CN107528848A - A kind of sensitive data of cloud storage system shares safely and self-destruction method - Google Patents

Abstract

The invention discloses a kind of safe shared and self-destruction method of the sensitive data of cloud storage system, comprise the steps of：Step 1：Design cloud storage system shared and destruct system safely；Step 2：System initialization generates systematic parameter and master key；Step 3：Sensitive data file is encrypted with being set during authorizing；Step 4：Fine-granularity access control during mandate is set；Step 5：Data self-destruction after the sensitive data file of encryption expires during mandate.The present invention supports user to define authorization cycles, and in the cloud application scene of reality, each data item can be associated with one group of attribute, and each attribute is associated with the specification of time interval.The present invention can also provide fine-grained access control, if the moment is not in specified time interval, then ciphertext can not be decrypted, i.e. the ciphertext will be by self-destruction, and nobody it can be decrypted due to expiring for safe key, it is thus achieved that the secure data self-destruction with fine-granularity access control.

Description

A kind of sensitive data of cloud storage system shares safely and self-destruction method

Technical field

The present invention relates to field of data encryption, and in particular to a kind of shared and self-destruction safely of the sensitive data of cloud storage system Method.

Background technology

Cloud computing is considered as on-demand service technology, and it combines Services Oriented Achitecture (SOA) and virtualized new Technology.With general cloud computing technology and the fast development of service, user can utilize its in cloud storage service and circle of friends Other people shared datas, such as Dropbox, Google Drive and AliCloud.

However, the shared data in Cloud Server generally comprises sensitive information (such as personal information, the financial number of user According to health records etc.), and need to obtain good protection.Separated because the ownership of data manages with it, Cloud Server may The Data Migration of user is shared to other Cloud Server outsourcings or in cloud search system.Therefore, shared data in cloud is protected Privacy turn into a huge challenge, particularly across in cloud and big data environment.In order to tackle this challenge, it is necessary to set A comprehensive solution is counted, to support the user-defined mandate phase, and provides fine-grained access control during this period.Together When, shared data should voluntarily destroy after user-defined expiration time.

One of solution to the problems described above is to store data as public encryption form.The shortcomings that encryption data is user His/her encryption data can not be shared in fine granularity rank.When data owner wants to share his/her information, own Person must be exactly known him/her and want to share with whom.In numerous applications, data owner is desired based on the authority root of user According to security strategy and multiple users to share information.Encryption (ABE) based on attribute has the advantages of notable, because it is based on biography The public key encryption of system rather than one-to-one encryption, it is possible to achieve flexible one-to-many encryption.ABE schemes provide a kind of powerful Method realizes data safety and fine-grained access control.

In addition, in general, the owner has the right to specify some sensitive informations effective only within the limited period, or not It should issue before the specific time.Time controlled released encryption (TRE) provides a kind of interesting cryptographic services, wherein encryption key with Predefined release time is associated, and receiver can only construct corresponding decruption key in the time instance.In this base On plinth, Paterson and Quaglia propose temporal encryption (TSE) scheme, and it can specify suitable time interval, So that ciphertext is only capable of being decrypted in the interval (decryption time interval, DTI).It can be used in many applications, for example, interconnection Net program contest, electronic seal bid auction etc..Electronic seal bid auction is to establish commodity by internet in the bidding period Price keeps secret method of submitting a tender simultaneously.Should be in bidding period (specific time interval) that is, submitting a tender (ciphertext) Keep secret.

However, ABE is applied into shared data is introduced into Railway Project on time particular constraints and self-destruction, and incite somebody to action The problem of TSE is then introduced on fine-granularity access control applied to shared data.Thus traditional technological means can not be simultaneously Solve the problems, such as fine-granularity access control and support user to define authorization cycles.

Data sharing and self-destruction scheme, proposed first by Geambasu et al., be a promising method, design one Vanish systems, allow users to control the life cycle of sensitive data.Wang et al. improves Vanish systems, and proposes A kind of safe self-destruction scheme (SSDD) for electronic data.In SSDD schemes, data are encrypted to ciphertext, are then closed Join and extract so that its is imperfect to resist traditional cryptanalysis and brute force attack.Then, decruption key and the ciphertext of extraction All it is distributed in distributed hashtable (DHT) network, to be realized after the update cycle of DHT networks from destruction.However, Wolchok et al. has done substantial amounts of experiment, and confirms that Vanish systems are highly susceptible to Sybil attacks (Sybil attack) by making With Vuze DHT networks.Therefore the security of SSDD schemes is also suspicious.Boneh and Franklin utilizes DHT networks and base In identity encryption (IBE) and propose the safety based on IBE from destruction scheme (ISS).Sybil attacks just refer to a malice Equipment or node illicitly with multiple identity occur.

The content of the invention

It is an object of the invention to provide a kind of safe shared and self-destruction method of the sensitive data of cloud storage system, this method energy Enough support user-defined authorization cycles and fine-grained access control policy is provided during this period, also, user is from cloud storage The sensitive data file ciphertext that system is downloaded can safely self-destruction after being expired in the time that data owner specifies.

To reach above-mentioned purpose, shared and self-destruction side safely the invention provides a kind of sensitive data of cloud storage system Method, comprise the steps of：

Step 1：Design cloud storage system shared and destruct system safely；

The system includes：Data owner, it is the owner of sensitive data；Cloud storage system manager, it is responsible for cloud The safety of storage system sensitive data is shared；Cloud storage service device, it is used to deposit all sensitive datas of cloud storage system；Time Server, it is used for the usage time of sensitive data ciphertext and sets and verify, and, data consumer, it is to use cloud storage system The user for the sensitive data deposited in system；

Step 2：System initialization generates systematic parameter and master key；

Specially：Data owner selects security parameter k and global parameter u, and calls algorithm Setup (1^k, u) and generation system Unite parameter p and master key MSK；

Step 3：Sensitive data file is encrypted with being set during authorizing；

Specially：Data owner is initially selected for shared sensitive data M attribute set S_attAnd define and be used for S_attMandate during TS；Then, data owner calls algorithm Encr (M, p, S_att, TS) and so that sensitive data file M to be encrypted To its sensitive data ciphertext CT；Finally, sensitive data ciphertext CT is sent to cloud storage service device；

Step 4：Fine-granularity access control during mandate is set；

Specially：When data consumer accesses shared sensitive data M during mandate, i.e. access time T' ∈ TS and When the property set matching of user accesses tree γ, then cloud storage system manager runs algorithm KeyGen lifes (MSK, γ, T') into private Key SK simultaneously sends it to data consumer；Data consumer receives that will to obtain sensitive data from cloud storage service device after SK close Literary CT, and algorithm Decr (CT, SK) is called to decrypt CT to obtain shared sensitive data M；

Step 5：Data self-destruction after the sensitive data file of encryption expires during mandate；

After being expired during mandate, data consumer can not obtain real private key SK at cloud storage system manager, Sensitive data ciphertext CT is decrypted after can not thus being expired during mandate, so as to which shared sensitive data expires during mandate Self-destruction is realized afterwards.

The sensitive data of above-mentioned cloud storage system shares safely and self-destruction method, wherein, the algorithm Setup (1^k,u) Specific calculating process be：

Make the Bilinear Groups that G is Prime Orders P ', g is G maker, e：G × G → G ' is bilinear map；Selection one Security parameter k, and all global parameter u={ 1 ..., n } are defined, n is the integer more than 1；It is what time server provided to make T Maximum time in system, and Man Zu ∣ T ∣=n, wherein, n is the threshold value that time server sets the time；From Bilinear Groups member Plain set z_pA random number y is selected, and g is set₁=g^y；Random number g is selected from Bilinear Groups G₂,u′_1,1,...,u′_n,1, u′_1,2,...,u′_n,2,u₁,...,u_T∈G；

Common parameter is issued as:

Master key MSK is：

The sensitive data of above-mentioned cloud storage system shared and self-destruction method safely, wherein, the algorithm Encr (M, p, S_att, TS) specific calculating process be：

The S under attribute set_attUtilize each attribute i ∈ S_attSensitive data M, wherein i are constrained during being authorized, and are visited Ask the timeWherein,It is the upper-lower door limit value of time；Select random value s ∈ z_p, Define c_L,iAs index, c is made_L,i=n-m_L,i, wherein, m_L,iRepresent for each attribute i ∈ S_attMandate age threshold under Mark；

Issuing ciphertext is：

Wherein C_MTo carry out the data after bilinear map to sensitive data M.

The sensitive data of above-mentioned cloud storage system shared and self-destruction method safely, wherein, the algorithm KeyGen (MSK, γ, T') specific calculating process be：

Tree γ is being accessed for each node x in addition to leaf node₁Select multinomialIt is non-in tree γ for accessing Leaf node x₂, multinomial is setThe number of degreesAnd its threshold valueAnd meetFor root node r, if Put q_r(0)=y simultaneously randomly chooses other d_rPoint is with fully defining multinomial q_r；For any other node x in addition to root node, if Put q_x(0)=q_parent(x)(index (x)) and other d are selected at random_xPoint is with fully defining multinomial q_x, function parent (x) tables Node x father node is shown as, function index (x) returns to the numeral associated with node x, and wherein index value is uniquely distributed Give node x；

Accessing leaf node x defined in tree γ₃∈S_YAs by the momentThe attribute of constraint, S_YRepresent to access tree γ leaf segments Point set；Randomly choose r_x, r '_x∈z_p, define n_XIt is to make C_x=n-n_xIndex, calculate simultaneously provided to data consumer following secret Close value d：

Wherein：

τ_xBe one close to 0 relatively decimal.

The sensitive data of above-mentioned cloud storage system shares safely and self-destruction method, wherein, the algorithm Decr (CT, SK) Specific calculating process be：

Make effective property set x' ∈ S_att,Meet to access tree γ,It is and X During associated mandate, wherein X belongs to sensitive data ciphertext (representing CT), and associated with XBelong to private key decryption Time point；For leaf node x₃：IfThe algorithm simply exports ⊥；Otherwise, the algorithms selection Random r "_x,r″′_x∈z_pAnd calculate：

Wherein：

Then, algorithm Decr (CT, SK) is calculated as follows：

DN is the function that bilinear map is carried out to sensitive data M；

For nonleaf node x₂, all node z are x₂Child node；Make S_xIt is any k_xThe child node z of size set, So that F_x≠ ⊥, F_xTo carry out the function of bilinear map to sensitive data M；If set S_xBeing not present, then node z is unsatisfactory for, Function F_xReturn to ⊥；

Otherwise, calculate：

Tree γ is being accessed for each node x in addition to leaf node₁Select multinomialFor root node r, set q_r(0)=y, random value s ∈ z are selected_p, set

Ω is the function that bilinear map is carried out to sensitive data M, and C is decrypted using Ω_MTo obtain shared sensitive data M, wherein, C_M=Me (g, g₂)^s·y。

Relative to prior art, the invention has the advantages that：

(1) user-defined authorization cycles are supported.In the cloud application scene of reality, each data item can be with one group of category Property be associated, and each attribute and the specification of time interval (decryption properties time interval, DATI) are associated, such as [09： 00,17：00], represent that encrypted data item can only be in the scheduled date 09:00 to 17:It is decrypted between 00, and 09 on the day of:00 Before with 17:It can not be withdrawn after 00.

(2) fine-grained access control is provided.Data owner encrypts his/her data to be total to the user in system Enjoy, wherein the key of each user is associated with accessing tree, and each leaf node and time instant (such as 14:30) it is related Connection.The access tree of each user can be defined as the unique logic expression formula on these DATI attributes, and use is licensed to reflection The data item at family.For successful decryption ciphertext, effective attribute should meet to access tree, wherein in user key at the time of each leaf DATI should be belonged to (for example, 14:30∈[09：00,17：00]) the respective attributes in ciphertext.Due to accessing the logical expression of tree Formula can represent any desired data set with interval any time, and it can realize fine-grained access control.If Moment, then ciphertext can not be decrypted not in specified time interval, i.e., the ciphertext will be by self-destruction, and nobody can be due to Safe key expires and it is decrypted.It is thereby achieved that the secure data self-destruction with fine-granularity access control.

Brief description of the drawings

Fig. 1 is that the sensitive data of cloud storage system of the present invention shares safely the flow chart with self-destruction method；

Fig. 2 is cloud storage system of the present invention shared and destruct system schematic diagram safely.

Embodiment

Below in conjunction with accompanying drawing, by specific embodiment, the invention will be further described, and these embodiments are merely to illustrate The present invention, it is not limiting the scope of the invention.

As shown in figure 1, a kind of sensitive data of cloud storage system shares safely and self-destruction method, comprise the steps of：

Step 1：Design cloud storage system shared and destruct system safely；

As shown in Fig. 2 the system includes：Data owner 1, and it is the owner of sensitive data；Cloud storage system management Person 2, and it is responsible for the safety of cloud storage system sensitive data and shared；Cloud storage service device 3, it, which is used to depositing cloud storage system, owns Sensitive data；Time server 4, it is used for the usage time of sensitive data ciphertext and sets and verify, and, data consumer 5, its To use the user for the sensitive data deposited in cloud storage system；

Step 2：System initialization generates systematic parameter and master key；

Specially：Data owner 1 selects security parameter k and global parameter u, and calls algorithm Setup (1^k, u) and generation Systematic parameter p and master key MSK；

Step 3：Sensitive data file is encrypted with being set during authorizing；

Specially：Data owner 1 is initially selected for shared sensitive data M attribute set S_attAnd define use In S_attMandate during TS；Then, data owner 1 calls algorithm Encr (M, p, S_att, TS) and so that sensitive data file M to be added It is close to arrive its sensitive data ciphertext CT；Finally, sensitive data ciphertext CT is sent to cloud storage service device 3；

Step 4：Fine-granularity access control during mandate is set；

Specially：When data consumer 5 accesses shared sensitive data M during mandate, i.e. access time T' ∈ TS And the property set matching of user is accessed when setting γ, then cloud storage system manager 2 runs algorithm KeyGen (MSK, γ, T') generations Private key SK simultaneously sends it to data consumer 5；Data consumer 5 will obtain sensitivity after receiving SK from cloud storage service device 3 Data ciphertext CT, and algorithm Decr (CT, SK) is called to decrypt CT to obtain shared sensitive data M；

Step 5：Data self-destruction after the sensitive data file of encryption expires during mandate；

After being expired during mandate, data consumer 5 can not obtain real private key at cloud storage system manager 2 SK, sensitive data ciphertext CT are decrypted after can not thus being expired during mandate, so as to which shared sensitive data is during mandate Self-destruction is realized after expiring.

The sensitive data of above-mentioned cloud storage system shares safely and self-destruction method, wherein, the algorithm Setup (1^k,u) Specific calculating process be：

Make the Bilinear Groups that G is Prime Orders P ', g is G maker, e：G × G → G ' is bilinear map；Selection one Security parameter k, and all global parameter u={ 1 ..., n } are defined, n is the integer more than 1；It is what time server 4 provided to make T Maximum time in system, and Man Zu ∣ T ∣=n, wherein, n is the threshold value that time server 4 sets the time；From Bilinear Groups Element set z_pA random number y is selected, and g is set₁=g^y；Random number g is selected from Bilinear Groups G₂,u′_1,1,...,u ′_n,1,u′_1,2,...,u′_n,2,u₁,...,u_T∈G；

Common parameter is issued as:

Master key MSK is：

The sensitive data of above-mentioned cloud storage system shared and self-destruction method safely, wherein, the algorithm Encr (M, p, S_att, TS) specific calculating process be：

In attribute set S_attIt is lower to utilize each attribute i ∈ S_attSensitive data M, wherein i are constrained during being authorized, and are visited Ask the timeWherein,It is the upper-lower door limit value of time；Select random value s ∈ z_p, it is fixed Adopted c_L,iAs index, c is made_L,i=n-m_L,i, wherein, m_L,iRepresent for each attribute i ∈ S_attMandate age threshold subscript；

Issuing ciphertext is：

Wherein C_MTo carry out the data after bilinear map to sensitive data M.

The sensitive data of above-mentioned cloud storage system shared and self-destruction method safely, wherein, the algorithm KeyGen (MSK, γ, T') specific calculating process be：

Tree γ is being accessed for each node x in addition to leaf node₁Select multinomialIt is non-in tree γ for accessing Leaf node x₂, multinomial is setThe number of degreesAnd its threshold valueAnd meetFor root node r, set q_r(0)=y simultaneously randomly chooses other d_rPoint is with fully defining multinomial q_r；For any other node x in addition to root node, set q_x(0)=q_parent(x)(index (x)) and other d are selected at random_xPoint is with fully defining multinomial q_x, function parent (x) expressions For node x father node, function index (x) returns to the numeral associated with node x, and wherein index value is uniquely attributed to Node x；

Accessing leaf node x defined in tree γ₃∈S_YAs by the momentThe attribute of constraint, S_YRepresent to access tree γ leaf segments Point set；Randomly choose r_x, r '_x∈z_p, define n_XIt is to make C_x=n-n_xIndex, calculate simultaneously provided to data consumer 5 following Secret value d：

Wherein：

τ_xBe one close to 0 relatively decimal.

The sensitive data of above-mentioned cloud storage system shares safely and self-destruction method, wherein, the algorithm Decr (CT, SK) Specific calculating process be：

Make effective property setMeet to access tree γ,Be with During mandate associated X, wherein X belongs to sensitive data ciphertext (representing CT), and associated with XBelong to private key decryption Time point；For leaf node x₃：IfThe algorithm simply exports ⊥；Otherwise, the algorithm selects Select random r "_x,r″′_x∈z_pAnd calculate：

Wherein：

Then, algorithm Decr (CT, SK) is calculated as follows：

DN is the function that bilinear map is carried out to sensitive data M；

For nonleaf node x₂, all node z are x₂Child node；Make S_xIt is any k_xThe child node z of size set, So that F_x≠ ⊥, F_xTo carry out the function of bilinear map to sensitive data M；If set S_xBeing not present, then node z is unsatisfactory for, Function F_xReturn to ⊥；

Otherwise, calculate：

Tree γ is being accessed for each node x in addition to leaf node₁Select multinomialFor root node r, set q_r(0)=y, random value s ∈ z are selected_p, set

Ω is the function that bilinear map is carried out to sensitive data M, and C is decrypted using Ω_MTo obtain shared sensitive data M, wherein, C_M=Me (g, g₂)^s·y。

The present invention is subjected to Integrated comparative with currently existing scheme in terms of security attribute, as a result as shown in table 1.

The Integrated comparative of the security attribute of table 1

As known from Table 1, after using the safe shared and self-destruction method of sensitive data of cloud storage system of the present invention, from each side Face is better than existing solution, such as Vanish, SSDD, ISS.

Vanish, SSDD and ISS all schemes are required for preferable hypothesis " expired in VDO (data object of disappearance) Before without attack VDO ".Because Sybil opponent can crawl enough key shares from distributed hashtable (DHT) network To rebuild decruption key.Once opponent obtains VDO before Cloud Server expires, he/her will use the decruption key pair of reconstruct It is decrypted, to obtain in plain text.The present invention is it is not necessary to preferably it is assumed that because it does not need DHT networks.

Vanish and SSDD carrys out encrypted sensitive message using only symmetric cryptography, therefore they bring the key management of complexity, And fine-grained access control can not be realized to the different user with different attribute.ISS can realize that flexible access is controlled System, because IBE (Identity based encryption) and ID-TRE (the time controlled released encryption of identity-based) algorithm.This programme it can lead to Different attribute of the combination with variable time interval is crossed to provide fine-granularity access control.

The present invention supports sensitive data file data self-destruction after setting the time to expire of encryption, there is provided complete Life Cycle Phase secret protection.

Vanish, SSDD and ISS do not provide safe evidence.In addition, the present invention is proved under master pattern be safety 's.

In summary, the present invention supports user-defined authorization cycles.In the cloud application scene of reality, each data item Can be associated with one group of attribute, and each attribute with during authorizing, i.e. time interval (decryption properties time interval, DATI) Specification be associated.The present invention can also provide fine-grained access control.Data owner encrypts his/her data with being Users to share in system, wherein the key of each user is associated with accessing tree, and each leaf node is related to time instant Connection.The access tree of each user can be defined as the unique logic expression formula on these DATI attributes, and use is licensed to reflection The data item at family.For successful decryption ciphertext, effective attribute should meet to access tree, wherein in user key at the time of each leaf The respective attributes that should belong in DATI ciphertexts.Logical expression due to accessing tree can be represented with interval any time Any desired data set, it can realize fine-grained access control.If the moment is close not in specified time interval Text can not be decrypted, i.e., the ciphertext will be by self-destruction, and nobody it can be decrypted due to expiring for safe key. It is thereby achieved that the secure data self-destruction with fine-granularity access control.

Although present disclosure is discussed in detail by above preferred embodiment, but it should be appreciated that above-mentioned Description is not considered as limitation of the present invention.After those skilled in the art have read the above, for the present invention's A variety of modifications and substitutions all will be apparent.Therefore, protection scope of the present invention should be limited to the appended claims.

Claims (5)

1. a kind of sensitive data of cloud storage system shares safely and self-destruction method, it is characterised in that comprises the steps of：

Step 1：Design cloud storage system shared and destruct system safely；

The system includes：Data owner, it is the owner of sensitive data；Cloud storage system manager, it is responsible for cloud storage The safety of system sensitive data is shared；Cloud storage service device, it is used to deposit all sensitive datas of cloud storage system；Time Service Device, it is used for the usage time of sensitive data ciphertext and sets and verify, and, data consumer, it is using in cloud storage system The user of the sensitive data of storage；

Step 2：System initialization generates systematic parameter and master key；

Specially：Data owner selects security parameter k and global parameter u, and calls algorithm Setup (1^k, u) and generation system ginseng Number p and master key MSK；

Step 3：Sensitive data file is encrypted with being set during authorizing；

Specially：Data owner is initially selected for shared sensitive data M attribute set S_attAnd define for S_att Mandate during TS；Then, data owner calls algorithm Encr (M, p, S_att, TS) and so that sensitive data file M is encrypted into it Sensitive data ciphertext CT；Finally, sensitive data ciphertext CT is sent to cloud storage service device；

Step 4：Fine-granularity access control during mandate is set；

Specially：When data consumer accesses shared sensitive data M during mandate, i.e. access time T' ∈ TS and user Property set matching when accessing tree Υ, then cloud storage system manager runs algorithm KeyGen life (MSK, Υ, T') into private key SK And send it to data consumer；Data consumer will obtain sensitive data ciphertext after receiving SK from cloud storage service device CT, and algorithm Decr (CT, SK) is called to decrypt CT to obtain shared sensitive data M；

Step 5：Data self-destruction after the sensitive data file of encryption expires during mandate；

After being expired during mandate, data consumer can not obtain real private key SK at cloud storage system manager, sensitive Data ciphertext CT is decrypted after can not thus being expired during mandate, after being expired so as to shared sensitive data during mandate Realize self-destruction.

2. the sensitive data of cloud storage system as claimed in claim 1 shares safely and self-destruction method, it is characterised in that described Algorithm Setup (1^k, u) specific calculating process be：

Make the Bilinear Groups that G is Prime Orders P ', g is G maker, e：G × G → G ' is bilinear map；Select a safety Parameter k, and all global parameter u={ 1 ..., n } are defined, n is the integer more than 1；It is the system that time server provides to make T In maximum time, and Man Zu ∣ T ∣=n, wherein, n is the threshold value that time server sets the time；From Bilinear Groups element set Close z_pA random number y is selected, and g is set₁=g^y；Random number g is selected from Bilinear Groups G₂,u′_1,1,...,u′_n,1,u ′_1,2,...,u′_n,2,u₁,...,u_T∈G；

Common parameter is issued as:

<mrow> <mi>p</mi> <mo>=</mo> <mo>{</mo> <mi>g</mi> <mo>,</mo> <msub> <mi>g</mi> <mn>1</mn> </msub> <mo>,</mo> <msub> <mi>g</mi> <mn>2</mn> </msub> <mo>,</mo> <mo>{</mo> <mo>&amp;ForAll;</mo> <mi>i</mi> <mo>=</mo> <mn>1</mn> <mo>:</mo> <mi>n</mi> <mo>,</mo> <msubsup> <mi>u</mi> <mrow> <mi>i</mi> <mo>,</mo> <mn>1</mn> </mrow> <mo>&amp;prime;</mo> </msubsup> <mo>,</mo> <msubsup> <mi>u</mi> <mrow> <mi>i</mi> <mo>,</mo> <mn>2</mn> </mrow> <mo>&amp;prime;</mo> </msubsup> <mo>}</mo> <mo>,</mo> <mo>{</mo> <mo>&amp;ForAll;</mo> <mi>j</mi> <mo>=</mo> <mn>1</mn> <mo>:</mo> <mi>T</mi> <mo>,</mo> <msub> <mi>u</mi> <mi>j</mi> </msub> <mo>}</mo> <mo>}</mo> <mo>,</mo> </mrow>

Master key MSK is：

3. the sensitive data of cloud storage system as claimed in claim 2 shares safely and self-destruction method, it is characterised in that described Algorithm Encr (M, p, S_att, TS) specific calculating process be：

The S under attribute set_attUtilize each attribute i ∈ S_attSensitive data M, wherein i are constrained during being authorized, during access BetweenWherein,It is the upper-lower door limit value of time；Select random value s ∈ z_p, definition c_L,iAs index, c is made_L,i=n-m_L,i, wherein, m_L,iRepresent for each attribute i ∈ S_attMandate age threshold subscript；

Issuing ciphertext is：

<mrow> <mi>C</mi> <mi>T</mi> <mo>=</mo> <mo>{</mo> <msub> <mi>C</mi> <mi>M</mi> </msub> <mo>=</mo> <mi>M</mi> <mo>&amp;CenterDot;</mo> <mi>e</mi> <msup> <mrow> <mo>(</mo> <mi>g</mi> <mo>,</mo> <msub> <mi>g</mi> <mn>2</mn> </msub> <mo>)</mo> </mrow> <mrow> <mi>s</mi> <mi>y</mi> </mrow> </msup> <mo>,</mo> <msup> <mi>g</mi> <mi>s</mi> </msup> <mo>,</mo> <msub> <mi>S</mi> <mrow> <mi>a</mi> <mi>t</mi> <mi>t</mi> </mrow> </msub> <mo>,</mo> <msub> <mrow> <mo>{</mo> <mi>E</mi> <mo>=</mo> <msup> <mrow> <mo>(</mo> <msubsup> <mi>u</mi> <mrow> <mi>i</mi> <mo>,</mo> <mn>1</mn> </mrow> <mo>&amp;prime;</mo> </msubsup> <munderover> <mo>&amp;Pi;</mo> <mrow> <mi>j</mi> <mo>=</mo> <mn>1</mn> </mrow> <mrow> <msub> <mi>m</mi> <mrow> <mi>R</mi> <mo>,</mo> <mi>i</mi> </mrow> </msub> <mo>+</mo> <mn>1</mn> </mrow> </munderover> <msubsup> <mi>u</mi> <mi>j</mi> <msub> <mi>t</mi> <mi>j</mi> </msub> </msubsup> <mo>)</mo> </mrow> <mi>s</mi> </msup> <mo>,</mo> <msup> <mi>E</mi> <mo>&amp;prime;</mo> </msup> <mo>=</mo> <msup> <mrow> <mo>(</mo> <msubsup> <mi>u</mi> <mrow> <mi>i</mi> <mo>,</mo> <mn>2</mn> </mrow> <mo>&amp;prime;</mo> </msubsup> <munderover> <mo>&amp;Pi;</mo> <mrow> <mi>j</mi> <mo>=</mo> <mn>1</mn> </mrow> <msub> <mi>c</mi> <mrow> <mi>L</mi> <mo>,</mo> <mi>i</mi> </mrow> </msub> </munderover> <msubsup> <mi>u</mi> <mi>j</mi> <mrow> <mi>T</mi> <mo>-</mo> <msub> <mi>t</mi> <mi>j</mi> </msub> </mrow> </msubsup> <mo>)</mo> </mrow> <mi>s</mi> </msup> <mo>,</mo> <msubsup> <mi>T</mi> <mi>i</mi> <mo>&amp;prime;</mo> </msubsup> <mo>}</mo> </mrow> <mrow> <mi>i</mi> <mo>&amp;Element;</mo> <msub> <mi>S</mi> <mrow> <mi>a</mi> <mi>t</mi> <mi>t</mi> </mrow> </msub> </mrow> </msub> <mo>}</mo> <mo>,</mo> </mrow>

Wherein C_MTo carry out the data after bilinear map to sensitive data M.

4. the sensitive data of cloud storage system as claimed in claim 2 shares safely and self-destruction method, it is characterised in that described Algorithm KeyGen (MSK, Υ, T') specific calculating process is：

Tree Υ is being accessed for each node x in addition to leaf node₁Select multinomialNon- leaf segment in Υ is set for accessing Point x₂, multinomial is setThe number of degreesAnd its threshold valueAnd meetFor root node r, q is set_r (0)=y simultaneously randomly chooses other d_rPoint is with fully defining multinomial q_r；For any other node x in addition to root node, set q_x(0)=q_parent(x)(index (x)) and other d are selected at random_xPoint is with fully defining multinomial q_x, function parent (x) expressions For node x father node, function index (x) returns to the numeral associated with node x, and wherein index value is uniquely attributed to Node x；

Accessing leaf node x defined in tree Υ₃∈S_YAs by the momentThe attribute of constraint, S_YRepresent to access tree Υ leaf segment point sets Close；Randomly choose r_x, r'_x∈z_p, define n_XIt is to make C_x=n-n_xIndex, calculate simultaneously provide following secret value to data consumer d：

<mrow> <mi>d</mi> <mo>=</mo> <msub> <mrow> <mo>{</mo> <msub> <mi>D</mi> <mrow> <mi>x</mi> <mo>,</mo> <mn>1</mn> </mrow> </msub> <mo>,</mo> <msub> <mi>D</mi> <mrow> <mi>x</mi> <mo>,</mo> <mn>2</mn> </mrow> </msub> <mo>,</mo> <msup> <mi>g</mi> <msub> <mi>r</mi> <mi>x</mi> </msub> </msup> <mo>,</mo> <msup> <mi>g</mi> <msubsup> <mi>r</mi> <mi>x</mi> <mo>&amp;prime;</mo> </msubsup> </msup> <mo>,</mo> <msubsup> <mi>u</mi> <mrow> <msub> <mi>n</mi> <mi>x</mi> </msub> <mo>+</mo> <mn>2</mn> </mrow> <msub> <mi>r</mi> <mi>x</mi> </msub> </msubsup> <mn>....</mn> <mo>,</mo> <msubsup> <mi>u</mi> <mi>T</mi> <msub> <mi>r</mi> <mi>x</mi> </msub> </msubsup> <mo>,</mo> <msubsup> <mi>u</mi> <mrow> <msub> <mi>c</mi> <mi>x</mi> </msub> <mo>+</mo> <mn>1</mn> </mrow> <msubsup> <mi>r</mi> <mi>x</mi> <mo>&amp;prime;</mo> </msubsup> </msubsup> <mn>....</mn> <mo>,</mo> <msubsup> <mi>u</mi> <mi>T</mi> <msubsup> <mi>r</mi> <mi>x</mi> <mo>&amp;prime;</mo> </msubsup> </msubsup> <mo>,</mo> <msub> <mi>t</mi> <msub> <mi>n</mi> <mi>x</mi> </msub> </msub> <mo>}</mo> </mrow> <mrow> <mi>x</mi> <mo>&amp;Element;</mo> <msub> <mi>S</mi> <mi>Y</mi> </msub> </mrow> </msub> <mo>,</mo> </mrow>

Wherein：

<mrow> <msub> <mi>D</mi> <mrow> <mi>x</mi> <mo>,</mo> <mn>1</mn> </mrow> </msub> <mo>=</mo> <msubsup> <mi>g</mi> <mn>2</mn> <mrow> <msub> <mi>q</mi> <mi>x</mi> </msub> <mrow> <mo>(</mo> <mn>0</mn> <mo>)</mo> </mrow> <mo>+</mo> <msub> <mi>&amp;tau;</mi> <mi>x</mi> </msub> </mrow> </msubsup> <msup> <mrow> <mo>(</mo> <msubsup> <mi>u</mi> <mrow> <mi>i</mi> <mo>,</mo> <mn>1</mn> </mrow> <mo>&amp;prime;</mo> </msubsup> <munderover> <mo>&amp;Pi;</mo> <mrow> <mi>j</mi> <mo>=</mo> <mn>1</mn> </mrow> <mrow> <msub> <mi>n</mi> <mi>X</mi> </msub> <mo>+</mo> <mn>1</mn> </mrow> </munderover> <msubsup> <mi>u</mi> <mi>j</mi> <msub> <mi>t</mi> <mi>j</mi> </msub> </msubsup> <mo>)</mo> </mrow> <msub> <mi>r</mi> <mi>x</mi> </msub> </msup> <mo>,</mo> </mrow>

τ_xBe one close to 0 relatively decimal.

5. the sensitive data of cloud storage system as claimed in claim 4 shares safely and self-destruction method, it is characterised in that described Algorithm Decr (CT, SK) specific calculating process is：

Make effective property set x' ∈ S_att,Meet to access tree Υ,It is related to X During the mandate of connection, wherein X belongs to sensitive data ciphertext, and associated with XBelong to the time point of private key decryption；For Leaf node x₃：IfThe algorithm simply exports ⊥；Otherwise, the algorithms selection random r "_x, r″′_x∈z_pAnd calculate：

<mrow> <msub> <mi>d</mi> <mrow> <mi>u</mi> <mi>p</mi> <mi>p</mi> <mn>1</mn> </mrow> </msub> <mo>=</mo> <mo>{</mo> <msub> <mi>a</mi> <mn>0</mn> </msub> <mo>,</mo> <msup> <mi>g</mi> <msub> <mi>r</mi> <mrow> <mi>R</mi> <mo>,</mo> <mi>x</mi> </mrow> </msub> </msup> <mo>&amp;CenterDot;</mo> <msup> <mi>g</mi> <msubsup> <mi>r</mi> <mi>x</mi> <mrow> <mo>&amp;prime;</mo> <mo>&amp;prime;</mo> </mrow> </msubsup> </msup> <mo>,</mo> <msubsup> <mi>u</mi> <mrow> <msub> <mi>m</mi> <mrow> <mi>R</mi> <mo>,</mo> <mi>x</mi> </mrow> </msub> <mo>+</mo> <mn>2</mn> </mrow> <msub> <mi>r</mi> <mrow> <mi>R</mi> <mo>,</mo> <mi>x</mi> </mrow> </msub> </msubsup> <mo>&amp;CenterDot;</mo> <msubsup> <mi>u</mi> <mrow> <msub> <mi>m</mi> <mrow> <mi>R</mi> <mo>,</mo> <mi>x</mi> </mrow> </msub> <mo>+</mo> <mn>2</mn> </mrow> <msubsup> <mi>r</mi> <mi>x</mi> <mrow> <mo>&amp;prime;</mo> <mo>&amp;prime;</mo> </mrow> </msubsup> </msubsup> <mn>....</mn> <mo>,</mo> <msubsup> <mi>u</mi> <mi>T</mi> <msub> <mi>r</mi> <mrow> <mi>R</mi> <mo>,</mo> <mi>x</mi> </mrow> </msub> </msubsup> <mo>&amp;CenterDot;</mo> <msubsup> <mi>u</mi> <mi>T</mi> <msubsup> <mi>r</mi> <mi>x</mi> <mrow> <mo>&amp;prime;</mo> <mo>&amp;prime;</mo> </mrow> </msubsup> </msubsup> <mo>}</mo> <mo>,</mo> </mrow>

<mrow> <msub> <mi>d</mi> <mrow> <mi>u</mi> <mi>p</mi> <mi>p</mi> <mn>2</mn> </mrow> </msub> <mo>=</mo> <mrow> <mo>{</mo> <mrow> <msub> <mi>b</mi> <mn>0</mn> </msub> <mo>,</mo> <msup> <mi>g</mi> <msub> <mi>r</mi> <mrow> <mi>L</mi> <mo>,</mo> <mi>x</mi> </mrow> </msub> </msup> <mo>&amp;CenterDot;</mo> <msup> <mi>g</mi> <msubsup> <mi>r</mi> <mi>x</mi> <mrow> <mo>&amp;prime;</mo> <mo>&amp;prime;</mo> <mo>&amp;prime;</mo> </mrow> </msubsup> </msup> <mo>,</mo> <msubsup> <mi>u</mi> <mrow> <msub> <mi>c</mi> <mrow> <mi>L</mi> <mo>,</mo> <mi>x</mi> </mrow> </msub> <mo>+</mo> <mn>1</mn> </mrow> <msub> <mi>r</mi> <mrow> <mi>L</mi> <mo>,</mo> <mi>x</mi> </mrow> </msub> </msubsup> <mo>&amp;CenterDot;</mo> <msubsup> <mi>u</mi> <mrow> <msub> <mi>c</mi> <mrow> <mi>L</mi> <mo>,</mo> <mi>x</mi> </mrow> </msub> <mo>+</mo> <mn>1</mn> </mrow> <msubsup> <mi>r</mi> <mi>x</mi> <mrow> <mo>&amp;prime;</mo> <mo>&amp;prime;</mo> <mo>&amp;prime;</mo> </mrow> </msubsup> </msubsup> <mn>....</mn> <mo>,</mo> <msubsup> <mi>u</mi> <mi>T</mi> <msub> <mi>r</mi> <mrow> <mi>L</mi> <mo>,</mo> <mi>x</mi> </mrow> </msub> </msubsup> <mo>&amp;CenterDot;</mo> <msubsup> <mi>u</mi> <mi>T</mi> <msubsup> <mi>r</mi> <mi>x</mi> <mrow> <mo>&amp;prime;</mo> <mo>&amp;prime;</mo> <mo>&amp;prime;</mo> </mrow> </msubsup> </msubsup> </mrow> <mo>}</mo> </mrow> <mo>,</mo> </mrow>

Wherein：

<mrow> <mtable> <mtr> <mtd> <mrow> <msub> <mi>a</mi> <mn>0</mn> </msub> <mo>=</mo> <msub> <mi>D</mi> <mrow> <mi>x</mi> <mo>,</mo> <mn>1</mn> </mrow> </msub> <msup> <mrow> <mo>(</mo> <mrow> <msubsup> <mi>u</mi> <mrow> <mi>i</mi> <mo>,</mo> <mn>1</mn> </mrow> <mo>&amp;prime;</mo> </msubsup> <munderover> <mi>&amp;Pi;</mi> <mrow> <mi>j</mi> <mo>=</mo> <msub> <mi>n</mi> <mi>x</mi> </msub> <mo>+</mo> <mn>1</mn> </mrow> <mrow> <msub> <mi>m</mi> <mrow> <mi>R</mi> <mo>,</mo> <mi>x</mi> </mrow> </msub> <mo>+</mo> <mn>1</mn> </mrow> </munderover> <msubsup> <mi>u</mi> <mi>j</mi> <msub> <mi>t</mi> <mi>j</mi> </msub> </msubsup> </mrow> <mo>)</mo> </mrow> <msub> <mi>r</mi> <mrow> <mi>R</mi> <mo>,</mo> <mi>x</mi> </mrow> </msub> </msup> <msup> <mrow> <mo>(</mo> <mrow> <msubsup> <mi>u</mi> <mrow> <mi>i</mi> <mo>,</mo> <mn>1</mn> </mrow> <mo>&amp;prime;</mo> </msubsup> <munderover> <mi>&amp;Pi;</mi> <mrow> <mi>j</mi> <mo>=</mo> <mn>1</mn> </mrow> <mrow> <msub> <mi>m</mi> <mrow> <mi>R</mi> <mo>,</mo> <mi>x</mi> </mrow> </msub> <mo>+</mo> <mn>1</mn> </mrow> </munderover> <msubsup> <mi>u</mi> <mi>j</mi> <msub> <mi>t</mi> <mi>j</mi> </msub> </msubsup> </mrow> <mo>)</mo> </mrow> <msubsup> <mi>r</mi> <mi>x</mi> <mrow> <mo>&amp;prime;</mo> <mo>&amp;prime;</mo> </mrow> </msubsup> </msup> </mrow> </mtd> </mtr> <mtr> <mtd> <mrow> <mo>=</mo> <msubsup> <mi>g</mi> <mn>2</mn> <mrow> <msub> <mi>q</mi> <mi>x</mi> </msub> <mrow> <mo>(</mo> <mn>0</mn> <mo>)</mo> </mrow> <mo>+</mo> <msub> <mi>&amp;tau;</mi> <mi>x</mi> </msub> </mrow> </msubsup> <msup> <mrow> <mo>(</mo> <mrow> <msubsup> <mi>u</mi> <mrow> <mi>i</mi> <mo>,</mo> <mn>1</mn> </mrow> <mo>&amp;prime;</mo> </msubsup> <munderover> <mi>&amp;Pi;</mi> <mrow> <mi>j</mi> <mo>=</mo> <mn>1</mn> </mrow> <mrow> <msub> <mi>m</mi> <mrow> <mi>R</mi> <mo>,</mo> <mi>x</mi> </mrow> </msub> <mo>+</mo> <mn>1</mn> </mrow> </munderover> <msubsup> <mi>u</mi> <mi>j</mi> <msub> <mi>t</mi> <mi>j</mi> </msub> </msubsup> </mrow> <mo>)</mo> </mrow> <mrow> <msub> <mi>r</mi> <mrow> <mi>R</mi> <mo>,</mo> <mi>x</mi> </mrow> </msub> <mo>+</mo> <msubsup> <mi>r</mi> <mi>x</mi> <mrow> <mo>&amp;prime;</mo> <mo>&amp;prime;</mo> </mrow> </msubsup> </mrow> </msup> </mrow> </mtd> </mtr> </mtable> <mo>,</mo> </mrow>

<mrow> <mtable> <mtr> <mtd> <mrow> <msub> <mi>b</mi> <mn>0</mn> </msub> <mo>=</mo> <msub> <mi>D</mi> <mrow> <mi>x</mi> <mo>,</mo> <mn>2</mn> </mrow> </msub> <msup> <mrow> <mo>(</mo> <mrow> <msubsup> <mi>u</mi> <mrow> <mi>i</mi> <mo>,</mo> <mn>2</mn> </mrow> <mo>&amp;prime;</mo> </msubsup> <munderover> <mi>&amp;Pi;</mi> <mrow> <mi>j</mi> <mo>=</mo> <msub> <mi>c</mi> <mi>x</mi> </msub> </mrow> <msub> <mi>c</mi> <mrow> <mi>L</mi> <mo>,</mo> <mi>x</mi> </mrow> </msub> </munderover> <msubsup> <mi>u</mi> <mi>j</mi> <mrow> <mi>T</mi> <mo>-</mo> <msub> <mi>t</mi> <mi>j</mi> </msub> </mrow> </msubsup> </mrow> <mo>)</mo> </mrow> <msub> <mi>r</mi> <mrow> <mi>L</mi> <mo>,</mo> <mi>x</mi> </mrow> </msub> </msup> <msup> <mrow> <mo>(</mo> <mrow> <msubsup> <mi>u</mi> <mrow> <mi>i</mi> <mo>,</mo> <mn>2</mn> </mrow> <mo>&amp;prime;</mo> </msubsup> <munderover> <mi>&amp;Pi;</mi> <mrow> <mi>j</mi> <mo>=</mo> <mn>1</mn> </mrow> <msub> <mi>c</mi> <mrow> <mi>L</mi> <mo>,</mo> <mi>x</mi> </mrow> </msub> </munderover> <msubsup> <mi>u</mi> <mi>j</mi> <mrow> <mi>T</mi> <mo>-</mo> <msub> <mi>t</mi> <mi>j</mi> </msub> </mrow> </msubsup> </mrow> <mo>)</mo> </mrow> <msubsup> <mi>r</mi> <mi>x</mi> <mrow> <mo>&amp;prime;</mo> <mo>&amp;prime;</mo> <mo>&amp;prime;</mo> </mrow> </msubsup> </msup> </mrow> </mtd> </mtr> <mtr> <mtd> <mrow> <mo>=</mo> <msubsup> <mi>g</mi> <mn>2</mn> <mrow> <mo>-</mo> <msub> <mi>&amp;tau;</mi> <mi>x</mi> </msub> </mrow> </msubsup> <msup> <mrow> <mo>(</mo> <mrow> <msubsup> <mi>u</mi> <mrow> <mi>i</mi> <mo>,</mo> <mn>2</mn> </mrow> <mo>&amp;prime;</mo> </msubsup> <munderover> <mi>&amp;Pi;</mi> <mrow> <mi>j</mi> <mo>=</mo> <mn>1</mn> </mrow> <msub> <mi>c</mi> <mrow> <mi>L</mi> <mo>,</mo> <mi>x</mi> </mrow> </msub> </munderover> <msubsup> <mi>u</mi> <mi>j</mi> <mrow> <mi>T</mi> <mo>-</mo> <msub> <mi>t</mi> <mi>j</mi> </msub> </mrow> </msubsup> </mrow> <mo>)</mo> </mrow> <mrow> <msub> <mi>r</mi> <mrow> <mi>L</mi> <mo>,</mo> <mi>x</mi> </mrow> </msub> <mo>+</mo> <msubsup> <mi>r</mi> <mi>x</mi> <mrow> <mo>&amp;prime;</mo> <mo>&amp;prime;</mo> <mo>&amp;prime;</mo> </mrow> </msubsup> </mrow> </msup> </mrow> </mtd> </mtr> </mtable> <mo>,</mo> </mrow>

Then, algorithm Decr (CT, SK) is calculated as follows：

<mrow> <mi>D</mi> <mi>N</mi> <mo>=</mo> <mfrac> <mrow> <mi>e</mi> <mrow> <mo>(</mo> <mrow> <msup> <mi>g</mi> <mi>s</mi> </msup> <mo>,</mo> <msub> <mi>a</mi> <mn>0</mn> </msub> </mrow> <mo>)</mo> </mrow> <mo>&amp;CenterDot;</mo> <mi>e</mi> <mrow> <mo>(</mo> <mrow> <msub> <mi>b</mi> <mn>0</mn> </msub> <mo>,</mo> <msup> <mi>g</mi> <mi>s</mi> </msup> </mrow> <mo>)</mo> </mrow> </mrow> <mrow> <mi>e</mi> <mrow> <mo>(</mo> <mrow> <mi>E</mi> <mo>,</mo> <msup> <mi>g</mi> <mrow> <msub> <mi>r</mi> <mrow> <mi>R</mi> <mo>,</mo> <mi>x</mi> </mrow> </msub> <mo>+</mo> <msup> <msub> <mi>r</mi> <mi>x</mi> </msub> <mrow> <mo>&amp;prime;</mo> <mo>&amp;prime;</mo> </mrow> </msup> </mrow> </msup> </mrow> <mo>)</mo> </mrow> <mo>&amp;CenterDot;</mo> <mi>e</mi> <mrow> <mo>(</mo> <mrow> <msup> <mi>g</mi> <mrow> <msub> <mi>r</mi> <mrow> <mi>L</mi> <mo>,</mo> <mi>x</mi> </mrow> </msub> <mo>+</mo> <msup> <msub> <mi>r</mi> <mi>x</mi> </msub> <mrow> <mo>&amp;prime;</mo> <mo>&amp;prime;</mo> <mo>&amp;prime;</mo> </mrow> </msup> </mrow> </msup> <mo>,</mo> <msup> <mi>E</mi> <mo>&amp;prime;</mo> </msup> </mrow> <mo>)</mo> </mrow> </mrow> </mfrac> <mo>=</mo> <mi>e</mi> <msup> <mrow> <mo>(</mo> <mrow> <mi>g</mi> <mo>,</mo> <msub> <mi>g</mi> <mn>2</mn> </msub> </mrow> <mo>)</mo> </mrow> <mrow> <msub> <mi>sq</mi> <mi>x</mi> </msub> <mrow> <mo>(</mo> <mn>0</mn> <mo>)</mo> </mrow> </mrow> </msup> <mo>,</mo> </mrow>

DN is the function that bilinear map is carried out to sensitive data M；

For nonleaf node x₂, all node z are x₂Child node；Make S_xIt is any k_xThe child node z of size set so that F_x ≠ ⊥, F_xTo carry out the function of bilinear map to sensitive data M；If set S_xIt is not present, then node z is unsatisfactory for, function F_x Return to ⊥；

Otherwise, calculate：

<mrow> <mtable> <mtr> <mtd> <mrow> <msub> <mi>F</mi> <mi>x</mi> </msub> <mo>=</mo> <munder> <mi>&amp;Pi;</mi> <mrow> <mi>c</mi> <mo>&amp;Element;</mo> <msub> <mi>S</mi> <mi>x</mi> </msub> </mrow> </munder> <msubsup> <mi>F</mi> <mi>c</mi> <mrow> <msub> <mi>&amp;Delta;</mi> <mrow> <mi>i</mi> <mo>,</mo> <msubsup> <mi>S</mi> <mi>x</mi> <mo>&amp;prime;</mo> </msubsup> </mrow> </msub> <mrow> <mo>(</mo> <mn>0</mn> <mo>)</mo> </mrow> </mrow> </msubsup> <mo>=</mo> <munder> <mi>&amp;Pi;</mi> <mrow> <mi>c</mi> <mo>&amp;Element;</mo> <msub> <mi>S</mi> <mi>x</mi> </msub> </mrow> </munder> <msup> <mrow> <mo>(</mo> <mrow> <mi>e</mi> <msup> <mrow> <mo>(</mo> <mrow> <mi>g</mi> <mo>,</mo> <msub> <mi>g</mi> <mn>2</mn> </msub> </mrow> <mo>)</mo> </mrow> <mrow> <mi>s</mi> <mo>&amp;CenterDot;</mo> <msub> <mi>q</mi> <mi>c</mi> </msub> <mrow> <mo>(</mo> <mn>0</mn> <mo>)</mo> </mrow> </mrow> </msup> </mrow> <mo>)</mo> </mrow> <mrow> <msub> <mi>&amp;Delta;</mi> <mrow> <mi>i</mi> <mo>,</mo> <msubsup> <mi>S</mi> <mi>x</mi> <mo>&amp;prime;</mo> </msubsup> </mrow> </msub> <mrow> <mo>(</mo> <mn>0</mn> <mo>)</mo> </mrow> </mrow> </msup> </mrow> </mtd> </mtr> <mtr> <mtd> <mrow> <mo>=</mo> <munder> <mi>&amp;Pi;</mi> <mrow> <mi>c</mi> <mo>&amp;Element;</mo> <msub> <mi>S</mi> <mi>x</mi> </msub> </mrow> </munder> <msup> <mrow> <mo>(</mo> <mrow> <mi>e</mi> <msup> <mrow> <mo>(</mo> <mrow> <mi>g</mi> <mo>,</mo> <msub> <mi>g</mi> <mn>2</mn> </msub> </mrow> <mo>)</mo> </mrow> <mrow> <mi>s</mi> <mo>&amp;CenterDot;</mo> <msub> <mi>q</mi> <mrow> <mi>p</mi> <mi>a</mi> <mi>r</mi> <mi>a</mi> <mi>e</mi> <mi>n</mi> <mi>t</mi> <mrow> <mo>(</mo> <mi>c</mi> <mo>)</mo> </mrow> </mrow> </msub> <mrow> <mo>(</mo> <mn>0</mn> <mo>)</mo> </mrow> </mrow> </msup> </mrow> <mo>)</mo> </mrow> <mrow> <msub> <mi>&amp;Delta;</mi> <mrow> <mi>i</mi> <mo>,</mo> <msubsup> <mi>S</mi> <mi>x</mi> <mo>&amp;prime;</mo> </msubsup> </mrow> </msub> <mrow> <mo>(</mo> <mn>0</mn> <mo>)</mo> </mrow> </mrow> </msup> </mrow> </mtd> </mtr> <mtr> <mtd> <mrow> <mo>=</mo> <munder> <mi>&amp;Pi;</mi> <mrow> <mi>c</mi> <mo>&amp;Element;</mo> <msub> <mi>S</mi> <mi>x</mi> </msub> </mrow> </munder> <mi>e</mi> <msup> <mrow> <mo>(</mo> <mrow> <mi>g</mi> <mo>,</mo> <msub> <mi>g</mi> <mn>2</mn> </msub> </mrow> <mo>)</mo> </mrow> <mrow> <mi>s</mi> <mo>&amp;CenterDot;</mo> <msub> <mi>q</mi> <mrow> <mi>x</mi> <mrow> <mo>(</mo> <mi>i</mi> <mo>)</mo> </mrow> </mrow> </msub> <msub> <mi>&amp;Delta;</mi> <mrow> <mi>i</mi> <mo>,</mo> <msubsup> <mi>S</mi> <mi>x</mi> <mo>&amp;prime;</mo> </msubsup> </mrow> </msub> <mrow> <mo>(</mo> <mn>0</mn> <mo>)</mo> </mrow> </mrow> </msup> <mo>=</mo> <mi>e</mi> <msup> <mrow> <mo>(</mo> <mrow> <mi>g</mi> <mo>,</mo> <msub> <mi>g</mi> <mn>2</mn> </msub> </mrow> <mo>)</mo> </mrow> <mrow> <mi>s</mi> <mo>&amp;CenterDot;</mo> <msub> <mi>q</mi> <mi>x</mi> </msub> <mrow> <mo>(</mo> <mn>0</mn> <mo>)</mo> </mrow> </mrow> </msup> </mrow> </mtd> </mtr> </mtable> <mo>,</mo> </mrow>

Tree Υ is being accessed for each node x in addition to leaf node₁Select multinomialFor root node r, q is set_r(0) =y, select random value s ∈ z_p, set

<mrow> <mi>&amp;Omega;</mi> <mo>=</mo> <mi>e</mi> <msup> <mrow> <mo>(</mo> <mi>g</mi> <mo>,</mo> <msub> <mi>g</mi> <mn>2</mn> </msub> <mo>)</mo> </mrow> <mrow> <mi>s</mi> <mo>&amp;CenterDot;</mo> <msub> <mi>q</mi> <mi>r</mi> </msub> <mrow> <mo>(</mo> <mn>0</mn> <mo>)</mo> </mrow> </mrow> </msup> <mo>=</mo> <mi>e</mi> <msup> <mrow> <mo>(</mo> <mi>g</mi> <mo>,</mo> <msub> <mi>g</mi> <mn>2</mn> </msub> <mo>)</mo> </mrow> <mrow> <mi>s</mi> <mo>&amp;CenterDot;</mo> <mi>y</mi> </mrow> </msup> <mo>,</mo> </mrow>

Ω is the function that bilinear map is carried out to sensitive data M, and C is decrypted using Ω_MTo obtain shared sensitive data M, its In, C_M=Me (g, g₂)^s·y。