CN106127075A - A privacy-preserving searchable encryption method in a cloud storage environment - Google Patents

Publication number
CN106127075A
Authority
CN
China
Prior art keywords
document
data
search
index
ibs
Prior art date
Application number
CN201610472300.9A
Other languages
Chinese (zh)
Other versions
CN106127075B (en)
Inventor
胡玉鹏
马梦怡
皮玲
温冠超
高子文
Original Assignee
湖南大学
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 湖南大学 filed Critical 湖南大学
Priority to CN201610472300.9A priority Critical patent/CN106127075B/en
Publication of CN106127075A publication Critical patent/CN106127075A/en
Application granted granted Critical
Publication of CN106127075B publication Critical patent/CN106127075B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS
    • G06 COMPUTING; CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services

Abstract

The invention discloses a privacy-preserving searchable encryption method in a cloud storage environment. Let L = {l_i | 1 ≤ i ≤ card(L)} denote all card(L) user identity types in the IBS-SSE system model; each data consumer belongs to one of these identity types, and 1 ≤ x ≤ card(L). For a document F, if the document owner specifies that the identity types of the data consumers allowed to access F form a set of cardinality x, then the h independent hash functions of a Bloom filter, HASH = {H_1, H_2, ..., H_h}, map the x elements of that set into a bit-string vector P of length q; P is the access control policy bound to document F. When a data consumer wants to access F, the access control executor uses the Bloom filter to decide from P whether the data consumer's identity type l belongs to the authorized set: if it does, the match succeeds; otherwise the match fails. The invention solves the problem that existing symmetric searchable encryption schemes are difficult to apply efficiently and securely to a multi-source data-user model and to enforce access control over diverse data users.

Description

A privacy-preserving searchable encryption method in a cloud storage environment
Technical field
The present invention relates to a privacy-preserving searchable encryption method in a cloud storage environment.
Background
With the growth of network bandwidth and the spread of the mobile Internet, the flexibility and economy of cloud storage have attracted the attention of individuals and enterprises, allowing them to outsource complex local data management systems to the cloud. Cloud storage has become one of the most widespread applications of cloud computing. The number of users of public cloud storage applications such as Dropbox, Google Drive, Kingsoft fast disk and micro-disk is growing rapidly (Dropbox alone has exceeded 500 million users), and platforms such as Eucalyptus, 3A Cloud and minicloud provide secure private office clouds for a growing number of enterprises. Cloud storage users can access data from different terminals (desktop computers, notebook computers, tablets, smartphones and so on) in different places, and cloud storage offers an optimal solution for sharing data among these devices.
However, because data ownership is separated from data management, data security risks have emerged as well, and cloud users' distrust of cloud storage service providers has become an important factor limiting the adoption of cloud storage. Under the cloud storage model, users' data (including sensitive data such as government and corporate financial data, personal medical information, mail, photo albums and financial transactions) are managed and stored entirely by the cloud service provider (Cloud Service Provider, CSP). The CSP can obtain and search the sensitive data that users store in the cloud; the CSP may lose users' data through system failure; and an attacker may obtain users' data by attacking the CSP's servers, causing information leakage. These risks make the security of cloud storage a problem that cannot be ignored.
To protect data privacy, the data owner must encrypt data before uploading it to the CSP. This, however, prevents traditional data services based on plaintext keyword search from working normally. One solution is to download all data and decrypt it locally, but this incurs huge bandwidth costs in a cloud system and is impractical. Moreover, leaving aside the relief of the local storage management burden, storing data in the cloud is pointless if the data cannot be searched, used and shared conveniently and efficiently. A searchable encryption scheme that makes mining encrypted cloud data efficient while guaranteeing its privacy and security is therefore of great practical significance. Given the potentially large number of users and volume of outsourced data in the cloud, meeting the requirements of privacy, system availability, scalability and efficiency at the same time makes this research topic extremely difficult and challenging.
A ciphertext search system with privacy protection typically involves three participants: the data owner, the data consumer and the CSP. An encryption algorithm such as AES (Advanced Encryption Standard) is generally used to encrypt the data, and a dedicated searchable encryption scheme is used to generate a secure index. Searchable encryption schemes fall into two main classes: searchable encryption based on symmetric keys (Searchable Symmetric Encryption, SSE) and searchable encryption based on asymmetric keys (Searchable Asymmetric Encryption, SAE).
The basic model of symmetric searchable encryption is that the data owner shares the same key with the data consumers. Searchable encryption over a single keyword usually builds an encrypted searchable index whose content is hidden from the server unless the server obtains a suitable trapdoor generated with the key. This kind of scheme was first proposed by Song et al., who encrypt each word of a document one by one with a special two-layer encryption method; searching the ciphertext requires traversing the whole document to confirm whether the required keyword is present, so search efficiency is relatively low. Later, Goh, Chang and Curtmola et al. gave more thorough security definitions for SSE. Goh's scheme uses a pseudo-random function (Pseudorandom Function) and a Bloom filter (Bloom Filter) to build a secure index for each document; search time is proportional to the number of documents, but the error introduced by the Bloom filter means the search results are not fully correct. Chang et al. and Curtmola et al. proposed, at almost the same time, schemes that use pseudo-random techniques to generate the index for keywords and the query request for the user, improving search efficiency; however, these schemes support data updates poorly, requiring a large amount of computation to update and possibly even rebuilding all indexes. Later, Kamara et al. proposed a ciphertext retrieval method that supports document updates. Wang et al. studied keyword search with secure ranking, using an inverted index (Inverted Index) and order-preserving encryption (Order Preserving Encryption) to keep keyword frequencies in documents secret and ranking search results by keyword frequency rather than returning undifferentiated results. Recently, Naveed et al. proposed a searchable encryption scheme based on blind storage (Blind Storage) that greatly improves search efficiency; more importantly, the use of blind storage hides the data consumer's access pattern (Access Pattern), which the overwhelming majority of existing schemes cannot do. Cao et al. build an index vector for each document, use matrix encryption, and after a query rank by the value of the vector inner product to achieve multi-keyword search over encrypted data, returning the top n documents of the query result; but because all documents must be traversed, search efficiency and search accuracy are relatively low.
The basic model of asymmetric searchable encryption is that anyone holding the public key can write data stored on the server, but only an authorized user holding the private key can search the ciphertext. Boneh et al. first proposed a searchable encryption scheme based on asymmetric keys, and Abdalla et al. later improved SAE. Searchable encryption techniques for Boolean keyword queries, subset queries, range queries and so on followed in succession. Kerschbaum et al. proposed an asymmetric searchable encryption technique based on identity-based encryption. Lin et al. reduced the use of bilinear pairings, which are unavoidable in asymmetric-key searchable encryption schemes, and proposed a ciphertext search scheme that supports single-keyword search and is suitable for network identification. Hwang et al. proposed a searchable encryption scheme that supports conjunctive queries over fixed (non-free) keywords and lets the server control search permissions through a user list; the scheme suits multi-user scenarios in enterprise environments but unfortunately scales poorly, and its efficiency drops sharply when handling large numbers of users. Li et al. used predicate encryption to propose a delegatable asymmetric searchable encryption scheme for multi-user scenarios, but in that scheme the data consumer's query request must be generated by a trusted third party, which is inefficient. Sun et al. first proposed an authorized searchable encryption scheme based on attribute-based encryption: the data owner generates the index with an access control policy, and the target document can be accessed only when the user attributes implied by the data consumer's trapdoor satisfy the access policy contained in the index and the index corresponds to the keyword the user searches for. The scheme supports both single-keyword search and conjunctive search over a fixed set of keywords, and scales well.
In summary, existing symmetric searchable encryption techniques are relatively efficient and can support free multi-keyword queries, but owing to the authentication principle of symmetric cryptography, traditional symmetric-key searchable encryption mostly does not support complex multi-user scenarios; with a huge number of users and access control requirements, it shows low flexibility and scalability, which limits where it can be applied. By contrast, asymmetric searchable encryption is better suited to complex multi-user models and can use bilinear pairings (Bilinear Pairing) to compute over range data represented as keyword vectors, achieving the ciphertext range search that symmetric encryption generally struggles to support; but precisely because bilinear pairings are unavoidable, search efficiency is low, and in addition most schemes cannot support free multi-keyword queries, which also limits their practical application. Overall, existing research lacks support for complex query conditions, ciphertext data updates and access control under the complex "many data owners, many data consumers" user model, or achieves them at too high a cost, with low efficiency and availability.
Summary of the invention
The technical problem to be solved by the invention is to provide, in view of the shortcomings of the prior art, a privacy-preserving searchable encryption method in a cloud storage environment.
To solve the above technical problem, the technical solution adopted by the invention is a privacy-preserving searchable encryption method in a cloud storage environment, implemented mainly as follows. Let L = {l_i | 1 ≤ i ≤ card(L)} denote all card(L) user identity types in the IBS-SSE system model, where card(L) is the cardinality of the set L; each data consumer belongs to one of these identity types, and 1 ≤ x ≤ card(L). For a document F, if the document owner specifies that the identity types of the data consumers allowed to access F form a set of cardinality x, then the h independent hash functions of a Bloom filter, HASH = {H_1, H_2, ..., H_h}, map the x elements of that set into a bit-string vector P of length q. P is the access control policy bound to document F; P is written into the index document together with the identifier of F and stored in the IBS-SSE system model. When a data consumer wants to access F, the access control executor, after obtaining the index document related to F, uses the Bloom filter to decide from P whether the data consumer's identity type l belongs to the authorized set: if it does, the match succeeds; otherwise the match fails.
The generation of access control policy P comprises: first create a bit-string vector P of length q and initialize every bit of P to 0; for every element l_i of the authorized set, hash l_i with each function in the hash function group HASH to obtain h hash addresses H_1(l_i), H_2(l_i), ..., H_h(l_i); update the Bloom filter vector according to these h addresses by changing the bits at those positions from 0 to 1; finally, return the updated Bloom filter vector as the access control policy.
The access control matching proceeds as follows: first create an integer flag = 0; for the visitor's identity type l, hash l with each function in the hash function group HASH to obtain h hash addresses H_1(l), H_2(l), ..., H_h(l); check one by one the bits of vector P indexed by these addresses: if a bit is 1, then flag += 1; if a bit is 0, the match fails. Finally, if flag = h, the match succeeds.
A document comprises a document identifier ID, a document attribute combination and the ordinary document content f. The dimension of the document attribute combination is denoted Dim = n + m; the combination consists of Dim attribute fields, each containing one attribute value, where r_k denotes the value of range-type attribute R_k and w_y denotes the value of keyword-type attribute W_y. Let |R_k| denote the number of possible attribute values of field R_k and |W_y| the number of possible attribute values of field W_y. In the document collection FILE, let Α be the set of all document attribute combinations; then the cardinality of Α is card(Α) = |R_1| × |R_2| × ... × |R_n| × |W_1| × |W_2| × ... × |W_m|, where 1 ≤ k ≤ n and 1 ≤ y ≤ n.
Obtaining the index documents related to F comprises the following steps:
1) The access trapdoor Q is received from a data user. Q describes the data consumer's search conditions: it states the data consumer's requirements on each attribute field value of the target documents, and UID indicates the identity of the access requester. Specifically, D_R describes the requirement on the value of a range-type attribute and may be a single value or a numeric range, while D_W describes the requirement on the value of a keyword-type attribute and may be any number of keywords. When the data consumer specifies attribute field R_x with [r_x1, r_x2] (r_x1 ≤ r_x2), the order-preserving transformation function X is applied to it to obtain its encrypted form; when the data consumer specifies attribute field W_x with z keywords, the full-domain pseudo-random function Ψ is used to encrypt them and obtain their encrypted form. After receiving Q, the access control executor CA queries the two-dimensional query tables according to Q for the identifiers (IID)s of the qualifying index documents and combines all corresponding (addr)s tuples into a subset S_Q; the total number of data blocks indexed by S_Q is denoted size_Q. When at least one range-type attribute field condition in Q is non-empty, the attribute R_min with the smallest given value range is selected, 1 ≤ min ≤ n; using the given minimum value range, CA locates the matching tuples in the two-dimensional query table T_min, which is sorted by R_min, and then matches the other attribute fields. When all range-type attribute field conditions in Q are empty, the tuples of any table in the two-dimensional query table set T are matched directly;
2) After obtaining S_Q, CA selects a random number τ and generates a pseudo-random integer sequence V ← Γ(τ); the first β·size_Q distinct integers of V form the pseudo-random subset V_Q, which is the obfuscation subset prepared for the access operation of trapdoor Q. Γ is a pseudo-random number generator (PRNG); n_B = α·b_max, where α and β are the expansion factor and the obfuscation factor of IBS respectively, and b_max is the upper limit on the number of data blocks available for storage in array B.
3) CA shuffles the data blocks indexed by S_Q and V_Q together and downloads them to the local side, then decrypts the data blocks indexed by S_Q and recovers the corresponding index documents. B[i] is the i-th data block of B, and B is an array containing n_B = α·b_max data blocks; Φ is a pseudo-random function, K_Φ is the key for Φ, and v_i is the version number of the i-th data block; that is, Φ and K_Φ are used to apply pseudo-random processing to the string (v_i || i).
4) After recovering the index documents with identifiers (IID)s, CA traverses the terminal list FS according to (IID)s; if FS contains an update request for an index document, CA first applies the update, removes the request, and then uses the updated index document as the corresponding index document;
5) When a new index document needs to be added, first check whether the identifier of the index document to be added exists in T; if it does, perform a write operation; if it does not, add the index document by the following steps:
5a) Take the index document set IND, the data block upper limit b_max, the two-dimensional query table set T and K_IBS as input, and split each index document I_i in IND into size_i data blocks. When the total byte length length_i of I_i is not divisible by ω, the first length_i/ω data blocks have size ω and the last data block, which is smaller than ω, is padded to ω with 0s. Every data block contains two header fields: one records IID_i and the other records the version number v_i of I_i, with v_i initialized to 0;
5b) Let B be an array containing n_B = α·b_max data blocks, with all data blocks in B initialized to 0s. For each index document I_i in IND, generate an integer sequence S ← Γ(σ) with seed σ = IID_i, select size_i distinct integers from the start of sequence S, and ensure that the data blocks of B indexed by these integers are empty; using Λ to denote the leading integers generated from σ by the PRNG Γ, create a pseudo-random subset S_i = Λ[σ, size_i];
5c) Write the size_i data blocks split from I_i, in ascending order, into the data blocks of B indexed by S_i; these data blocks are marked non-empty;
5d) Update the addr_i field of the tuple corresponding to I_i in the two-dimensional query table set T to S_i;
5e) Encrypt all data blocks in B using the pseudo-random function Φ.
Compared with the prior art, the beneficial effects of the invention are as follows: the invention solves the problem that existing symmetric searchable encryption schemes struggle to support complex-condition search that combines arbitrary multi-dimensional keyword queries with range queries; and it solves the problem that existing symmetric searchable encryption schemes are difficult to apply efficiently and securely to a multi-source data-user model and to enforce access control over diverse data users.
Brief description of the drawings
Fig. 1 shows the data upload model of an embodiment of the invention;
Fig. 2 shows the data search (access) model of an embodiment of the invention;
Fig. 3 shows the different index storage models of BS and IBS;
Fig. 4 shows the key operation flow of the IBS scheme of the invention in the data search stage;
Fig. 5 shows the experimental results of building the index for data sets when the attribute dimension is fixed;
Fig. 6 shows the relationship between the computational cost of index retrieval and data set size when search requests are issued with the same query trapdoor Q;
Fig. 7 shows the computation time overhead of searching data sets of different sizes with different trapdoors Q_1, Q_2 and Q_3 when the attribute dimension of the data set documents is fixed at Dim = 9;
Fig. 8 shows, for a data set attribute dimension of Dim = 9, the proportion of the total overhead of an index retrieval operation that is taken by updating one index document during that operation;
Fig. 9 shows the time to complete one access control match for data sets of different attribute dimensions and data volumes;
Fig. 10 shows the relationship between the computation time overhead of adding one document and the attribute dimension and data volume of the data set.
Detailed description of the invention
The IBS-SSE system model consists of four entities: data owners, data consumers, the central authority CA and the cloud service provider CSP. Fig. 1 and Fig. 2 show the scheme's data upload model and data search (access) model respectively. IBS-SSE consists mainly of eight polynomial-time algorithms: IBS-SSE.Setup, IBS-SSE.IndexGen, IBS-SSE.Enc, IBS-SSE.Trapdoor, IBS-SSE.Search, IBS-SSE.Dec, IBS-SSE.AddUser and IBS-SSE.AddDoc. To achieve complex-condition search and user access control under the multi-source data-user model efficiently and securely at the same time, the invention designs and uses two key techniques in these main algorithms: Index Blind Storage (IBS) and a ciphertext-related user identity access control method. Both techniques are introduced first, followed by the algorithm definitions of IBS-SSE.
1. IBS storage mechanism
IBS is inspired by the blind storage mechanism BS and is designed for the storage management of index documents rather than of the documents themselves. It aims to provide, for searchable encryption schemes built on IBS, an encrypted storage mechanism that supports complex-condition search, including arbitrary multi-dimensional keyword queries and range queries. To this end the invention modifies the architecture and algorithm details of BS, adopts a series of pseudo-random functions, and introduces the two-dimensional query table set T implemented in MySQL, the access trapdoor Q, the obfuscation factor β and the terminal list FS. IBS consists of three polynomial-time algorithms that run on the CA side. (Unlike the original BS scheme, and in order to fit the complex "multi-owner, multi-user" model of enterprise environments, in IBS the main executor of these algorithms and the chooser of the related parameters is changed from the data owner's own client to the client of the central authority CA; the CA side uniformly builds indexes for data from many data owners and processes data search requests from many data consumers.) Fig. 3 shows the different index storage models of BS and IBS.
IBS.KeyGen(λ):
The key generation algorithm takes the security parameter λ as input, outputs the key K_Φ for the pseudo-random function PRF, and outputs the key K_Ψ for the full-domain pseudo-random function FD-PRF. Finally it outputs K_IBS = (K_Φ, K_Ψ) and stores K_IBS on the CA client.
IBS.Initial(IND, b_max, T, K_IBS):
The initialization algorithm takes the index document set IND, the data block upper limit b_max, the two-dimensional query table set T and K_IBS as input. Each index document I_i in IND is split into size_i data blocks, each of size ω; size_i is computed as follows:
$$
size_i = \begin{cases}
length_i / \omega & \text{if } length_i \bmod \omega = 0 \\
(length_i / \omega) + 1 & \text{if } length_i \bmod \omega \neq 0
\end{cases}
$$
When the total byte length length_i of index document I_i is not divisible by ω, the first length_i/ω data blocks have size ω, and the last data block, which is smaller than ω, is padded to ω with 0s. Every data block contains two header fields: one records IID_i and the other records the version number v_i of I_i, with v_i initialized to 0.
Let B be an array containing n_B = α·b_max data blocks, with all data blocks in B initialized to 0s. For each index document I_i in IND, perform the following operations:
(1) With σ = IID_i as the seed, generate a sufficiently long integer sequence S ← Γ(σ); select size_i distinct integers from the start of sequence S, ensuring that the data blocks of B indexed by these integers are empty. Using Λ to denote the leading such integers generated from σ by the PRNG Γ, create a pseudo-random subset S_i = Λ[σ, size_i].
(2) Write the size_i data blocks split from I_i, in ascending order, into the data blocks of B indexed by S_i; these blocks are marked non-empty.
(3) Update the addr_i field of the tuple corresponding to I_i in the two-dimensional query table set T to S_i.
Afterwards, CA encrypts all data blocks in B using the pseudo-random function Φ and sends the encrypted B to the CSP. For the i-th data block in B, its encrypted form is
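The block layout that IBS.Initial describes, together with the obfuscation subset V_Q used later by IBS.Access, as an added example (not code from the patent). Assumptions: HMAC-SHA256 in counter mode stands in for the PRNG Γ; the values of ω, α and b_max and the two sample index documents are constructed; the final encryption of B with Φ is left out because its expression does not appear in this text.

```python
import hashlib
import hmac

OMEGA = 16            # block payload size ω in bytes (constructed value)
ALPHA = 4             # expansion factor α (constructed value)
B_MAX = 8             # data block upper limit b_max (constructed value)
N_B = ALPHA * B_MAX   # n_B = α·b_max blocks in array B


def gamma(seed: bytes, modulus: int):
    """Stand-in for the PRNG Γ (assumption): HMAC-SHA256 in counter mode,
    each output reduced to a block position in [0, modulus)."""
    counter = 0
    while True:
        mac = hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        yield int.from_bytes(mac[:8], "big") % modulus
        counter += 1


def split_blocks(iid: str, doc: bytes, omega: int = OMEGA):
    """Split an index document into size_i blocks of ω bytes; the last block
    is padded with zero bytes when length_i is not a multiple of ω."""
    size_i = len(doc) // omega + (1 if len(doc) % omega else 0)
    blocks = []
    for k in range(size_i):
        payload = doc[k * omega:(k + 1) * omega].ljust(omega, b"\x00")
        # Two header fields per block: IID_i and the version number v_i = 0.
        blocks.append({"iid": iid, "version": 0, "payload": payload})
    return blocks


def select_subset(seed: bytes, count: int, store, require_empty: bool):
    """First `count` distinct integers of Γ(seed). With require_empty set,
    positions whose block in B is already occupied are skipped."""
    free = sum(b is None for b in store) if require_empty else len(store)
    if count > free:
        raise ValueError("not enough blocks in B for the requested subset")
    chosen = []
    stream = gamma(seed, len(store))
    while len(chosen) < count:
        idx = next(stream)
        if idx in chosen or (require_empty and store[idx] is not None):
            continue
        chosen.append(idx)
    return chosen


def initial(index_docs: dict, n_b: int = N_B):
    """IBS.Initial up to, but not including, the encryption of B."""
    store = [None] * n_b     # None marks an empty block
    addr = {}                # stands for the addr_i field of each tuple in T
    for iid, doc in index_docs.items():
        blocks = split_blocks(iid, doc)
        s_i = sorted(select_subset(iid.encode(), len(blocks), store, True))
        for pos, block in zip(s_i, blocks):   # written in ascending order
            store[pos] = block
        addr[iid] = s_i
    return store, addr


def obfuscation_subset(tau: bytes, size_q: int, beta: int, n_b: int = N_B):
    """V_Q: the first β·size_Q distinct integers of Γ(τ)."""
    return select_subset(tau, beta * size_q, [None] * n_b, False)


def read_document(store, addr, iid: str) -> bytes:
    """Reassemble the zero-padded index document from the blocks in addr_i."""
    return b"".join(store[pos]["payload"] for pos in addr[iid])


# Constructed sample index documents, keyed by their identifiers IID_i.
INDEX_DOCS = {
    "IID-001": b"dept=finance;year=2016;kw=audit",
    "IID-002": b"dept=hr;kw=payroll",
}

if __name__ == "__main__":
    B, T_ADDR = initial(INDEX_DOCS)
    for iid, positions in T_ADDR.items():
        print(iid, "-> blocks", positions)
    size_q = len(T_ADDR["IID-001"])
    print("obfuscation subset V_Q:", obfuscation_subset(b"tau-demo", size_q, beta=3))
```

Because S_i depends only on the seed IID_i and on which blocks are already occupied, the CA can recompute or look up the positions, while the CSP sees reads spread over the real blocks and the β·size_Q obfuscation blocks.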
IBS.Access(Q, op, T, K_IBS):
The data access algorithm takes the access trapdoor Q, the operation indicator op, the two-dimensional query table set T and K_IBS as input. Among all document operations op ∈ {read, write, alter, delete}, the write operation write, the modify operation alter and the delete operation delete are all attached to the read operation read through a lazy (delayed) update method, to lighten the operating burden on CA.
(1) After receiving the access trapdoor Q from a data user, CA queries the two-dimensional query tables according to Q for the qualifying (IID)s and combines all corresponding (addr)s into a subset S_Q; the total number of data blocks indexed by S_Q is denoted size_Q. Specifically, when at least one range-type attribute field condition in Q is non-empty, the attribute R_min (1 ≤ min ≤ n) with the smallest given value range is selected. Because the tuples in T_min are arranged in ascending order of attribute value, CA can use the given minimum value range to quickly locate the tuples in T_min that satisfy it and then, with the tuple query scope reduced, match the other attribute fields. When all range-type attribute field conditions in Q are empty, the tuples of any table in T are matched directly. The matching in this stage is done mainly by MySQL.
(2) After obtaining S_Q, CA selects a random number τ and generates a sufficiently long pseudo-random integer sequence V ← Γ(τ). The first β·size_Q distinct integers of V form the pseudo-random subset V_Q, which is the obfuscation subset prepared for the access operation of trapdoor Q.
(3) CA shuffles the data blocks indexed by S_Q and V_Q together and downloads them to the local side, then decrypts the data blocks indexed by S_Q and recovers the corresponding index documents.
(4) After recovering the index documents with identifiers (IID)s, CA traverses the terminal list FS according to (IID)s. If FS contains an update request for an index document, CA first applies the update, removes the request, and then passes the updated index document on to the subsequent tasks. A write operation write on I_i can encounter two cases:
(a) If the number of data blocks size_i' of the updated I_i' is the same as before the update, CA only needs to write the data to be written, data_new, into the last data block of I_i, set the version number of all data blocks of I_i to v_i = v_i + 1, then encrypt these data blocks and send them back to B together with the obfuscation blocks to complete the update.
(b) If the number of data blocks size_i' of the updated I_i' is greater than before the update, CA needs to compute a subset S_new and fetch from B the empty data blocks indexed by S_new together with (β-1)(size_i' - size_i) obfuscation data blocks (for the generation of S_new, see step 1 of IBS.Initial). S_new and S_i are merged to obtain S_i' = S_i ∨ S_new. After the data are written, the version numbers updated and the data blocks encrypted, the data blocks belonging to I_i' are sent back to B together with the obfuscation blocks. Finally, the addr_i field of I_i in T is updated to S_i'.
The modify operation alter and the delete operation delete are implemented in essentially the same steps as the write operation write; they differ in the content of the update (the delete operation replaces the data block contents with 0s and marks the blocks empty). Fig. 4 shows the key operation flow of the IBS scheme in the data search stage.
In addition, when a new index document needs to be added, first check whether the identifier of the index document to be added already exists in T. If it does, perform the write operation write; if it does not, add the index document following the steps of IBS.Initial. (Note that when the initialization algorithm runs, B is local, whereas when document I_i is added later, B is stored at the CSP. In that case S ← Γ(IID_i) must be computed, a subset of length size_i and a subset of length α·size_i determined from S, the indexed data blocks downloaded from B to the local side, and the blocks indexed by S_i then overwritten with the data to be added.)
2. Ciphertext-related user identity access control method
A system designed on IBS-SSE can involve data consumers of different identity types, and a data owner has the right to specify an access control policy for its documents. For this purpose the present invention designs a simple user identity access control method related to the ciphertext policy, whose core is a Bloom filter. Let L = {li | 1 ≤ i ≤ card(L)} denote all card(L) user identity types in the IBS-SSE system model; each data consumer belongs to one of these identity types. For a document F, if the document owner specifies that the identity types of the data consumers allowed to access the document belong to a set of cardinality x (1 ≤ x ≤ card(L)), then the h independent hash functions HASH = {H1, H2, ..., Hh} of the Bloom filter map the x elements of that set into a bit-string vector P of length q. P is the access control policy bound to document F; it is written into the index document together with the identifier of F and stored in IBS. When a data consumer wants to access F, the CA, which enforces access control, runs IBS.Access to obtain the index document related to F and then uses the Bloom filter to judge from P whether the identity type l of this data consumer belongs to the authorized set. If it does, the match succeeds; otherwise the match fails. The generation of the access control policy P and the access control matching are implemented as shown in Algorithm 1 and Algorithm 2, respectively:
3. IBS-SSE scheme
The dynamic symmetric searchable encryption scheme IBS-SSE mainly consists of the following 8 polynomial-time algorithms, through which interaction with the blind storage server takes place. The scheme uses the index blind storage mechanism IBS to store and manage index documents, and through it realizes complex-condition search.
IBS-SSE.Setup: runs at the CA. Takes the security parameter as input and outputs the key KSSE for all cryptographic primitives in the scheme; creates the user list, assigns user IDs to existing users and sets their identity types.
IBS-SSE.IndexGen: runs at the CA. Takes a batch of documents and all possible document attribute combinations within it as input; assigns a document identifier to every document and generates its access control policy with the ciphertext-related user identity access control method; generates the index document set and initializes the IBS mechanism with the IBS.Initial algorithm to process the index documents.
IBS-SSE.Enc: may run at the CA or at the user side. Encrypts the documents to be added and sends them to the CSP; when running at the user side, it also sends the identifier, document attributes and access control policy of the document to the CA so that the index can be updated.
IBS-SSE.Trapdoor: runs at the user side. The visitor uses the search condition and his or her own identity to generate the search trapdoor Q and sends Q to the CA.
IBS-SSE.Search: runs at the CA. After receiving Q, the CA runs the IBS.Access algorithm to obtain the index documents corresponding to the search condition, performs authorization matching between the visitor's identity and the target documents according to the access control method, and finally asks the CSP to return the target documents that matched successfully.
IBS-SSE.Dec: runs at the user side. Takes ciphertext as input, decrypts it and restores the plaintext document.
IBS-SSE.AddUser: runs at the CA. First checks whether the new user already exists in the user list; if not, assigns a user ID to the user and specifies an identity type.
IBS-SSE.AddDoc: runs at the user side and at the CA. The user side encrypts and uploads the new document and informs the CA of the identifier, document attributes and access control policy of the new document; the CA updates the index according to the information received.
Compared with existing symmetric searchable encryption schemes: first, the present invention provides complex-condition search that includes arbitrary multi-dimensional keyword queries and range queries, remedying the single search condition of existing schemes; second, while keeping search and other key operations efficient, it shows strong scalability for handling massive data; third, it is applicable to the complex "multiple data owners, multiple data consumers" application model, guarantees the privacy of data content, search trapdoors and user identity, hides the data access pattern, and allows data owners to specify access authorization policies.
The advantages of this technique are demonstrated here mainly through functional comparison and experimental data. The experiments were implemented on a notebook computer running the Windows 7 operating system and equipped with an Intel Core i5-3210M processor and 4G of memory. The code is written in the Java language, the SQL language and open-source libraries, with Crypto++ used to implement the block cipher (AES) and the collision-resistant hash function (SHA256).
Table 1 gives a functional comparison between the IBS-SSE scheme proposed by the present invention, the BSTORE-SSE scheme proposed by Naveed et al. [11] and the EMRS scheme proposed by Li et al. [56]. All three schemes are designed on the basis of a blind storage mechanism. BSTORE-SSE hides the access pattern through the use of blind storage, but it only allows single-keyword search and therefore can hardly meet the diverse search requirements of practical applications. Building on BSTORE-SSE, EMRS achieves multi-keyword ranked search and access control, but neither it nor BSTORE-SSE can serve application scenarios with multiple data owners (i.e. multiple data sources). Drawing on the essence of the scheme of Naveed et al., the IBS-SSE scheme proposed by the present invention not only hides the access pattern from the CSP but also achieves complex-condition search including arbitrary multi-dimensional keyword queries and range queries. In addition, the EMRM system built with IBS-SSE can be flexibly applied to the "multiple owners, multiple users" user model and provides an access control method that addresses the access requirements and privacy requirements of different types of users.
Table 1
Next come the experimental results, which evaluate IBS-SSE in three parts: index building, search access and document addition. In the experiments, α = β = 4, to ensure that when the number of occupied data blocks in array B of the IBS mechanism is less than nB/4 the probability of an unexpected abort is perr ≤ 2^-40; the number of functions in the hash function group HASH is h = 7, to ensure that with card(L) = 3 and a vector P of length 32 the misjudgment probability of the Bloom filter in the access control method is minimal. The experiments are carried out on data sets with document attribute dimension Dim = 3, Dim = 6 and Dim = 9, and subsets of 128MB, 256MB, 512MB, 1G and 2G are taken from each of these three classes of data set to measure the computational overhead, with nB = 2 × 10^4.
1. Index building:
The performance measurement of the index building stage covers all operations of the IBS-SSE.IndexGen algorithm except plaintext index generation (contained in step (1)), mainly index document naming and the IBS.Initial algorithm (which includes splitting the index into blocks, writing the two-dimensional query table and encrypting the data blocks). The generation of the plaintext index is unrelated to the index generation performance of the searchable encryption scheme, and all other related research work ignores this operation by default. In this stage, index document naming takes little time; its time complexity is O(card(Α)), linearly related only to the number of attribute combinations of the data set (i.e. the number of index documents). IBS.Initial(IND, T, KIBS) accounts for most of the computational overhead; its time complexity can be written as O(card(Α) + nB), related only to the number of attribute combinations card(Α) of the data set and the length nB of B, and unrelated to the data volume of the data set. Fig. 5 confirms this: card(Α) multiplies as the document attribute dimension Dim increases, and the index building time grows linearly with card(Α); when card(Α) is fixed and the data sets differ in size, the index building time is essentially the same. As shown in the figure, when Dim = 6 the time required for index building stays between 13s and 15s. Thus, when the attribute dimension is fixed, this scheme can build indexes for data sets of different magnitudes in a stable length of time.
2. Search access:
The search access stage mainly comprises two primary operations, index acquisition and access control (note that only the operation of Situation-1 is considered here, because the document acquisition operation in Situation-2 is unrelated to the search performance that the present invention is concerned with, and its time overhead is negligible).
The index acquisition operation includes the generation of the trapdoor and the search and restoration (including update) of the index: the former is completed by IBS-SSE.Trapdoor with time complexity O(Dim), and the latter is mainly completed by the IBS.Access algorithm; neither is affected by data set size. Fig. 6 shows that when search requests are initiated with the same query trapdoor Q (containing multi-dimensional keyword query and range query conditions), the computational overhead of index acquisition is unrelated to data set size and is affected very little by the attribute dimension. In addition, as far as the present invention is aware, experimental results on searchable encryption schemes that support complex conditions with arbitrary multi-dimensional keyword queries and range queries are extremely limited. Compared with the functionally similar APKS scheme, when Dim = 9 and the number of indexes is the same, APKS needs 42s to complete an index search whereas IBS-SSE needs only 0.5s (and the IBS-SSE figure also counts the overhead of trapdoor generation, index restoration and update). Therefore, when Q is fixed, this scheme shows strong scalability and efficiency when searching data sets of different data volumes and attribute dimensions.
Fig. 7 shows the computation time overhead when data sets of different sizes are searched with different trapdoors Q1, Q2 and Q3 while the attribute dimension of the data set documents is fixed at Dim = 9, where the search conditions described in Q1, Q2 and Q3 are respectively: As shown in the figure, when the search condition is fixed and the data sets differ in size, the time overhead of index acquisition is essentially the same; when the search conditions differ and the data set size is the same, the time overhead of index acquisition also stays at about 0.5s. Therefore, when the attribute dimension is fixed, this scheme can complete searches for different Q on data sets of different sizes with stable efficiency.
Because IBS.Access uses a delayed (lazy) update method, the index acquisition stage also has to bear the computational overhead of index updates. In this scheme, the time taken by index updates is related only to the number of pending update requests concerned. Fig. 8 shows, for a data set attribute dimension of Dim = 9, the proportion of the total overhead of one index acquisition operation that is spent updating one index document (adding one row of data); the update operation accounts for very little and does not vary with data set size, so it has essentially no effect on the time overhead of index acquisition.
After the index documents are restored, the documents must complete authorization matching through the access control method. Fig. 9 shows the time to complete one access control match on data sets of different attribute dimensions and data volumes, obtained by dividing the total matching time by the total number of matched documents; the computational overhead consumed is almost 0 and can be ignored.
3. Document addition:
When a document Fnew is added to the data set, the data uploader needs to assign FIDnew to Fnew, generate the trapdoor used for the update request, and formulate the access authorization policy Pnew through the access control method; the CA needs to write the content to be updated into the FS list. The amount of computation required is unrelated to the data volume of the data set itself. Fig. 10 shows the relation between the computation time overhead of adding one document and the data set attribute dimension and data volume: the time taken by the document addition operation is not affected by the size of the data set itself, is affected very little by the attribute dimension, and stays at around 0.2s.
The symmetric searchable encryption scheme IBS-SSE, designed on the IBS storage mechanism, can be implemented in code with the Java language combined with the SQL language. Take the case where the target stored documents are an electronic medical record data set FILE. An example of the structure of a document composing FILE is shown in Table 1 and can be presented in xml file format, where is the shared content, f represents the medical record content, and represents the medical record attribute content; is the private identity information of the document owner, which only the owner and authorized data consumers can access under a specific security mechanism. Α is the set of all possible attribute combinations in FILE; an attribute combination consists of Dim = n + m attribute domains in total, and each attribute domain contains one attribute value. Here rx denotes the attribute value of the range-type attribute Rx; range-type attributes generally refer to numeric attributes whose values can be arranged in order, such as "age" or "date". wx denotes the attribute value of the keyword-type attribute Wx; keyword-type attributes generally refer to character-type attributes such as "sex" or "position". The attribute dimension of F can be extended; to simplify the statement below, F is temporarily assumed to consist of a three-dimensional attribute domain, where r is the attribute value of attribute domain R (representing "age"), and w1 and w2 are the attribute values of attribute domain W1 (representing "sex") and attribute domain W2 (representing "disease type") respectively; in this case card(Α) = |R| × |W1| × |W2|.
Table 1
From the point of view of the identity of the data accessor and the purpose of the data access, there are two data access situations in the IBS-SSE.Trapdoor, IBS-SSE.Search and related algorithm stages: let Situation-1 denote the case in which the data accessor Ui is an individual or institution that, for a legitimate reason, needs to search data by specific query conditions and is not the data owner; let Situation-2 denote the case in which the data accessor Ui is the data owner or a person authorized to obtain the data directly. The specific embodiments of the main IBS-SSE algorithms are as follows:
IBS-SSE.Setup (λ):
At the system setup stage, the CA takes the security parameter λ as input.
(1) Using the open-source Crypto++ library, generate the key KSSE = KIBS for the cryptographic primitives used by the system.
(2) Create the user list UL from the set of known users; the list length is denoted |UL|. The i-th node in UL represents user Ui = <UIDi, UNi, BIi, TSi, εi>, where UIDi is the ID of Ui, UNi is the user name of Ui, BIi contains the basic information of Ui (including name, age, address, contact details, occupation, etc.), TSi is the timetable of each time Ui generates and uploads a new document, and εi is the random factor belonging to Ui. UIDi is generated by applying the full-domain collision-resistant hash transformation Η to the unique identity card number idi of Ui and concatenating the result with l, as follows:
si←H(idi) (1)
UIDi = <si || l> (2)
si is the transformed form of idi (represented here as a string of length |si|), and l ∈ L is the character marking the user identity type of Ui.
(3) Send <UIDi, TSi, εi> to user Ui.
UIDi serves as the user's identification in the system and as the key for encrypting and decrypting the user's private identity data; it can be held only by Ui personally (the CA of course also needs to keep a copy). In practical applications, UIDi can be recognized and used by scanning; if conditions permit, biometric information such as a fingerprint or iris can be used as si in place of idi to generate UIDi, thereby strengthening security.
IBS-SSE.IndexGen (FILE, Α):
The index generation algorithm takes the set FILE of documents F and the set Α of all its possible attribute combinations as input and performs the following operations:
(1) Generate a document identifier FIDj for every document Fj ∈ FILE as follows:
$FID_j \leftarrow H(UID \,\|\, t) \oplus \varepsilon$
where UID is the ID of the owner of Fj, t is the generation time of Fj, and ε is the random factor exclusive to the document owner. Meanwhile, according to the access rights that the owner of Fj specifies for it, the access policy Pj is generated by the ciphertext-related user identity access control method; Pj is a 32-bit bit-string vector.
(2) Initialize and build the index document set IND and the two-dimensional query table T for FILE; Algorithm 3 describes the building process:
For any attribute combination, create one index document Ii. Let denote the set of identifiers of all documents that satisfy the document attributes. T = {Tj | 1 ≤ j ≤ card(Α)} is a set of two-dimensional query tables of 3 columns × card(Α) rows that will be used for index document lookup; each row tuple corresponds to one index document Ii and contains the identifier IIDi of Ii, the j-th range-type attribute threshold value after order-preserving transformation, and the string addri recording the addresses in IBS of the data blocks into which Ii is split by format (initialized to empty). T is simplified here to T = {T}, and all its tuples are arranged in ascending order of Er.
(3) Run IBS.Initial(IND, T, KIBS) to initialize IBS.
(4) Send the index document set IND stored in IBS to the CSP and keep T locally at the CA. Because in this scheme the CSP is only responsible for uploads and downloads and performs no computation, the CSP side can be implemented directly with a cloud storage application such as Dropbox.
IBS-SSE.Enc (FILE):
The encryption stage takes the document set FILE as input. Any document is encrypted in the following partitioned manner:
$SE_{FID}(\dot{F}) \rightarrow \dot{C}$
$SE_{UID}(\ddot{F}) \rightarrow \ddot{C}$
The result is then sent to and stored at the CSP.
Partitioned encryption of the shareable data and the identity privacy data lays the foundation for protecting user identity privacy and for meeting the access requirements of different types of users. In addition, the traditional symmetric encryption algorithm AES is used here to encrypt documents; a more complex encryption mechanism (such as BS) can also be used flexibly to seek higher security.
IBS-SSE.Trapdoor ():
(1) In Situation-1, Ui should submit a search trapdoor to the CA, in which the attribute conditions describe the different requirements of Ui on each attribute threshold of the target documents (i.e. the query conditions) and UIDi indicates the identity of Ui. It must be emphasized that, to guarantee accurate description of the different attribute domains, the input format must be fixed, while the description itself can be very flexible. Specifically, Ui can specify a single value or a numerical range for a range-type attribute (for example, setting the DR representing age to "5" or "1~5"); when the data consumer gives a search condition on attribute domain Rx, applying the order-preserving transformation function X to DR gives its encrypted form. Ui can specify any number of keywords for a keyword-type attribute (for example, setting the condition representing disease type to "cold, fever, cough" or "hypoglycemia"); when the data consumer defines attribute field Wx with z keywords, encrypting DW with the full-domain pseudo-random function Ψ gives its encrypted form. If there is no particular requirement on an attribute field, its attribute value is allowed to be empty. If the value of every attribute field is empty, the target documents are the whole set.
(2) In Situation-2, the data owner Ui can learn the FID of the target document from information local to the user client. Specifically, FID is calculated from UIDi, the generation time t in TSi, and εi.
IBS-SSE.Search(Q,T,KIBS):
(1) In Situation-1, after receiving the search trapdoor Q from Ui, the CA runs IBS.Access, queries with SQL, and obtains, decrypts and restores the index documents corresponding to the search condition described in Q. The CA then performs access authorization matching between UIDi and all the (FID, P)s contained in the index documents by the access control method, and finally requests the CSP to return the ciphertext data of the documents identified by the FIDs that matched successfully.
(2) In Situation-2, Ui can directly request the CSP to return the ciphertext data of the target document according to FID.
IBS-SSE.Dec (C):
The decryption algorithm takes the ciphertext as input. Ui can recover the shared part of F. Only the data owner and authorized persons can recover the identity privacy part.
IBS-SSE.AddUser (s', l', UN', BI', TS'):
After a request to add a new user is received, the user list UL is first checked according to s' for whether this user already exists. If not, the CA assigns UID|UL|+1 = <s' || l'> to the new user, links U|UL|+1 = <UID|UL|+1, UN', BI', TS', ε'> into UL, and sets |UL| = |UL| + 1. It then informs the new user of <UID|UL|+1, TS', ε'>.
IBS-SSE.AddDoc(Fnew):
(1) First, the data uploader executes the Enc algorithm and uploads the encrypted Fnew to the CSP. At the same time, it sends to the CA the document identifier of Fnew, the trapdoor describing its attributes and owner identity, and the access control policy.
(2) The CA checks whether the owner of Fnew exists in the user list UL; if not, it first executes the AddUser algorithm.
(3) In due course the CA calls the algorithm to complete the update of the relevant index documents.
In the present invention, the relevant parameter symbols are described in the following table:

Claims (4)

1. A privacy-protection-based searchable encryption method in a cloud storage environment, characterized in that the method is mainly implemented as follows: let L = {li | 1 ≤ i ≤ card(L)} denote all card(L) user identity types in the IBS-SSE system model, where card(L) denotes the cardinality of the set L of user identity types li and each data consumer belongs to one of these identity types; for a document F, if the document owner specifies that the identity types of the data consumers allowed to access document F belong to a set of cardinality x, then the h independent hash functions HASH = {H1, H2, ..., Hh} of the Bloom filter map the x elements of that set into a bit-string vector P of length q; P is the access control policy bound to document F and is written into the index document together with the identifier of F and stored in the IBS-SSE system model; when a data consumer wants to access F, the executor of access control, after obtaining the index document related to F, judges through the Bloom filter, according to P, whether the identity type l of this data consumer belongs to the authorized set; if it does, the match succeeds, otherwise the match fails; 1 ≤ x ≤ card(L).
2. The privacy-protection-based searchable encryption method in a cloud storage environment according to claim 1, characterized in that the generation of the access control policy P comprises: first creating a bit-string vector P of length q and initializing every bit of P to 0; for any element li of the authorized set, hashing li with each function in the hash function group HASH in turn to obtain h hash addresses H1(li), H2(li), ..., Hh(li); updating the Bloom filter vector according to these h addresses, so that the values at these positions of the Bloom filter vector are changed from 0 to 1; and finally returning the successfully updated Bloom filter vector as the access control policy;
the access control matching is implemented as follows: first create an integer flag = 0; for the identity type l of the visitor, hash the identity type with each function in the hash function group HASH in turn to obtain h hash addresses H1(l), H2(l), ..., Hh(l); check one by one the bit values in vector P indexed by these addresses; if a value is 1, then flag += 1; if a value is 0, the match fails. Finally, if flag = h, the match succeeds.
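The policy generation and matching steps of claim 2 (the same Bloom-filter method the description introduces under the user identity access control method), as an added Python example that is not part of the patent. Deriving the h hash functions from SHA-256 with an index prefix and the identity type names are assumptions; q = 32 and h = 7 follow the experimental settings in the description. The example also evaluates the misjudgment probability, that is, the chance that an identity type outside the authorized set still passes the match.

```python
import hashlib

Q_BITS = 32   # length q of the policy vector P (the description uses 32 bits)
H_FUNCS = 7   # number h of hash functions (the experiments use h = 7)


def positions(identity_type, h=H_FUNCS, q=Q_BITS):
    """Hash addresses H_1(l)..H_h(l).

    Assumption of this example: H_k(l) = SHA-256(k || l) mod q.
    """
    out = []
    for k in range(1, h + 1):
        digest = hashlib.sha256(bytes([k]) + identity_type.encode("utf-8")).digest()
        out.append(int.from_bytes(digest[:8], "big") % q)
    return out


def generate_policy(authorized_types):
    """Policy generation: start from an all-zero P and set the h addressed
    bits for every authorized identity type. P is returned as an integer."""
    p = 0
    for l_i in authorized_types:
        for pos in positions(l_i):
            p |= 1 << pos
    return p


def match(p, identity_type):
    """Access control matching: every addressed bit must be 1 (flag == h)."""
    flag = 0
    for pos in positions(identity_type):
        if ((p >> pos) & 1) == 0:
            return False          # a single 0 bit means the match fails
        flag += 1
    return flag == H_FUNCS


def false_positive_rate(x, h=H_FUNCS, q=Q_BITS):
    """Standard Bloom-filter estimate of the misjudgment probability when
    x identity types have been inserted: (1 - (1 - 1/q)^(h*x))^h."""
    return (1.0 - (1.0 - 1.0 / q) ** (h * x)) ** h


def count_false_positives(p, n):
    """Empirical check: how many of n constructed, never-inserted identity
    type names still pass the match against policy p."""
    return sum(match(p, "unlisted-type-%d" % i) for i in range(n))


# Constructed sample: card(L) = 3 identity types, two of them authorized.
ALL_TYPES = ["doctor", "researcher", "insurer"]
POLICY = generate_policy(["doctor", "researcher"])

if __name__ == "__main__":
    print("P = {:032b}".format(POLICY))
    for t in ALL_TYPES:
        print(t, "->", "match" if match(POLICY, t) else "no match")
    for x in (1, 2, 3):
        print("x = %d: estimated misjudgment probability %.2e"
              % (x, false_positive_rate(x)))
```

An authorized type can never be rejected, but a type outside the authorized set is accepted with the estimated probability printed above, so a deployment that cannot tolerate that should confirm a match against an exact list.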
3. The privacy-protection-based searchable encryption method in a cloud storage environment according to claim 1, characterized in that a document comprises the document identifier ID, the document attribute combination content and the document shared content f; the dimension of the document attribute combination is denoted Dim = n + m; the attribute combination consists of Dim attribute domains and each attribute domain contains one attribute value, where rk denotes the attribute value of the range-type attribute Rk and wy denotes the attribute value of the keyword-type attribute Wy; let |Rk| denote the number of all possible attribute values of domain Rk and |Wy| the number of all possible attribute values of field Wy; then, in the document set FILE, let A be the set of all document attribute combinations, so that the cardinality of A is card(A) = |R1| × |R2| × ... × |Rn| × |W1| × |W2| × ... × |Wm|; where 1 ≤ k ≤ n and 1 ≤ y ≤ m.
4. The privacy-protection-based searchable encryption method in a cloud storage environment according to claim 1, characterized in that the specific process of obtaining the index document related to F comprises:
1) An access trapdoor Q is received from the data user; Q describes the data search condition of the data user, in which the attribute conditions describe the different requirements of the data consumer on each attribute threshold of the target documents and UID indicates the identity of the access requester; specifically, DR describes the requirement on the value of one range-type attribute and DW describes the requirement on the value of one keyword-type attribute; when the data consumer defines attribute field Rx with [rx1, rx2], rx1 ≤ rx2, the order-preserving transformation function X is applied to the condition to obtain its encrypted form; when the data consumer defines attribute field Wx with z keywords, the full-domain pseudo-random function Ψ is used to encrypt the condition to obtain its encrypted form; afterwards, the executor of access control, the CA, queries the two-dimensional query table according to Q for the qualifying index document identifiers (IID)s and combines all the corresponding tuple (addr)s into a subset SQ; the total number of data blocks indexed by SQ is denoted sizeQ; nB = α·bmax, where α is the expansion factor of IBS, bmax is the upper limit on the number of data blocks available for storage in array B, and B is an array containing nB = α·bmax data blocks; when at least one of the range-type attribute domain conditions in Q is non-empty, the attribute Rmin with the smallest given range of values is selected, 1 ≤ min ≤ n; according to the given minimum value range, the CA locates the tuples that satisfy it in the two-dimensional query table Tmin sorted by Rmin, and then matches the other attribute domains; when all range-type attribute domain conditions in Q are empty, the tuples of any table in the two-dimensional query table set T are matched directly;
2) The CA selects a random number τ and generates a pseudo-random integer sequence V ← Γ(τ); the first β·sizeQ distinct integers of V form a pseudo-random subset VQ, which is the obfuscation subset prepared for the access operation of access trapdoor Q; Γ is a pseudo-random number generator; β is the obfuscation factor of IBS;
3) The CA shuffles together the data blocks indexed by SQ and VQ and downloads them to the local side, decrypts the data blocks indexed by SQ and recovers the corresponding index documents; B[i] is the i-th data block in B; Φ is a pseudo-random function, KΦ is the key for Φ, and vi is the version number of the i-th data block, that is, Φ and KΦ are used to apply pseudo-random processing to the string (vi || i);
4) After recovering the index documents whose identifiers are (IID)s, the CA traverses the terminal list FS according to the (IID)s; if FS contains an update request for an index document, the CA first updates it, removes the request, and then takes the updated index document as the corresponding index document;
5) When a new index document needs to be added, first check whether the identifier of the index document to be added exists in T; if it exists, perform a write operation; if not, add the index document by the following steps:
5a) Take the index document set IND, the data block upper limit bmax, the two-dimensional query table set T and KIBS as input; split every index document Ii in IND into sizei data blocks; when the total byte length lengthi of index document Ii is not divisible by ω, the first lengthi/ω data blocks have size ω, and the last data block, which is smaller than ω, is padded to ω with 0s; every data block contains two header fields, one recording IIDi and the other recording the version number vi of Ii, with vi initialized to 0;
5b) Initialize all data blocks in B to 0s; for each index document Ii in IND, where IIDi is the ID of index document Ii, take σ = IIDi as the seed and generate an integer sequence S ← Γ(σ); starting from the beginning of sequence S, select sizei distinct integers and make sure that the data blocks in B indexed by these integers are empty; with Λ denoting the leading integers generated from σ by the pseudo-random generator Γ, create a pseudo-random subset Si = Λ[σ, sizei];
5c) In ascending order, write the sizei data blocks split from Ii into the data blocks in B indexed by Si; these data blocks are marked non-empty;
5d) Update the addri field of the tuple in the two-dimensional query table set T corresponding to Ii to Si;
5e) Encrypt all data blocks in B using the pseudo-random function Φ.
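Steps 5a) to 5e) as an added Python example, not the patent's own code, with a read-back that checks the placement recorded in T. Assumptions: SHA-256 in counter mode stands in for Γ, HMAC-SHA256 for Φ, a block is masked by XOR with the output of Φ on (vi || i), the version header is left readable so a block can be decrypted later, and ω, the IID width, the key and the sample index documents are constructed.

```python
import hashlib
import hmac

OMEGA = 16    # payload bytes per data block (ω); constructed value
ALPHA = 4     # IBS expansion factor α, as in the description's experiments
IID_LEN = 8   # fixed-width IID header field; assumption of this example


def gamma(seed, n_b):
    """Γ(σ): deterministic stream of block indices in [0, n_b)."""
    ctr = 0
    while True:
        digest = hashlib.sha256(seed + ctr.to_bytes(8, "big")).digest()
        yield int.from_bytes(digest[:8], "big") % n_b
        ctr += 1


def phi_pad(key, version, index, length):
    """Φ keyed with K_Φ on (v_i || i), stretched to `length` bytes."""
    out, ctr = b"", 0
    while len(out) < length:
        msg = version.to_bytes(4, "big") + index.to_bytes(4, "big") + bytes([ctr])
        out += hmac.new(key, msg, hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def seal(key, index, iid, version, payload):
    """Mask the IID header and payload; the version header stays readable."""
    body = iid + payload
    pad = phi_pad(key, version, index, len(body))
    return version.to_bytes(4, "big") + bytes(a ^ b for a, b in zip(body, pad))


def unseal(key, index, block):
    version = int.from_bytes(block[:4], "big")
    pad = phi_pad(key, version, index, len(block) - 4)
    body = bytes(a ^ b for a, b in zip(block[4:], pad))
    return body[:IID_LEN], version, body[IID_LEN:]


def ibs_initial(ind, b_max, key):
    """Return (encrypted array B of α·b_max blocks, table {IID: addr list})."""
    n_b = ALPHA * b_max
    plain = [None] * n_b                       # None marks an empty block
    table, used = {}, 0
    for iid, doc in ind.items():
        # 5a) split into ω-byte blocks, zero-padding the last one
        padded = doc + b"\0" * (-len(doc) % OMEGA)
        chunks = [padded[i:i + OMEGA] for i in range(0, len(padded), OMEGA)]
        if used + len(chunks) > b_max:
            raise ValueError("more data blocks than the upper limit b_max")
        # 5b) first size_i distinct indices from Γ(IID) that are still empty
        s_i, stream = [], gamma(iid, n_b)
        while len(s_i) < len(chunks):
            idx = next(stream)
            if plain[idx] is None and idx not in s_i:
                s_i.append(idx)
        s_i.sort()
        # 5c) write the blocks in ascending order, version number 0
        for idx, chunk in zip(s_i, chunks):
            plain[idx] = (iid, 0, chunk)
        used += len(chunks)
        table[iid] = s_i                       # 5d) addr field of the tuple
    # 5e) encrypt every block, empty ones included, so they look alike
    empty = (b"\0" * IID_LEN, 0, b"\0" * OMEGA)
    b_enc = [seal(key, i, *(blk or empty)) for i, blk in enumerate(plain)]
    return b_enc, table


def ibs_read(b_enc, table, iid, key):
    """Decrypt the blocks listed in addr and reassemble the index document."""
    out = b""
    for idx in table[iid]:
        got_iid, _version, payload = unseal(key, idx, b_enc[idx])
        if got_iid != iid:
            raise ValueError("block %d does not belong to this document" % idx)
        out += payload
    return out.rstrip(b"\0")


# Constructed sample index documents: (FID, P) pairs in a made-up text layout.
SAMPLE_KEY = b"constructed-demo-key"
SAMPLE_IND = {
    b"IID00001": b"FID=a1,P=0000a5c1;FID=b2,P=10204081",
    b"IID00002": b"FID=c3,P=00000001",
}

if __name__ == "__main__":
    B, T = ibs_initial(SAMPLE_IND, 8, SAMPLE_KEY)
    print("n_B =", len(B), "addr =", T)
    print(ibs_read(B, T, b"IID00001", SAMPLE_KEY))
```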
CN201610472300.9A 2016-06-27 2016-06-27 Encryption method can search for based on secret protection under a kind of cloud storage environment Active CN106127075B (en)

Publications (2)

Publication Number Publication Date
CN106127075A true CN106127075A (en) 2016-11-16
CN106127075B CN106127075B (en) 2019-11-08

Family

ID=57269235

Country Status (1)

Country Link
CN (1) CN106127075B (en)




Legal Events

Date Code Title Description
PB01 Publication
C06 Publication
SE01 Entry into force of request for substantive examination
C10 Entry into substantive examination
GR01 Patent grant