CN105978895A - Attribute-based encryption scheme supporting non-monotonic access structure and fine-granularity cancellation - Google Patents

Abstract

The invention discloses an attribute-based encryption scheme supporting non-monotonic access structure and fine-granularity cancellation. The scheme is characterized in that the non-monotonic access structure and fine-granularity cancellation technology is utilized in the construction, so that the attribute set scale of the attribute-based encryption scheme supporting the non-monotonic access structure and fine-granularity cancellation is less than that of the attribute-based encryption scheme achieving the same efficacy; and meanwhile, the attribute-based encryption scheme further supports the management on the user right at the user attribute level through the fine-granularity cancellation; the scheme provided by the invention has a certain efficiency promotion and good flexibility. The encryption scheme totally has the following four algorithms: initialization, encryption, key generation and decryption.

Description

Support the attribute base encipherment scheme that non-monotonic access structure and fine granularity are cancelled

Technical field

The present invention relates to attribute base field of encryption, be especially and a kind of support what non-monotonic access structure and fine granularity were cancelled The building method of attribute base encipherment scheme.

Background technology

In the Internet and cloud computing epoch, the data that there is magnanimity need encryption, transmission and access, how this multiple Miscellaneous network cloud ensures the safety of data access, motility, is a complexity and the problem needing solution badly, now attribute Base encryption is arisen at the historic moment.The identity characteristic of user is turned to a community set by the encryption of attribute base, utilizes the incompatible logarithm of property set According to encryption and access be controlled, encipherer is not required to know the concrete identity of deciphering person, only need to specify respective attributes set and Access strategy, and for deciphering person, only need to verify whether the community set self having meets access strategy, therefore Attribute base is encrypted in the network environment of complexity has high motility and safety.

During the encryption reality application of attribute base, usually can be along with the permission modification of user with cancel, namely Say attribute base encipherment scheme to need user property, system property to be managed, thus attribute is cancelled and become attribute base encryption side Requisite part in case, and attribute to cancel also be one of focus in the last few years, difficult point.Work as at attribute base encipherment scheme In, the negative form of attribute may be there is, such as: " doctor ", " non-physician " etc., if community set is the hugest, and draw Entering the most multiattribute negative form, community set will certainly be the hugest, and the problem how solving community set the hugest is also One problem.

Attribute can be utilized to cancel for user authority management to manage, for solving the attribute containing attribute negative form Collect the hugest problem, it is possible to use nonmonotonic access structure solves.But in invention disclosed patent, only have Support the patent of invention that fine granularity attribute is cancelled, such as patent " voidable attribute base cryptographic methods based on ciphertext policy, equipment And system " (patent publication No. 102546161A, application number 201010587247.X), also do not have and support non-monotonic access structure Patent of invention, the present invention and foregoing invention difference are for support that non-monotonic access structure and fine granularity attribute are cancelled simultaneously.

Summary of the invention

It is intended to propose an attribute base encipherment scheme supporting non-monotonic access structure and fine granularity to cancel, utilizes non- Dull access structure, can reach same effect without any negative attribute, thus reduce property set to a certain extent The scale closed；Flexible management for user right provides a kind of settling mode simultaneously, and this programme can reach in user property rank Cancel to fine-grained attribute.

Technical scheme is by four Algorithm constitutions: initialize Setup (1^λ, d, n), encrypts Private key generatesDeciphering Decryption (E, D).

Four algorithms of technical solution of the present invention specifically describe:

Initialize Setup (1^λ, d, n): generate common parameter and master key for system；

EncryptionBy plain text encryption, and generate the information that decrypting process needs, according to attribute Revocation list is the information that attribute generates for cancelling checking, finally all information integration is formed ciphertext；

Private key generatesIt is that user generates respectively according to positive attribute and negative attribute Different piece private key, and generate the information for cancelling checking for user；

Deciphering Decryption (E, D): utilize encryption and private key to generate the information for cancelling checking during generating, test Whether card user is for cancelling user, if not being revoked, utilizes the private key generated and ciphertext deciphering can obtain in plain text.

Accompanying drawing explanation

The present invention can be following by with reference to being better understood below in association with the detailed description given by accompanying drawing Drawings and detailed description are the part of this specification, for combining principle and the advantage describing the present invention, accompanying drawing explanation As follows:

Fig. 1 illustrates the initialization flowchart of the present invention；

Fig. 2 illustrates the flow chart that the present invention encrypts；

Fig. 3 illustrates the flow chart that user key of the present invention generates；

Fig. 4 illustrates the flow chart that user of the present invention deciphers.

Detailed description of the invention

Fig. 1 illustrates the initialization flowchart of the present invention.

Initialize Setup (1^λ, d, n): three input parameters of this algorithm acceptance: security parameter 1^λ, attribute number d, user Number n；Positive attribute (non-negative attribute) is made to collectAnd make ID set U={1,2 ..., n}, at random SelectFor any attributeCalculateRandomly chooseFor arbitrary i ∈ 1,2 ..., n, n+2 ..., 2n}, calculateRandomly select two secret valueCalculate g₁=g^α, g₂=g^β；Randomly selecting multinomial h (x) on two d rank, q (x), constraints is q (0)=β, finally randomly selects a ∈ Z_p1；Public ginseng Number is:

PK=(N, g, g^a, g₁, g₂；g^q(1), g^q(2)..., g^q(d)；g^h(0), g^h(1)..., g^h(d)；

Master key is:Letter NumberDefined in common parameter, being disclosed, computable, function is defined as:

$T\left(x\right)=g_2^{x^d}\·g^{h\left(x\right)},V\left(x\right)=g^{q\left(x\right)}.$

Fig. 2 illustrates the flow chart that the present invention encrypts.

EncryptionThis algorithm three parameters of acceptance: plaintext M, community setCommon parameter PK； In plain textUtilize community setEncrypting plaintext, randomly choosesCalculate: E⁽¹⁾=Me (g₁, g₂)^s·e(f₁, f_n)^y, E⁽²⁾=g^s, E⁽³⁾=(g^a)^y；For arbitrarilyCalculate:Randomly choose One d rank multinomial l (x), constraints is: l (0)=y；For arbitrary attributeS_xNon-for each attribute is removed Pin list, R_xFor revocation list, orderCalculate:If S_x≠ U, say, thatRandomly chooseAnd calculate: WhereinIt is for randomizationPrevent e (g₁, g_n)^l(x)Dived Opponent be calculated；If S_x=U, say, thatCalculate: I.e. η_x=s_x=0, then export ciphertext:

$E=(\mathrm{\γ},E^{\left(1\right)},E^{\left(2\right)},{\{E_x^{\left(3\right)},E_x^{\left(4\right)}{E}_x^{\left(5\right)},E_x^{\left(6\right)},E_x^{\left(7\right)},E_x^{\left(8\right)},E_x^{\left(9\right)},E_x^{\left(10\right)}\}}_{x\∈\tilde{S}}).$

Fig. 3 illustrates the flow chart that user key of the present invention generates.

Private key generatesThis algorithm three parameters of acceptance: non-monotonic access structure Master key MK, common parameter PK；ExceptIn attribute (if can inquire about efficiently), the negative form of remaining attribute existsIn, then this algorithm will generate private key for user, utilize linear secret sharing technology (LSSS) can obtain dividing of secret α Enjoy value { λ_i, and be that each attribute mark i selectsFor arbitrary i, attributeIt is positive, calculates:It is to act on positive community set that fine granularity is cancelled；Randomly chooseCalculate: Then export The actively part private key of attribute x:For arbitrary i, attributeIt is negative, Calculate:The part private key of then output negative attribute x ':It is by all of D to all of i, private key D_iComposition.

Fig. 4 illustrates the flow chart that user of the present invention deciphers.

Deciphering Decryption (E, D): this algorithm two parameters of acceptance: ciphertext E, key D；

OrderUtilize LSSS can obtain a coefficient sets Ω={ ω_i}_i∈I, meet Σ_i∈I ω_iλ_i=α (λ_i, α is unknown in decryption portion).

For the most actively attribute i, i.e.Calculate: For arbitrarily negative attribute i, i.e.OrderHaveCalculate Lagrange system NumberThis coefficient sets meetsThen calculate:

$\begin{array}{c}{Z}_i=\frac{e(D_i^{\left(6\right)},E^{\left(2\right)})}{e(D_i^{\left(8\right)},\underset{x\∈\tilde{S}}{\Π}{\left(E_x^{\left(5\right)}\right)}^{{\mathrm{\σ}}_x})\·e{(D_i^{\left(7\right)},E^{\left(2\right)})}^{{\mathrm{\σ}}_{x_i}}}=\frac{e(g_2^{{\mathrm{\λ}}_i+r_i},g^s)}{e(g^{r_i},\underset{x\∈\tilde{S}}{\Π}{\left(V{\left(x\right)}^s\right)}^{{\mathrm{\σ}}_x})\·e{(V{\left(x_i\right)}^{r_i},g^s)}^{{\mathrm{\σ}}_{x_i}}}\\ =\frac{e(g_2^{{\mathrm{\λ}}_i},g^s)\·e(g_2^{{\mathrm{\λ}}_i},g^s)}{e(g^{r_i},g^{{\mathrm{s\Σ}}_{x\∈\tilde{S}}{\mathrm{\σ}}_{x}q\left(x\right)})\·e(g^{r_i{\mathrm{\σ}}_{x_i}q\left(x_i\right)},g^s)}=\frac{e{(g_2,g)}^{{\mathrm{s\λ}}_i}\·e{(g,g)}^{r_{i}s\mathrm{\β}}}{e{(g,g)}^{r_i{\mathrm{s\Σ}}_{x\∈N\left(\tilde{S}\right)}{\mathrm{\σ}}_{x}q\left(x\right)}}=e{(g_2,g)}^{{\mathrm{s\λ}}_i}\end{array}.$

Carry out cancelling checking to calculate, orderFor any x ∈ L, calculate:

$X_i=\frac{e(D_i^{\left(4\right)},E_x^{\left(6\right)})e(E_x^{\left(6\right)},\underset{j\∈S_x,j\≠ID}{\mathrm{\Π}}{f}_{n+1-j+ID})e(f_{ID},E_x^{\left(10\right)})}{e(D_i^{\left(5\right)},E_x^{\left(7\right)})e(f_{ID},E_x^{\left(8\right)})e(E_x^{\left(9\right)},\underset{j\∈R_x}{\mathrm{\Π}}{f}_{n+1-j+ID})}=\frac{e(g^{at},g^{l\left(x\right)})}{e{(f_1,f_n)}^{l\left(x\right)}}.$

Above-mentioned result of calculation is finally utilized to be decrypted, orderCalculate:

$\frac{E^{\left(1\right)}}{\underset{i\∈I}{\Π}{Z}_i}\·\frac{\underset{i\∈A}{\Π}{X}_i}{e(D_i^{\left(3\right)},E^{\left(3\right)})}=\frac{Me{(g_1,g_2)}^{s}e{(f_1,f_n)}^y\·e(g^{at},g^y)}{e{(g_2,g)}^{s\mathrm{\α}}\·e{(f_1,f_n)}^{y}e(g^t,g^{ay})}=M.$

Claims (2)

1. the attribute base encryption system supporting non-monotonic access structure and fine granularity to cancel, is characterized in that utilizing in structure Non-monotonic access structure and fine granularity cancel technology so that it is control in terms of motility and cryptographic attributes collection scale respectively accessing Being better than existing cancelling and the attribute base encipherment scheme of dull access structure based on coarseness, this programme has following four step Rapid:

(1) Setup (1 is initialized^λ, d, n): generate common parameter and master key for system；

(2) encryptionBy plain text encryption, and generate the information that decrypting process needs, according to attribute Revocation list is the information that attribute generates for cancelling checking, finally all information integration is formed ciphertext；

(3) private key generatesIt is that user generates respectively according to positive attribute and negative attribute Different piece private key, and generate the information for cancelling checking for user；

(4) deciphering Decryption (E, D): utilize encryption and private key to generate the information for cancelling checking during generating, test Whether card user is for cancelling user, if not being revoked, utilizes the private key generated and ciphertext deciphering can obtain in plain text.

The attribute base encryption system that the non-monotonic access structure of support the most according to claim 1 and fine granularity are cancelled, it is special Levying and be, described scheme specifically comprises the steps of

(1) Setup (1 is initialized^λ, d, n): three input parameters of this algorithm acceptance: security parameter 1^λ, attribute number d, user Number n；Make positive property setAnd make ID set U={1,2 ..., n}, randomly choose For any attributeCalculateRandomly chooseFor arbitrary i ∈ 1,2 ... n, n+ 2 ..., 2n}, calculateRandomly select two secret valueCalculate g₁=g^α, g₂=g^β；Randomly select two Multinomial h (x) on d rank, q (x), constraints is q (0)=β；Finally randomly selectThen common parameter is: {f_i}_{I ∈ 1,2 ..., n, n+2 ..., 2n}}), master key is:Function Defined in common parameter, being disclosed, computable, function is defined as:V (x)=g^q(x)；

(2) encryptionThis algorithm three parameters of acceptance: plaintext M, community setCommon parameter PK； In plain textUtilize community setEncrypting plaintext, randomly choosesCalculate: E⁽¹⁾=Me (g₁, g₂)^s·e(f₁, f_n)^y, E⁽²⁾=g^s, E⁽³⁾=(g^a)^y；For arbitrarilyCalculate:Randomly choose One d rank multinomial l (x), constraints is: l (0)=y；For arbitrary attributeS_xNon-for each attribute is removed Pin list, R_xFor revocation list, orderCalculate:If S_x≠ U, That isRandomly chooseAnd calculate: Wherein η_x, s_x,It is for randomizationPrevent e (g₁, g_n)^l(x)By potential Opponent is calculated；If S_x=U, say, thatCalculate: I.e. η_x=s_x=0, then export ciphertext:

(3) private key generatesThis algorithm three parameters of acceptance: non-monotonic access structureMain Key MK, common parameter PK；ExceptIn attribute (if can inquire about efficiently), the negative form of remaining attribute existsIn, then this algorithm will generate private key for user, utilize linear secret sharing technology (LSSS) can obtain dividing of secret α Enjoy value { λ_i, and be that each attribute mark i selectsFor arbitrary i, attributeIt is positive, calculates:It is to act on positive community set that fine granularity is cancelled, and first, randomly choosesCalculate:The most defeated Go out the part private key of positive attribute x:For arbitrary i, attributeIt is negative, Calculate:The part private key of then output negative attribute x ':It is by all of D to all of i, private key D_iComposition；

(4) deciphering Decryption (E, D): this algorithm two parameters of acceptance: ciphertext E, key D；OrderUtilize LSSS can obtain a coefficient sets Ω={ ω_i}_i∈I, meet Σ_i∈Iω_iλ_i=α (λ_i, α is unknown in decryption portion)；For appointing Anticipate positive attribute i, i.e. Calculate: For arbitrarily negative attribute i, i.e.OrderHaveAccording to function V (x) andCalculate Lagrange coefficientThis coefficient sets meetsThen calculate:

Then carry out cancelling checking to calculate, orderFor any x ∈ L, calculate:? After utilize above-mentioned result of calculation to be decrypted, orderCalculate: