CN107154845B - BGN type ciphertext decryption outsourcing scheme based on attributes - Google Patents
- Publication number: CN107154845B (application CN201710233091.7A)
- Authority: CN (China)
- Prior art keywords: ciphertext, cloud, key, homomorphic, attribute
- Legal status: Active (Google's estimate; not a legal conclusion)
Classifications
- H04L9/0643 — Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
- H04L63/0428 — Network security protocols providing confidential data exchange where the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/06 — Network security protocols supporting key management in a packet data network
- H04L9/0819 — Key transport or distribution: one party creates or obtains a secret value and securely transfers it to the other(s)
- H04L9/0869 — Generation of secret information (cryptographic keys or passwords) involving random numbers or seeds
- H04L9/3073 — Public key cryptography involving algebraic varieties (elliptic or hyper-elliptic curves) and pairings, e.g. identity based encryption [IBE], bilinear pairings such as the Weil or Tate pairing
Abstract
The invention relates to an attribute-based BGN type ciphertext decryption outsourcing scheme, which comprises the following steps: (1) setting system parameters and generating an encryption key; (2) the sender selects an access structure, encrypts the message and generates a ciphertext; (3) the receiving party inputs the master key and the attributes and outputs the conversion key and the private key; (4) the sender sends the ciphertext to the cloud; (5) the receiving party sends the conversion key to the cloud; (6) the cloud converts the ciphertext with the conversion key to obtain a partial ciphertext and sends it to the receiver; (7) the receiving party decrypts the partial ciphertext with the private key to obtain the message; and a homomorphic computation step performed by the cloud on the ciphertext is further included between step (4) and step (5). The outsourced decryption scheme not only improves the decryption efficiency of the system but also reduces the storage overhead of the receiver; on the ciphertext obtained by the encryption method, the server can be allowed to carry out multiple additive homomorphic operations and one multiplicative homomorphic operation on the ciphertext data, and the CPA security of the user information is greatly improved without increasing the decryption difficulty.
Description
Technical Field
The invention belongs to the technical field of information security, and particularly relates to a BGN type ciphertext decryption outsourcing scheme based on attributes.
Background
The concept of cloud computing has put the development of the information industry on a fast track. Cloud services provide users with massive storage and strong computing capability and at the same time promote economic development; but public clouds are mainly maintained and operated by untrusted third-party service providers, and the security problems associated with cloud computing are becoming increasingly prominent. Cloud security is regarded as the biggest of the many challenges in the practical application of cloud services, and also the most urgent problem for them to solve. If a user stores sensitive data on a cloud server in clear text, the cloud cannot be trusted unconditionally, because the cloud may copy or even tamper with the information, and the user has no way of knowing about the cloud's unauthorized behaviour, which can cause unpredictable loss. To prevent malicious leakage of and illegal access to sensitive data, a user can outsource the data in ciphertext form.
The traditional cloud computing encryption and decryption model cannot provide fine-grained access control over a computation result. Shamir proposed identity-based encryption in 1984: the user's public key is derived from a unique identifier associated with the user's identity, so the server side does not need to look up the user's public key certificate when it needs the public key. Attribute-based encryption, proposed by Sahai and Waters, can be regarded as a generalization of identity-based encryption.
In an attribute-based encryption system, a user's key and a ciphertext are associated with a set of descriptive attributes and an access policy, respectively. A given key can decrypt a given ciphertext only if the associated attributes and access policy match. Two kinds of attribute-based encryption have been proposed: key-policy attribute-based encryption (KP-ABE) and ciphertext-policy attribute-based encryption (CP-ABE). In KP-ABE the access policy is embedded in the private key, while in CP-ABE it is embedded in the ciphertext. Attribute-based encryption (ABE) gives data owners a secure way to share outsourced data on untrusted servers rather than relying on trusted servers shared with specific users. This advantage makes ABE a popular approach to cloud storage, providing secure access control for large numbers of users belonging to different organizations.
Nevertheless, ABE has a major drawback in efficiency: the computational cost of the key distribution and decryption stages grows with the complexity of the access policy. Ciphertext size and decryption time increase with the complexity of the access formula, which is clearly a heavy burden for resource-constrained mobile users. To allow remote, resource-limited mobile users to decrypt safely and efficiently, the concept of outsourced ABE was proposed, in which encryption and decryption can be outsourced to third-party service providers. The core of ABE decryption outsourcing is to modify the key generation algorithm so that it produces two keys: a short ElGamal-type key kept by the user and a transformation key TK. For a ciphertext CT satisfying the access function, the cloud can use TK to convert CT into a simple, short ElGamal-type ciphertext CT'. The user then needs only a single exponentiation to decrypt. Compared with traditional attribute-based encryption, the outsourced decryption scheme improves the decryption efficiency of the system and reduces the storage overhead of the receiver. However, in this scheme part of the decryption of the ciphertext is performed by the cloud, which requires trusting the outsourcing server, and both the ciphertext and the transformation key TK may be read illegally.
Therefore, the ciphertext decryption outsourcing scheme which can improve the information security in the decryption outsourcing process and does not increase the decryption difficulty of the user has important value.
Disclosure of Invention
In order to improve the information security of the decryption outsourcing process of the prior-art CP-ABE decryption outsourcing scheme without increasing the decryption difficulty for the user, the invention provides an attribute-based BGN type ciphertext decryption outsourcing scheme. The ciphertext obtained by the encryption method of the scheme allows a server to carry out additive homomorphic operations, repeated many times, and a multiplicative homomorphic operation on the ciphertext data, so that the CPA security of the user's information is greatly improved without increasing the user's decryption difficulty.
The technical problem to be solved by the invention is realized by the following technical scheme:
A BGN type ciphertext decryption outsourcing scheme based on attributes comprises the following steps:
step (1): setting system parameters and generating an encryption key, a master key MSK and a public key PK;
step (2): the sender selects an access structure, encrypts the message and outputs a ciphertext CT;
step (3): the receiving party inputs the master key MSK and an attribute set S, randomly selects parameters and outputs a transformation key TK and a private key SK;
step (4): the sender sends the ciphertext data CT to the cloud through a public channel;
step (5): the receiving party sends TK to the cloud;
step (6): the cloud performs a conversion computation on the ciphertext CT using the transformation key TK to obtain a partial ciphertext CT' and sends CT' to the receiving party;
step (7): the receiving party decrypts the partial ciphertext CT' using the private key SK to obtain the message;
and between step (4) and step (5) a homomorphic computation step performed by the cloud on the ciphertext is further included.
More specifically, in the attribute-based BGN-type ciphertext decryption outsourcing scheme of the present invention, step (1) is specifically:
step (1-1): set the system parameters; input the security parameter λ and the attribute space U, where U = {0,1}*;
step (1-2): run the algorithm ξ(λ) to obtain the tuple (q1, q2, G, G1, e) and the bilinear map e: G × G → G1, where q1, q2 are primes and G, G1 are both groups of order n = q1·q2;
step (1-3): randomly select generators k, u in the group G and set h (derived from u) so that h is a generator of the subgroup of G of order q1; randomly select prime-order groups G' and G'_T of order p, and let g be a generator of G', giving a bilinear map e': G' × G' → G'_T;
step (1-4): randomly select a hash function F mapping {0,1}* to G' and a hash function H mapping G'_T to bit strings; randomly choose coefficients α, a ∈ Z_p, where Z_p is the integers modulo p. The master key of the algorithm is MSK = (g^α, PK); the public key is PK = (n, g, k, h, e, e'(g,g)^α, g^a, F, H, G, G1).
More specifically, in the attribute-based BGN-type ciphertext decryption outsourcing scheme of the present invention, step (2) is specifically:
step (2-1): the sender selects an LSSS access structure (M, ρ), where M is an l × n matrix associated with the attributes and ρ is the function that associates row M_i of M with an attribute, i = 1, 2, …, l;
step (2-2): randomly select n elements (s, y2, …, yn) ∈ Z_p to form the vector v = (s, y2, …, yn), where s is the secret sharing parameter; compute λ_i = M_i · v, where M_i is the vector formed by the i-th row of M; then randomly select l + 1 elements (R, r1, …, rl) ∈ Z_p and output the ciphertext CT, which consists of the following three parts:
More specifically, in the attribute-based BGN-type ciphertext decryption outsourcing scheme of the present invention, step (3) is specifically:
step (3-1): the receiving party inputs the master key MSK and the attribute set S, randomly selects t' ∈ Z_p and outputs
SK' = (PK, K' = g^α · g^{a t'}, L' = g^{t'}, {K'_x = F(x)^{t'}}_{x ∈ S});
step (3-2): randomly select z ∈ Z_p and let t = t'/z, obtaining the receiving party's private key SK and the transformation key TK, where TK is:
More specifically, in the attribute-based BGN-type ciphertext decryption outsourcing scheme of the present invention, step (6) is specifically:
step (6-1): the cloud performs the conversion computation on the ciphertext CT using the transformation key TK sent by the receiving party; when the attribute set S of the receiving party does not satisfy the access structure (M, ρ), the cloud outputs ⊥ and the system stops;
when the attribute set S of the receiving party satisfies the access structure (M, ρ), define I = {i : ρ(i) ∈ S}; then there exists a set of constants {ω_i ∈ Z_p}_{i∈I} such that, for any valid shares {λ_i} of s, Σ_{i∈I} ω_i λ_i = s, which recovers the secret sharing parameter s; the conversion algorithm is then run to compute the partial ciphertext CT',
where the conversion algorithm is computed as follows:
step (6-2): the cloud returns the partial ciphertext CT' = (c, Q) to the receiving party.
More specifically, in the attribute-based BGN-type ciphertext decryption outsourcing scheme of the present invention, step (7) is specifically:
step (7-1): the receiving party inputs the private key SK = (q1, z) and the partial ciphertext CT', and uses (z, Q) to compute e'(g,g)^{sα} = Q^z;
step (7-2): the receiving party then uses the other part of the private key, q1, to compute:
step (7-3): the receiving party obtains the plaintext message m by computing the resulting discrete logarithm with Pollard's lambda algorithm.
More specifically, in the attribute-based BGN-type ciphertext decryption outsourcing scheme of the present invention, the homomorphic computation step consists of at least one additive homomorphic operation and at most one multiplicative homomorphic operation.
More specifically, in the attribute-based BGN-type ciphertext decryption outsourcing scheme of the present invention, in step (4), after the sender sends the ciphertext data CT to the cloud through the public channel, the homomorphic computation step performed by the cloud on the ciphertext is at least one additive homomorphic operation:
the ciphertext data received by the cloud comprises c1 and c2:
the ciphertext after the additive homomorphic computation is:
C = g^s,
step (5): the receiving party sends TK to the cloud;
step (6): the cloud performs the conversion computation on the homomorphically processed ciphertext using TK and sends the partial ciphertext to the receiving party; the specific process of step (6) is as follows:
step (6-1): the cloud performs the conversion computation on the ciphertext using the TK sent by the receiving party;
when the attribute set S of the receiving party satisfies the access structure (M, ρ), define I = {i : ρ(i) ∈ S}; then there exists a set of constants {ω_i ∈ Z_p}_{i∈I} with Σ_{i∈I} ω_i λ_i = s, which recovers the secret sharing parameter s; the conversion algorithm is then run to obtain the partial ciphertext,
where the conversion algorithm is computed as follows:
step (6-2): the cloud returns the partial ciphertext CT' = (c, Q) to the receiving party;
step (7): the receiving party decrypts the partial ciphertext CT' with the private key SK; the specific process of step (7) is as follows:
step (7-1): the receiving party inputs the private key SK = (q1, z) and the partial ciphertext CT', and uses (z, Q) for an exponentiation, computing e'(g,g)^{sα} = Q^z; having e'(g,g)^{sα}, it obtains the value H(e'(g,g)^{sα});
step (7-2): the receiving party then uses the other part of the private key, q1, to compute:
step (7-3): the receiving party obtains the plaintext message m1 + m2 by computing the resulting discrete logarithm with Pollard's lambda algorithm.
Because the component c' of the ciphertext obtained after one additive homomorphic operation is again an element of G, the cloud can perform additive homomorphic operations many times after receiving the ciphertext CT.
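As an added illustration (not code from the patent) of the BGN layer behind steps (4), (7-2) and (7-3), the toy Python script below realises the composite-order group G as a subgroup of Z_P^*, encrypts as k^m · h^r, adds ciphertexts by multiplying them, and decrypts by raising to q1 and taking a small discrete logarithm. It assumes the standard BGN choice h = u^{q2}, which the page leaves unstated, substitutes baby-step giant-step for Pollard's lambda, and omits the attribute-based mask H(e'(g,g)^{sα}) and the pairing-based multiplication.

```python
"""Toy BGN-style additive homomorphism and q1-decryption (constructed example).

Ciphertexts live in a cyclic group G of composite order n = q1*q2; h generates
the order-q1 subgroup, so raising a ciphertext to q1 strips the blinding factor
and leaves the message in the exponent of an order-q2 base. G is realised as a
subgroup of Z_P^* rather than a pairing group, so only the additive layer is
shown; the ABE mask and the multiplicative step of the page are omitted.
"""
import math
import secrets
from typing import Optional

Q1, Q2 = 101, 103        # toy primes; the page uses 512-bit primes
N = Q1 * Q2              # group order n = q1*q2


def is_prime(x: int) -> bool:
    """Trial division; adequate for the toy sizes used here."""
    if x < 2:
        return False
    return all(x % d for d in range(2, math.isqrt(x) + 1))


def field_prime(n: int) -> int:
    """Smallest prime P with n | P-1, so Z_P^* has a cyclic subgroup of order n."""
    k = 2
    while not is_prime(n * k + 1):
        k += 1
    return n * k + 1


P = field_prime(N)


def generator_of_order_n(p: int) -> int:
    """Deterministically find an element of exact order n = q1*q2 in Z_p^*."""
    cofactor = (p - 1) // N
    for x in range(2, p):
        g = pow(x, cofactor, p)          # order of g divides n
        if pow(g, Q1, p) != 1 and pow(g, Q2, p) != 1:
            return g                     # order is neither 1, q1 nor q2, hence n
    raise ValueError("no element of order n found")


K = generator_of_order_n(P)              # generator k of G (page notation)
U = pow(K, 5, P)                         # gcd(5, n) = 1, so u is also a generator of G
H = pow(U, Q2, P)                        # assumed BGN form h = u^{q2}: generator of the order-q1 subgroup


def encrypt(m: int, r: Optional[int] = None) -> int:
    """BGN encryption c = k^m * h^r with fresh randomness r in Z_n."""
    if r is None:
        r = secrets.randbelow(N)
    return pow(K, m, P) * pow(H, r, P) % P


def add(c1: int, c2: int) -> int:
    """Additive homomorphism: (k^m1 h^r1)(k^m2 h^r2) = k^(m1+m2) h^(r1+r2)."""
    return c1 * c2 % P


def bsgs_log(base: int, target: int, order: int) -> Optional[int]:
    """Discrete log of target to a base of the given prime order.
    Baby-step giant-step stands in for the Pollard lambda search named on the page."""
    m = math.isqrt(order) + 1
    baby = {}
    cur = 1
    for j in range(m):
        baby.setdefault(cur, j)
        cur = cur * base % P
    giant = pow(base, order - m, P)      # base^(-m), since base^order = 1
    gamma = target
    for i in range(m):
        if gamma in baby:
            return i * m + baby[gamma]
        gamma = gamma * giant % P
    return None


def decrypt(c: int) -> Optional[int]:
    """Steps (7-2)/(7-3): c^{q1} = (k^{q1})^m because h^{q1} = 1; then a small discrete log.
    Messages are recovered modulo q2, which is why BGN needs a small message space."""
    projected = pow(c, Q1, P)
    base = pow(K, Q1, P)                 # element of order q2
    return bsgs_log(base, projected, Q2)


if __name__ == "__main__":
    print("17 + 25 decrypts to", decrypt(add(encrypt(17), encrypt(25))))
    print("60 + 50 decrypts to", decrypt(add(encrypt(60), encrypt(50))))
```

The second line printed is 7 rather than 110: sums are recovered modulo q2, so the plaintext space and every homomorphic sum must stay below q2 for decryption to be unique, a constraint the scheme inherits from BGN's discrete-logarithm decryption.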
More specifically, in the attribute-based BGN-type ciphertext decryption outsourcing scheme of the present invention, in step (4), after the sender sends the ciphertext data CT to the cloud through the public channel, the homomorphic computation step performed by the cloud on the ciphertext is a multiplicative homomorphic operation:
let k1 = e(k, k) and h1 = e(k, h); the order of k1 is n and the order of h1 is q1, and there exists β ∈ Z, where Z is a finite integer field, such that the following holds; compute
C = g^s,
step (5): the receiving party sends TK to the cloud;
step (6): the cloud performs the conversion computation on the ciphertext using TK to obtain a partial ciphertext and sends it to the receiving party; the specific process of step (6) is as follows:
step (6-1): the cloud performs the conversion computation on the ciphertext using the TK sent by the receiving party; when the attribute set S of the receiving party satisfies the access structure (M, ρ), define I = {i : ρ(i) ∈ S}; then there exists a set of constants {ω_i ∈ Z_p}_{i∈I} with Σ_{i∈I} ω_i λ_i = s, which recovers the secret sharing parameter s; the conversion algorithm is then run to obtain the partial ciphertext CT',
where the conversion algorithm is computed as follows:
step (6-2): the cloud returns the partial ciphertext CT' = (c, Q) to the receiving party;
step (7): the receiving party decrypts the partial ciphertext CT' with the private key SK to obtain the message; the specific process of step (7) is as follows:
step (7-1): the receiving party inputs the private key SK = (q1, z) and the partial ciphertext CT', and uses (z, Q) for an exponentiation, computing e'(g,g)^{sα} = Q^z; having e'(g,g)^{sα}, it obtains the value H(e'(g,g)^{sα})^2;
step (7-2): the receiving party then uses the other part of the private key, q1, to compute:
step (7-3): the receiving party obtains the plaintext message m1·m2 by computing the resulting discrete logarithm with Pollard's lambda algorithm.
More specifically, in the attribute-based BGN-type ciphertext decryption outsourcing scheme of the present invention, the parameter generation algorithm invoked by the random selection uses a pseudo-random number generator to randomly select two large 512-bit primes q1, q2; G and G1 are both groups of order n = q1·q2, and e: G × G → G1 is a bilinear map.
The following describes the mathematical theory applied by the present invention:
A bilinear map (bilinear pairing) is a map taking pairs of elements of a group G to the group G_T, defined as follows:
let G, G_T be two multiplicative cyclic groups of order p and g a generator of G; then a bilinear map e: G × G → G_T satisfies the following properties:
(1) bilinearity: for any u, k ∈ G and a, b ∈ Z_p, e(u^a, k^b) = e(u, k)^{ab};
(2) non-degeneracy: there exist u, k ∈ G such that e(u, k) ≠ 1;
(3) computability: there is an efficient algorithm that computes e(u, k) for any u, k ∈ G.
Here Z_p is the integers modulo p.
the "access structure" described in the present invention has the following meaning:
suppose { P1,P2,…,PnIs a secret shared set of participants, defining P-2 { P ═ P1,P2,…,PnIs the access structure { P }1,P2,…,PnA non-empty subset of i.e.The monotonicity of the access structure is defined as follows if A ∈ andb ∈. at the same time, the subset is referred to as an authorized subset, and the subset for which the shared secret cannot be reconstructed is an unauthorized subset.
The "LSSS (Linear Secret Sharing scheme) access structure" in the invention has the following meanings:
a Linear secret sharing mechanism (LSSS) Π defined on the secret sharing participant set P means:
(1) all participants' shares make up one ZpThe vector of (c).
(2) There is a matrix M of l × n, which is a shared generator matrix for pi, the ith row of M corresponds to the entity ρ (i), where i is 1,2, …, l, ρ is a mapping function from {1,2, …, l } to PWhere s is the shared secret, then M.v is the vector of l shared components for s obtained using Π, and (M.v)iBelonging to the entity p (i).
Linear reconstructability assuming pi is an LSSS on the access structure, let grant set S ∈, define I ═ I: ρ (I) ∈ S } andthen there must be such a set of constants wi∈Zp}i∈ISo that ∑i∈ IwiMiTrue for (1,0, …,0), thus ∑i∈IwiMiv ═ s; for the unauthorized set, however, there is no such wi∈Zp}i∈I。
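To make the linear reconstruction property concrete, the added Python example below (not part of the patent) builds the share-generating matrix for a toy policy "(A AND B) OR C", produces shares as in step (2-2), and performs the check the cloud makes in step (6-1): it solves Σ_{i∈I} ω_i M_i = (1, 0, …, 0) over Z_p for the rows labelled by the receiver's attributes and returns None (the cloud's ⊥) when no such constants exist. The policy, matrix M, labelling ρ and prime p are constructed values, and the rows of M follow the usual recursive construction rule, which the page does not spell out.

```python
"""LSSS sharing (step 2-2) and the linear-reconstruction check of step (6-1).

Constructed example. M was built with the usual recursive rule: an OR node
copies its vector to both children, an AND node splits vector v into (v, 1)
and (0, -1), padding with zeros to a common length n.
"""
import secrets
from typing import Dict, List, Optional, Set

P = 1_000_003   # toy prime p for Z_p (the page's p is far larger)

# Share-generating matrix M (l = 3 rows, n = 2 columns) for the policy "(A AND B) OR C"
M = [[1, 1],    # row 0 -> attribute A
     [0, -1],   # row 1 -> attribute B
     [1, 0]]    # row 2 -> attribute C
RHO = {0: "A", 1: "B", 2: "C"}   # rho maps each row index to its attribute


def share(s: int, m=M, p=P) -> List[int]:
    """v = (s, y2, ..., yn) with random y_j in Z_p; share lambda_i = M_i . v mod p."""
    n = len(m[0])
    v = [s % p] + [secrets.randbelow(p) for _ in range(n - 1)]
    return [sum(a * b for a, b in zip(row, v)) % p for row in m]


def solve_mod_p(a: List[List[int]], b: List[int], p: int) -> Optional[List[int]]:
    """Solve A x = b over Z_p by Gauss-Jordan elimination.
    Returns one solution (free variables set to 0) or None if the system is inconsistent."""
    rows, cols = len(a), len(a[0])
    aug = [[x % p for x in a[i]] + [b[i] % p] for i in range(rows)]
    pivots = []
    r = 0
    for c in range(cols):
        if r == rows:
            break
        pr = next((i for i in range(r, rows) if aug[i][c]), None)
        if pr is None:
            continue                     # no pivot in this column: free variable
        aug[r], aug[pr] = aug[pr], aug[r]
        inv = pow(aug[r][c], -1, p)
        aug[r] = [x * inv % p for x in aug[r]]
        for i in range(rows):
            if i != r and aug[i][c]:
                f = aug[i][c]
                aug[i] = [(x - f * y) % p for x, y in zip(aug[i], aug[r])]
        pivots.append(c)
        r += 1
    for row in aug:                      # a row 0 = nonzero means no solution
        if not any(row[:cols]) and row[cols]:
            return None
    x = [0] * cols
    for i, c in enumerate(pivots):
        x[c] = aug[i][cols]
    return x


def reconstruction_constants(attrs: Set[str], m=M, rho=RHO, p=P) -> Optional[Dict[int, int]]:
    """I = {i : rho(i) in S}; find {omega_i} with sum_{i in I} omega_i * M_i = (1, 0, ..., 0).
    None means S is unauthorized (no such constants exist): the cloud outputs ⊥."""
    idx = [i for i in range(len(m)) if rho[i] in attrs]
    if not idx:
        return None
    n = len(m[0])
    # Unknowns omega_i; equation j reads sum_i omega_i * M[i][j] = e1[j]
    a = [[m[i][j] for i in idx] for j in range(n)]
    e1 = [1] + [0] * (n - 1)
    w = solve_mod_p(a, e1, p)
    return None if w is None else dict(zip(idx, w))


def recover(shares: List[int], attrs: Set[str], p=P) -> Optional[int]:
    """Step (6-1): sum_{i in I} omega_i * lambda_i mod p recovers s for an authorized S."""
    omega = reconstruction_constants(attrs)
    if omega is None:
        return None
    return sum(w * shares[i] for i, w in omega.items()) % p


if __name__ == "__main__":
    shares = share(424242)
    for attrs in ({"A", "B"}, {"C"}, {"A"}, {"B"}):
        print(sorted(attrs), "->", recover(shares, attrs))
```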
The invention has the following beneficial effects:
1. In the decryption outsourcing scheme, the ciphertext generated when encrypting the information consists of three parts, one of which is embedded in a BGN type ciphertext; the server can be allowed to perform multiple additive homomorphic operations and one multiplicative homomorphic operation on that part of the ciphertext, and the result is the same as performing the same operation directly on the plaintext and then encrypting the result; therefore, after the ciphertext has undergone homomorphic operations, data security is greatly improved while the difficulty of the user's decryption process is not increased.
2. Homomorphic computation can perform operations such as retrieval and comparison on encrypted data and obtain correct results without decrypting the data at any point, i.e. the server can process the data without reading the user's sensitive data.
3. The decryption outsourcing scheme of the invention uses bilinear map technology together with the domestic hash function SM3, and reduces the security of the scheme to the subgroup decision assumption, so that CPA security is achieved.
4. In the access control of the cloud computation result, an attribute-based encryption method is added to achieve attribute-based fine-grained access control over the right to decrypt the homomorphic computation result; the access rule is specified by the user and the access rights can be changed at any time, that is, the share-generating matrix is bound together with the message to produce the ciphertext, so the identity feature set associated with the share-generating matrix can be changed at any time, while the user's private key depends only on the identity feature set.
5. In terms of efficiency, in a mobile cloud storage environment the user embeds the attribute control into a hashed BGN ciphertext and uploads it to cloud storage; the ciphertext conversion step outsources part of the decryption of the stored ciphertext to the cloud, which guarantees the security of the data in the cloud, borrows the powerful computing capability of the outsourced decryption agent without revealing the plaintext data, speeds up decryption, reduces the receiver's storage and decryption overhead, and improves the decryption efficiency of the system.
The present invention will be described in further detail with reference to the accompanying drawings and examples.
Drawings
Fig. 1 is a schematic flow chart of the attribute-based BGN type ciphertext decryption outsourcing scheme of the present invention.
Detailed Description
To further explain the technical means and effects of the present invention adopted to achieve the intended purpose, the following detailed description of the embodiments and structural features of the present invention is provided with reference to the accompanying drawings and examples.
Example 1: BGN type ciphertext decryption outsourcing scheme based on attributes
The attribute-based BGN type ciphertext decryption outsourcing scheme shown in fig. 1 specifically includes the following steps:
step (1): setting system parameters, generating an encryption key, a master key MSK and a public key PK, wherein the specific process of the step (1) is as follows:
step (1-1): set the system parameters; input the security parameter λ and the attribute space U, where U = {0,1}*; the input security parameter λ is relatively large, and in this embodiment λ is 1024 bits, which is enough to guarantee the security of the scheme.
step (1-2): run the algorithm ξ(λ) to obtain the tuple (q1, q2, G, G1, e) and the bilinear map e: G × G → G1, where q1, q2 are primes and G, G1 are both groups of order n = q1·q2; ξ(λ) is a public parameter generation algorithm and q1, q2 are large primes; in this embodiment q1, q2 are 512-bit primes.
step (1-3): randomly select generators k, u in the group G and set h (derived from u) so that h is a generator of the subgroup of G of order q1; randomly select prime-order groups G' and G'_T of order p, and let g be a generator of G', giving a bilinear map e': G' × G' → G'_T.
step (1-4): randomly select a hash function F mapping {0,1}* to G' and a hash function H mapping G'_T to bit strings; randomly choose coefficients α, a ∈ Z_p, i.e. α and a are both chosen at random in the integers modulo p; the master key of the algorithm is MSK = (g^α, PK);
the public key is PK = (n, g, k, h, e, e'(g,g)^α, g^a, F, H, G, G1).
The hash functions F and H used in step (1) are the public domestic hash algorithm SM3.
Step (2): the sender selects an access structure, encrypts the message and generates a ciphertext CT, and the specific process of the step (2) is as follows:
step (2-1): the sender selects an LSSS access structure (M, ρ), where M is an l × n matrix associated with the attributes and ρ is the function associating row M_i of M with an attribute, i.e. a mapping that assigns each row of M to an element of the access structure, i = 1, 2, …, l.
step (2-2): randomly select n elements (s, y2, …, yn) ∈ Z_p to form the vector v = (s, y2, …, yn), where s is the secret sharing parameter; compute λ_i = M_i · v, where M_i is the vector formed by the i-th row of M; then randomly select l + 1 elements (R, r1, …, rl) ∈ Z_p, i.e. choose R, r1, …, rl at random in the integers modulo p, and output the ciphertext CT, which consists of the following three parts:
step (3): the receiving party inputs the master key MSK and the attribute set S, selects random parameters and outputs TK and SK; the specific process of step (3) is as follows:
step (3-1): the receiving party inputs the master key MSK and the attribute set S, randomly selects t' ∈ Z_p and outputs:
SK' = (PK, K' = g^α · g^{a t'}, L' = g^{t'}, {K'_x = F(x)^{t'}}_{x ∈ S}).
step (3-2): randomly select z ∈ Z_p and let t = t'/z, obtaining the receiving party's private key SK and the transformation key TK:
SK = (q1, z).
and (4): and the sender sends the ciphertext data CT to the cloud through the public channel.
After the cloud receives the ciphertext data CT sent by the sender, it can perform homomorphic computation steps on the ciphertext, consisting of at least one additive homomorphic operation and at most one multiplicative homomorphic operation; the ciphertext CT received by the cloud and encrypted according to the scheme of this embodiment consists of three parts, the first part c being embedded in a BGN ciphertext, so the server can be allowed to perform multiple additive homomorphic operations and one multiplicative homomorphic operation on that part of the ciphertext.
And (5): and the receiving side sends the TK to the cloud.
And (6): the cloud end carries out conversion calculation on the ciphertext CT by using the conversion key TK to obtain a part of ciphertext CT ', and sends the part of ciphertext CT' to the receiving party, wherein the specific process of the step (6) is as follows:
step (6-1): the cloud side carries out conversion calculation on the ciphertext CT by using a conversion key TK sent by the receiver, and when the attribute S of the receiver does not meet the access structure (M, rho), the cloud side outputs inverted T, and the system stops running;
when the attribute S of the receiving party satisfies the access structure (M, rho), definingAnd I ═ I:ρ (I) ∈ S }, i.e. all elements ρ (I) ∈ S in the attribute set S correspond to the set of row labels I of the matrix M by mapping ρ (), then there exists a constant set { ωi∈Zp}i∈ISo that ∑i∈IwiMi(1,0, …,0) for { λiAll values in { lambda }, are used as the reference valueiIs the valid part of the secret s, ∑ is calculatedi∈IωiλiThe secret sharing parameter s can be recovered as s, and then the calculation of the conversion algorithm is operated to obtain a partial ciphertext CT',
the conversion algorithm is specifically calculated as follows:
step (6-2): the cloud returns the partial ciphertext CT ═ c, Q to the recipient.
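As an added example (not code from the patent), the following Python models the share computation of step (2-2) and the reconstruction test of step (6-1): it finds coefficients ω_i with Σ_{i∈I} ω_i M_i = (1, 0, …, 0) by Gaussian elimination modulo p and recovers s = Σ ω_i λ_i, returning ⊥ (None) when the attribute set does not satisfy (M, ρ). The field prime P, the policy matrix M_DEMO for the policy (A AND B) OR C, the row map RHO_DEMO and the shares are all constructed here; the pairing-based transformation that the cloud applies afterwards is not modelled.

```python
"""Toy LSSS secret sharing and reconstruction over Z_p (steps (2-2) and (6-1)).

Added example, not code from the patent. Assumptions: a fixed prime P for the
field Z_p (the patent's p is the order of G'); the access matrix M and the
row-to-attribute map rho are hand-built for the policy (A AND B) OR C.
"""
import secrets

P = 2**61 - 1  # assumed field prime; any prime works


def share(M, s):
    """Step (2-2): v = (s, y_2, ..., y_n) with random y_j; lambda_i = M_i . v."""
    n = len(M[0])
    v = [s % P] + [secrets.randbelow(P) for _ in range(n - 1)]
    return [sum(a * b for a, b in zip(row, v)) % P for row in M]


def reconstruction_coefficients(M, rho, S):
    """Return {i: omega_i} over I = {i : rho(i) in S} with
    sum_{i in I} omega_i * M_i = (1, 0, ..., 0) mod P, or None when S does not
    satisfy (M, rho).  Solved by Gaussian elimination modulo P: the unknowns
    are the omega_i, with one equation per column of M."""
    I = [i for i in range(len(M)) if rho[i] in S]
    if not I:
        return None
    n, m = len(M[0]), len(I)
    # Augmented matrix: row c is [M[I[0]][c], ..., M[I[m-1]][c] | e_1[c]]
    A = [[M[i][c] % P for i in I] + [1 if c == 0 else 0] for c in range(n)]
    pivot_row = {}  # unknown index j -> row holding its pivot
    r = 0
    for j in range(m):
        piv = next((k for k in range(r, n) if A[k][j]), None)
        if piv is None:
            continue
        A[r], A[piv] = A[piv], A[r]
        inv = pow(A[r][j], -1, P)
        A[r] = [x * inv % P for x in A[r]]
        for k in range(n):
            if k != r and A[k][j]:
                f = A[k][j]
                A[k] = [(x - f * y) % P for x, y in zip(A[k], A[r])]
        pivot_row[j] = r
        r += 1
    # A non-zero right-hand side in an all-zero row means no solution: output bottom.
    if any(A[k][-1] for k in range(r, n)):
        return None
    # Free unknowns are set to 0; any solution reconstructs the secret.
    return {I[j]: (A[pivot_row[j]][-1] if j in pivot_row else 0) for j in range(m)}


def recover_secret(M, rho, S, shares):
    """Step (6-1): s = sum_{i in I} omega_i * lambda_i mod P, or None (bottom)."""
    omega = reconstruction_coefficients(M, rho, S)
    if omega is None:
        return None
    return sum(w * shares[i] for i, w in omega.items()) % P


# Constructed policy (A AND B) OR C as an LSSS matrix (l = 3 rows, n = 2 columns):
# the rows for A and B sum to (1, 0); the row for C alone is (1, 0).
M_DEMO = [[1, 1], [0, P - 1], [1, 0]]
RHO_DEMO = ["A", "B", "C"]      # rho(i): attribute attached to row i
S_DEMO = 1234567                # constructed secret-sharing parameter s
SHARES_DEMO = share(M_DEMO, S_DEMO)

if __name__ == "__main__":
    for attrs in ({"A", "B"}, {"C"}, {"A"}, {"B"}):
        print(sorted(attrs), recover_secret(M_DEMO, RHO_DEMO, attrs, SHARES_DEMO))
```

The elimination runs over the columns of M, so it works for any l × n matrix, not only the 3 × 2 one constructed here; a set that does not satisfy the policy shows up as an inconsistent system, which is exactly the ⊥ case of step (6-1).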
Step (7): the receiver decrypts the partial ciphertext CT' using the private key SK to obtain the message. The specific process of step (7) is as follows:
Step (7-1): the receiver inputs the private key SK = (q_1, z) and the partial ciphertext CT', and uses (z, Q) to perform an exponentiation, i.e. computes e'(g, g)^{sα} = Q^z.
Step (7-2): the receiver then uses the partial private key q_1 to compute:
Step (7-3): the receiver obtains the plaintext message m by computing, with Pollard's lambda algorithm, the discrete logarithm of … to the base ….
In the ciphertext decryption outsourcing scheme of this embodiment, the party performing step (3) is the receiver, unlike steps (2) and (4), so the position of step (3) may be changed: step (3) need not lie between steps (2) and (4), as long as it comes after step (1) and before step (5). The parameter generation algorithm used for the random selection in the scheme of the invention specifically uses a pseudo-random generator to randomly select two large 512-bit primes q_1, q_2; G and G_1 are both groups of order n = q_1 q_2, and e: G × G → G_1 is a bilinear map. The pseudo-random number generator is not further specified: any generator that achieves the random selection may be used, and this has no effect on the security of the scheme.
Example 2: BGN type ciphertext decryption outsourcing scheme based on attributes
The specific scheme is as follows:
step (1): setting system parameters, generating an encryption key, a master key MSK and a public key PK, wherein the specific process of the step (1) is as follows:
step (1-1): setting system parameters, inputting safety parameters lambda and attribute space U, wherein U is {0,1}*(ii) a The value of the input security parameter λ is relatively large, and in this embodiment, the value of λ is 1024 bits, which is enough to ensure the security of the scheme.
Step (1-2) of running an algorithm ξ (λ) to obtain a tuple (q)1,q2,G,G1E) and bilinear map e G × G → G1Wherein q is1,q2Is prime number, G1Are all of order n ═ q1q2ξ (lambda) is a published parameter generation algorithm, q1,q2For large prime numbers, q is selected in this example1,q2Is a prime number of 512bit size.
Step (1-3): randomly selecting generator k, u in group G, and enablingThen h is q of group G1Generating element of subgroup of order, and randomly selecting prime order groups G ' and G ' with order of p 'TLet G be a generator of the group G ', to obtain a bilinear map e ': G ' × G ' → G 'T。
Step (1-4): randomly select from {0,1}*Hash function F mapped to G 'and from G'THash function H mapped to (0,1), randomly chosen coefficients α, a ∈ ZpI.e. α, a are both randomly chosen in the integer domain modulo p, ZpI.e. the integer field modulo p, the master key of the algorithm is expressed as: MSK ═ gα,PK);
The output public key is expressed as: PK ═ n (g, k, h, e, e' (g, g)α,ga,F,H,G,G1)。
The hash function F and the hash function H used in the step (1) are public domestic hash function SM3 algorithms.
Step (2): the sender selects an access structure, encrypts the message and generates a ciphertext CT, and the specific process of the step (2) is as follows:
step (2-1) the sender selects the LSSS access structure (M, p), where M is a matrix of l × n associated with the attribute, and p is the row element M associated with MiThe associated function, which represents a mapping that may correspond each row of matrix M to an element in the access structure, i ═ 1,2, …, l.
Step (2-2): randomly selecting n ZpElement (s, y) of (1)2,……,yn)∈ZpThe component vector v, v ═ s, y2,……,yn) Where s is a secret sharing parameter, calculating λi=MiV, wherein MiIs a vector formed by the ith row element of M, and then randomly selects l + 1ZpThe element (R, R) in (1)1,……,rl)∈ZpI.e. randomly selecting R, R in the integer domain modulo p1,…,rlAnd outputting a ciphertext CT, wherein the CT comprises the following three parts:
and (3): the receiving party inputs the master key MSK and the attribute S, selects random parameters and outputs the TK and the SK, and the specific process of the step (3) is as follows:
step (3-1) in which the recipient inputs the master key MSK and the attribute S, and randomly selects t' ∈ ZpAnd outputting:
SK′=(PK,K′=gαgat′,L′=gt′,{Kx′=F(x)t′}x∈S)。
step (3-2) of randomly selecting Z ∈ ZpAnd let t ═ t'/z, obtain the private key SK of the take over party and the TK:
SK=(q1,z)。
and (4): and the sender sends the ciphertext data CT to the cloud through the public channel.
After the cloud receives the ciphertext data CT sent by the sender, it may perform homomorphic computation on the ciphertext, comprising at least one additive homomorphic operation and at most one multiplicative homomorphic operation. In this embodiment one additive homomorphic operation is performed:
the ciphertext data received by the cloud comprises c_1 and c_2:
The ciphertext after the additive homomorphic computation is as follows:
C = g^s,
Because c' ∈ G in the ciphertext obtained by the additive homomorphism, the cloud can perform multiple additive homomorphic operations after receiving the ciphertext CT.
Step (5): the receiver sends TK to the cloud.
Step (6): the cloud transforms the ciphertext resulting from the homomorphic operation using TK to obtain a partial ciphertext CT' and sends CT' to the receiver. The specific process of step (6) is as follows:
Step (6-1): the cloud transforms the ciphertext CT using the transformation key TK sent by the receiver. When the attribute set S of the receiver does not satisfy the access structure (M, ρ), the cloud outputs ⊥ and the procedure halts;
when the attribute set S of the receiver satisfies the access structure (M, ρ), define … and I = {i : ρ(i) ∈ S}. Then there exists a set of constants {ω_i ∈ Z_p}_{i∈I} for the valid shares {λ_i}_{i∈I} of the secret s, i.e. computing Σ_{i∈I} ω_i λ_i = s recovers the secret-sharing parameter s, after which the transformation algorithm is run to obtain the partial ciphertext CT'.
The transformation algorithm computes as follows:
Step (6-2): the cloud returns the partial ciphertext CT' = (c, Q) to the receiver.
Step (7): the receiver decrypts the partial ciphertext CT' using the private key SK to obtain the message. The specific process of step (7) is as follows:
Step (7-1): the receiver inputs the private key SK = (q_1, z) and the partial ciphertext CT', and uses (z, Q) to perform an exponentiation, i.e. computes e'(g, g)^{sα} = Q^z, obtaining e'(g, g)^{sα} and hence the value of H(e'(g, g)^{sα}).
Step (7-2): the receiver then uses the partial private key q_1 to compute:
Step (7-3): the receiver obtains the plaintext message m_1 + m_2 by computing, with Pollard's lambda algorithm, the discrete logarithm of … to the base ….
The ciphertext CT received by the cloud, encrypted according to the scheme of this embodiment, consists of three parts; the first part c is embedded in a BGN-type ciphertext, so the server may perform multiple additive homomorphic operations on that part, and the result is the same as that obtained by performing the same operation directly on the plaintexts and then encrypting the result. Therefore, after homomorphic operation on the ciphertext, data security is greatly improved without increasing the difficulty of the user's decryption. Because c' ∈ G in the ciphertext obtained by the additive homomorphism, the cloud can perform multiple additive homomorphic operations after receiving the ciphertext CT.
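As an added example (not code from the patent), the following Python shows the BGN part of the ciphertext that the additive homomorphism of this embodiment and the q_1 step of (7-2)/(7-3) act on: c = g^m h^r in a composite-order group, c_1 · c_2 as the cloud's addition, c^{q_1} to remove the h component, and a small-interval discrete logarithm to recover m_1 + m_2. Assumptions: G is realised as the order-n subgroup of Z_P^* for a constructed prime P = k·n + 1 with toy primes q_1 = 1009, q_2 = 1000003 (the scheme uses 512-bit primes); h = u^{q_2}, which gives h the order q_1 stated in step (1-3); baby-step giant-step stands in for Pollard's lambda algorithm; the attribute keys, the pairing e' and the cloud transformation are not modelled.

```python
"""Toy BGN-style additively homomorphic encryption with partial-key decryption.

Added example, not code from the patent. Assumptions: the composite-order group
G is the subgroup of order n = q1*q2 in Z_P^* with P = k*n + 1 prime and small
toy primes q1, q2 (the patent uses 512-bit primes); h = u^q2, which makes h a
generator of the order-q1 subgroup as step (1-3) states; baby-step giant-step
stands in for Pollard's lambda as the small-interval discrete-log routine.
"""
import secrets

Q1, Q2 = 1009, 1000003       # toy primes; the scheme uses 512-bit primes
N = Q1 * Q2                  # group order n = q1*q2
MSG_BOUND = 1 << 16          # message space searched by the discrete-log step


def is_prime(x):
    """Deterministic Miller-Rabin, sufficient for the small moduli used here."""
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if x < 2:
        return False
    for p in small:
        if x % p == 0:
            return x == p
    d, s = x - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in small:
        y = pow(a, d, x)
        if y in (1, x - 1):
            continue
        for _ in range(s - 1):
            y = y * y % x
            if y == x - 1:
                break
        else:
            return False
    return True


def setup():
    """Step (1): build (P, g, h) with ord(g) = n and ord(h) = q1."""
    k = 2
    while not is_prime(k * N + 1):
        k += 1
    P = k * N + 1

    def order_n_element(start):
        x = start
        while True:
            g = pow(x, (P - 1) // N, P)          # lands in the order-n subgroup
            if pow(g, Q1, P) != 1 and pow(g, Q2, P) != 1:
                return g, x                      # order is neither 1, q1 nor q2
            x += 1

    g, x = order_n_element(2)
    u, _ = order_n_element(x + 1)
    h = pow(u, Q2, P)                            # assumption: h = u^q2, order q1
    return P, g, h


def encrypt(pk, m):
    """BGN part of the ciphertext: c = g^m * h^r with random r."""
    P, g, h = pk
    r = secrets.randbelow(N)
    return pow(g, m, P) * pow(h, r, P) % P


def add_ciphertexts(pk, c1, c2):
    """Cloud-side additive homomorphism: Enc(m1) * Enc(m2) = Enc(m1 + m2)."""
    return c1 * c2 % pk[0]


def bsgs_log(base, target, P, bound):
    """Return m in [0, bound) with base^m = target (mod P), else None."""
    step = int(bound ** 0.5) + 1
    baby = {}
    cur = 1
    for j in range(step):                        # baby steps: base^j
        baby.setdefault(cur, j)
        cur = cur * base % P
    giant = pow(base, -step, P)                  # base^(-step)
    gamma = target
    for i in range(step + 1):                    # giant steps: target * base^(-i*step)
        if gamma in baby:
            return i * step + baby[gamma]
        gamma = gamma * giant % P
    return None


def decrypt(pk, q1, c):
    """Steps (7-2)/(7-3): c^q1 = (g^q1)^m removes h, then a small discrete log."""
    P, g, _ = pk
    return bsgs_log(pow(g, q1, P), pow(c, q1, P), P, MSG_BOUND)


PK_DEMO = setup()   # constructed toy parameters used by the self-check

if __name__ == "__main__":
    c1, c2 = encrypt(PK_DEMO, 1234), encrypt(PK_DEMO, 4321)
    print(decrypt(PK_DEMO, Q1, add_ciphertexts(PK_DEMO, c1, c2)))  # 5555
```

Since g^{q_1} has order q_2, the final discrete logarithm only recovers m modulo q_2, so the sum of the plaintexts must stay below MSG_BOUND for the recovery to be unambiguous; this is why the scheme relies on a small-interval algorithm such as Pollard's lambda rather than a general discrete-log solver.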
In the ciphertext decryption outsourcing scheme of this embodiment, the party performing step (3) is the receiver, unlike steps (2) and (4), so the position of step (3) may be changed: step (3) need not lie between steps (2) and (4), as long as it comes after step (1) and before step (5).
The parameter generation algorithm used for the random selection in the scheme of the invention specifically uses a pseudo-random generator to randomly select two large 512-bit primes q_1, q_2; G and G_1 are both groups of order n = q_1 q_2, and e: G × G → G_1 is a bilinear map. The pseudo-random number generator is not further specified: any generator that achieves the random selection may be used, and this has no effect on the security of the scheme.
Example 3: BGN type ciphertext decryption outsourcing scheme based on attributes
The specific scheme is as follows:
step (1): setting system parameters, generating an encryption key, a master key MSK and a public key PK, wherein the specific process of the step (1) is as follows:
step (1-1): setting system parameters, inputting safety parameters lambda and attribute space U, wherein U is {0,1}*(ii) a The value of the input security parameter λ is relatively large, and in this embodiment, the value of λ is 1024 bits, which is enough to ensure the security of the scheme.
Step (1-2) of running an algorithm ξ (λ) to obtain a tuple (q)1,q2,G,G1E) and bisLinear mapping e G × G → G1Wherein q is1,q2Is prime number, G1Are all of order n ═ q1q2ξ (lambda) is a published parameter generation algorithm, q1,q2For large prime numbers, q is selected in this example1,q2Is a prime number of 512bit size.
Step (1-3): randomly selecting generator k, u in group G, and enablingThen h is q of group G1Generating element of subgroup of order, and randomly selecting prime order groups G ' and G ' with order of p 'TLet G be a generator of the group G ', to obtain a bilinear map e ': G ' × G ' → G 'T。
Step (1-4): randomly select from {0,1}*Hash function F mapped to G 'and from G'THash function H mapped to (0,1), randomly chosen coefficients α, a ∈ ZpI.e. α, a are both randomly chosen in the integer domain modulo p, ZpI.e. the integer field modulo p, the master key of the algorithm is expressed as: MSK ═ gα,PK);
The output public key is expressed as: PK ═ n (g, k, h, e, e' (g, g)α,ga,F,H,G,G1)。
The hash function F and the hash function H used in the step (1) are public domestic hash function SM3 algorithms.
Step (2): the sender selects an access structure, encrypts the message and generates a ciphertext CT, and the specific process of the step (2) is as follows:
step (2-1) the sender selects the LSSS access structure (M, p), where M is a matrix of l × n associated with the attribute, and p is the row element M associated with MiThe associated function, which represents a mapping that may correspond each row of matrix M to an element in the access structure, i ═ 1,2, …, l.
Step (2-2): randomly selecting n ZpElement (s, y) of (1)2,……,yn)∈ZpThe component vector v, v ═ s, y2,……,yn) Wherein s is secret sharingParameter, calculating λi=MiV, wherein MiIs a vector formed by the ith row element of M, and then randomly selects l + 1ZpThe element (R, R) in (1)1,……,rl)∈ZpI.e. randomly selecting R, R in the integer domain modulo p1,…,rlAnd outputting a ciphertext CT, wherein the CT comprises the following three parts:
and (3): the receiving party inputs the master key MSK and the attribute S, selects random parameters and outputs the TK and the SK, and the specific process of the step (3) is as follows:
step (3-1) in which the recipient inputs the master key MSK and the attribute S, and randomly selects t' ∈ ZpAnd outputting:
SK′=(PK,K′=gαgat′,L′=gt′,{Kx′=F(x)t′}x∈S)。
step (3-2) of randomly selecting Z ∈ ZpAnd let t ═ t'/z, obtain the private key SK of the take over party and the TK:
SK=(q1,z)。
and (4): and the sender sends the ciphertext data CT to the cloud through the public channel.
After the cloud receives the ciphertext data CT sent by the sender, it may perform homomorphic computation on the ciphertext, comprising at least one additive homomorphic operation and at most one multiplicative homomorphic operation. In this embodiment one multiplicative homomorphic operation is performed:
Let k_1 = e(k, k) and h_1 = e(k, h); then k_1 has order n and h_1 has order q_1, and there must exist β ∈ Z such that …, where Z is a finite integer field; compute
C = g^s,
Because the ciphertext obtained by the multiplicative homomorphism satisfies c' ∈ G_1, and no efficient algorithm (bilinear map) G_1 × G_1 → G exists, this scheme can perform only one multiplication.
Step (5): the receiver sends TK to the cloud.
Step (6): the cloud transforms the ciphertext using the transformation key TK to obtain a partial ciphertext CT' and sends CT' to the receiver. The specific process of step (6) is as follows:
Step (6-1): the cloud transforms the ciphertext CT using the transformation key TK sent by the receiver. When the attribute set S of the receiver does not satisfy the access structure (M, ρ), the cloud outputs ⊥ and the procedure halts;
when the attribute set S of the receiver satisfies the access structure (M, ρ), define … and I = {i : ρ(i) ∈ S}. Then there exists a set of constants {ω_i ∈ Z_p}_{i∈I} for the valid shares {λ_i}_{i∈I} of the secret s, and computing Σ_{i∈I} ω_i λ_i = s recovers the secret-sharing parameter s, after which the transformation algorithm is run to obtain the partial ciphertext CT'.
The transformation algorithm computes as follows:
Step (6-2): the cloud returns the partial ciphertext CT' = (c, Q) to the receiver.
Step (7): the receiver decrypts the partial ciphertext CT' using the private key SK to obtain the message. The specific process of step (7) is as follows:
Step (7-1): the receiver inputs the private key SK = (q_1, z) and the partial ciphertext CT', and uses (z, Q) to perform an exponentiation, i.e. computes e'(g, g)^{sα} = Q^z, obtaining e'(g, g)^{sα} and hence the value of H(e'(g, g)^{sα})^2.
Step (7-2): the receiver then uses the partial private key q_1 to compute:
Step (7-3): the receiver obtains the plaintext message m_1 m_2 by computing, with Pollard's lambda algorithm, the discrete logarithm of … to the base ….
According to embodiment 3, the ciphertext CT received by the cloud, encrypted according to the scheme of this embodiment, consists of three parts; the first part c is embedded in a BGN-type ciphertext, so the server may perform one multiplicative homomorphic operation on that part, and the result is the same as that obtained by performing the same operation directly on the plaintexts and then encrypting the result. Therefore, after homomorphic operation on the ciphertext, data security is greatly improved without increasing the difficulty of the user's decryption.
In a mobile cloud storage environment, a user embeds hashed attribute control into a BGN ciphertext, uploads it to the cloud storage, and outsources part of the decryption of the stored ciphertext to the cloud through the ciphertext transformation step. This secures the data at the cloud and, without revealing plaintext data, lets the outsourced decryption agent apply its strong computing power, so that decryption is faster, the storage and decryption overhead of the receiver is reduced, and the decryption efficiency of the system is improved.
Example 4: security of the BGN-type ciphertext decryption outsourcing scheme of the invention
The security of the scheme of the invention rests on the assumption that an adversary algorithm A cannot solve the subgroup decision problem. Suppose some algorithm B breaks the semantic security of the scheme with some advantage; then there must exist an adversary algorithm A that solves the subgroup decision problem with some advantage. The detailed proof is as follows:
(1) The adversary algorithm A randomly selects g ∈ G and sends the public key (n, G_1, e, g, x) to algorithm B.
(2) Algorithm B randomly selects two plaintext messages m_0, m_1 and sends them to the adversary A, which returns a random challenge ciphertext c, where …
(3) Algorithm B outputs a guess b' for b; the output is "1" if b = b' and "0" otherwise.
If the element x is uniformly distributed in the group G, the challenge ciphertext c is also uniformly distributed in G regardless of the choice of b, i.e. Pr[b = b'] = 1/2; if x lies in the order-q_1 subgroup of G, then by assumption Pr[b = b'] > 1/2 + …, so SD-Adv_A(τ) > …, which means that the advantage of the adversary algorithm A in solving the subgroup decision problem is non-negligible, contradicting the hardness assumption.
Thus the scheme achieves CPA security under the assumption that the subgroup decision problem is hard. Note also that leakage of the decryptor's attributes does not affect the security of the ciphertext. Because …, if the attacker does not obtain the partial key q_1, then even if he knows the attributes of the encryptor and the random parameter z, i.e. the attacker can compute e'(g, g)^{sα}, he does not know the partial key q_1 and therefore cannot compute
and so cannot obtain the correct plaintext. On the other hand, even if the attacker obtains only the partial key q_1, his attributes do not satisfy the ciphertext access policy, i.e. the attacker cannot compute e'(g, g)^{sα}, and therefore cannot decrypt to obtain the plaintext. In summary, only a legitimate decryptor whose attributes satisfy the ciphertext access policy can decrypt the ciphertext normally.
According to the above description, the decryption outsourcing scheme of the invention uses bilinear mapping together with the Chinese national standard hash algorithm SM3 and reduces the security of the scheme to the subgroup decision hardness assumption, thereby achieving CPA security.
The foregoing is a more detailed description of the invention in connection with specific preferred embodiments and it is not intended that the invention be limited to these specific details. For those skilled in the art to which the invention pertains, several simple deductions or substitutions can be made without departing from the spirit of the invention, and all shall be considered as belonging to the protection scope of the invention.
Claims (2)
1. An attribute-based BGN-type ciphertext decryption outsourcing scheme, comprising the following steps:
Step (1): set the system parameters and generate the encryption key, the master key MSK and the public key PK;
Step (2): the sender selects an access structure, encrypts the message and outputs a ciphertext CT;
Step (3): the receiver inputs the master key MSK and the attribute set S, randomly selects parameters and outputs a transformation key TK and a private key SK;
Step (4): the sender sends the ciphertext data CT to the cloud through a public channel;
Step (5): the receiver sends TK to the cloud;
Step (6): the cloud transforms the ciphertext CT using the transformation key TK to obtain a partial ciphertext CT' and sends CT' to the receiver;
Step (7): the receiver decrypts the partial ciphertext CT' using the private key SK to obtain the message;
characterized in that a homomorphic computation step performed by the cloud on the ciphertext is further included between step (4) and step (5);
step (1) is specifically as follows:
Step (1-1): set the system parameters; input the security parameter λ and the attribute space U = {0,1}*;
Step (1-2): run the algorithm ξ(λ) to obtain a tuple (q_1, q_2, G, G_1, e) and a bilinear map e: G × G → G_1, where q_1, q_2 are primes and G, G_1 are both groups of order n = q_1 q_2;
Step (1-3): randomly select generators k, u of the group G and let …; then h is a generator of the order-q_1 subgroup of G. Randomly select prime-order groups G' and G'_T of order p, let g be a generator of the group G', and obtain a bilinear map e': G' × G' → G'_T;
Step (1-4): randomly select a hash function F: {0,1}* → G' and a hash function H: G'_T → {0,1}, and randomly choose coefficients α, a ∈ Z_p, i.e. α and a are both chosen at random from Z_p, the integers modulo p. The master key of the algorithm is then expressed as MSK = (g^α, PK);
the public key is expressed as PK = (n, g, k, h, e, e'(g, g)^α, g^a, F, H, G, G_1);
step (2) is specifically as follows:
Step (2-1): the sender selects an LSSS access structure (M, ρ), where M is an l × n matrix associated with the attributes and ρ is the function associated with the rows M_i of M, i.e. a mapping that assigns each row of the matrix M to an attribute in the access structure, i = 1, 2, …, l;
Step (2-2): randomly select n elements (s, y_2, …, y_n) ∈ Z_p to form the vector v = (s, y_2, …, y_n), where s is the secret-sharing parameter, and compute λ_i = M_i · v, where M_i is the vector formed by the i-th row of M. Then randomly select l + 1 elements (r, r_1, …, r_l) ∈ Z_p, i.e. choose r, r_1, …, r_l at random from Z_p, and output the ciphertext CT, which consists of the following three parts:
C' = g^s,
the homomorphic computation step comprises at least one additive homomorphic operation and at most one multiplicative homomorphic operation;
step (3) is specifically as follows:
Step (3-1): the receiver inputs the master key MSK and the attribute set S, randomly selects t' ∈ Z_p and outputs
SK' = (PK, K' = g^α g^{a t'}, L' = g^{t'}, {K'_x = F(x)^{t'}}_{x∈S});
Step (3-2): randomly select z ∈ Z_p and let t = t'/z, obtaining the receiver's private key SK and the transformation key TK:
TK is:
SK is: SK = (q_1, z);
in step (4), the cloud performs the homomorphic computation on the ciphertext in one of two modes:
mode one: after the sender sends the ciphertext data CT to the cloud through the public channel, the homomorphic computation step of the cloud on the ciphertext is at least one additive homomorphic operation;
the ciphertext received by the cloud comprises c_1 and c_2:
compute
the ciphertext after the additive homomorphic computation is:
C = g^s,
mode two: after the sender sends the ciphertext data CT to the cloud through the public channel, the homomorphic computation step of the cloud on the ciphertext is one multiplicative homomorphic operation;
let k_1 = e(k, k) and h_1 = e(k, h); then k_1 has order n and h_1 has order q_1, and there must exist β ∈ Z such that …, where Z is a finite integer field; compute
the ciphertext after one multiplicative homomorphic computation is:
C = g^s,
step (6) is as follows: the cloud transforms the homomorphically computed ciphertext CT using the transformation key TK to obtain a partial ciphertext CT' and sends CT' to the receiver; the specific process of step (6) is as follows:
Step (6-1): the cloud transforms the ciphertext using the transformation key TK sent by the receiver. When the attribute set S of the receiver does not satisfy the access structure (M, ρ), the cloud outputs ⊥ and the procedure halts;
when the attribute set S of the receiver satisfies the access structure (M, ρ), define … and I = {i : ρ(i) ∈ S}; then there exists a set of constants {w_i ∈ Z_p}_{i∈I} for the shares {λ_i}_{i∈I}, and computing Σ_{i∈I} w_i λ_i = s recovers the secret-sharing parameter s, after which the transformation algorithm is run to obtain the partial ciphertext;
the transformation algorithm computes as follows:
Step (6-2): the cloud returns the partial ciphertext CT' = (c, Q) to the receiver;
when the homomorphic computation of the cloud on the ciphertext is in mode one, the specific process of step (7) is as follows:
Step (7-1): the receiver inputs the private key SK = (q_1, z) and the partial ciphertext CT', and uses (z, Q) to perform an exponentiation to compute e'(g, g)^{sα} = Q^z, obtaining e'(g, g)^{sα} and hence the value of H(e'(g, g)^{sα});
Step (7-2): the receiver then uses the partial private key q_1 to compute:
Step (7-3): the receiver obtains the plaintext message m_1 + m_2 by computing, with Pollard's lambda algorithm, the discrete logarithm of … to the base …;
when the homomorphic computation of the cloud on the ciphertext is in mode two, the specific process of step (7) is as follows:
Step (7-1): the receiver inputs the private key SK = (q_1, z) and the partial ciphertext CT', and uses (z, Q) to perform an exponentiation, i.e. computes e'(g, g)^{sα} = Q^z, obtaining e'(g, g)^{sα} and hence the value of H(e'(g, g)^{sα})^2;
Step (7-2): the receiver then uses the partial private key q_1 to compute:
2. The attribute-based BGN-type ciphertext decryption outsourcing scheme of claim 1, wherein the parameter generation algorithm for the random selection uses a pseudo-random number generator to randomly select two large 512-bit primes q_1, q_2; G and G_1 are both groups of order n = q_1 q_2, and e: G × G → G_1 is a bilinear map.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710233091.7A CN107154845B (en) | 2017-04-11 | 2017-04-11 | BGN type ciphertext decryption outsourcing scheme based on attributes |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107154845A CN107154845A (en) | 2017-09-12 |
CN107154845B true CN107154845B (en) | 2020-08-11 |
Family
ID=59792652
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||