i}$

$=e{(g,g)}^{s\&CenterDot;({\&Sigma;}_{i\&Element;I}{\mathrm{\&lambda;}}_{i,0}\&CenterDot;{\mathrm{\&mu;}}_i)}$

$=e{(g,g)}^{s\&CenterDot;(\mathrm{\&alpha;}+{\mathrm{r\&alpha;}}_1+{\mathrm{r\&beta;}}_1)}$

Thus obtain $\frac{{\mathrm{\&phi;}}_0}{{\mathrm{\&tau;}}_0}=e{(g,g)}^{s\&CenterDot;\mathrm{\&alpha;}},$ Known message can be decrypted in like manner, the message under different situations can be decrypted.

(3) calculating of parameter in tracing algorithm:

${\mathrm{\&psi;}}_1=\frac{e(g,K_2^{\left(1\right)})}{e(h_2,D_3)}$

$=\frac{e(g,g^{r\&CenterDot;(-\frac{x_2}{x_1}\&CenterDot;{\mathrm{\&alpha;}}_1+{\mathrm{\&alpha;}}_1)})}{e(g^{{\mathrm{\&alpha;}}_2},g^r)}$

$=\frac{e(g,g^{r\&CenterDot;(-\frac{x_1}{x_2}\&CenterDot;{\mathrm{\&alpha;}}_1)})\&CenterDot;e(g,g^{r\&CenterDot;{\mathrm{\&alpha;}}_2})}{e(g^{{\mathrm{\&alpha;}}_2},g^r)}$

$=e(g,g^{-r\&CenterDot;{\mathrm{\&alpha;}}_1\&CenterDot;ID})$

$=e{(g,h_1)}^{-r\&CenterDot;ID}$

In like manner can calculate:

${\mathrm{\&psi;}}_2=\frac{e(g,K_2^{\left(2\right)})}{e(f_2,D_3)}=e{(g,f_1)}^{-r\&CenterDot;ID}$

To summary of the present invention: the encryption attribute method of the key strategy of revocable two attributes of the present invention, it is an impressive progress of revocable encryption attribute method, concrete grammar is, select two different attributes under multi-user, set up revocation list, consider user in key generation process whether in two revocation lists, if exist and judge the attribute of user's remainder and the relation of access structure, the property set when ciphertext is only had to meet the key strategy of user, user just can complete decrypting process, design process needs: 1) set up master key and common parameter 2 by authoritative center) utilize linear privacy share algorithm to transfer access strategy to access structure, generate the private key for user under corresponding access structure.3) according to property set and known two revocation lists, message is encrypted.4) judge user whether in two revocation lists, point situation discussion, completes decrypting process.5) in conjunction with known private key and user, set up tracing algorithm, judge the relevance of user and private key.

Claims (6)

1. the encryption attribute method of the key strategy of revocable two attributes, is characterized in that, specifically implements according to following steps:

Step 1, system parameters initialization;

Step 2, secret generating;

Step 3, encryption;

Step 4, deciphering;

Step 5, tracking.

2. the encryption attribute method of the key strategy of revocable two attributes according to claim 1, is characterized in that, the process of described step 1 builds revocation list R for establishing for two attribute i and attribute j _iand R _j, revocation list R _irepresent all users cancelling attribute i, be designated as revocation list R _jrepresent the user having cancelled attribute j, be designated as wherein allow not cancel number of users not etc. in each revocation list of q ≠ q ' i.e., user is in any one revocation list, or be present in two revocation lists simultaneously, namely allow user to cancel attribute i and attribute j simultaneously, make all user's collection in U expression system, if attribute number is m in system, the property set of user when encrypting in revocation list, the maximum number of user is n, and message is access strategy is converted to access strategy (M, ρ) by linear Secret sharing techniques LSSS, specifically implements according to following steps:

Step (1.1), make G ₁and G ₂the group of prime number p that to be rank be, wherein g is G ₁generator, definition bilinear map e:G ₁× G ₁→ G ₂;

Step (1.2), Stochastic choice α ∈ Z _p, Z here _p=0,1 ..., p-1}, $\stackrel{\&RightArrow;}{\mathrm{\&alpha;}}={({\mathrm{\&alpha;}}_1,{\mathrm{\&alpha;}}_2,...,{\mathrm{\&alpha;}}_n)}^T,\stackrel{\&RightArrow;}{\mathrm{\&beta;}}={({\mathrm{\&beta;}}_1,{\mathrm{\&beta;}}_2,...,{\mathrm{\&beta;}}_n)}^T\&Element;Z_p^n,$ Order $\stackrel{\&RightArrow;}{H}=g^{\stackrel{\&RightArrow;}{\mathrm{\&alpha;}}}={(g^{{\mathrm{\&alpha;}}_1},g^{{\mathrm{\&alpha;}}_2},...,g^{{\mathrm{\&alpha;}}_n})}^T={(h_1,...,h_n)}^T,$ $\stackrel{\&RightArrow;}{F}=g^{\stackrel{\&RightArrow;}{\mathrm{\&beta;}}}={(f_1,...,f_n)}^T={(g^{{\mathrm{\&beta;}}_1},g^{{\mathrm{\&beta;}}_2},...,g^{{\mathrm{\&beta;}}_n})}^T,$ Then random selecting { t _{0, i}∈ G ₁, t _{1, i}∈ G ₁, t _{2, i}∈ G ₁, t _{3, i}∈ G ₁| _{i=0,1 ..., m}, and define four function T _k(x): Z _p→ G ₁, wherein k={0,1,2,3}, have $T_k\left(x\right)={\&Pi;}_{i=0}^m{t}_{k,i}^{x^i}\&Element;G_1;$

Step (1.3), construct main private key and corresponding common parameter

3. the encryption attribute method of the key strategy of revocable two attributes according to claim 1, it is characterized in that, the process of described step 2 is for be converted to access structure (M by access strategy by LSSS, ρ), generate user ID at access structure (M, private key ρ), specifically implement according to following steps:

Step (2.1), access strategy is converted to access structure (M, ρ) by LSSS, matrix M is the matrix of a l × k, M _ibe corresponding i-th row of matrix M, map ρ by M _ibe mapped to attribute ρ (i) ∈ [1, m];

Step (2.2), first according to input identity ID ∈ Z _pdefine vectorial X=(x ₁..., x _n) ^tmeet: x _i=ID ^i-1modp, i={1 ..., n}; Random selecting { z _{i, 0}} _{i ∈ 2 ..., k}}, { z _{i, 1}} _{i ∈ 2 ..., k}}, { z _{i, 2}} _{i ∈ 2 ..., k}}, { z _{i, 3}} _{i ∈ 2 ..., k}}∈ Z _pwith r ∈ Z _p, definition vector ${\stackrel{\&RightArrow;}{v}}_0={(\mathrm{\&alpha;}+{\mathrm{r\&alpha;}}_1+{\mathrm{r\&beta;}}_1,z_{2,0},...,z_{k,0})}^T,$ Vector ${\stackrel{\&RightArrow;}{v}}_1={(\mathrm{\&alpha;}+{\mathrm{r\&alpha;}}_1,z_{2,1},...,z_{k,1})}^T,$ And vector ${\stackrel{\&RightArrow;}{v}}_2={(\mathrm{\&alpha;}+{\mathrm{r\&beta;}}_1,z_{2,2},...,z_{k,2})}^T$ And vector ${\stackrel{\&RightArrow;}{v}}_3={(\mathrm{\&alpha;},z_{2,3},...,z_{k,3})}^T,$ Here k is the columns of matrix M.For any i ∈ 1 ..., l} and j={0,1,2,3}, calculate corresponding inner product

Step (2.3), Stochastic choice { r _{i, 0}} _{i ∈ [l]}, { r _{i, 1}} _{i ∈ [l]}, { r _{i, 2}} _{i ∈ [l]}, { r _{i, 3}} _{i ∈ [l]}∈ Z _p, thus export the private key of ID under (M, ρ):

$sk=(D_{1,0},D_{1,1},D_{1,2},D_{1,3},D_{2,0},D_{2,1},D_{2,2},D_{2,3},D_3,K_X^{\left(1\right)},K_X^{\left(2\right)}),$

Wherein $D_{1,0}=\{D_{1,0}^{\left(1\right)},...,D_{1,0}^{\left(l\right)}\}\&Element;G_1^l,D_{1,0}^{\left(i\right)}=g^{{\mathrm{\&lambda;}}_{i,0}}{T}_0{\left(\mathrm{\&rho;}\right(i\left)\right)}^{r_{i,0}},D_{2,0}=\{g^{r_{1,0}},...,g^{r_{l,0}}\}\&Element;G_1^l$

$D_{1,1}=\{D_{1,1}^{\left(1\right)},...,D_{1,1}^{\left(l\right)}\}\&Element;G_1^l,D_{1,1}^{\left(i\right)}=g^{{\mathrm{\&lambda;}}_{i,1}}{T}_1{\left(\mathrm{\&rho;}\right(i\left)\right)}^{r_{i,1}},D_{2,1}=\{g^{r_{1,1}},...,g^{r_{l,1}}\}\&Element;G_1^l$

$D_{1,2}=\{D_{1,2}^{\left(1\right)},...,D_{1,2}^{\left(l\right)}\}\&Element;G_1^l,D_{1,2}^{\left(i\right)}=g^{{\mathrm{\&lambda;}}_{i,2}}{T}_2{\left(\mathrm{\&rho;}\right(i\left)\right)}^{r_{i,2}},D_{2,2}=\{g^{r_{1,2}},...,g^{r_{l,2}}\}\&Element;G_1^l$

$D_{1,3}=\{D_{1,3}^{\left(1\right)},...,D_{1,3}^{\left(l\right)}\}\&Element;G_1^l,D_{1,3}^{\left(i\right)}=g^{{\mathrm{\&lambda;}}_{i,3}}{T}_3{\left(\mathrm{\&rho;}\right(i\left)\right)}^{r_{i,3}},D_{2,3}=\{g^{r_{1,3}},...,g^{r_{l,3}}\}\&Element;G_1^l$

D ₃＝g ^r，

$K_X^{\left(1\right)}=(K_2^{\left(1\right)},...,K_n^{\left(1\right)}),$ Wherein $K_k^{\left(1\right)}={\left({h_1}^{-\frac{x_k}{x_1}}\&CenterDot;h_k\right)}^r,k=2,...,n,$

$K_X^{\left(2\right)}=(K_2^{\left(2\right)},...,K_n^{\left(2\right)}),$ Wherein $K_l^{\left(2\right)}={\left({f_1}^{-\frac{x_k}{x_1}}\&CenterDot;f_k\right)}^r,k=2,...,n,$

Will by matrix M _xcan be designated as $K_X^{\left(1\right)}=(K_2^{\left(1\right)},...,K_n^{\left(1\right)})=g^{r\&CenterDot;M_X^T\&CenterDot;\stackrel{\&RightArrow;}{\mathrm{\&alpha;}}},$

$K_X^{\left(2\right)}=(K_2^{\left(2\right)},...,K_n^{\left(2\right)})=g^{r\&CenterDot;M_X^T\&CenterDot;\stackrel{\&RightArrow;}{\mathrm{\&beta;}}},$ Wherein matrix M _x∈ (Z _p) ^{n × (n-1)}concrete structure be:

$M_X=\left(\begin{array}{c}-\frac{x_2}{x_1}-\frac{x_3}{x_1}...-\frac{x_n}{x_1}\\ I_{n-1}\end{array}\right).$

4. the encryption attribute method of the key strategy of revocable two attributes according to claim 1, is characterized in that, the process of described step 3 is the user's revocation list R for attribute i _i(| R _i| <n) and user's revocation list R of attribute j _j(| R _j| <n), wherein i, j ∈ ω, to message under property set ω be encrypted, specifically implement according to following steps:

Step (3.1), according to revocation list R _ithe interior user that cancels collects definition Y _i=(y _{i, 1}..., y _i,n) ^tas the coefficient vector of formula;

Step (3.2), according to revocation list R _jthe interior user that cancels defines Y _j=(y _{j, 1}..., y _j,n) ^t, and by Y _j=(y _{j, 1}..., y _j,n) ^tas the coefficient vector of formula;

Step (3.3), choose random value s ∈ Z _p, under property set ω, for the user's revocation list R comprising i attribute _iwith the user's revocation list R comprising j attribute _jstructure ciphertext:

$ct=(C,C_1,C_{2,0},C_{2,1},C_{2,2},C_{2,3},C_3^{\left(1\right)},C_3^{\left(2\right)}),$

Wherein:

C ₁＝g ^s，

$C_{2,0}=\left\{C_{2,0}^{\left(x\right)}\right|C_{2,0}^{\left(x\right)}=T_0{\left(x\right)}^s,\&ForAll;x\&Element;\mathrm{\&omega;}\},$

$C_{2,1}=\left\{C_{2,1}^{\left(x\right)}\right|C_{2,1}^{\left(x\right)}=T_1{\left(x\right)}^s,\&ForAll;x\&Element;\mathrm{\&omega;}-\left\{j\right\}\}$

$C_{2,2}=\left\{C_{2,2}^{\left(x\right)}\right|C_{2,2}^{\left(x\right)}=T_2{\left(x\right)}^s,\&ForAll;x\&Element;\mathrm{\&omega;}-\left\{i\right\}\},$

$C_{2,3}=\left\{C_{2,3}^{\left(x\right)}\right|C_{2,3}^{\left(x\right)}=T_3{\left(x\right)}^s,\&ForAll;x\&Element;\mathrm{\&omega;}-\left\{j\right\}-\left\{i\right\}\}$

$C_3^{\left(1\right)}=\underset{k=1}{\overset{n}{\&Pi;}}{h}_k^{s\&CenterDot;y_{i,k}},$

5. the encryption attribute method of the key strategy of revocable two attributes according to claim 1, it is characterized in that, the process of described step 4 is for establishing user ID at access structure (M, the private key sk formed ρ), and the revocation list R of the ciphertext ct encrypted under property set ω and user _iand R _j, need to judge that whether ID is at revocation list R _iand R _jin, specifically implement according to following steps:

Step (4.1) if then make ω '=ω;

If then ω '=ω-{ j};

If then ω '=ω-{ i};

If then ω '=ω-{ i}-{j};

Step (4.2), and if only if when property set ω ' meets access structure (M, the ρ) in the private key of user, and user could successful decryption, in conjunction with $sk=(D_{1,0},D_{1,1},D_{1,2},D_{1,3},D_{2,0},D_{2,1},D_{2,2},D_{2,3},D_3,K_X^{\left(1\right)},K_X^{\left(2\right)}),$ Specifically decipher, process is as follows:

If first according to ID define X=(1, ID ..., ID ^n-1) ^t=(x ₁..., x _n) ^t, according to revocation list R _idefinition Y _i=(y _{i, 1}..., y _i,n) ^tas the coefficient vector of formula, and revocation list R _jdefinition Y _j=(y _{j, 1}..., y _j,n) ^tas the coefficient vector of formula, calculates:

$K^{\left(1\right)}=\underset{k=2}{\overset{n}{\&Pi;}}{\left(K_k^{\left(1\right)}\right)}^{y_{i,k}}={\left({h_1}^{-\frac{<X,Y_i>}{x_1}}\&CenterDot;\underset{k=1}{\overset{n}{\&Pi;}}{h}_k^{y_{i,k}}\right)}^r$

$K^{\left(2\right)}=\underset{k=2}{\overset{n}{\&Pi;}}{\left(K_k^{\left(2\right)}\right)}^{y_{j,k}}={\left({f_1}^{-\frac{<X,Y_j>}{x_1}}\&CenterDot;\underset{k=1}{\overset{n}{\&Pi;}}{f}_k^{y_{j,k}}\right)}^r$

Work as <X, Y _i> ≠ 0 and <X, Y _jduring > ≠ 0, namely have:

${\mathrm{\&tau;}}_0={\left(\frac{e(K^{\left(1\right)},C_1)}{e(C_3^{\left(1\right)},D_3)}\right)}^{-\frac{x_1}{<X,Y_i>}}\&CenterDot;{\left(\frac{e(K^{\left(2\right)},C_1)}{e(C_3^{\left(2\right)},D_3)}\right)}^{-\frac{x_1}{<X,Y_j>}}=e{(g,g)}^{rs({\mathrm{\&alpha;}}_1+{\mathrm{\&beta;}}_1)},$

Make I={i: ρ (i) ∈ ω ' }, then according to known matrix M, within the probabilistic polynomial time, find out constant collection { μ _i∈ Z _p} _{i ∈ I}, meet Σ _{i ∈ I}μ _im _i=(1,0 ..., 0), calculate:

${\mathrm{\&phi;}}_0=\underset{i\&Element;I}{\&Pi;}{\left(\frac{e(C_1,D_{1,0}^{\left(i\right)})}{e(C_{2,0}^{\mathrm{\&rho;}\left(i\right)},D_{2,0}^{\left(i\right)})}\right)}^{{\mathrm{\&mu;}}_i}=e{(g,g)}^{s\&CenterDot;(\mathrm{\&alpha;}+{\mathrm{r\&alpha;}}_1+{\mathrm{r\&beta;}}_1)},$

In conjunction with τ ₀value, calculate known utilize division arithmetic, can successful decryption outbound message

If calculate:

${\mathrm{\&tau;}}_1={\left(\frac{e(K^{\left(1\right)},C_1)}{e(C_3^{\left(1\right)},D_3)}\right)}^{\frac{x_1}{<X,Y_i>}}=e{(g,g)}^{{\mathrm{rs\&alpha;}}_1}$

Make I={i: ρ (i) ∈ ω ' }, there is constant collection { μ _i∈ Z _p} _{i ∈ I}, meet Σ _{i ∈ I}μ _im _i=(1,0 ..., 0), thus calculate:

${\mathrm{\&phi;}}_1=\underset{i\&Element;I}{\&Pi;}{\left(\frac{e(C_1,D_{1,1}^{\left(i\right)})}{e(C_{2,1}^{\mathrm{\&rho;}\left(i\right)},D_{2,1}^{\left(i\right)})}\right)}^{{\mathrm{\&mu;}}_i}=e{(g,g)}^{s\&CenterDot;(\mathrm{\&alpha;}+{\mathrm{r\&alpha;}}_1)}$

Obtain in conjunction with C, can go out by successful decryption

If have:

${\mathrm{\&tau;}}_2={\left(\frac{e(K^{\left(2\right)},C_1)}{e(C_3^{\left(2\right)},D_3)}\right)}^{-\frac{x_1}{<X,Y_j>}}=e{(g,g)}^{{\mathrm{rs\&beta;}}_1}$

Make I={i: ρ (i) ∈ ω ' }, there is constant collection { μ _i∈ Z _p} _{i ∈ I}, meet Σ _{i ∈ I}μ _im _i=(1,0 ..., 0), thus calculate:

${\mathrm{\&phi;}}_2=\underset{i\&Element;I}{\&Pi;}{\left(\frac{e(C_1,D_{1,2}^{\left(i\right)})}{e(C_{2,2}^{\mathrm{\&rho;}\left(i\right)},D_{2,2}^{\left(i\right)})}\right)}^{{\mathrm{\&mu;}}_i}=e{(g,g)}^{s\&CenterDot;(\mathrm{\&alpha;}+{\mathrm{r\&beta;}}_1)}$

Obtain in conjunction with C, can go out by successful decryption

If make I={i: ρ (i) ∈ ω ' }, there is constant collection { μ _i∈ Z _p} _{i ∈ I}, meet Σ _{i ∈ I}μ _im _i=(1,0 ..., 0), thus calculate:

${\mathrm{\&phi;}}_3=\underset{i\&Element;I}{\&Pi;}{\left(\frac{e(C_1,D_{1,3}^{\left(i\right)})}{e(C_{2,2}^{\mathrm{\&rho;}\left(i\right)},D_{2,3}^{\left(i\right)})}\right)}^{{\mathrm{\&mu;}}_i}=e{(g,g)}^{s\&CenterDot;\mathrm{\&alpha;}}$

In conjunction with C, pass through successful decryption goes out

6. the encryption attribute method of the key strategy of revocable two attributes according to claim 1, it is characterized in that, described step 5 is specially:

Order $sk=(D_{1,0},D_{1,1},D_{1,2},D_{1,3},D_{2,0},D_{2,1},D_{2,2},D_{2,3},D_3,K_X^{\left(1\right)},K_X^{\left(2\right)})$ Effective decruption key, then a tracing computation:

${\mathrm{\&psi;}}_1=\frac{e(g,K_2^{\left(1\right)})}{e(h_2,D_3)}=e{(g,h_1)}^{-r\&CenterDot;ID}$

${\mathrm{\&psi;}}_2=\frac{e(g,K_2^{\left(2\right)})}{e(f_2,D_3)}=e{(g,f)}^{-r\&CenterDot;ID}$

This tracking is for determining whether existence user ID ∈ U={ID ₁..., ID _k, make wherein i={1,2}, if there is such user, then illustrate that this user and private key are relevant, otherwise then this user and private key has nothing to do, thus obtains the user responsibility in scheme.