CN106503994A - Block chain private data access control method based on encryption attribute - Google Patents

Abstract

The invention discloses a kind of block chain private data access control method based on encryption attribute; mainly solving prior art only carries out anonymous protection to the true identity of user in block chain; the privacy leakage problem that protects and cause is not encrypted to privacy information of concluding the business, implementation step is：1. system initialization；2. user's registration obtains attribute information；3. authoritative center is according to customer attribute information dispatch user private key；4. counterparty encrypts transaction private data and is uploaded to block chain；5. bookkeeper is verified to Transaction Information and is executed transaction；6. authorize supervision center to check transaction ciphertext using mandate private key decryption.The present invention passes through to be encrypted transaction privacy information, it is to avoid data-privacy leakage, can be used for the secret protection to fictitious assets transaction data in block chain.

Description

Block chain private data access control method based on encryption attribute

Technical field

The invention belongs to art of cryptography, and in particular to a kind of private data access control method, block is can be applicable to In chain, different stage mandate supervision center and user are effectively accessed to the encrypting transactions data in block chain.

Background technology

Block chain is substantially the data base of a decentration, just as a shared account book, records all of bit coin Transaction Information.Used as the Floor layer Technology of bit coin, block chain has decentration, opening, anonymity and the spy such as can not distort Point.In traditional publicly-owned block chain, the data such as accounts information and transaction content of user are all disclosed, and any user may be used To participate in book keeping operation and check transaction data, the mode only by " pseudo- anonymous " protects privacy of user.Although this increased user The confidence true and reliable to data, but for financial industry, the full disclosure of data is related to a large amount of trade secrets and profit Benefit, it is therefore necessary to protect data-privacy using encryption technology, while ensure supervision center such as government and bank's energy again Transaction content is enough checked, to prevent the carrying out of contraband in block chain.This is accomplished by flexible access control policy to realize Control to different user access rights.And with customer volume sharp increase in block chain, it will substantial amounts of Transaction Information is produced, from And causing supervision inconvenience, it is therefore desirable to the supervision center for setting different stage supervises the carrying out that concludes the business in block chain to be layered.

Sahai and Waters in 2005 proposes the concept of encryption attribute ABE, and ABE point is encrypted CP- for ciphertext policy ABE ABE and key policy attribute encryption KP-ABE.In CP-ABE, ciphertext is related to access strategy, and key is related to user property, When the attribute of only user meets the access control policy of ciphertext, user just can be with decrypting ciphertext.CP-ABE has flexible visit Ask control strategy, solve the problems, such as the access control of many-many communication well, but it does not account for mutual between attribute Relation, is not suitable between different stage authorized user's authority the presence of the situation that higher level's authority covers subordinate right.Then 2009 Year Jin Li etc. propose the concept that hierarchical attribute encrypts HABE, the program according to the dependency between attribute to community set in Attribute be layered, cover the property of lower property so as to be provided with upper strata attribute, but the program be based on basic ABE, lack Weary fine-grained access control.

Patent " a kind of hierarchical attribute encipherment scheme " (publication number that Xian Electronics Science and Technology University applies at which： 105406967A, application number：201510908416.8, the applying date：On 03 16th, 2016) in disclose a kind of hierarchical attribute and add Close scheme.The program encryption when for layering each attribute the corresponding row of the access structure of layering is embedded in into, from And realize that layering and access control combine.The weak point that the method is present is which to be layered only for the importance of attribute, For the consideration of dependency between attribute is not detailed enough, it is not suitable for needing to carry out carefully user rights at different levels in following block chain The situation of granularity hierarchical access control.

Content of the invention

Present invention aims to above-mentioned existing deficiency, proposes a kind of block chain privacy number based on encryption attribute According to access control method, to strengthen the protection to private data in block chain, at the same ensure different stage mandate supervision center and User can be effectively accessed to the private data in block chain.

The technical scheme is that, application for registration is proposed from user to system, obtain with user identity information only One corresponding identity ID and user attributes set S_u；Authoritative center CA distributes private key according to user attributes information for which SK；Counterparty A is carried out to the sensitive information that will be concluded the business using hierarchical attribute encryption technology when being traded with counterparty B Encryption, to ensure that counterparty B and mandate supervision center at different levels can decrypting ciphertexts；In block chain, other unauthorized users do not have Authority checks the Transaction Information of encryption, but the effectiveness of the checking information checking transaction that can pass through to add behind transaction ciphertext, Implementation step includes as follows：

(1) initialize：

(1a) input system security parameter 1^λ, generate first multiplication loop group G of the rank for prime number p₀, the second multiplication loop group G₁With finite field Z_p, randomly choose the first multiplication loop group G₀Generation unit g, define bilinear map e:G₀×G₀→G₁；

(1b) from finite field Z_pMiddle choose N number of element as system property, constitute system property set S, according to attribute it Between dependency by the Attribute transposition in S to n tree in, if i-th tree depth be l_i, define l=max { l_i}_i∈[1,n]Represent The depth capacity of n tree, i ∈ [1, n]；

(1c) primary vector U=(u are randomly choosed_θ)_1≤θ≤lWith secondary vector U '=(u '_θ′)_{1≤θ′≤n}, wherein, u_θRepresent category Property tree the corresponding open parameter of θ layers, u_θ∈G₀, u '_θ′Represent the corresponding open parameter of the θ ' attribute tree, u '_θ′∈G₀；Fixed JusticeFor finite field Z_pIn coprime with the p element set,Middle selection two random number α and β of different sizes, calculate open Parameter Y=e (g, g)^α, generate systematic parameter PK and main private key MK：

PK=(G₀,g,g^β, Y, U, U '),

MK=(α, β)；

(2) identity registration：

(2a) user proposes application for registration to system, obtains identity ID corresponding with its true identity information and makes User community set S_u, and authoritative center CA is submitted to, wherein user includes that domestic consumer and supervision center, supervision center are obtained Property rights of the property rights for taking higher than domestic consumer in its compass of competency,

(2b) authoritative center CA verifies the identity ID and user attributes set S of user_uCorrectness, if just Really, execution step (3), otherwise, terminate registration；

(3) key distribution：

(3a) authoritative center CA is to user attributes set S_uIn j-th attribute a_j, calculate its attribute private key d_j, private key ginseng Number D_jWith rights parameters set D '_j；

(3b) authoritative center CA calculates the private key SK of the user：

Wherein, D=g^(α+r)/βBe the user private key SK in part of key；

(3c) the private key SK of the user is sent to the secret preservation of the user by safe lane by authoritative center CA；

(4) encryption transaction private data：

(4a) counterparty A formulates access control policy P, and constructs access control knot by linear On Secret Sharing Schemes LSSS Structure (M, ρ), wherein M are the generator matrixes of c rows d row, and ρ is that the element in set { 1,2 ..., δ ..., d } is mapped to ciphertext The mapping of attribute in policy attribute collection L, ciphertext policy ABE collection L are the set of all properties in access control policy P；

(4b) random secret value is selectedGenerate d secret shadow { s of secret value s_δ}_δ∈[1,d], wherein, s_δIt is secret The δ secret shadow of close value s, δ ∈ [1, d]；

(4c) for the individual attribute a of jth ' in ciphertext policy ABE collection L_j′, calculate its attribute ciphertext C_j′And policing parameter C′_j′；

(4d) counterparty A is input into transaction cleartext information m to be encrypted, and generates ciphertext E：

Wherein,Be comprising transaction cleartext information m part ciphertext, C=g^βsIt is that the part comprising secret value s is close Text；

(5) transaction data is uploaded：

(5a) counterparty A is signed to ciphertext E and additional identification information M ' by security signature algorithm Sig, will be generated Preliminary signature file σ_AIssue counterparty B；

(5b) counterparty B receives preliminary signature file σ_A, ciphertext E therein is decrypted, after checking that Transaction Information is correct, To preliminary signature file σ_ASigned, generated final signature file σ_B, and broadcast to block chain；

(6) transaction is executed：

(6a) system selects the most best soon bookkeeper F of book keeping operation within a period of time；

(6b) data block comprising All Activity information in this period is broadcasted in block chain by bookkeeper F, block In chain, each node can be verified to the Transaction Information in the data block, if Transaction Information is authentic and valid, just will The block is added in block chain；

(6c) bookkeeper F is changed to the account balance of both parties A and B using additive homomorphism algorithm；

(7) ciphertext is accessed：

(7a) user or supervision center first verify that the property set of oneself before the particular content for checking certain Transaction Information Close S_uWhether access control policy P is met：

If being unsatisfactory for, decryption oprerations cannot be correctly executed；

If meeting, the sets of authorizations S ' for meeting access control policy P is selected_u, execution step (7b), wherein,

(7b) in sets of authorizations S '_uIn select and can cover ciphertext policy ABE a_j′User attributes a_j, wherein a_j∈S_u；

(7c) user attributes a is calculated_jDecrypted rights value d '_jAnd Bilinear map

(7d) the ciphertext E decryption to Transaction Information in block chain, obtains the cleartext information m that concludes the business.

The present invention compared with prior art, with advantages below：

First, the present invention is solved traditional due to being encrypted to the transaction private data in block chain using encryption technology In publicly-owned block chain, all data disclose the privacy leakage problem that brings, it is achieved that the privacy to transaction sensitive information in block chain Protection；

Second, the present invention is realized due to being combined with linear On Secret Sharing Schemes LSSS using hierarchical attribute encryption technology Fine granularity hierarchical access control to ciphertext of concluding the business in block chain, as long as counterparty adds oneself in access control policy Authority, so that it may so that the supervision center belonging to which has the authority for accessing the transaction ciphertext, using so as to avoid counterparty The situation for deliberately not allowing supervision center to be checked during access control policy encrypted transaction message occurs.

Description of the drawings

Fig. 1 be the present invention realize general flow chart；

Fig. 2 is the sub-process figure of encryption transaction private data in the present invention.

Specific embodiment

The present invention will be further described below in conjunction with the accompanying drawings.

Referring to the drawings 1, the present invention realizes that step is as follows.

Step 1, initialization.

Input system security parameter 1^λ, generate first multiplication loop group G of the rank for prime number p₀, the second multiplication loop group G₁With Finite field Z_p, randomly choose the first multiplication loop group G₀Generation unit g, define bilinear map e:G₀×G₀→G₁；

From finite field Z_pMiddle choose N number of element as system property, constitute system property set S, according between attribute During Attribute transposition in S to n is set by dependency, if the depth of i-th tree is l_i, define l=max { l_i}_i∈[1,n]Represent n The depth capacity of tree, i ∈ [1, n]；

Random selection primary vector U=(u_θ)_1≤θ≤lWith secondary vector U '=(u '_θ′)_{1≤θ′≤n}, wherein, u_θRepresent attribute tree The corresponding open parameter of θ layers, u_θ∈G₀, u '_θ′Represent the corresponding open parameter of the θ ' attribute tree, u '_θ′∈G₀；Definition For finite field Z_pIn coprime with the p element set,Middle selection two random number α and β of different sizes, calculate open parameter Y=e (g, g)^α, generate systematic parameter PK and main private key MK：

PK=(G₀,g,g^β, Y, U, U '),

MK=(α, β).

Step 2, identity registration.

User proposes application for registration to system, obtains identity ID corresponding with user true identity information and makes User community set S_u, and authoritative center CA is submitted to, whereinUser is included in domestic consumer and supervision at different levels The heart, property rights of the property rights that supervision center is obtained higher than domestic consumer in its compass of competency；

Authoritative center CA verifies the identity ID and user attributes set S of user_uCorrectness, if correctly, hold Row step 3, otherwise, terminates registration.

Step 3, key are distributed.

(3a) user attributes set S is set_uIn j-th user attributes a_jI-th attribute tree is located at, its depth is h, its Path is R_j=(a_j0,a_j1...,a_jk,...,a_jh), wherein, k ∈ [0, h], a_jkIt is user attributes a_jPath R_jMiddle kth layer Respective attributes, authoritative center CA selected for resisting the random number of collusion attackFor user attributes a_j, select Attribute random number r_j∈Z_p, and calculate its attribute private key d_j, private key parameter D_jWith rights parameters set D '_j：

Wherein, u '_iThe corresponding open parameter of i-th attribute tree of expression, u_kIt is the open parameter of attribute tree kth layer,It is attribute tree h+1 layers to l_iThe open parameter of layer；

(3b) authoritative center CA calculates the private key SK of the user：

Wherein, D=g^(α+r)/βBe the user private key SK in part of key.

(3c) the private key SK of the user is sent to the user by safe lane and is preserved by authoritative center CA.

Step 4, encryption transaction private data.

Referring to the drawings 2, this step is as follows：

(4a) counterparty A formulates access control policy P, constructs access control structure by linear On Secret Sharing Schemes LSSS (M, ρ), wherein M are the generator matrixes of c rows d row, and ρ is that the element in set { 1,2 ..., δ ..., d } is mapped to ciphertext plan The mapping of attribute in slightly property set L, ciphertext policy ABE collection L is the set of all properties in access control policy P；

(4b) random secret value is selectedFrom finite field Z_pC-1 random number v of middle random selection₂,...,v_c, construction Random vector v=(s, v₂,...,v_c)^T, generate d secret shadow { s of secret value s_δ}_δ∈[1,d]：

s_δ=M_δV,

Wherein, M_δIt is the δ rows of generator matrix M, δ ∈ [1, d], s_δIt is and policy attribute a_j′The δ of corresponding secret value s Individual secret shadow；

(4c) the individual policy attribute a of jth ' in ciphertext policy ABE collection L is set_j′The i-th ' attribute tree is located at, its depth is h ', Its path is R_j′=(a_j′0,a_j′1,...,a_j′k′,...,a_j′h′), wherein, k ' ∈ [0, h '], a_j′k′It is policy attribute a_j′Road Footpath R_j′The respective attributes of middle kth ' layer, for policy attribute a_j′, its corresponding secret shadow s is selected according to mapping ρ_δ, and calculate Its attribute ciphertext C_j′With policing parameter C '_j′：

Wherein, u '_i′The corresponding open parameter of the i-th ' attribute tree of expression, u_k′It is the open parameter of attribute tree kth ' layer；

(4d) counterparty A is input into transaction cleartext information m to be encrypted, and generates ciphertext E：

Wherein,Be comprising transaction cleartext information m part ciphertext, C=g^βsIt is that the part comprising secret value s is close Text.

Step 5, uploads transaction data.

(5a) counterparty A is signed to ciphertext E and additional identification information M ' by security signature algorithm Sig：

Wherein, σ_AIt is the preliminary signature file after counterparty A signatures, additional identification information M ' contains the amount of money of bit coin Quantity and source-information, s_AIt is the signature private key of counterparty A, | | represent cascaded operational, ID_AIt is the identity of counterparty A；

(5b) counterparty A is by preliminary signature file σ_ACounterparty B is issued, counterparty B receives preliminary signature file σ_AAfterwards, right Ciphertext E decryption therein, after checking that Transaction Information is correct, counterparty B runs signature algorithm Sig to preliminary signature file σ_A Signed, generated final signature file σ_B：

Wherein, s_BIt is the signature private key of counterparty B, ID_BIt is the identity of counterparty B；

(5c) counterparty B is by final signature file σ_BBroadcast to block chain.

Step 6, executes transaction.

System selects the most best soon bookkeeper F of book keeping operation within a period of time；

Data block comprising All Activity information in this period is broadcasted in block chain by bookkeeper F, in block chain Each node can be verified to the Transaction Information in the data block, if Transaction Information is authentic and valid, just by the area Block is added in block chain；

Bookkeeper F is changed to the remaining sum of both parties A and B using additive homomorphism algorithm.

Step 7, accesses ciphertext.

(7a) user or supervision center first verify that the property set of oneself before the particular content for checking certain Transaction Information Close S_uWhether access control policy P is met：

If being unsatisfactory for, decryption oprerations cannot be correctly executed；

If meeting, the sets of authorizations S ' for meeting access control policy P is selected_u, wherein

(7b) in sets of authorizations S '_uIn select while meeting the energy overlay strategy attribute a of following 3 conditions_j′User Attribute a_j：

User attributes a_jIn i-th attribute tree, policy attribute a_j′In the i-th ' attribute tree, the two meets i=i '；

User attributes a_jDepth h and policy attribute a_j′Depth h ' between meet：h≤h′；

User attributes a_jPath R_j=(a_j0,a_j1,...,a_jk,...,a_jh) and policy attribute a_j′Path R_j′= (a_j′0,a_j′1,...,a_j′k′,...,a_j′h′) between meet：As k=k ', a_jk=a_j′k′, wherein k ∈ [0, h], k ' ∈ [0, h′]；

(7c) for overlay strategy attribute a_j′User attributes a_j, calculate its decrypted rights value d '_jAnd Bilinear map

Wherein, d_jIt is attribute private key,It is rights parameters set D '_jIn element, represent user attributes a_jRights parameters, a_j′,h+1,a_j′,h+2,...,a_j′h′It is ciphertext policy ABE a_j′Path R_j′In h+1 layers to the h ' layers Respective attributes, C_j′It is policy attribute a_j′Attribute ciphertext, D_jIt is policy attribute a_j′Private key parameter, C '_j′It is policy attribute a_j′'s Policing parameter, u '_i′The corresponding open parameter of the i-th ' attribute tree of expression, u_k′It is the open parameter of attribute tree kth ' layer, a_j′k′It is Policy attribute a_j′Path R_j′The respective attributes of middle kth ' layer, k ' ∈ [0, h ']；

(7d) ciphertext E of Transaction Information in block chain is decrypted, the transaction cleartext information m after being decrypted：

Wherein,It is the part ciphertext comprising transaction cleartext information m, C is the part ciphertext comprising secret value s, and D is to use Part of key in person private key SK, λ_δFor gathering { λ_δ}_δ∈IIn the δ parameter, λ_δ∈Z_p, gather { λ_δ}_δ∈IIt is according to LSSS schemes The parameter sets that obtain of reconstruction nature, I={ δ:ρ(δ)∈S′_u, ρ (δ) expression maps ρ and δ is mapped to Ciphertext policy category Policy attribute a in property collection L_j′, s_δIt is and policy attribute a_j′The δ secret shadow of corresponding secret value s.

By above step, the ciphertext policy ABE encryption technology of layering is tied with linear On Secret Sharing Schemes LSSS phases Close, and be applied in the process of exchange of block chain, it is achieved thereby that to the encipherment protection of transaction sensitive information in block chain and point Layer access control.

Claims (9)

1. a kind of block chain private data access control method based on encryption attribute, comprises the steps：

(1) initialize：

(1a) input system security parameter 1^λ, generate first multiplication loop group G of the rank for prime number p₀, the second multiplication loop group G₁With Finite field Z_p, randomly choose the first multiplication loop group G₀Generation unit g, define bilinear map e:G₀×G₀→G₁；

(1b) from finite field Z_pMiddle choose N number of element as system property, constitute system property set S, according to the phase between attribute During Attribute transposition in S to n is set by closing property, if the depth of i-th tree is l_i, define l=max { l_i}_i∈[1,n]Represent n tree Depth capacity, i ∈ [1, n]；

(1c) primary vector U=(u are randomly choosed_θ)_1≤θ≤lWith secondary vector U '=(u '_θ′)_{1≤θ′≤n}, wherein, u_θRepresent attribute tree The corresponding open parameter of θ layers, u_θ∈G₀, u '_θ′Represent the corresponding open parameter of the θ ' attribute tree, u '_θ′∈G₀；Definition For finite field Z_pIn coprime with the p element set,Middle selection two random number α and β of different sizes, calculate open parameter Y=e (g, g)^α, generate systematic parameter PK and main private key MK：

PK=(G₀,g,g^β, Y, U, U '),

MK=(α, β)；

(2) identity registration：

(2a) user proposes application for registration to system, obtains identity ID corresponding with its true identity information and user Community set S_u, and authoritative center CA is submitted to, wherein user includes that domestic consumer and supervision center, supervision center are obtained Property rights of the property rights higher than domestic consumer in its compass of competency,

(2b) authoritative center CA verifies the identity ID and user attributes set S of user_uCorrectness, if correctly, execute Step (3), otherwise, terminates registration；

(3) key distribution：

(3a) authoritative center CA is to user attributes set S_uIn j-th attribute a_j, calculate its attribute private key d_j, private key parameter D_jWith Rights parameters set D '_j；

(3b) authoritative center CA calculates the private key SK of the user：

$SK=(D,{\{d_j,D_j,D_j^{\′}\}}_{a_j\∈S_u}),$

Wherein, D=g^(α+r)/βBe the user private key SK in part of key；

(3c) the private key SK of the user is sent to the secret preservation of the user by safe lane by authoritative center CA；

(4) encryption transaction private data：

(4a) counterparty A formulates access control policy P, and constructs access control structure by linear On Secret Sharing Schemes LSSS (M, ρ), wherein M are the generator matrixes of c rows d row, and ρ is that the element in set { 1,2 ..., δ ..., d } is mapped to Ciphertext policy The mapping of attribute in property set L, ciphertext policy ABE collection L are the set of all properties in access control policy P；

(4b) random secret value is selectedGenerate d secret shadow { s of secret value s_δ}_δ∈[1,d], wherein, s_δIt is secret value s The δ secret shadow, δ ∈ [1, d]；

(4c) for the individual attribute a of jth ' in ciphertext policy ABE collection L_j′, calculate its attribute ciphertext C_j′With policing parameter C '_j；

(4d) counterparty A is input into transaction cleartext information m to be encrypted, and generates ciphertext E：

$E=(P,\tilde{C},C,{\{C_{j^{\′}},C_{j^{\′}}^{\′}\}}_{a_{j^{\′}}\∈L}),$

Wherein,Be comprising transaction cleartext information m part ciphertext, C=g^βsIt is the part ciphertext comprising secret value s；

(5) transaction data is uploaded：

(5a) counterparty A is signed to ciphertext E and additional identification information M ' by security signature algorithm Sig, first by generated Step signature file σ_AIssue counterparty B；

(5b) counterparty B receives preliminary signature file σ_A, ciphertext E therein is decrypted, after checking that Transaction Information is correct, to first Step signature file σ_ASigned, generated final signature file σ_B, and broadcast to block chain；

(6) transaction is executed：

(6a) system selects the most best soon bookkeeper F of book keeping operation within a period of time；

(6b) data block comprising All Activity information in this period is broadcasted in block chain by bookkeeper F, in block chain Each node can be verified to the Transaction Information in the data block, if Transaction Information is authentic and valid, just by the area Block is added in block chain；

(6c) bookkeeper F is changed to the account balance of both parties A and B using additive homomorphism algorithm；

(7) ciphertext is accessed：

(7a) user or supervision center first verify that the community set S of oneself before the particular content for checking certain Transaction Information_u Whether access control policy P is met：

If being unsatisfactory for, decryption oprerations cannot be correctly executed；

If meeting, the sets of authorizations S ' for meeting access control policy P is selected_u, execution step (7b), wherein,

(7b) in sets of authorizations S '_uIn select and can cover ciphertext policy ABE a_j′User attributes a_j, wherein a_j∈S_u；

(7c) user attributes a is calculated_jDecrypted rights value d '_jAnd Bilinear map

(7d) the ciphertext E decryption to Transaction Information in block chain, obtains the cleartext information m that concludes the business.

2. method according to claim 1, it is characterised in that computation attribute private key d in step (3a)_j, private key parameter D_jWith Property rights parameter sets D '_j, calculate according to equation below：

$d_j=g^r{\left(u_i^{\′}{\Π}_{k=1}^h{u_k}^{a_{jk}}\right)}^{r_j}$

$D_j=g^{r_j}$

$D_j^{\′}=\{u_{h+1}^{r_j},u_{h+2}^{r_j},...,u_{l_i}^{r_j}\},$

Wherein, g is the first multiplication loop group G₀Generation unit, r is the random number for resisting collusion attack,u′_iRepresent The corresponding open parameter of i-th attribute tree, h is user attributes a_jDepth in attribute tree, u_kIt is the public affairs of attribute tree kth layer Open parameter, a_jkIt is user attributes a_jPath R_j=(a_j0,a_j1…,a_jk,…,a_jh) in kth layer respective attributes, k ∈ [0, H], r_jIt is attribute random number, r_j∈Z_p,It is attribute tree h+1 layers to l_iThe open parameter of layer.

3. method according to claim 1, it is characterised in that calculate d secret shadow of secret value s in step (4b) {s_δ}_δ∈[1,d], calculate according to equation below：

s_δ=M_δV,

Wherein, s_δIt is and policy attribute a_j′The δ secret shadow of corresponding secret value s, M_δIt is the δ rows of generator matrix M, δ ∈ [1, d], random vector v=(s, v₂,…,v_c)^T, s is randomly selected secret value, v₂,…,v_cIt is from finite field Z_pIn select at random The c-1 random number that selects.

4. method according to claim 1, it is characterised in that computation attribute ciphertext C in step (4c)_j′And policing parameter C′_j′, calculate according to equation below：

$C_{j^{\′}}={\left(u_{i^{\′}}^{\′}{\Π}_{k^{\′}=1}^{h^{\′}}{u_{k^{\′}}}^{a_{j^{\′}{k}^{\′}}}\right)}^{s_{\mathrm{\δ}}}$

$C_{j^{\′}}^{\′}=g^{s_{\mathrm{\δ}}},$

Wherein, u '_i′The corresponding open parameter of the i-th ' attribute tree of expression, h ' is policy attribute a_j′Depth in attribute tree, u_k′ It is the open parameter of attribute tree kth ' layer, a_j′k′It is policy attribute a_j′Path R_j′=(a_j′0,a_j′1,…,a_j′k′,...,a_j′h′) The respective attributes of middle kth ' layer, k ' ∈ [0, h '], g are the first multiplication loop group G₀Generation unit, s_δIt is and policy attribute a_j′Right The δ secret shadow of secret value s that answers, δ ∈ [1, d].

5. method according to claim 1, it is characterised in that the counterparty A in step (5a) passes through security signature algorithm Sig signs to ciphertext E and additional identification information M ', carries out according to equation below：

${\mathrm{\σ}}_A={\mathrm{Sig}}_{s_A}\left(E\right|\left|M^{\′}\right)\left|\right|{\mathrm{ID}}_A,$

Wherein, σ_AIt is the preliminary signature file after counterparty A signatures, additional identification information M ' contains the dollar amount of bit coin And source-information, s_AIt is the signature private key of counterparty A, | | represent cascaded operational, ID_AIt is the identity of counterparty A.

6. method according to claim 1, it is characterised in that to preliminary signature file σ in step (5b)_ASigned, pressed Carry out according to equation below：

${\mathrm{\σ}}_B={\mathrm{Sig}}_{s_B}\left({\mathrm{\σ}}_A\right)\left|\right|{\mathrm{ID}}_B\left|\right|{\mathrm{ID}}_A,$

Wherein, σ_BBe counterparty B generate final signature file, s_BIt is the signature private key of counterparty B, ID_AIt is the body of counterparty A Part mark, ID_BIt is the identity of counterparty B, | | represent cascaded operational.

7. method according to claim 1, it is characterised in that in sets of authorizations S in step (7b)_u' in select and can cover plan Slightly attribute a_j′User attributes a_j, following condition need to be met simultaneously：#

User attributes a_jIn i-th attribute tree, policy attribute a_j′In the i-th ' attribute tree, meet therebetween：I= i′；

User attributes a_jDepth h and policy attribute a_j′Depth h ' between meet：h≤h′；

User attributes a_jPath R_j=(a_j0,a_j1,…,a_jk,…,a_jh) and policy attribute a_j′Path R_j′=(a_j′0, a_j′1,…,a_j′k′,...,a_j′h′) between meet：As k=k ', a_jk=a_j′k′, wherein k ∈ [0, h], k ' ∈ [0, h '].

8. method according to claim 1, it is characterised in that calculate decrypted rights value d ' in step (7c)_jAnd Bilinear map A_jδ, it is calculated as follows：

$d_j^{\′}=d_j\·{\left(u_{h+1}^{r_j}\right)}^{a_{j^{\′},h+1}}{\left(u_{h+2}^{r_j}\right)}^{a_{j^{\′},h+2}}...{\left(u_{h^{\′}}^{r_j}\right)}^{a_{j^{\′}{h}^{\′}}}=g^r{\left(u_i^{\′}{\Π}_{k^{\′}=1}^{h^{\′}}{u_{k^{\′}}}^{a_{j^{\′}{k}^{\′}}}\right)}^{r_j}$

$A_{j\mathrm{\δ}}=e(d_j^{\′},C_{j^{\′}}^{\′})/e(D_j,C_{j^{\′}})=e{(g,g)}^{{\mathrm{rs}}_{\mathrm{\δ}}},$

Wherein, d_jIt is attribute private key,It is rights parameters set D '_jIn element, represent user attributes a_j's Rights parameters, a_j′,h+1,a_j′,h+2,...,a_j′h′It is ciphertext policy ABE a_j′Path R_j′=(a_j′0,a_j′1,…,a_j′k′,..., a_j′h′) in h+1 layers to the h ' layers respective attributes, r_jIt is random number, r_j∈Z_p, C_j′It is policy attribute a_j′Attribute ciphertext, D_j It is policy attribute a_j′Private key parameter, C '_j′It is policy attribute a_j′Policing parameter, s_δIt is and policy attribute a_j′Corresponding secret The δ secret shadow of value s.

9. method according to claim 1, it is characterised in that ciphertext E in step (7d) to Transaction Information in block chain Decryption, is calculated as follows：

$m=\frac{\tilde{C}}{e(C,D)\·{\Π}_{\mathrm{\δ}\∈I}{A}_{j\mathrm{\δ}}^{{\mathrm{\λ}}_{\mathrm{\δ}}}},$

Wherein, m is the transaction cleartext information after decryption,It is the part ciphertext comprising transaction cleartext information m, C is comprising secret value The part ciphertext of s, D is the part of key in user private key SK, λ_δFor gathering { λ_δ}_δ∈IIn the δ parameter, λ_δ∈Z_p, set {λ_δ}_δ∈IIt is the parameter sets obtained according to the reconstruction nature of LSSS schemes, I={ δ:ρ(δ)∈S′_u, ρ (δ) is represented with mapping ρ δ is mapped to the policy attribute a in ciphertext policy ABE collection L_j′.