CN105978895A

CN105978895A - Attribute-based encryption scheme supporting non-monotonic access structure and fine-granularity cancellation

Info

Publication number: CN105978895A
Application number: CN201610486535.3A
Authority: CN
Inventors: 赵洋; 熊虎; 范鹏程; 蔡浩庭; 孙剑飞; 孙伟
Original assignee: University of Electronic Science and Technology of China
Current assignee: University of Electronic Science and Technology of China
Priority date: 2016-06-28
Filing date: 2016-06-28
Publication date: 2016-09-28

Abstract

The present invention discloses an attribute-based encryption scheme supporting non-monotonic access structure and fine-grained revocation, which is characterized in that the non-monotonic access structure and fine-grained revocation technology are used in the construction, so that the size of the attribute set is smaller than that of the same The efficient attribute-based encryption scheme is small, and at the same time, the fine-grained revocation also supports the management of user rights at the user attribute level, so that the present invention has a certain efficiency improvement and good flexibility. The present invention has the following four algorithms in total: initialization, encryption, private key generation, and decryption.

Description

Attribute-based encryption scheme supporting non-monotonic access structure and fine-grained revocation

技术领域technical field

本发明涉及属性基加密领域，具体讲是一种支持非单调访问结构和细粒度撤销的属性基加密方案的构造方法。The invention relates to the field of attribute-based encryption, in particular to a construction method of an attribute-based encryption scheme supporting non-monotonic access structure and fine-grained revocation.

背景技术Background technique

在互联网和云计算时代，存在海量的数据需要加密、传输、和访问，如何在这种复杂的网络云中保证数据访问的安全性、灵活性，是一个复杂而又亟需解决的问题，此时属性基加密应运而生。属性基加密将用户的身份特征化为一个属性集合，利用属性集合来对数据的加密和访问进行控制，加密者不需知道解密者的具体身份，只需指定相应属性集合和访问策略即可，而对于解密者，只需验证自身具有的属性集合是否满足访问策略即可，因此属性基加密在复杂的网络环境中具有极高的灵活性和安全性。In the era of the Internet and cloud computing, there are massive amounts of data that need to be encrypted, transmitted, and accessed. How to ensure the security and flexibility of data access in this complex network cloud is a complex and urgent problem that needs to be solved. Time attribute based encryption came into being. Attribute-based encryption characterizes the user's identity as an attribute set, and uses the attribute set to control data encryption and access. The encryptor does not need to know the specific identity of the decryptor, but only needs to specify the corresponding attribute set and access strategy. For the decryptor, it only needs to verify whether the attribute set it has meets the access policy. Therefore, attribute-based encryption has extremely high flexibility and security in complex network environments.

在属性基加密实际应用的过程中，常常会伴随着用户的权限变更和撤销，也就是说属性基加密方案需要对用户属性、系统属性进行管理，因而属性撤销成为属性基加密方案中必不可少的部分，而且属性撤销也是近些年来的热点、难点之一。在属性基加密方案当中，可能会存在属性的否定形式，比如：“医生”、“非医生”等，假如属性集合很庞大，并且引入很多属性的否定形式，属性集合势必会很庞大，如何解决属性集合过于庞大的问题也是一个问题。In the process of practical application of attribute-based encryption, it is often accompanied by the change and revocation of user permissions. That is to say, the attribute-based encryption scheme needs to manage user attributes and system attributes, so attribute revocation becomes indispensable in the attribute-based encryption scheme. part, and attribute revocation is also one of the hot spots and difficulties in recent years. In the attribute-based encryption scheme, there may be negative forms of attributes, such as "doctor", "non-doctor", etc. If the attribute set is very large and many negative forms of attributes are introduced, the attribute set will inevitably be very large. How to solve it? The problem of an overly large set of attributes is also a problem.

对于用户权限管理可以利用属性撤销来管理，对于解决含有属性否定形式的属性集过于庞大的问题，可以利用非单调的访问结构来解决。但在现已公开的发明专利中，仅有支持细粒度属性撤销的发明专利，如专利《可撤销的基于密文政策的属性基密码方法、设备和系统》(专利公开号102546161A,申请号201010587247.X)，还未有支持非单调访问结构的发明专利，本发明与上述发明不同之处为同时支持非单调访问结构和细粒度属性撤销。User rights management can be managed by using attribute revocation, and non-monotonic access structure can be used to solve the problem that the attribute set containing attribute negation form is too large. However, among the published invention patents, there are only invention patents that support fine-grained attribute revocation, such as the patent "Revocable ciphertext policy-based attribute-based encryption method, device and system" (Patent Publication No. 102546161A, Application No. 201010587247 .X), there is no invention patent that supports non-monotonic access structure. The difference between the present invention and the above-mentioned invention is that it supports non-monotonic access structure and fine-grained attribute revocation at the same time.

发明内容Contents of the invention

本文旨在提出一个支持非单调访问结构和细粒度撤销的属性基加密方案，利用非单调访问结构，可以不添加任何否定属性来达到相同效果，从而在一定程度上减小属性集合的规模；同时为用户权限的灵活管理提供一种解决方式，本方案可以在用户属性级别达到细粒度的属性撤销。This paper aims to propose an attribute-based encryption scheme that supports non-monotonic access structure and fine-grained revocation. Using non-monotonic access structure, the same effect can be achieved without adding any negative attributes, thereby reducing the size of the attribute set to a certain extent; at the same time To provide a solution for the flexible management of user rights, this scheme can achieve fine-grained attribute revocation at the user attribute level.

本发明的技术方案由四个算法构成：初始化Setup(1^λ，d，n)、加密私钥生成解密Decryption(E，D)。The technical scheme of the present invention is made of four algorithms: initialization Setup (1 ^λ , d, n), encryption private key generation Decrypt Decryption(E, D).

本发明技术方案的四个算法具体描述：The four algorithms of the technical solution of the present invention are described in detail:

初始化Setup(1^λ，d，n)：为系统生成公共参数和主密钥；Initialize Setup(1 ^λ , d, n): generate public parameters and master keys for the system;

加密将明文加密，并生成解密过程需要的信息，根据属性的撤销列表为属性生成用于撤销验证的信息，最后将所有信息整合形成密文；encryption Encrypt the plaintext and generate the information required for the decryption process, generate information for revocation verification for the attribute according to the revocation list of the attribute, and finally integrate all the information into ciphertext;

私钥生成根据积极属性和否定属性为用户分别生成不同部分私钥，并为用户生成用于撤销验证的信息；private key generation Generate different parts of private keys for users according to positive attributes and negative attributes, and generate information for revoking verification for users;

解密Decryption(E，D)：利用加密和私钥生成过程中生成用于撤销验证的信息，验证用户是否为撤销用户，若未被撤销，利用所生成的私钥和密文解密可以得到明文。Decryption Decryption (E, D): Use the information for revocation verification generated during encryption and private key generation to verify whether the user is a revocation user. If not, use the generated private key and decrypt the ciphertext to obtain the plaintext.

附图说明Description of drawings

本发明可以通过参考下文中结合附图所给出的详细描述而得到更好的理解，下述附图和详细说明为本说明书的一部分，用于结合来描述本发明的原理以及优点，附图说明如下：The present invention can be better understood by referring to the detailed description given below in conjunction with the accompanying drawings. The following drawings and detailed descriptions are part of this specification and are used to describe the principles and advantages of the present invention in conjunction with the accompanying drawings. described as follows:

图1示出本发明的初始化流程图；Fig. 1 shows the initialization flowchart of the present invention;

图2示出本发明加密的流程图；Fig. 2 shows the flowchart of encryption of the present invention;

图3示出本发明用户密钥生成的流程图；Fig. 3 shows the flowchart of user key generation of the present invention;

图4示出本发明用户解密的流程图。Fig. 4 shows the flowchart of user decryption in the present invention.

具体实施方式detailed description

图1示出本发明的初始化流程图。Fig. 1 shows the initialization flowchart of the present invention.

初始化Setup(1^λ，d，n)：该算法接受三个输入参数：安全参数1^λ，属性个数d，用户个数n；令积极属性(非否定属性)集并且令用户ID集合U＝{1，2，...，n}，随机选择对于任意属性计算随机选择对于任意的i∈{1，2，...，n，n+2，...，2n}，计算随机选取两个秘密值计算g₁＝g^α，g₂＝g^β；随机选取两个d阶的多项式h(x)，q(x)，约束条件是q(0)=β,最后随机选取a∈Z_p1；公共参数为：Initialization Setup(1 ^λ , d, n): The algorithm accepts three input parameters: security parameter 1 ^λ , number of attributes d, number of users n; let positive attribute (non-negative attribute) set And let the user ID set U={1, 2,...,n}, choose randomly for any attribute calculate random selection For any i ∈ {1, 2, ..., n, n+2, ..., 2n}, compute Randomly pick two secret values Calculate g ₁ =g ^α , g ₂ =g ^β ; randomly select two d-order polynomials h(x), q(x), the constraint condition is q(0)=β, and finally randomly select a∈Z _p1 ; public The parameters are:

PK＝(N，g，g^a，g₁，g₂；g^q(1)，g^q(2)，...，g^q(d)；g^h(0)，g^h(1)，...，g^h(d)；PK=(N, g, g ^a , g ₁ , g ₂ ; g ^q(1) , g ^q(2) ,..., g ^q(d) ; g ^h(0) , g ^h(1) , ...,g ^h(d) ;

主密钥为：函数是在公共参数中定义的，是公开的、可计算的，函数定义为： The master key is: function is defined in the public parameter, is public and computable, and the function is defined as:

$T T ((x x)) = = {g g}_{22}^{{x x}^{d d}} \cdot \cdot {g g}^{h h ((x x))},, V V ((x x)) = = {g g}^{q q ((x x))} . .$

图2示出本发明加密的流程图。Fig. 2 shows the flow chart of the encryption of the present invention.

加密该算法接受三个参数：明文M，属性集合公共参数PK；明文利用属性集合加密明文，随机选择计算：E⁽¹⁾＝Me(g₁，g₂)^s·e(f₁，f_n)^y，E⁽²⁾＝g^s，E⁽³⁾＝(g^a)^y；对于任意的计算：随机选择一个d阶多项式l(x)，约束条件为：l(0)＝y；对于任意的属性S_x为每个属性的非撤销列表，R_x为撤销列表，令计算：如果S_x≠U，也就是说随机选择并且计算：其中是用于随机化防止e(g₁，g_n)^l(x)被潜在的敌手计算得到；如果S_x＝U，也就是说计算：即η_x＝s_x＝0，接着输出密文：encryption The algorithm accepts three parameters: plaintext M, attribute set Public parameter PK; plaintext Using attribute collections Encrypted plaintext, randomly selected Calculation: E ⁽¹⁾ = Me(g ₁ , g ₂ ) ^s e(f ₁ , f _n ) ^y , E ⁽²⁾ = g ^s , E ⁽³⁾ = (g ^a ) ^y ; for any calculate: Randomly select a d-order polynomial l(x), the constraints are: l(0)=y; for any attribute S _x is the non-revocation list of each attribute, R _x is the revocation list, let calculate: If S _x ≠ U, that is random selection and calculate: in is used for randomization Prevent e(g ₁ , g _n ) ^l(x) from being calculated by potential adversaries; if S _x = U, that is to say calculate: That is, η _x =s _x =0, and then output the ciphertext:

$E E. = = ((γ γ,, {E E.}^{((11))},, {E E.}^{((22))},, {{{E E.}_{x x}^{((33))},, {E E.}_{x x}^{((44))} {E E.}_{x x}^{((55))},, {E E.}_{x x}^{((66))},, {E E.}_{x x}^{((77))},, {E E.}_{x x}^{((88))},, {E E.}_{x x}^{((99))},, {E E.}_{x x}^{((1010))}}}_{x x &Element; &Element; \overset{~ ~}{S S}})) . .$

图3示出本发明用户密钥生成的流程图。Fig. 3 shows a flowchart of user key generation in the present invention.

私钥生成该算法接受三个参数：非单调访问结构主密钥MK,公共参数PK；除了中的属性(假如可以高效的查询)，剩下的属性的否定形式在中，则该算法将为用户生成私钥，利用线性秘密分享技术(LSSS)可以获得秘密α的分享值{λ_i}，并且为每个属性标志i选择对于任意的i，属性是积极的，计算：细粒度撤销是作用于积极属性集合上；随机选择计算：接着输出积极属性x的部分私钥：对于任意的i，属性是否定的，计算：接着输出否定属性x′的部分私钥：对所有的i，私钥D是由所有的D_i组成。private key generation The algorithm accepts three parameters: non-monotonic access structure Master key MK, public parameter PK; except Attributes in (if they can be queried efficiently), the negative forms of the remaining attributes are in , then the algorithm will generate a private key for the user, and use the linear secret sharing technique (LSSS) to obtain the shared value {λ _i } of the secret α, and select For any i, the property is active, calculate: Fine-grained undo is applied to active attribute sets; random selection calculate: Then output the partial private key of positive attribute x: For any i, the property is negative, compute: Then output the partial private key of the negated attribute x′: For all i, the private key D is composed of all D _i .

解密Decryption(E，D)：该算法接受两个参数：密文E，密钥D；Decryption Decryption(E, D): This algorithm accepts two parameters: ciphertext E, key D;

令利用LSSS可以得到一个系数集合Ω＝{ω_i}_i∈I，满足Σ_i∈Iω_iλ_i＝α(λ_i，α在解密部分是未知的)。make Using LSSS, a coefficient set Ω={ω _i } _i∈I can be obtained, which satisfies Σ _i∈I ω _i λ _i =α(λ _i , α is unknown in the decryption part).

对于任意积极属性i，即计算：对于任意否定属性i，即令有计算拉格朗日系数该系数集合满足然后计算：For any positive attribute i, that is calculate: For any negative attribute i, that is make Have Calculate Lagrangian coefficients The set of coefficients satisfies Then calculate:

$\begin{matrix} {Z Z}_{i i} = = \frac{e e (({D D.}_{i i}^{((66))},, {E E.}^{((22))}))}{e e (({D D.}_{i i}^{((88))},, \underset{x x &Element; &Element; \overset{~ ~}{S S}}{Π Π} {(({E E.}_{x x}^{((55))}))}^{{σ σ}_{x x}})) \cdot &Center Dot; e e {(({D D.}_{i i}^{((77))},, {E E.}^{((22))}))}^{{σ σ}_{{x x}_{i i}}}} = = \frac{e e (({g g}_{22}^{{λ λ}_{i i} + + {r r}_{i i}},, {g g}^{s the s}))}{e e (({g g}^{{r r}_{i i}},, \underset{x x &Element; &Element; \overset{~ ~}{S S}}{Π Π} {((V V {((x x))}^{s the s}))}^{{σ σ}_{x x}})) \cdot \cdot e e {((V V {(({x x}_{i i}))}^{{r r}_{i i}},, {g g}^{s the s}))}^{{σ σ}_{{x x}_{i i}}}} \\ = = \frac{e e (({g g}_{22}^{{λ λ}_{i i}},, {g g}^{s the s})) \cdot &Center Dot; e e (({g g}_{22}^{{λ λ}_{i i}},, {g g}^{s the s}))}{e e (({g g}^{{r r}_{i i}},, {g g}^{{sΣ sΣ}_{x x &Element; &Element; \overset{~ ~}{S S}} {σ σ}_{x x} q q ((x x))})) \cdot \cdot e e (({g g}^{{r r}_{i i} {σ σ}_{{x x}_{i i}} q q (({x x}_{i i}))},, {g g}^{s the s}))} = = \frac{e e {(({g g}_{22},, g g))}^{{sλ sλ}_{i i}} \cdot \cdot e e {((g g,, g g))}^{{r r}_{i i} s the s β β}}{e e {((g g,, g g))}^{{r r}_{i i} {sΣ sΣ}_{x x &Element; &Element; N N ((\overset{~ ~}{S S}))} {σ σ}_{x x} q q ((x x))}} = = e e {(({g g}_{22},, g g))}^{{sλ sλ}_{i i}} \end{matrix} . .$

进行撤销验证计算，令对于任意x∈L，计算：To perform the revocation verification calculation, let For any x ∈ L, compute:

${X x}_{i i} = = \frac{e e (({D D.}_{i i}^{((44))},, {E E.}_{x x}^{((66))})) e e (({E E.}_{x x}^{((66))},, \underset{j j &Element; &Element; {S S}_{x x},, j j &NotEqual; &NotEqual; I I D D.}{Π Π} {f f}_{n no + + 11 - - j j + + I I D D.})) e e (({f f}_{I I D D.},, {E E.}_{x x}^{((1010))}))}{e e (({D D.}_{i i}^{((55))},, {E E.}_{x x}^{((77))})) e e (({f f}_{I I D D.},, {E E.}_{x x}^{((88))})) e e (({E E.}_{x x}^{((99))},, \underset{j j &Element; &Element; {R R}_{x x}}{Π Π} {f f}_{n no + + 11 - - j j + + I I D D.}))} = = \frac{e e (({g g}^{a a t t},, {g g}^{l l ((x x))}))}{e e {(({f f}_{11},, {f f}_{n no}))}^{l l ((x x))}} . .$

最后利用上述计算结果进行解密，令计算：Finally, the above calculation results are used to decrypt, so that calculate:

$\frac{{E E.}^{((11))}}{\underset{i i &Element; &Element; I I}{Π Π} {Z Z}_{i i}} \cdot \cdot \frac{\underset{i i &Element; &Element; A A}{Π Π} {X x}_{i i}}{e e (({D D.}_{i i}^{((33))},, {E E.}^{((33))}))} = = \frac{M m e e {(({g g}_{11},, {g g}_{22}))}^{s the s} e e {(({f f}_{11},, {f f}_{n no}))}^{y the y} \cdot &Center Dot; e e (({g g}^{a a t t},, {g g}^{y the y}))}{e e {(({g g}_{22},, g g))}^{s the s α α} \cdot &Center Dot; e e {(({f f}_{11},, {f f}_{n no}))}^{y the y} e e (({g g}^{t t},, {g g}^{a a y the y}))} = = M m . .$

Claims

1. the attribute base encryption system supporting non-monotonic access structure and fine granularity to cancel, is characterized in that utilizing in structure Non-monotonic access structure and fine granularity cancel technology so that it is control in terms of motility and cryptographic attributes collection scale respectively accessing Being better than existing cancelling and the attribute base encipherment scheme of dull access structure based on coarseness, this programme has following four step Rapid:

(1) Setup (1 is initialized^λ, d, n): generate common parameter and master key for system；

(2) encryptionBy plain text encryption, and generate the information that decrypting process needs, according to attribute Revocation list is the information that attribute generates for cancelling checking, finally all information integration is formed ciphertext；

(3) private key generatesIt is that user generates respectively according to positive attribute and negative attribute Different piece private key, and generate the information for cancelling checking for user；

(4) deciphering Decryption (E, D): utilize encryption and private key to generate the information for cancelling checking during generating, test Whether card user is for cancelling user, if not being revoked, utilizes the private key generated and ciphertext deciphering can obtain in plain text.

The attribute base encryption system that the non-monotonic access structure of support the most according to claim 1 and fine granularity are cancelled, it is special Levying and be, described scheme specifically comprises the steps of

(1) Setup (1 is initialized^λ, d, n): three input parameters of this algorithm acceptance: security parameter 1^λ, attribute number d, user Number n；Make positive property setAnd make ID set U={1,2 ..., n}, randomly choose For any attributeCalculateRandomly chooseFor arbitrary i ∈ 1,2 ... n, n+ 2 ..., 2n}, calculateRandomly select two secret valueCalculate g₁=g^α, g₂=g^β；Randomly select two Multinomial h (x) on d rank, q (x), constraints is q (0)=β；Finally randomly selectThen common parameter is: {f_i}_{I ∈ 1,2 ..., n, n+2 ..., 2n}}), master key is:Function Defined in common parameter, being disclosed, computable, function is defined as:V (x)=g^q(x)；

(2) encryptionThis algorithm three parameters of acceptance: plaintext M, community setCommon parameter PK； In plain textUtilize community setEncrypting plaintext, randomly choosesCalculate: E⁽¹⁾=Me (g₁, g₂)^s·e(f₁, f_n)^y, E⁽²⁾=g^s, E⁽³⁾=(g^a)^y；For arbitrarilyCalculate:Randomly choose One d rank multinomial l (x), constraints is: l (0)=y；For arbitrary attributeS_xNon-for each attribute is removed Pin list, R_xFor revocation list, orderCalculate:If S_x≠ U, That isRandomly chooseAnd calculate: Wherein η_x, s_x,It is for randomizationPrevent e (g₁, g_n)^l(x)By potential Opponent is calculated；If S_x=U, say, thatCalculate: I.e. η_x=s_x=0, then export ciphertext:

(3) private key generatesThis algorithm three parameters of acceptance: non-monotonic access structureMain Key MK, common parameter PK；ExceptIn attribute (if can inquire about efficiently), the negative form of remaining attribute existsIn, then this algorithm will generate private key for user, utilize linear secret sharing technology (LSSS) can obtain dividing of secret α Enjoy value { λ_i, and be that each attribute mark i selectsFor arbitrary i, attributeIt is positive, calculates:It is to act on positive community set that fine granularity is cancelled, and first, randomly choosesCalculate:The most defeated Go out the part private key of positive attribute x:For arbitrary i, attributeIt is negative, Calculate:The part private key of then output negative attribute x ':It is by all of D to all of i, private key D_iComposition；

(4) deciphering Decryption (E, D): this algorithm two parameters of acceptance: ciphertext E, key D；OrderUtilize LSSS can obtain a coefficient sets Ω={ ω_i}_i∈I, meet Σ_i∈Iω_iλ_i=α (λ_i, α is unknown in decryption portion)；For appointing Anticipate positive attribute i, i.e. Calculate: For arbitrarily negative attribute i, i.e.OrderHaveAccording to function V (x) andCalculate Lagrange coefficientThis coefficient sets meetsThen calculate:

Then carry out cancelling checking to calculate, orderFor any x ∈ L, calculate:? After utilize above-mentioned result of calculation to be decrypted, orderCalculate: