CN106549758A - Support the encryption method based on attribute of non-monotonic access structure - Google Patents

Abstract

The invention discloses a kind of encryption method based on attribute for supporting non-monotonic access structure, including initialization, generation private key for user, encryption and decryption.The present invention provide the non-monotonic access structure of support the encryption method based on attribute, to access strategy in institute the attribute for carrying out inverse in need all encode, formation encoded attributes.In non-monotonic access structure tree, every attribute for inverse occur all is substituted with encoded attributes.In the private key subitem of user, the not only corresponding private key subitem of logical attribute, also the key subitem of encoded attributes.Generate different from the private key subitem of logical attribute when private key distributes, the private key subitem of encoded attributes is generated according to the needs dynamic of decryption in decryption phase.The present invention provides the encryption method based on attribute, supports non-monotonic access structure, and will not reduce the safety of AES.

Description

Support the encryption method based on attribute of non-monotonic access structure

Technical field

The present invention relates to file ciphering technology field, and in particular to it is a kind of support non-monotonic access structure based on attribute Encryption method.

Background technology

Due to the advantage that once encryption, many people share, as a kind of Cryptograph Sharing algorithm, the encryption based on attribute (CP-ABE, Cipher Policy Attribute Based Encryption) algorithm is received significant attention.However, may be used The CP-ABE algorithms of enforcement, nearly all only support dull access structure.Only only a few supports the side of non-monotonic access structure Case, as excessively complexity often only cannot application implementation with theory significance.Non-monotonic access structure cannot be supported, it is meant that Access strategy or access logical expression cannot support NOT logic computing.And in many practical applications, NOT logic computing is must Indispensable.Non-monotonic access structure is not supported, the range of application of scheme is seriously limited.

The content of the invention

To be solved by this invention is the problem that the existing AES based on attribute does not support non-monotonic access structure.

The present invention is achieved through the following technical solutions：

A kind of encryption method based on attribute for supporting non-monotonic access structure, including：

Initialization：Security parameter d is set；Authorized organization selects a rank for the Bilinear Groups G of Big prime p₀And G₁, remember G₀Generation Unit is g, and corresponding bilinear map is e:G₀×G₀→G₁；Logical attribute collection needed for definition system is combined into A={ a₁,a₂,…,a_n, it is The corresponding encoded attributes collection of logical attribute set A needed for system is combined into Define a hash function H:{0,1}^*→G₀；Random selectionWherein,For in the residue class set of Big prime p with big element The set that number p coprime element is constituted；By system public key information It is sent to Cloud Server open, the main private key MK={ g of the secret preservation of data owner^α,β₁,β₂}；

Generate private key for user：Define and give user U_iThe logical attribute collection of distribution is combined intoCorresponding encoded attributes set ForRandom selectionFor each element a_j∈ w, random selectionGenerate private key

Encryption：Data owner builds the access knot that all leaf nodes all represent logical attribute according to logical expression is accessed Broussonetia papyrifera T'；It transform access structure tree T' as access structure tree T that leaf node represents logical attribute or encoded attributes；To access knot Broussonetia papyrifera T each leaf node assignmentWherein, L_T'Represent the set of the leaf node of access structure tree T'；Generate plaintext M Shared cryptograph is Wherein, att () is for asking the corresponding attribute of leaf node, NOT_TFor institute in access structure tree T The set for having non-attribute corresponding node to constitute, Q_l(0) it is the polynomial constant term of leaf node l correspondences, Q_x(0) it is leaf node x The polynomial constant term of correspondence；

Decryption：

For logical attribute leaf node x,

For encoded attributes leaf node x,

For NOT node x,Its In, child nodes of the z for NOT node x, whereQ_z(0)=Q_x(0)；

For operator is non-leaf nodes x of AND,

Wherein, s_xFor operator for AND non-leaf nodes x child nodes set, The seniority among brothers and sisters sequence number that index (z) is leaf node z in the brotgher of node, father nodes of the parent (z) for leaf node z, Q_x(0) For the polynomial constant term of non-leaf nodes x correspondence；

Ciphertext data M is as follows：

Optionally, data owner builds the visit that all leaf nodes all represent logical attribute according to logical expression is accessed Ask that structure tree T' includes：

In access structure tree T', each leaf node represents an attribute in community set, and its threshold value is 1；

In access structure tree T', each non-leaf nodes plays thresholding effect.

Optionally, it transform access structure tree T' as access structure trees that leaf node represents logical attribute or encoded attributes T includes：

The leaf node of scanning access structure tree T', it is determined whether there is non-attribute；

If it is non-attribute that leaf node is corresponding, leaf node is substituted with encoded attributes node.

Optionally, the coded system of encoded attributes node is：The corresponding property value of attribute of the entitled B of attribute can be arranged and number For n, 2^k-1≤n≤2^k, k is positive integer, all values of B is carried out with coding successively using k bits and forms coding category Property, encoded attributes is respectively designated as B from low level to a high position₁、B₂、…、B_k。

Optionally, it is each leaf node assignment of access structure tree TIncluding：

A polynomial of one indeterminate function is randomly choosed for non-leaf nodes x of each operator in access structure tree T for AND Q_x(x)；

Random selectionThe corresponding privacy sharing number of root node for making access structure tree T is Q_r(0)=s；

For arbitrary node y and his father's node operator are AND, Q_y(0)=Q_parent(y)(index (y)), wherein, The seniority among brothers and sisters sequence number that index (y) is arbitrary node y in the brotgher of node；

For arbitrary node y and his father's node operator are OR, Q_y(0)=Q_parent(y)(0)。

The present invention compared with prior art, has the following advantages and advantages：

The encryption method based on attribute of the non-monotonic access structure of support that the present invention is provided, can arrange denumerable using property value The characteristics of property value is encoded, form encoded attributes, logic-based attribute and encoded attributes are encrypted.This method is to visiting Ask in strategy the attribute (referred to as non-attribute) for carrying out inverse in need all encoded, form encoded attributes.In non-list Visit and investigate in asking structure tree, every attribute for inverse occur all is substituted with encoded attributes.In the private key subitem of user In, the not only corresponding private key subitem of logical attribute, also the key subitem of encoded attributes.Exist with the private key subitem of logical attribute Difference is generated when private key distributes, the private key subitem of encoded attributes is generated according to the needs dynamic of decryption in decryption phase.The present invention Encryption method based on attribute is provided, is supported non-monotonic access structure, and the safety of AES will not be reduced.

Description of the drawings

Accompanying drawing described herein is used for providing further understanding the embodiment of the present invention, constitutes of the application Point, do not constitute the restriction to the embodiment of the present invention.In the accompanying drawings：

Fig. 1 is the structural representation of logic-based attribute access structure tree；

Fig. 2 is the structural representation of logic-based attribute and encoded attributes access structure tree.

Specific embodiment

To make the object, technical solutions and advantages of the present invention become more apparent, with reference to embodiment and accompanying drawing, to this Invention is described in further detail, and the exemplary embodiment of the present invention and its explanation are only used for explaining the present invention, do not make For limitation of the invention.

Embodiment

Using access structure tree table, up in the AES based on attribute of access strategy, Cryptograph Sharing is by will be secret Close number shares what is realized on the leaf node of tree.It should be noted that each leaf node has and only and represents a category Property value.If occurring in that the non-of certain attribute in the access logical expression for representing access strategy, hereinafter referred to as non-attribute, that Will there is the non-attribute leaf node for representing multiple attribute values in the access structure tree that formed by the expression formula.The node Cannot match with any single attribute, therefore corresponding ciphertext subitem cannot be formed.The direct thinking for solving the problem is by this Property value is substituted with the non-all other property value of the property value is become, the relation of these property values be all logic or.However, category The more value of property causes the method infeasible, and in the case where attribute has 1000 values, the non-of any property value all needs Substituted with 999 property values.Because attribute value is more, it is meant that the memory space that access structure tree and ciphertext need is got over Greatly, encrypt and decrypt the time for spending longer.For this problem, inventor consider with binary coding is carried out to property value with Reduce the quantity of non-property value.

If the corresponding property value of attribute of the entitled B of attribute can be arranged and number is n, if 2^k-1≤n≤2^k, then, it is possible to With k bits all values of B are carried out with coding successively and forms encoded attributes, encoded attributes is ordered to a high position respectively from low level Entitled B₁、B₂、…、B_k, k is positive integer.For example, there are 15 classes in a grade, because of 2^4-1≤15≤2⁴, so representing the category of class Property class encoded attributes name be respectively class1, class2, class3 and class4.The corresponding volumes of attribute class=11 Code attribute is respectively：Class1=1, class2=1, class3=0 and class4=1, are abbreviated as class= Class4class3class2class1=1011.

After using above coded method, the non-of attribute is asked just to become simple.If attribute B=B_k…B₂B₁, then,Due to B_iThe value of (1≤i≤k) is 0 or 1, often Individual non-attribute！B_iLeaf node all corresponds to a property value, can calculate corresponding ciphertext subitem.Attribute class=11's is non- That is class ≠ 11, corresponding encoded attributes is：Class=！class4∪！class3∪！class2∪！Class1=1011. The structural representation of logic-based attribute access structure tree is as shown in figure 1, be changed into logic-based attribute and encoded attributes access The structural representation of structure tree is as shown in Figure 2.Obviously, when attribute value reaches as many as 1000, any non-attribute is all only not Cross and correspond to 10 encoded attributes values and 10 corresponding leaf nodes.

Based on above-mentioned analysis, the present invention will constitute the base attribute of composite attribute when private key for user is generated with cryptogram computation Bound, proposed a kind of encryption method based on attribute for supporting many-valued distribution and combinations of attributes, including initialization, generation are used Family private key, four steps of encryption and decryption.

Initialization：Security parameter d is set；Authorized organization selects a rank for the Bilinear Groups G of Big prime p₀And G₁, remember G₀ Generation unit be g, corresponding bilinear map be e:G₀×G₀→G₁；Logical attribute collection needed for definition system is combined into A={ a₁, a₂,…,a_n, the corresponding encoded attributes collection of logical attribute set A needed for system is combined intoDefine a hash function H:{0,1}^*→G₀； Random selectionWherein,For the set that element coprime with Big prime p in the residue class set of Big prime p is constituted； By system public key informationIt is sent to Cloud Server simultaneously Open, data owner is secret to preserve main private key MK={ g^α,β₁,β₂}.；

Generate private key for user：Define and give user U_iThe logical attribute collection of distribution is combined intoCorresponding encoded attributes set ForRandom selectionFor each element a_j∈ w, random selectionGenerate private key

Encryption：Data owner builds the access knot that all leaf nodes all represent logical attribute according to logical expression is accessed Broussonetia papyrifera T'；It transform access structure tree T' as access structure tree T that leaf node represents logical attribute or encoded attributes；To access knot Broussonetia papyrifera T each leaf node assignmentWherein, L_T'Represent the set of the leaf node of access structure tree T'；Generate plaintext M Shared cryptograph is Wherein, att () is for asking the corresponding attribute of leaf node, NOT_TFor institute in access structure tree T The set for having non-attribute corresponding node to constitute, Q_l(0) it is the polynomial constant term of leaf node l correspondences, Q_x(0) it is leaf node x The polynomial constant term of correspondence.

Specifically, privacy sharing is carried out for convenience, will be accessed logical expression access structure tree T' and is represented.Accessing knot In Broussonetia papyrifera T', each leaf node represents an attribute in attribute space, and its threshold value is 1, and each non-leaf nodes rises Thresholding is acted on.If using num respectively_xAnd k_xRepresent child's number and threshold value of non-leaf nodes x, then there must be 0 ＜ k_x≤ num_x.When the thresholding of non-leaf nodes is prescribed a time limit for AND-gate, its threshold value k_x=num_x；When the thresholding of non-leaf nodes is OR, Threshold value k_x=1.

The leaf node of scanning access structure tree T', it is determined whether there is non-attribute.If certain leaf node is corresponding being Non- attribute, the leaf node is substituted with corresponding encoded attributes node.

If the root node of access structure tree T is r, T_xRepresent subtree of the root node for x, it is clear that have：T=T_r.If property setMeet access control tree T_x, it is designated as T_x(γ)=1.Calculating can be carried out by following mode recurrence：As x is Non-leaf nodes, is that all child nodes x' of the non-leaf nodes calculate T_x'(γ), and if only if at least k_xThe T of individual child_x' (γ) when return value is all 1, T_x(γ)=1；If x is leaf node, when the attribute of and if only if leaf node x belongs to γ, T_x (γ)=1.

For each leaf node assignment of access structure tree TIt is according to carrying out from top to bottom.Specifically, it is to access knot In Broussonetia papyrifera T, each operator randomly chooses a polynomial of one indeterminate function Q for non-leaf nodes x of AND_x(x).Random selectionThe corresponding privacy sharing number of root node for making access structure tree T is Q_r(0)=s.For arbitrary node y and its father node Operator is AND, Q_y(0)=Q_parent(y)(index (y)), wherein, rows of the index (y) for arbitrary node y in the brotgher of node Row sequence number (is numbered by order from left to right)；For arbitrary node y and his father's node operator are OR, Q_y(0)= Q_parent(y)(0)。

Decryption：

For logical attribute leaf node x, a_j=att (x),

For encoded attributes leaf node x,If U_kMeet the coding of access structure tree T Attribute (if multiple encoded attributeses meet a non-attribute, only taking one of them) collection is combined into S', U_kBy private key subitem It is sent to authorized organization's request temporary private subitem and mapping number.Authorized organization randomly choosesFor each element a_j∈ S', random selectionGenerate following temporary private subitem： Mapping number of authorized organization's calculation code attribute to logical attribute：

Then temporary private subitem and mapping number are sent back to into U_k, U_kAccording to same logical attribute leaf node decipherment algorithm one The algorithm decryption encoded attributes leaf node of sample.For encoded attributes leaf node x, its decrypted result is：

For NOT node x,Its In, child nodes of the z for NOT node x, whereQ_z(0)=Q_x(0)；

For operator is non-leaf nodes x of AND,

Wherein, s_xFor operator for AND non-leaf nodes x child nodes set, The seniority among brothers and sisters sequence number for being leaf node z in the brotgher of node, father nodes of the parent (z) for leaf node z, Q_x(0) it is non-leaf The polynomial constant term of node x correspondences；

Ciphertext data M is as follows：

Above-described specific embodiment, has been carried out further to the purpose of the present invention, technical scheme and beneficial effect Describe in detail, the be should be understood that specific embodiment that the foregoing is only the present invention is not intended to limit the present invention Protection domain, all any modification, equivalent substitution and improvements within the spirit and principles in the present invention, done etc. all should include Within protection scope of the present invention.

Claims (5)

1. a kind of encryption method based on attribute for supporting non-monotonic access structure, it is characterised in that include：

Initialization：Security parameter d is set；Authorized organization selects a rank for the Bilinear Groups G of Big prime p₀And G₁, remember G₀Generation unit be G, corresponding bilinear map are e:G₀×G₀→G₁；Logical attribute collection needed for definition system is combined into A={ a₁,a₂,…,a_n, system institute The corresponding encoded attributes collection of logical attribute set A for needing is combined into Define a hash function H:{0,1}^*→G₀；Random selectionWherein,For in the residue class set of Big prime p with big element The set that number p coprime element is constituted；By system public key information It is sent to Cloud Server open, the main private key MK={ g of the secret preservation of data owner^α,β₁,β₂}；

Generate private key for user：Define and give user U_iThe logical attribute collection of distribution is combined intoCorresponding encoded attributes collection is combined intoRandom selectionFor each element a_j∈ w, random selectionGenerate private key

Encryption：Data owner builds the access structure tree that all leaf nodes all represent logical attribute according to logical expression is accessed T'；It transform access structure tree T' as access structure tree T that leaf node represents logical attribute or encoded attributes；For access structure tree T each leaf node assignmentWherein, L_T'Represent the set of the leaf node of access structure tree T'；Generate being total to for plaintext M Enjoying ciphertext is Wherein, att () is for asking the corresponding attribute of leaf node, NOT_TFor institute in access structure tree T The set for having non-attribute corresponding node to constitute, Q_l(0) it is the polynomial constant term of leaf node l correspondences, Q_x(0) it is leaf node x The polynomial constant term of correspondence；

Decryption：

For logical attribute leaf node x,

For encoded attributes leaf node x,

For NOT node x,Wherein, z is The child nodes of NOT node x, whereQ_z(0)=Q_x(0)；

For operator is non-leaf nodes x of AND,

$\begin{array}{c}DecNode\left(x\right)=\underset{z\∈s_x}{\Π}DecNode{\left(z\right)}^{{\mathrm{\Δ}}_{i,s_x^{\′}}\left(0\right)},{\mathrm{where}}_{s_x^{\′}=\{index\left(z\right):z\∈s_x\}}^{i=index\left(z\right)}\\ =\underset{z\∈s_x}{\Π}{\left(e{\left(g,g\right)}^{r_k\·Q_z\left(0\right)}\right)}^{{\mathrm{\Δ}}_{i,s_x^{\′}}\left(0\right)}\\ =\underset{z\∈s_x}{\Π}{\left(e{\left(g,g\right)}^{r_k\·Q_{parent\left(z\right)}\left(index\right(z\left)\right)}\right)}^{{\mathrm{\Δ}}_{i,s_x^{\′}}\left(0\right)}\\ =\underset{z\∈s_x}{\Π}e{(g,g)}^{r_k\·Q_x\left(i\right)\·{\mathrm{\Δ}}_{i,s_x^{\′}}\left(0\right)}\\ =e{(g,g)}^{r_k\·Q_x\left(0\right)}\end{array}$

Wherein, s_xFor operator for AND non-leaf nodes x child nodes set, The seniority among brothers and sisters sequence number that index (z) is leaf node z in the brotgher of node, father nodes of the parent (z) for leaf node z, Q_x(0) For the polynomial constant term of non-leaf nodes x correspondence；

Ciphertext data M is as follows：

$Decrypt(CT,SK)=\frac{\tilde{C}\·DecNode\left(root\right)}{e(C,{\mathrm{SK}}_k^{\left(1\right)})}=\frac{M\·e{(g,g)}^{\mathrm{\α}s}\·e{(g,g)}^{r_{k}s}}{e\left(g^{{\mathrm{\β}}_{1}s},g^{\frac{\mathrm{\α}+r_k}{{\mathrm{\β}}_1}}\right)}=M.$

2. the encryption method based on attribute for supporting non-monotonic access structure according to claim 1, it is characterised in that number Included according to the access structure tree T' that all leaf nodes of access logical expression structure all represent logical attribute according to the owner：

In access structure tree T', each leaf node represents an attribute in community set, and its threshold value is 1；

In access structure tree T', each non-leaf nodes plays thresholding effect.

3. the encryption method based on attribute for supporting non-monotonic access structure according to claim 2, it is characterised in that will Access structure tree T' transform leaf node as and represents logical attribute or the access structure tree T of encoded attributes and includes：

The leaf node of scanning access structure tree T', it is determined whether there is non-attribute；

If it is non-attribute that leaf node is corresponding, leaf node is substituted with encoded attributes node.

4. the encryption method based on attribute for supporting non-monotonic access structure according to claim 3, it is characterised in that compile Code attribute node coded system be：The corresponding property value of attribute of the entitled B of attribute can arrange and number be n, 2^k-1≤n≤2^k, k For positive integer, coding is carried out successively to all values of B using k bits and forms encoded attributes, encoded attributes is from low level B is respectively designated as to a high position₁、B₂、…、B_k。

5. the encryption method based on attribute for supporting non-monotonic access structure according to claim 2, it is characterised in that be Access structure tree T each leaf node assignmentIncluding：

A polynomial of one indeterminate function Q is randomly choosed for non-leaf nodes x of each operator in access structure tree T for AND_x (x)；

Random selectionThe corresponding privacy sharing number of root node for making access structure tree T is Q_r(0)=s；

For arbitrary node y and his father's node operator are AND, Q_y(0)=Q_parent(y)(index (y)), wherein, index (y) The seniority among brothers and sisters sequence number for being arbitrary node y in the brotgher of node；

For arbitrary node y and his father's node operator are OR, Q_y(0)=Q_parent(y)(0)。