CN107154845B - BGN type ciphertext decryption outsourcing scheme based on attributes - Google Patents

Publication number: CN107154845B (other versions: CN107154845A)
Application number: CN201710233091.7A
Authority: CN (China)
Original language: Chinese (zh)
Legal status: Active (granted)
Inventors: 张薇, 李镇林, 杨晓元, 周潭平, 张帅伟, 张敏情, 韩益亮, 薛帅
Assignee (current and original): Engineering University of Chinese Peoples Armed Police Force
Prior art keywords: ciphertext, cloud, key, homomorphic, attribute

Classifications (CPC)

    • H04L9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • H04L63/0428 Network security protocols for confidential data exchange wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/06 Network security protocols for supporting key management in a packet data network
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value and securely transfers it to the other(s)
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H04L9/3073 Public key cryptography involving algebraic varieties, e.g. elliptic or hyper-elliptic curves, involving pairings, e.g. identity based encryption [IBE], bilinear mappings or bilinear pairings, e.g. Weil or Tate pairing

Abstract

The invention relates to an attribute-based BGN type ciphertext decryption outsourcing scheme comprising the following steps: (1) set the system parameters and generate the encryption key; (2) the sender selects an access structure, encrypts the message and generates a ciphertext; (3) the receiver inputs the master key and its attributes and outputs a transformation key and a private key; (4) the sender sends the ciphertext to the cloud; (5) the receiver sends the transformation key to the cloud; (6) the cloud converts the ciphertext with the transformation key to obtain a partial ciphertext and sends it to the receiver; (7) the receiver decrypts the partial ciphertext with the private key to obtain the message. Between step (4) and step (5) a further step is included in which the cloud performs a homomorphic computation on the ciphertext. The outsourced decryption scheme not only improves the decryption efficiency of the system but also reduces the storage overhead of the receiver; the ciphertext produced by this encryption method allows the server to perform multiple addition homomorphic operations and one multiplication homomorphic operation on the ciphertext data, and the CPA security of the user's information is greatly improved without increasing the difficulty of decryption.

Description

BGN type ciphertext decryption outsourcing scheme based on attributes
Technical Field
The invention belongs to the technical field of information security, and particularly relates to a BGN type ciphertext decryption outsourcing scheme based on attributes.
Background
The concept of cloud computing has put the development of the information industry on a fast track. Cloud services offer users massive storage and strong computing capability and promote economic development, but public clouds are mainly maintained and operated by untrusted third-party service providers, and the security problems associated with cloud computing are increasingly prominent. Cloud security is regarded as the biggest challenge among the many difficulties in the practical application of cloud services, and the most urgent problem for them to solve. If a user stores sensitive data in plaintext on a cloud server, the cloud cannot be trusted unconditionally: it may copy or even tamper with the information, and the user has no way of knowing about the cloud's unauthorized behaviour, which can cause unpredictable loss. To prevent malicious leakage of and illegal access to sensitive data, the user can outsource the data in ciphertext form.
The traditional cloud computing encryption and decryption model cannot provide fine-grained access control over a computation result. Shamir proposed identity-based encryption in 1984, in which the user's public key is generated from a unique identifier associated with the user's identity, so the server does not need to look up the user's public key certificate when accessing the public key. Attribute-based encryption was proposed by Sahai and Waters and can be regarded as a generalization of identity-based encryption.
In an attribute-based encryption system, a user's key and a ciphertext are associated with a set of descriptive attributes and an access policy, respectively. A particular key can decrypt a particular ciphertext only if the associated attributes and access policy match. Two attribute-based encryption variants have been proposed so far: key-policy attribute-based encryption (KP-ABE) and ciphertext-policy attribute-based encryption (CP-ABE). In KP-ABE the access policy is embedded in the private key, while in CP-ABE it is embedded in the ciphertext. Attribute-based encryption (ABE) gives data owners a secure way to share outsourced data on untrusted servers, rather than relying on trusted servers and specific users. This advantage has made ABE a popular approach to cloud storage, providing secure access control for a large number of users belonging to different organizations.
Nevertheless, ABE has a major drawback in efficiency: the computational cost of the key distribution and decryption stages grows with the complexity of the access policy. The ciphertext size and the time required for decryption increase with the complexity of the access formula, which is clearly a huge challenge for resource-constrained mobile users. To ensure that remote, resource-limited mobile users can also decrypt safely and efficiently, the concept of outsourced ABE was proposed, which allows encryption and decryption to be outsourced to third-party service providers. The core of ABE decryption outsourcing is to modify the key generation algorithm so that it produces two keys: a short ElGamal-type key kept by the user and a transformation key TK. For a ciphertext CT satisfying the access function, the cloud can use TK to convert CT into a simple, short ElGamal-type ciphertext CT'. The user then needs only a single exponentiation to decrypt. Compared with the traditional attribute-based encryption scheme, the outsourced decryption scheme improves the decryption efficiency of the system and reduces the storage overhead of the receiver. However, in this scheme part of the decryption of the ciphertext is performed by the cloud, which requires trust in the outsourcing server, and both the ciphertext and the transformation key TK may be read illegally.
Therefore, the ciphertext decryption outsourcing scheme which can improve the information security in the decryption outsourcing process and does not increase the decryption difficulty of the user has important value.
Disclosure of Invention
To improve information security in the decryption outsourcing process of the prior-art CP-ABE decryption outsourcing scheme without increasing the user's decryption difficulty, the invention provides an attribute-based BGN type ciphertext decryption outsourcing scheme. The ciphertext obtained by the encryption method of this scheme allows a server to perform multiple addition homomorphic and multiplication homomorphic operations on the ciphertext data, so that the CPA security of the user's information is greatly improved without increasing the user's decryption difficulty.
The technical problem to be solved by the invention is realized by the following technical scheme:
a BGN type ciphertext decryption outsourcing scheme based on attributes comprises the following steps:
step (1): set the system parameters and generate the encryption key, the master key MSK and the public key PK;
step (2): the sender selects an access structure, encrypts the message and outputs a ciphertext CT;
step (3): the receiver inputs the master key MSK and the attribute set S, randomly selects parameters and outputs a transformation key TK and a private key SK;
step (4): the sender sends the ciphertext data CT to the cloud through a public channel;
step (5): the receiver sends TK to the cloud;
step (6): the cloud converts the ciphertext CT using the transformation key TK to obtain a partial ciphertext CT' and sends the partial ciphertext CT' to the receiver;
step (7): the receiver decrypts the partial ciphertext CT' using the private key SK to obtain the message;
and between step (4) and step (5) a further step is included in which the cloud performs a homomorphic computation on the ciphertext.
More specifically, in the attribute-based BGN-type ciphertext decryption outsourcing scheme of the present invention, the step (1) is specifically:
step (1-1): set the system parameters; input the security parameter λ and the attribute space U, where U = {0,1}*;
step (1-2): run the algorithm ξ(λ) to obtain the tuple (q_1, q_2, G, G_1, e) and the bilinear map e: G × G → G_1, where q_1, q_2 are primes and G, G_1 are both groups of order n = q_1 q_2;
step (1-3): randomly select generators k, u in the group G and let
Figure BDA0001267184690000021
then h is a generator of the subgroup of order q_1 of G; randomly select prime-order groups G' and G'_T of order p, let g be a generator of G', and obtain the bilinear map e': G' × G' → G'_T;
step (1-4): randomly select a hash function F mapping {0,1}* to G' and a hash function H mapping G'_T to {0,1}*, and randomly choose coefficients α, a ∈ Z_p, where Z_p is the integers modulo p. The master key of the algorithm is MSK = (g^α, PK); the public key is PK = (n, g, k, h, e, e'(g, g)^α, g^a, F, H, G, G_1).
More specifically, in the attribute-based BGN-type ciphertext decryption outsourcing scheme of the present invention, the step (2) is specifically:
step (2-1): the sender selects an LSSS access structure (M, ρ), where M is an l × n matrix associated with the attributes and ρ is the function that associates each row M_i of M with an attribute, i = 1, 2, …, l;
step (2-2): randomly select n elements (s, y_2, …, y_n) ∈ Z_p and form the vector v = (s, y_2, …, y_n), where s is the secret-sharing parameter; compute λ_i = M_i · v, where M_i is the vector formed by the i-th row of M; then randomly select l + 1 elements (R, r_1, …, r_l) ∈ Z_p and output the ciphertext CT, which consists of the following three parts:
Figure BDA0001267184690000031
more specifically, in the attribute-based BGN-type ciphertext decryption outsourcing scheme of the present invention, the step (3) is specifically:
step (3-1): the receiver inputs the master key MSK and the attribute set S, randomly selects t' ∈ Z_p and outputs
SK' = (PK, K' = g^α g^{a t'}, L' = g^{t'}, {K'_x = F(x)^{t'}}_{x∈S});
step (3-2): randomly select z ∈ Z_p and let t = t'/z to obtain the receiver's private key SK and the transformation key TK:
TK is:
Figure BDA0001267184690000032
SK is: SK = (q_1, z).
More specifically, in the attribute-based BGN-type ciphertext decryption outsourcing scheme of the present invention, the step (6) is specifically:
step (6-1): the cloud converts the ciphertext CT using the transformation key TK sent by the receiver. When the receiver's attribute set S does not satisfy the access structure (M, ρ), the cloud outputs ⊥ and the system stops;
when the receiver's attribute set S satisfies the access structure (M, ρ), define
Figure BDA0001267184690000033
and I = {i : ρ(i) ∈ S}; then there is a set of constants {ω_i ∈ Z_p}_{i∈I} such that, for valid shares {λ_i} of the secret, Σ_{i∈I} ω_i λ_i = s, which recovers the secret-sharing parameter s. The conversion algorithm is then run to obtain the partial ciphertext CT';
the conversion algorithm computes the following:
Figure BDA0001267184690000041
step (6-2): the cloud returns the partial ciphertext CT' = (c, Q) to the receiver.
More specifically, in the attribute-based BGN-type ciphertext decryption outsourcing scheme of the present invention, the step (7) is specifically:
step (7-1): receiving party input private key SK ═ (q)1Z) and partial ciphertext CT ', using (z, Q) to compute e' (g, g)=Qz
Step (7-2): receiver reusing part of private key q1Computing
Figure BDA0001267184690000042
Step (7-3): the receiving party decrypts through Pollard's lambda algorithm to
Figure BDA0001267184690000043
Is a bottom
Figure BDA0001267184690000046
The plaintext message m can be obtained by the discrete logarithm of the number.
More specifically, in the attribute-based BGN-type ciphertext decryption outsourcing scheme of the present invention, the homomorphic calculation operation steps are at least one addition homomorphic operation and at most one multiplication homomorphic operation.
More specifically, in the attribute-based BGN-type ciphertext decryption outsourcing scheme of the present invention, when in step (4), after the sender sends the ciphertext data CT to the cloud through the public channel, the homomorphic computation performed by the cloud on the ciphertext is at least one addition homomorphic operation:
the ciphertext data received by the cloud comprises c_1 and c_2:
Figure BDA0001267184690000044
and
Figure BDA0001267184690000045
compute
Figure BDA0001267184690000051
the ciphertext after the addition homomorphic computation is:
Figure BDA0001267184690000052
C = g^s
Figure BDA0001267184690000053
step (5): the receiver sends TK to the cloud;
step (6): the cloud converts the ciphertext resulting from the homomorphic operation using TK and sends the partial ciphertext to the receiver; the specific process of step (6) is as follows:
step (6-1): the cloud converts the ciphertext using the TK sent by the receiver;
when the receiver's attribute set S satisfies the access structure (M, ρ), define
Figure BDA0001267184690000055
and I = {i : ρ(i) ∈ S}; then there is a set of constants {ω_i ∈ Z_p}_{i∈I} such that computing Σ_{i∈I} ω_i λ_i = s recovers the secret-sharing parameter s, after which the conversion algorithm is run to obtain the partial ciphertext;
the conversion algorithm computes the following:
Figure BDA0001267184690000054
step (6-2): the cloud returns the partial ciphertext CT' = (c, Q) to the receiver;
step (7): the receiver decrypts the partial ciphertext CT' using the private key SK; the specific process of step (7) is as follows:
step (7-1): the receiver inputs the private key SK = (q_1, z) and the partial ciphertext CT', and uses (z, Q) to perform an exponentiation, computing e'(g, g)^(·) = Q^z, which yields e'(g, g)^(·) and hence the value of H(e'(g, g)^(·));
step (7-2): the receiver then uses the private key component q_1 to compute:
Figure BDA0001267184690000061
step (7-3): the receiver uses Pollard's lambda algorithm to compute the discrete logarithm of
Figure BDA0001267184690000062
to the base
Figure BDA0001267184690000065
and so obtains the plaintext message m_1 + m_2.
Because c' ∈ G in the ciphertext obtained after one addition homomorphism, the cloud can perform addition homomorphic operations many times after receiving the ciphertext CT.
More specifically, in the attribute-based BGN-type ciphertext decryption outsourcing scheme of the present invention, when in step (4), after the sender sends the ciphertext data CT to the cloud through the public channel, the homomorphic computation performed by the cloud on the ciphertext is a multiplication homomorphic operation:
let k_1 = e(k, k) and h_1 = e(k, h); the order of k_1 is n and the order of h_1 is q_1, so there must exist β ∈ Z such that
Figure BDA0001267184690000063
where Z is the integer domain; compute
Figure BDA0001267184690000064
the ciphertext after one multiplication homomorphic computation is:
Figure BDA0001267184690000071
C = g^s
Figure BDA0001267184690000072
step (5): the receiver sends TK to the cloud;
step (6): the cloud converts the ciphertext using TK to obtain a partial ciphertext and sends the partial ciphertext to the receiver; the specific process of step (6) is as follows:
step (6-1): the cloud converts the ciphertext using the TK sent by the receiver, and when the receiver's attribute set S satisfies the access structure (M, ρ), defines
Figure BDA0001267184690000074
and I = {i : ρ(i) ∈ S}; then there is a set of constants {ω_i ∈ Z_p}_{i∈I} such that computing Σ_{i∈I} ω_i λ_i = s recovers the secret-sharing parameter s, after which the conversion algorithm is run to obtain the partial ciphertext CT';
the conversion algorithm computes the following:
Figure BDA0001267184690000073
step (6-2): the cloud returns the partial ciphertext CT' = (c, Q) to the receiver;
step (7): the receiver decrypts the partial ciphertext CT' using the private key SK to obtain the message; the specific process of step (7) is as follows:
step (7-1): the receiver inputs the private key SK = (q_1, z) and the partial ciphertext CT', and uses (z, Q) to perform an exponentiation, i.e. computes e'(g, g)^(·) = Q^z, obtaining e'(g, g)^(·) and hence the value of H(e'(g, g)^(·))^2;
step (7-2): the receiver then uses the private key component q_1 to compute:
Figure BDA0001267184690000081
step (7-3): the receiver uses Pollard's lambda algorithm to compute the discrete logarithm of
Figure BDA0001267184690000082
to the base
Figure BDA0001267184690000083
and so obtains the plaintext message m_1 m_2.
More specifically, in the attribute-based BGN-type ciphertext decryption outsourcing scheme of the present invention, the parameter generation algorithm used for the random selections uses a pseudorandom number generator to randomly select two large 512-bit primes q_1, q_2; G and G_1 are both groups of order n = q_1 q_2, and e: G × G → G_1 is a bilinear map.
The following is a description of the mathematical theory applied by the present invention:
A bilinear map, also called a bilinear pairing, is a function mapping elements of a group G into a group G_T. Its meaning is as follows:
let G, G_T be two multiplicative cyclic groups of order p and g a generator of G; then the bilinear map e: G × G → G_T satisfies the following properties:
(1) Bilinearity: for any u, k ∈ G and a, b ∈ Z_p, e(u^a, k^b) = e(u, k)^{ab}.
(2) Non-degeneracy: there exist u, k ∈ G such that e(u, k) ≠ 1.
(3) Computability: there is an efficient algorithm that computes e(u, k) for any u, k ∈ G.
Here Z_p is the integers modulo p.
the "access structure" described in the present invention has the following meaning:
suppose { P1,P2,…,PnIs a secret shared set of participants, defining P-2 { P ═ P1,P2,…,PnIs the access structure { P }1,P2,…,PnA non-empty subset of i.e.
Figure BDA0001267184690000084
The monotonicity of the access structure is defined as follows if A ∈ and
Figure BDA0001267184690000085
b ∈. at the same time, the subset is referred to as an authorized subset, and the subset for which the shared secret cannot be reconstructed is an unauthorized subset.
The "LSSS (Linear Secret Sharing Scheme) access structure" in the invention has the following meaning:
a linear secret sharing scheme (LSSS) Π defined on the set of secret-sharing participants P means:
(1) the shares of all participants form a vector over Z_p;
(2) there is an l × n matrix M, the share-generating matrix of Π; the i-th row of M corresponds to the party ρ(i), where i = 1, 2, …, l and ρ is a mapping function from {1, 2, …, l} to P;
Figure BDA0001267184690000091
where s is the shared secret; then M·v is the vector of l shares of s obtained with Π, and (M·v)_i belongs to the party ρ(i).
Linear reconstruction: suppose Π is an LSSS for the access structure; let S be an authorized set, and define I = {i : ρ(i) ∈ S} and
Figure BDA0001267184690000092
then there must exist a set of constants {w_i ∈ Z_p}_{i∈I} such that Σ_{i∈I} w_i M_i = (1, 0, …, 0), and hence Σ_{i∈I} w_i M_i · v = s; for an unauthorized set, however, no such {w_i ∈ Z_p}_{i∈I} exists.
The invention has the following beneficial effects:
1. In the decryption outsourcing scheme, the ciphertext generated when the information is encrypted consists of three parts, one of which is embedded in a BGN type ciphertext; the server can perform multiple addition homomorphic operations and one multiplication homomorphic operation on that part of the ciphertext, and the result is the same as performing the same operation directly on the plaintext and then encrypting the result. After the homomorphic operation on the ciphertext, data security is therefore greatly improved without increasing the difficulty of the user's decryption process.
2. Homomorphic computation can perform operations such as retrieval and comparison on encrypted data and obtain correct results without decrypting the data at any point in the process, i.e. the server can process the data without reading the user's sensitive data.
3. The decryption outsourcing scheme of the invention uses bilinear mapping and the domestic SM3 hash function, and reduces the security of the scheme to the subgroup decision assumption, so that CPA security is achieved.
4. For access control of the cloud computation result, an attribute-based encryption method is added to realize attribute-based fine-grained access control over the right to decrypt the result of the homomorphic operation. The access rule is specified by the user and the access rights can be changed at any time: the share-generating matrix is bound together with the message to generate the ciphertext, so the identity feature set associated with the share-generating matrix can be changed at any time, while the user's private key is related only to the identity feature set.
5. In terms of efficiency, in a mobile cloud storage environment the user embeds the attribute control into the BGN ciphertext after hashing and uploads it to the cloud storage; partial decryption of the ciphertext is outsourced to the cloud through the ciphertext conversion step, which guarantees the security of the data in the cloud, borrows the strong computing capability of the outsourced decryption agent without revealing plaintext data, speeds up decryption, reduces the receiver's storage and decryption overhead, and improves the decryption efficiency of the system.
The present invention will be described in further detail with reference to the accompanying drawings and examples.
Drawings
Fig. 1 is a schematic flow chart of the attribute-based BGN type ciphertext decryption outsourcing scheme of the present invention.
Detailed Description
To further explain the technical means and effects of the present invention adopted to achieve the intended purpose, the following detailed description of the embodiments and structural features of the present invention is provided with reference to the accompanying drawings and examples.
Example 1: BGN type ciphertext decryption outsourcing scheme based on attributes
The attribute-based BGN type ciphertext decryption outsourcing scheme shown in fig. 1 specifically includes the following steps:
step (1): setting system parameters, generating an encryption key, a master key MSK and a public key PK, wherein the specific process of the step (1) is as follows:
step (1-1): set the system parameters; input the security parameter λ and the attribute space U, where U = {0,1}*. The value of the input security parameter λ is relatively large; in this embodiment λ is 1024 bits, which is enough to guarantee the security of the scheme.
step (1-2): run the algorithm ξ(λ) to obtain the tuple (q_1, q_2, G, G_1, e) and the bilinear map e: G × G → G_1, where q_1, q_2 are primes and G, G_1 are both groups of order n = q_1 q_2; ξ(λ) is a published parameter generation algorithm, q_1, q_2 are large primes, and in this example q_1, q_2 are chosen as primes of 512 bits.
step (1-3): randomly select generators k, u in the group G and let
Figure BDA0001267184690000101
then h is a generator of the subgroup of order q_1 of G; randomly select prime-order groups G' and G'_T of order p, let g be a generator of G', and obtain the bilinear map e': G' × G' → G'_T.
step (1-4): randomly select a hash function F mapping {0,1}* to G' and a hash function H mapping G'_T to {0,1}*, and randomly choose coefficients α, a ∈ Z_p, i.e. α and a are both chosen at random in Z_p, the integers modulo p. The master key of the algorithm is MSK = (g^α, PK);
the public key is PK = (n, g, k, h, e, e'(g, g)^α, g^a, F, H, G, G_1).
The hash functions F and H used in step (1) are the public domestic SM3 hash algorithm.
Step (2): the sender selects an access structure, encrypts the message and generates a ciphertext CT, and the specific process of the step (2) is as follows:
step (2-1): the sender selects an LSSS access structure (M, ρ), where M is an l × n matrix associated with the attributes and ρ is the function that associates each row M_i of M with an attribute, i.e. a mapping that assigns each row of the matrix M to an element of the access structure, i = 1, 2, …, l.
step (2-2): randomly select n elements (s, y_2, …, y_n) ∈ Z_p and form the vector v = (s, y_2, …, y_n), where s is the secret-sharing parameter; compute λ_i = M_i · v, where M_i is the vector formed by the i-th row of M; then randomly select l + 1 elements (R, r_1, …, r_l) ∈ Z_p, i.e. choose R, r_1, …, r_l at random in the integers modulo p, and output the ciphertext CT, which consists of the following three parts:
Figure BDA0001267184690000111
Step (3): the receiver inputs the master key MSK and the attribute set $S$, selects random parameters and outputs the transformation key TK and the private key SK. The specific process of step (3) is as follows:
Step (3-1): the receiver inputs the master key MSK and the attribute set $S$, randomly selects $t' \in Z_p$ and outputs:
$SK' = (PK,\ K' = g^\alpha g^{a t'},\ L' = g^{t'},\ \{K'_x = F(x)^{t'}\}_{x \in S})$.
Step (3-2): randomly select $z \in Z_p$ and let $t = t'/z$, obtaining the receiver's private key SK and transformation key TK:
[formula for TK given as an image in the original]
$SK = (q_1, z)$.
Step (4): the sender sends the ciphertext data CT to the cloud over the public channel.
After the cloud receives the ciphertext data CT from the sender, it may carry out homomorphic computation on the ciphertext; this computation comprises at least one additive homomorphic operation and at most one multiplicative homomorphic operation. The ciphertext CT encrypted under the scheme of this embodiment and received by the cloud consists of three parts; the first part $c$ is embedded in BGN form, which allows the server to perform several additive homomorphic operations and one multiplicative homomorphic operation on that part of the ciphertext.
Step (5): the receiver sends TK to the cloud.
Step (6): the cloud transforms the ciphertext CT with the transformation key TK to obtain a partial ciphertext CT' and sends CT' to the receiver. The specific process of step (6) is as follows:
Step (6-1): the cloud transforms the ciphertext CT with the transformation key TK sent by the receiver; if the receiver's attribute set $S$ does not satisfy the access structure $(M, \rho)$, the cloud outputs $\bot$ and the procedure stops;
if the receiver's attribute set $S$ satisfies the access structure $(M, \rho)$, define
[formula given as an image in the original]
and $I = \{i : \rho(i) \in S\}$, i.e. the set of row indices $i$ of $M$ whose attributes $\rho(i)$ lie in $S$ under the mapping $\rho(\cdot)$. Then there exists a set of constants $\{\omega_i \in Z_p\}_{i \in I}$ such that $\sum_{i \in I} \omega_i M_i = (1, 0, \ldots, 0)$ for every valid sharing $\{\lambda_i\}$ of the secret $s$, so computing $\sum_{i \in I} \omega_i \lambda_i = s$ recovers the secret-sharing parameter $s$; the transformation algorithm is then run to obtain the partial ciphertext CT'.
The transformation algorithm is computed as follows:
[formula given as an image in the original]
Step (6-2): the cloud returns the partial ciphertext $CT' = (c, Q)$ to the receiver.
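The attribute check and secret reconstruction of step (6-1), as an added example that is not part of the patent: the LSSS matrix $M$ for the policy (A AND B) OR C, the row labels $\rho$, the prime $P = 2^{31}-1$ and the function names are constructed here for illustration, and the cloud's $\bot$ output is represented by `None`.

```python
import random

P = 2**31 - 1  # a small prime standing in for the scheme's Z_p (constructed for the demo)

# Access matrix M with row labels rho(i), realising the policy (A AND B) OR C:
# rows A and B sum to (1,0), row C alone is (1,0), but A or B alone cannot reach (1,0).
M = [[1, 1], [0, -1], [1, 0]]
RHO = ["A", "B", "C"]
TARGET = [1] + [0] * (len(M[0]) - 1)  # the vector (1, 0, ..., 0) from step (6-1)


def share(secret, seed=7):
    """Step (2-2): v = (s, y2, ..., yn) with random y's; shares lambda_i = M_i . v mod p."""
    rng = random.Random(seed)
    v = [secret] + [rng.randrange(P) for _ in range(len(M[0]) - 1)]
    return [sum(a * b for a, b in zip(row, v)) % P for row in M]


def solve_mod_p(A, b):
    """Gaussian elimination over Z_P: return some x with A x = b, or None if no solution exists."""
    rows, cols = len(A), len(A[0])
    aug = [[x % P for x in A[i]] + [b[i] % P] for i in range(rows)]
    pivots, r = [], 0
    for c in range(cols):
        piv = next((i for i in range(r, rows) if aug[i][c]), None)
        if piv is None:
            continue  # free column; its variable is set to 0 below
        aug[r], aug[piv] = aug[piv], aug[r]
        inv = pow(aug[r][c], -1, P)
        aug[r] = [x * inv % P for x in aug[r]]
        for i in range(rows):
            if i != r and aug[i][c]:
                f = aug[i][c]
                aug[i] = [(x - f * y) % P for x, y in zip(aug[i], aug[r])]
        pivots.append(c)
        r += 1
    if any(aug[i][cols] for i in range(r, rows)):
        return None  # a row reads 0 = nonzero: the system is inconsistent
    x = [0] * cols
    for i, c in enumerate(pivots):
        x[c] = aug[i][cols]
    return x


def reconstruction_coefficients(S):
    """Constants {omega_i} with sum_i omega_i * M_i = (1,0,...,0) over I = {i : rho(i) in S},
    or None when S does not satisfy (M, rho)."""
    I = [i for i, attr in enumerate(RHO) if attr in S]
    if not I:
        return None
    # Unknowns are omega_i for i in I; one equation per column of M: M_I^T omega = e_1.
    A = [[M[i][c] for i in I] for c in range(len(M[0]))]
    omega = solve_mod_p(A, TARGET)
    return None if omega is None else dict(zip(I, omega))


def recover_secret(shares, S):
    """The cloud's check in step (6-1): None (the scheme's bottom symbol) unless S satisfies
    the policy, otherwise s = sum_i omega_i * lambda_i mod p."""
    omega = reconstruction_coefficients(S)
    if omega is None:
        return None
    return sum(w * shares[i] for i, w in omega.items()) % P


if __name__ == "__main__":
    s = 123456789  # constructed secret-sharing parameter s
    shares = share(s)
    for S in ({"A", "B"}, {"C"}, {"A"}, {"B"}, set()):
        print(sorted(S), "->", recover_secret(shares, S))
```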
Step (7): the receiver decrypts the partial ciphertext CT' with the private key SK to obtain the message. The specific process of step (7) is as follows:
Step (7-1): the receiver inputs the private key $SK = (q_1, z)$ and the partial ciphertext CT', and uses $(z, Q)$ to perform an exponentiation, computing $e'(g, g)^{\ldots} = Q^z$.
Step (7-2): the receiver then uses the partial private key $q_1$ to compute:
[formula given as an image in the original]
Step (7-3): the receiver runs Pollard's lambda algorithm to compute the discrete logarithm to the base
[formula given as an image in the original]
of
[formula given as an image in the original]
which yields the plaintext message $m$.
In the ciphertext decryption outsourcing scheme of this embodiment the party executing step (3) is the receiver, unlike steps (2) and (4), so the position of step (3) may change: step (3) need not lie between steps (2) and (4), as long as it comes after step (1) and before step (5). The parameter generation algorithm referred to by the random selection in the scheme of the invention specifically uses a pseudo-random generator to select two large primes $q_1, q_2$ of 512 bits; $G$ and $G_1$ are both groups of order $n = q_1 q_2$ and $e: G \times G \to G_1$ is a bilinear map. The pseudo-random number generator is not further specified: any generator that achieves random selection may be used without affecting the security of the scheme.
Example 2: BGN type ciphertext decryption outsourcing scheme based on attributes
The specific scheme is as follows:
step (1): setting system parameters, generating an encryption key, a master key MSK and a public key PK, wherein the specific process of the step (1) is as follows:
step (1-1): setting system parameters, inputting safety parameters lambda and attribute space U, wherein U is {0,1}*(ii) a The value of the input security parameter λ is relatively large, and in this embodiment, the value of λ is 1024 bits, which is enough to ensure the security of the scheme.
Step (1-2): run the algorithm $\xi(\lambda)$ to obtain a tuple $(q_1, q_2, G, G_1, e)$ and a bilinear map $e: G \times G \to G_1$, where $q_1, q_2$ are primes and $G$, $G_1$ are both groups of order $n = q_1 q_2$. $\xi(\lambda)$ is a published parameter generation algorithm and $q_1, q_2$ are large primes; in this example $q_1, q_2$ are chosen as 512-bit primes.
Step (1-3): randomly select generators $k, u$ in the group $G$ and set
[formula given as an image in the original]
so that $h$ is a generator of the subgroup of $G$ of order $q_1$; randomly select prime-order groups $G'$ and $G'_T$ of order $p$, let $g$ be a generator of $G'$, and obtain a bilinear map $e': G' \times G' \to G'_T$.
Step (1-4): randomly select a hash function $F$ mapping $\{0,1\}^*$ to $G'$ and a hash function $H$ mapping $G'_T$ to $\{0,1\}$, and randomly choose coefficients $\alpha, a \in Z_p$, i.e. both $\alpha$ and $a$ are chosen at random in $Z_p$, the integers modulo $p$. The master key of the algorithm is then $MSK = (g^\alpha, PK)$;
the output public key is $PK = (n, g, k, h, e, e'(g, g)^\alpha, g^a, F, H, G, G_1)$.
The hash functions $F$ and $H$ used in step (1) are the publicly specified Chinese national-standard hash algorithm SM3.
Step (2): the sender selects an access structure, encrypts the message and generates a ciphertext CT. The specific process of step (2) is as follows:
Step (2-1): the sender selects an LSSS access structure $(M, \rho)$, where $M$ is an $l \times n$ matrix associated with the attributes and $\rho$ is the function associated with the rows $M_i$ of $M$, i.e. a mapping that assigns each row of $M$ to an element of the access structure, $i = 1, 2, \ldots, l$.
Step (2-2): randomly select $n$ elements $(s, y_2, \ldots, y_n) \in Z_p$ forming the vector $v = (s, y_2, \ldots, y_n)$, where $s$ is the secret-sharing parameter, and compute $\lambda_i = M_i \cdot v$, where $M_i$ is the vector formed by the $i$-th row of $M$; then randomly select $l + 1$ elements $(R, r_1, \ldots, r_l) \in Z_p$, i.e. $R, r_1, \ldots, r_l$ chosen at random in the integers modulo $p$, and output a ciphertext CT consisting of the following three parts:
[formula given as an image in the original]
Step (3): the receiver inputs the master key MSK and the attribute set $S$, selects random parameters and outputs the transformation key TK and the private key SK. The specific process of step (3) is as follows:
Step (3-1): the receiver inputs the master key MSK and the attribute set $S$, randomly selects $t' \in Z_p$ and outputs:
$SK' = (PK,\ K' = g^\alpha g^{a t'},\ L' = g^{t'},\ \{K'_x = F(x)^{t'}\}_{x \in S})$.
Step (3-2): randomly select $z \in Z_p$ and let $t = t'/z$, obtaining the receiver's private key SK and transformation key TK:
[formula for TK given as an image in the original]
$SK = (q_1, z)$.
Step (4): the sender sends the ciphertext data CT to the cloud over the public channel.
After the cloud receives the ciphertext data CT from the sender, it may carry out homomorphic computation on the ciphertext: at least one additive homomorphic operation and at most one multiplicative homomorphic operation. In this embodiment one additive homomorphic operation is performed:
the ciphertext data received by the cloud comprises $c_1$ and $c_2$:
[formula given as an image in the original]
and
[formula given as an image in the original]
Compute
[formula given as an image in the original]
The ciphertext after the additive homomorphic computation is:
[formula given as an image in the original]
$C = g^s$
[formula given as an image in the original]
Because $c' \in G$ for the ciphertext obtained through the additive homomorphism, the cloud can perform additive homomorphic operations any number of times after receiving the ciphertext CT.
Step (5): the receiver sends TK to the cloud.
Step (6): the cloud transforms the ciphertext resulting from the homomorphic operation with the transformation key TK to obtain a partial ciphertext CT' and sends CT' to the receiver. The specific process of step (6) is as follows:
Step (6-1): the cloud transforms the ciphertext CT with the transformation key TK sent by the receiver; if the receiver's attribute set $S$ does not satisfy the access structure $(M, \rho)$, the cloud outputs $\bot$ and the procedure stops;
if the receiver's attribute set $S$ satisfies the access structure $(M, \rho)$, define
[formula given as an image in the original]
and $I = \{i : \rho(i) \in S\}$. Then there exists a set of constants $\{\omega_i \in Z_p\}_{i \in I}$ such that, for every valid sharing $\{\lambda_i\}$ of the secret $s$, computing $\sum_{i \in I} \omega_i \lambda_i = s$ recovers the secret-sharing parameter $s$; the transformation algorithm is then run to obtain the partial ciphertext CT'.
The transformation algorithm is computed as follows:
[formula given as an image in the original]
Step (6-2): the cloud returns the partial ciphertext $CT' = (c, Q)$ to the receiver.
Step (7): the receiver decrypts the partial ciphertext CT' with the private key SK to obtain the message. The specific process of step (7) is as follows:
Step (7-1): the receiver inputs the private key $SK = (q_1, z)$ and the partial ciphertext CT', and uses $(z, Q)$ to perform an exponentiation, computing $e'(g, g)^{\ldots} = Q^z$; having obtained $e'(g, g)^{\ldots}$, the receiver obtains the value of $H(e'(g, g)^{\ldots})$.
Step (7-2): the receiver then uses the partial private key $q_1$ to compute:
[formula given as an image in the original]
Step (7-3): the receiver runs Pollard's lambda algorithm to compute the discrete logarithm to the base
[formula given as an image in the original]
of
[formula given as an image in the original]
which yields the plaintext message $m_1 + m_2$.
The ciphertext CT received by the cloud, encrypted under the scheme of this embodiment, consists of three parts; the first part $c$ is embedded in the BGN-type ciphertext, which allows the server to perform several additive homomorphic operations on that part of the ciphertext, and the result is the same as that obtained by performing the same operation directly on the plaintexts and then encrypting the result. Thus, after homomorphic operation on the ciphertext, data security is greatly improved without making the user's decryption any harder. Because $c' \in G$ for the ciphertext obtained through the additive homomorphism, the cloud can perform additive homomorphic operations any number of times after receiving the ciphertext CT.
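The BGN part of the ciphertext, the cloud's additive homomorphism of this embodiment, and the receiver's recovery of the sum in steps (7-2) and (7-3), as an added example that is not code from the patent. It instantiates $G$ as the order-$n$ subgroup of $Z_p^*$ with toy 28-bit primes $q_1, q_2$, so there is no pairing (and hence no multiplicative homomorphism) and the attribute-bound hash factor from the transformation step is left out; the function names, the fixed seed and the $2^{20}$ message bound are assumptions of this example.

```python
import math
import random
from collections import namedtuple

rng = random.Random(20170411)  # fixed seed so a re-run reproduces the same parameters
PublicKey = namedtuple("PublicKey", "n p k h")  # n=q1*q2; G = order-n subgroup of Z_p^*; k generates G; h = u^q2

def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test; adequate for the toy parameter sizes used here."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def setup(bits=28):
    """Steps (1-2)/(1-3) in miniature; returns (PK, q1), q1 being the receiver's partial key."""
    q1, q2 = random_prime(bits), random_prime(bits)
    while q2 == q1:
        q2 = random_prime(bits)
    n, t = q1 * q2, 2
    while not is_probable_prime(t * n + 1):  # p = t*n + 1 gives Z_p^* a subgroup of order n
        t += 2
    p = t * n + 1
    while True:  # x^t has order dividing n; keep it only if the order is exactly n
        k = pow(rng.randrange(2, p - 1), t, p)
        if pow(k, q1, p) != 1 and pow(k, q2, p) != 1:
            break
    h = 1
    while h == 1:  # h = u^q2 for random u in G, so h generates the order-q1 subgroup
        h = pow(pow(rng.randrange(2, p - 1), t, p), q2, p)
    return PublicKey(n, p, k, h), q1

def encrypt(pk, m):
    """BGN part of the ciphertext: c = k^m * h^r with r random in Z_n."""
    r = rng.randrange(1, pk.n)
    return pow(pk.k, m, pk.p) * pow(pk.h, r, pk.p) % pk.p

def add_ciphertexts(pk, c1, c2):
    """Additive homomorphism: c1*c2 = k^(m1+m2) * h^(r1+r2), still an element of G."""
    return c1 * c2 % pk.p

def pollard_lambda(base, target, p, bound, order):
    """Solve base^x = target (mod p) for x in [0, bound] with Pollard's kangaroo method.
    The tame kangaroo walks upward from `bound` leaving a trail; the wild one starts at
    `target` (exponent x unknown) and follows the same deterministic jump rule, so when it
    lands on the trail the two exponents differ by exactly x. Returns None on failure."""
    mean = max(1, math.isqrt(bound) // 2)  # aim for a mean jump of about sqrt(bound)/2
    J = 1
    while ((1 << (J + 1)) - 1) // (J + 1) <= mean:
        J += 1
    jumps = [(1 << j, pow(base, 1 << j, p)) for j in range(J)]  # (distance, base^distance)
    trail, x_t, y_t = {}, bound, pow(base, bound, p)
    for _ in range(8 * (math.isqrt(bound) + 1)):
        trail[y_t] = x_t
        d, g_d = jumps[y_t % J]
        x_t, y_t = x_t + d, y_t * g_d % p
    trail[y_t] = x_t
    x_w, y_w = 0, target
    while x_w <= x_t:
        if y_w in trail:
            return (trail[y_w] - x_w) % order
        d, g_d = jumps[y_w % J]
        x_w, y_w = x_w + d, y_w * g_d % p
    return None  # the wild kangaroo ran past the end of the trail without colliding

def decrypt(pk, q1, c, bound):
    """Steps (7-2)/(7-3): c^q1 kills the h^r blinding, leaving (k^q1)^m; then solve the small DL."""
    base, target = pow(pk.k, q1, pk.p), pow(c, q1, pk.p)
    return pollard_lambda(base, target, pk.p, bound, pk.n // q1)  # k^q1 has order q2 = n/q1

if __name__ == "__main__":
    pk, q1 = setup()
    m1, m2 = 123456, 654321  # constructed sample messages; their sum stays below the 2^20 bound
    c_sum = add_ciphertexts(pk, encrypt(pk, m1), encrypt(pk, m2))
    print("cloud-side c1*c2 decrypts to", decrypt(pk, q1, c_sum, 1 << 20), "expected", m1 + m2)
```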
In the ciphertext decryption outsourcing scheme of this embodiment the party executing step (3) is the receiver, unlike steps (2) and (4), so the position of step (3) may change: step (3) need not lie between steps (2) and (4), as long as it comes after step (1) and before step (5).
The parameter generation algorithm referred to by the random selection in the scheme of the invention specifically uses a pseudo-random generator to select two large primes $q_1, q_2$ of 512 bits; $G$ and $G_1$ are both groups of order $n = q_1 q_2$ and $e: G \times G \to G_1$ is a bilinear map. The pseudo-random number generator is not further specified: any generator that achieves random selection may be used without affecting the security of the scheme.
Example 3: BGN type ciphertext decryption outsourcing scheme based on attributes
The specific scheme is as follows:
step (1): setting system parameters, generating an encryption key, a master key MSK and a public key PK, wherein the specific process of the step (1) is as follows:
step (1-1): setting system parameters, inputting safety parameters lambda and attribute space U, wherein U is {0,1}*(ii) a The value of the input security parameter λ is relatively large, and in this embodiment, the value of λ is 1024 bits, which is enough to ensure the security of the scheme.
Step (1-2): run the algorithm $\xi(\lambda)$ to obtain a tuple $(q_1, q_2, G, G_1, e)$ and a bilinear map $e: G \times G \to G_1$, where $q_1, q_2$ are primes and $G$, $G_1$ are both groups of order $n = q_1 q_2$. $\xi(\lambda)$ is a published parameter generation algorithm and $q_1, q_2$ are large primes; in this example $q_1, q_2$ are chosen as 512-bit primes.
Step (1-3): randomly select generators $k, u$ in the group $G$ and set
[formula given as an image in the original]
so that $h$ is a generator of the subgroup of $G$ of order $q_1$; randomly select prime-order groups $G'$ and $G'_T$ of order $p$, let $g$ be a generator of $G'$, and obtain a bilinear map $e': G' \times G' \to G'_T$.
Step (1-4): randomly select a hash function $F$ mapping $\{0,1\}^*$ to $G'$ and a hash function $H$ mapping $G'_T$ to $\{0,1\}$, and randomly choose coefficients $\alpha, a \in Z_p$, i.e. both $\alpha$ and $a$ are chosen at random in $Z_p$, the integers modulo $p$. The master key of the algorithm is then $MSK = (g^\alpha, PK)$;
the output public key is $PK = (n, g, k, h, e, e'(g, g)^\alpha, g^a, F, H, G, G_1)$.
The hash functions $F$ and $H$ used in step (1) are the publicly specified Chinese national-standard hash algorithm SM3.
Step (2): the sender selects an access structure, encrypts the message and generates a ciphertext CT. The specific process of step (2) is as follows:
Step (2-1): the sender selects an LSSS access structure $(M, \rho)$, where $M$ is an $l \times n$ matrix associated with the attributes and $\rho$ is the function associated with the rows $M_i$ of $M$, i.e. a mapping that assigns each row of $M$ to an element of the access structure, $i = 1, 2, \ldots, l$.
Step (2-2): randomly select $n$ elements $(s, y_2, \ldots, y_n) \in Z_p$ forming the vector $v = (s, y_2, \ldots, y_n)$, where $s$ is the secret-sharing parameter, and compute $\lambda_i = M_i \cdot v$, where $M_i$ is the vector formed by the $i$-th row of $M$; then randomly select $l + 1$ elements $(R, r_1, \ldots, r_l) \in Z_p$, i.e. $R, r_1, \ldots, r_l$ chosen at random in the integers modulo $p$, and output a ciphertext CT consisting of the following three parts:
[formula given as an image in the original]
Step (3): the receiver inputs the master key MSK and the attribute set $S$, selects random parameters and outputs the transformation key TK and the private key SK. The specific process of step (3) is as follows:
Step (3-1): the receiver inputs the master key MSK and the attribute set $S$, randomly selects $t' \in Z_p$ and outputs:
$SK' = (PK,\ K' = g^\alpha g^{a t'},\ L' = g^{t'},\ \{K'_x = F(x)^{t'}\}_{x \in S})$.
Step (3-2): randomly select $z \in Z_p$ and let $t = t'/z$, obtaining the receiver's private key SK and transformation key TK:
[formula for TK given as an image in the original]
$SK = (q_1, z)$.
Step (4): the sender sends the ciphertext data CT to the cloud over the public channel.
After the cloud receives the ciphertext data CT from the sender, it may carry out homomorphic computation on the ciphertext: at least one additive homomorphic operation and at most one multiplicative homomorphic operation. In this embodiment one multiplicative homomorphic operation is performed:
let $k_1 = e(k, k)$ and $h_1 = e(k, h)$; then $k_1$ has order $n$ and $h_1$ has order $q_1$, and there must exist $\beta \in Z$ such that
[formula given as an image in the original]
where $Z$ is a finite integer domain; compute
[formula given as an image in the original]
The ciphertext after one multiplicative homomorphic computation is:
[formula given as an image in the original]
$C = g^s$
[formula given as an image in the original]
Because $c' \in G_1$ for the ciphertext obtained through the multiplicative homomorphism, and no efficient algorithm is known that realises a bilinear map $G_1 \times G_1 \to G$, this scheme can perform the multiplication only once.
Step (5): the receiver sends TK to the cloud.
Step (6): the cloud transforms the ciphertext with the transformation key TK to obtain a partial ciphertext CT' and sends CT' to the receiver. The specific process of step (6) is as follows:
Step (6-1): the cloud transforms the ciphertext CT with the transformation key TK sent by the receiver; if the receiver's attribute set $S$ does not satisfy the access structure $(M, \rho)$, the cloud outputs $\bot$ and the procedure stops;
if the receiver's attribute set $S$ satisfies the access structure $(M, \rho)$, define
[formula given as an image in the original]
and $I = \{i : \rho(i) \in S\}$. Then there exists a set of constants $\{\omega_i \in Z_p\}_{i \in I}$ such that, for every valid sharing $\{\lambda_i\}$ of the secret $s$, computing $\sum_{i \in I} \omega_i \lambda_i = s$ recovers the secret-sharing parameter $s$; the transformation algorithm is then run to obtain the partial ciphertext CT'.
The transformation algorithm is computed as follows:
[formula given as an image in the original]
Step (6-2): the cloud returns the partial ciphertext $CT' = (c, Q)$ to the receiver.
Step (7): the receiver decrypts the partial ciphertext CT' with the private key SK to obtain the message. The specific process of step (7) is as follows:
Step (7-1): the receiver inputs the private key $SK = (q_1, z)$ and the partial ciphertext CT', and uses $(z, Q)$ to perform an exponentiation, computing $e'(g, g)^{\ldots} = Q^z$; having obtained $e'(g, g)^{\ldots}$, the receiver obtains the value of $H(e'(g, g)^{\ldots})^2$.
Step (7-2): the receiver then uses the partial private key $q_1$ to compute:
[formula given as an image in the original]
Step (7-3): the receiver runs Pollard's lambda algorithm to compute the discrete logarithm to the base
[formula given as an image in the original]
of
[formula given as an image in the original]
which yields the plaintext message $m_1 m_2$.
According to embodiment 3, the ciphertext CT received by the cloud, encrypted under the scheme of this embodiment, consists of three parts; the first part $c$ is embedded in the BGN-type ciphertext, which allows the server to perform one multiplicative homomorphic operation on that part of the ciphertext, and the result is the same as that obtained by performing the same operation directly on the plaintexts and then encrypting the result. Thus, after homomorphic operation on the ciphertext, data security is greatly improved without making the user's decryption any harder.
In a mobile cloud storage environment, the user embeds attribute control, after hash processing, into the BGN ciphertext, uploads it to cloud storage, and outsources part of the ciphertext decryption to the cloud through a ciphertext transformation step. This ensures the security of the data at the cloud and, without revealing plaintext data, exploits the strong computing power of the outsourced decryption agent to speed up decryption, reduce the receiver's storage and decryption overhead, and improve the decryption efficiency of the system.
Example 4: security of the BGN-type ciphertext decryption outsourcing scheme of the invention
The security of the scheme of the invention rests on the assumption that an adversary algorithm A cannot solve the subgroup decision problem. Suppose an algorithm B breaks the semantic security of the scheme with some advantage; then there must exist an adversary algorithm A that solves the subgroup decision problem with the same advantage. The detailed proof proceeds as follows:
(1) The adversary algorithm A randomly selects $g \in G$ and sends the public key $(n, G, G_1, e, g, x)$ to algorithm B.
(2) Algorithm B randomly selects two plaintext messages $m_0, m_1$ and sends them to the adversary A, which returns a random challenge ciphertext
[formula given as an image in the original]
where
[formula given as an image in the original]
(3) Algorithm B outputs a guess $b'$ for $b$; A outputs "1" if $b = b'$ and "0" otherwise.
If the element $x$ is uniformly distributed in the group $G$, then the challenge ciphertext $c$ is also uniformly distributed in $G$ regardless of the choice of $b$, i.e. $\Pr[b = b'] = 1/2$; if $x$ lies in the subgroup of $G$ of order $q_1$, then by assumption $\Pr[b = b']$ exceeds $1/2$ by a non-negligible margin, so $\mathrm{SD\text{-}Adv}_A(\tau)$ is non-negligible, meaning that the adversary A's advantage in solving the subgroup decision problem is not negligible, which contradicts the hardness assumption.
Therefore the scheme achieves CPA security under the assumption that the subgroup decision problem is hard. Note also that leakage of the decryptor's attributes does not compromise the security of the ciphertext: if the attacker does not obtain the partial key $q_1$, then even knowing the attributes and the random parameter $z$, i.e. even if he can compute $e'(g, g)^{\ldots}$, he still lacks the partial key $q_1$ and therefore cannot compute
[formula given as an image in the original]
so the correct plaintext is not available to him. Conversely, even if the attacker obtains only the partial key $q_1$, his attributes do not satisfy the ciphertext access policy, so he cannot compute $e'(g, g)^{\ldots}$ and hence cannot decrypt to obtain the plaintext. In summary, only a legitimate decryptor whose attributes satisfy the ciphertext access policy can decrypt the ciphertext.
As described above, the decryption outsourcing scheme of the invention uses bilinear maps together with the Chinese national-standard hash algorithm SM3 and reduces the security of the scheme to the hardness of the subgroup decision problem, thereby achieving CPA security.
The foregoing is a more detailed description of the invention in connection with specific preferred embodiments and it is not intended that the invention be limited to these specific details. For those skilled in the art to which the invention pertains, several simple deductions or substitutions can be made without departing from the spirit of the invention, and all shall be considered as belonging to the protection scope of the invention.

Claims (2)

1. A BGN-type ciphertext decryption outsourcing scheme based on attributes, comprising the following steps:
Step (1): setting system parameters and generating an encryption key, a master key MSK and a public key PK;
Step (2): the sender selects an access structure, encrypts the message and outputs a ciphertext CT;
Step (3): the receiver inputs the master key MSK and an attribute set S, randomly selects parameters and outputs a transformation key TK and a private key SK;
Step (4): the sender sends the ciphertext data CT to the cloud over a public channel;
Step (5): the receiver sends TK to the cloud;
Step (6): the cloud transforms the ciphertext CT with the transformation key TK to obtain a partial ciphertext CT' and sends CT' to the receiver;
Step (7): the receiver decrypts the partial ciphertext CT' with the private key SK to obtain the message;
characterized in that a step of homomorphic computation by the cloud on the ciphertext is further included between step (4) and step (5);
Step (1) is specifically as follows:
Step (1-1): set the system parameters; input the security parameter $\lambda$ and the attribute space $U$, where $U = \{0,1\}^*$;
Step (1-2): run the algorithm $\xi(\lambda)$ to obtain a tuple $(q_1, q_2, G, G_1, e)$ and a bilinear map $e: G \times G \to G_1$, where $q_1, q_2$ are primes and $G$, $G_1$ are both groups of order $n = q_1 q_2$;
Step (1-3): randomly select generators $k, u$ in the group $G$ and set
[formula given as an image in the original]
so that $h$ is a generator of the subgroup of $G$ of order $q_1$; randomly select prime-order groups $G'$ and $G'_T$ of order $p$, let $g$ be a generator of $G'$, and obtain a bilinear map $e': G' \times G' \to G'_T$;
Step (1-4): randomly select a hash function $F$ mapping $\{0,1\}^*$ to $G'$ and a hash function $H$ mapping $G'_T$ to $\{0,1\}$, and randomly choose coefficients $\alpha, a \in Z_p$, i.e. both $\alpha$ and $a$ are chosen at random in $Z_p$, the integers modulo $p$; the master key of the algorithm is then $MSK = (g^\alpha, PK)$;
the public key is $PK = (n, g, k, h, e, e'(g, g)^\alpha, g^a, F, H, G, G_1)$;
Step (2) is specifically as follows:
Step (2-1): the sender selects an LSSS access structure $(M, \rho)$, where $M$ is an $l \times n$ matrix associated with the attributes and $\rho$ is the function associated with the rows $M_i$ of $M$, i.e. a mapping that assigns each row of $M$ to an element of the access structure, $i = 1, 2, \ldots, l$;
Step (2-2): randomly select $n$ elements $(s, y_2, \ldots, y_n) \in Z_p$ forming the vector $v = (s, y_2, \ldots, y_n)$, where $s$ is the secret-sharing parameter, and compute $\lambda_i = M_i \cdot v$, where $M_i$ is the vector formed by the $i$-th row of $M$; then randomly select $l + 1$ elements $(R, r_1, \ldots, r_l) \in Z_p$, i.e. $R, r_1, \ldots, r_l$ chosen at random in the integers modulo $p$, and output a ciphertext CT consisting of the following three parts:
[formula given as an image in the original]
$C' = g^s$,
[formula given as an image in the original]
the homomorphic computation step comprises at least one additive homomorphic operation and at most one multiplicative homomorphic operation;
Step (3) is specifically as follows:
Step (3-1): the receiver inputs the master key MSK and the attribute set $S$, randomly selects $t' \in Z_p$ and outputs
$SK' = (PK,\ K' = g^\alpha g^{a t'},\ L' = g^{t'},\ \{K'_x = F(x)^{t'}\}_{x \in S})$;
Step (3-2): randomly select $z \in Z_p$ and let $t = t'/z$, obtaining the receiver's private key SK and transformation key TK:
TK is:
[formula given as an image in the original]
SK is: $SK = (q_1, z)$;
In step (4), the cloud performs the homomorphic computation on the ciphertext in one of two modes:
Mode one: after the sender sends the ciphertext data CT to the cloud over the public channel, the cloud's homomorphic computation on the ciphertext is at least one additive homomorphic operation;
the ciphertext received by the cloud comprises $c_1$ and $c_2$:
[formula given as an image in the original]
and
[formula given as an image in the original]
compute
[formula given as an image in the original]
The ciphertext after the additive homomorphic computation is:
[formula given as an image in the original]
$C = g^s$
[formula given as an image in the original]
Mode two: after the sender sends the ciphertext data CT to the cloud over the public channel, the cloud's homomorphic computation on the ciphertext is one multiplicative homomorphic operation;
let $k_1 = e(k, k)$ and $h_1 = e(k, h)$; then $k_1$ has order $n$ and $h_1$ has order $q_1$, and there must exist $\beta \in Z$ such that
[formula given as an image in the original]
where $Z$ is a finite integer domain; compute
[formula given as an image in the original]
The ciphertext after one multiplicative homomorphic computation is:
[formula given as an image in the original]
$C = g^s$
[formula given as an image in the original]
Step (6) is as follows: the cloud transforms the ciphertext CT resulting from the homomorphic computation with the transformation key TK to obtain a partial ciphertext CT' and sends CT' to the receiver. The specific process of step (6) is as follows:
Step (6-1): the cloud transforms the ciphertext with the transformation key TK sent by the receiver; if the receiver's attribute set $S$ does not satisfy the access structure $(M, \rho)$, the cloud outputs $\bot$ and the procedure stops;
if the receiver's attribute set $S$ satisfies the access structure $(M, \rho)$, define
[formula given as an image in the original]
and $I = \{i : \rho(i) \in S\}$; then there exists a set of constants $\{w_i \in Z_p\}_{i \in I}$ such that, for all $\{\lambda_i\}$, computing $\sum_{i \in I} w_i \lambda_i = s$ recovers the secret-sharing parameter $s$; the transformation algorithm is then run to obtain the partial ciphertext;
the transformation algorithm is computed as follows:
[formula given as an image in the original]
Step (6-2): the cloud returns the partial ciphertext $CT' = (c, Q)$ to the receiver;
when the cloud's homomorphic computation on the ciphertext is mode one, the specific process of step (7) is as follows:
Step (7-1): the receiver inputs the private key $SK = (q_1, z)$ and the partial ciphertext CT', and uses $(z, Q)$ to perform an exponentiation, computing $e'(g, g)^{\ldots} = Q^z$, thereby obtaining $e'(g, g)^{\ldots}$ and the value of $H(e'(g, g)^{\ldots})$;
Step (7-2): the receiver then uses the partial private key $q_1$ to compute:
[formula given as an image in the original]
Step (7-3): the receiver runs Pollard's lambda algorithm to compute the discrete logarithm to the base
[formula given as an image in the original]
of
[formula given as an image in the original]
which yields the plaintext message $m_1 + m_2$;
when the cloud's homomorphic computation on the ciphertext is mode two, the specific process of step (7) is as follows:
Step (7-1): the receiver inputs the private key $SK = (q_1, z)$ and the partial ciphertext CT', and uses $(z, Q)$ to perform an exponentiation, computing $e'(g, g)^{\ldots} = Q^z$, thereby obtaining $e'(g, g)^{\ldots}$ and the value of $H(e'(g, g)^{\ldots})^2$;
Step (7-2): the receiver then uses the partial private key $q_1$ to compute:
[formula given as an image in the original]
Step (7-3): the receiver runs Pollard's lambda algorithm to compute the discrete logarithm to the base
[formula given as an image in the original]
of
[formula given as an image in the original]
which yields the plaintext message $m_1 m_2$.
2. The attribute-based BGN-type ciphertext decryption outsourcing scheme of claim 1, wherein the parameter generation algorithm for the random selection uses a pseudo-random number generator to randomly select two large primes $q_1, q_2$ of 512 bits, $G$ and $G_1$ are both groups of order $n = q_1 q_2$, and $e: G \times G \to G_1$ is a bilinear map.
CN201710233091.7A 2017-04-11 2017-04-11 BGN type ciphertext decryption outsourcing scheme based on attributes Active CN107154845B (en)

Publications (2)

Publication Number Publication Date
CN107154845A CN107154845A (en) 2017-09-12
CN107154845B true CN107154845B (en) 2020-08-11

Family

ID=59792652

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710233091.7A Active CN107154845B (en) 2017-04-11 2017-04-11 BGN type ciphertext decryption outsourcing scheme based on attributes

Country Status (1)

Country Link
CN (1) CN107154845B (en)

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108155994B (en) * 2017-12-22 2021-06-22 青岛大学 Secure outsourced computation method for RSA decryption
CN108537315A (en) * 2018-04-13 2018-09-14 中国人民武装警察部队工程大学 Secure QR code generation and authentication method
CN109214201B (en) * 2018-08-31 2024-03-19 平安科技(深圳)有限公司 Data sharing method, terminal device and computer-readable storage medium
CN109214160A (en) * 2018-09-14 2019-01-15 温州科技职业学院 Computer network authentication system and method, and computer program
CN110308691B (en) * 2019-07-26 2021-07-02 湘潭大学 Multidimensional data aggregation and access control method for the ubiquitous power Internet of Things
CN110891066B (en) * 2019-12-03 2022-03-01 重庆交通大学 Proxy anonymous communication method based on a homomorphic encryption scheme
CN110995430B (en) * 2019-12-24 2021-04-27 电子科技大学 Attribute-based encryption outsourced decryption method supporting invalid-ciphertext detection
CN112182600A (en) * 2020-09-18 2021-01-05 北京云钥网络科技有限公司 Data encryption method, data decryption method and electronic device
CN114499967B (en) * 2021-12-27 2024-03-08 天翼云科技有限公司 Data access control method, device and system, and computer-readable storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104156671A (en) * 2013-05-13 2014-11-19 清华大学 Privacy-preserving dot product computation method without a central party
CN104320393A (en) * 2014-10-24 2015-01-28 西安电子科技大学 Efficient attribute-based proxy re-encryption method with controllable re-encryption
CN105447361A (en) * 2014-08-27 2016-03-30 华为技术有限公司 Encryption and similarity measurement method, terminal and server
CN106534313A (en) * 2016-11-17 2017-03-22 浙江工商大学 Privacy-preserving frequency measurement method and system for cloud data publishing

Similar Documents

Publication Publication Date Title
CN107154845B (en) BGN type ciphertext decryption outsourcing scheme based on attributes
Jia et al. SDSM: a secure data service mechanism in mobile cloud computing
Lin et al. A collaborative key management protocol in ciphertext policy attribute-based encryption for cloud data sharing
CN107086911B (en) CCA-secure proxy re-encryption method with delegatable verification
CN109831297A (en) Multi-identity fully homomorphic encryption method supporting threshold decryption
CN110719295B (en) Identity-based proxy re-encryption method and device for food data security
CN110120873B (en) Frequent itemset mining method based on cloud-outsourced transaction data
CN111786786A (en) Proxy re-encryption method and system supporting equality test in a cloud computing environment
Nasiraee et al. Privacy-preserving distributed data access control for CloudIoT
CN116846556A (en) SM9-based conditional proxy re-encryption method, system and device for data
CN114697042A (en) Blockchain-based proxy re-encryption method for secure Internet of Things data sharing
Kumar et al. Privacy preserving data sharing in cloud using EAE technique
Qin et al. Strongly secure and cost-effective certificateless proxy re-encryption scheme for data sharing in cloud computing
CN115361109B (en) Homomorphic encryption method supporting bidirectional proxy re-encryption
Kumar et al. Hybridization of Cryptography for Security of Cloud Data
Backes et al. Fully secure inner-product proxy re-encryption with constant size ciphertext
CN114900283A (en) Deep learning user gradient aggregation method based on secure multi-party computation
Siva et al. Hybrid cryptography security in public cloud using TwoFish and ECC algorithm
Mishra et al. A certificateless authenticated key agreement protocol for digital rights management system
CN114070549A (en) Key generation method, device, equipment and storage medium
Acharya et al. Encryption and decryption of informative image by key image using modified Hill cipher technique based on non-invertible matrices
Kim et al. Certificateless Group to Many Broadcast Proxy Reencryptions for Data Sharing towards Multiple Parties in IoTs
Al-Attab et al. Hybrid data encryption technique for data security in cloud computing
Ding et al. Ciphertext retrieval via attribute-based FHE in cloud computing
CN116094845B (en) Conditional proxy re-encryption method and system with efficient revocation

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant