CN108039944B - De-ordering encryption framework algorithm with forward security - Google Patents


Info

Publication number: CN108039944B
Authority: CN (China)
Prior art keywords: encryption, algorithm, order, data, key
Legal status: Active
Application number: CN201711345342.7A
Other languages: Chinese (zh)
Other versions: CN108039944A
Inventors: 汪星辰, 赵运磊, 朱扬勇
Current assignee: Fudan University
Original assignee: Fudan University

Legal events: application filed by Fudan University; priority to CN201711345342.7A; publication of CN108039944A; application granted; publication of CN108039944B; current legal status active.

Classifications

    • H04L9/0861: Generation of secret information including derivation or calculation of cryptographic keys or passwords (under H: Electricity; H04: Electric communication technique; H04L: Transmission of digital information, e.g. telegraphic communication; H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications, network security protocols; H04L9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords)
    • H04L9/0643: Hash functions, e.g. MD5, SHA, HMAC or f9 MAC (under H04L9/06: the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; hash functions; pseudorandom sequence generators)
    • H04L9/14: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications using a plurality of keys or algorithms

Abstract

The invention belongs to the technical field of cryptography, and particularly relates to an order-revealing encryption framework algorithm with forward security. The invention compiles an original order-preserving encryption or order-revealing encryption scheme into a forward-secure order-revealing encryption framework algorithm. The original order-preserving or order-revealing encryption is expressed as an algorithm tuple ORE = (ORE.Setup, ORE.Encrypt, ORE.Compare), whose three elements are respectively ORE.Setup, an initialization algorithm, ORE.Encrypt, an encryption algorithm, and ORE.Compare, a comparison algorithm; the compiled forward-secure order-revealing encryption framework algorithm tuple is represented as ORE_fp = (Setup, Encrypt, Compare), i.e. Setup, the start-up/initialization algorithm, Encrypt, the encryption algorithm,

Description

De-ordering encryption framework algorithm with forward security
Technical Field
The invention belongs to the technical field of cryptography, and particularly relates to forward security techniques and order-revealing encryption methods in private-key encryption.
Background
Preliminaries and notation:
A hash function converts a string into a numeric value or a fixed-length string. Typically the input, an arbitrary string (or a concatenation of several strings), is first encoded as an element of {0,1}^*, and the hash function is then applied to that 0-1 string to obtain a fixed-length 0-1 string as output. Here {0,1}^* denotes the set of all 0-1 strings, and {0,1}^l \ {0^l} denotes the set {0,1}^l with the all-zero element removed, i.e. all 0-1 strings of length l other than 0^l, where 0^l is the string of l zeros. One basic role of hash functions in cryptography is to provide a "one-way" transformation, where, given a randomly generated output of the function, it is hard to find an input (a preimage) that produces it, and "collision resistance", where, given one input, it is hard to find a different input on which the hash function gives the same output. The range of hash functions is very wide: from simple mixing functions to functions with pseudorandom output. Hash functions with pseudorandom output are often idealized as a "random oracle" in cryptographic analysis, and a conventional pseudorandom function is also used for this purpose. Several hash functions are widely used in cryptography: for example, MD5 maps data of arbitrary length to a 128-bit 0-1 string, while the output of another common hash function, SHA, is a 160-bit 0-1 string. In short, a hash function F is target one-way if, for every probabilistic polynomial-time algorithm A, the probability that A, given an element y chosen at random from the range of the function, finds an x with y = F(x) is negligible (as a function of the length of y). More precisely, let the values d range over
Figure BDA0001509224600000011
A hash function F is target one-way (relative to
Figure BDA0001509224600000012
and a function H) if, for every probabilistic polynomial-time algorithm A, for a d chosen at random from
Figure BDA0001509224600000013
A(F, d) first outputs a message m ∈ {0,1}^*, then for another d' chosen at random from
Figure BDA0001509224600000014
A(F, d, m, d') finally outputs m' ∈ {0,1}^*, and the probability that d·H(m) = d'·H(m') is negligible.
A trapdoor permutation is a special one-way permutation. Briefly, a tuple of polynomial-time algorithms (Gen, Π, Inv) defined over a domain D is a trapdoor permutation family (sometimes informally abbreviated as a trapdoor permutation) if it satisfies the following conditions:
Gen(1^λ) → (I, td). On input a security parameter λ, the parameter generation algorithm outputs a pair of parameters (I, td). Such a pair defines a pair of sets D_I = D_td and satisfies that the length of I is at least λ. Informally, we also refer to I and td as the public key and the private key of the trapdoor permutation, respectively.
Gen_1(1^λ) → I. Let Gen_1 be the algorithm that runs Gen and returns only I as its result; then (Gen_1, Π) is a one-way permutation family.
Inv_td(y) → x. Inv is a deterministic inversion algorithm such that for every pair (I, td) output by Gen(1^λ), every x ∈ D_I = D_td and y = Π_I(x), we have Inv_td(y) = x. For brevity we often write Inv_td as Π^{-1}, and we denote performing k ≥ 1 forward and reverse trapdoor permutations, respectively, as Π^k and Π^{-k}.
Forward security was first applied, within attribute-preserving and attribute-revealing encryption, to dynamic symmetric searchable encryption, and is a strong property. Forward security means that past data operations leak no information about newly inserted data, whereas backward security means that past data operations leak no information about newly deleted data. We define it for order-revealing encryption as follows:
Let L be a leakage function. An order-revealing encryption scheme that is secure with leakage L against adaptive adversaries is forward secure if the leakage L_add of the data insertion operation can be expressed as:
L_add(add, W_add) = L(add, IND_add).
Here W_add is the inserted data set together with its specific storage structure, pointers, constraints, etc., and IND_add is a set that represents only the data table (in a relational database) or the data file (in a non-relational database) into which the data is inserted, together with the number of inserted records.
Order-preserving encryption and order-revealing encryption are important encryption methods within attribute-preserving and attribute-revealing encryption, which in turn are important members of private-key encryption. Order-preserving encryption is a special form of order-revealing encryption, and can be traced back at the earliest to the order-preserving encryption method for numeric data published by Agrawal et al. in 2004. In 2009, Boldyreva et al. formally started the wave of academic research on order-preserving encryption, and many algorithms trading off security against efficiency were developed, leading to a variety of algorithm structures. After that, Boneh et al. first proposed an order-revealing encryption algorithm in 2015; because it relies on multilinear maps its efficiency is low, and a number of order-revealing encryption algorithms have been developed in recent years. Driven also by the first practical encrypted database system, CryptDB, published by Popa et al. in 2013, the use of order-preserving and order-revealing encryption as internal algorithmic components has received great attention and development in recent years.
An order-revealing encryption scheme is a private-key encryption algorithm that can be expressed as a tuple of algorithms defined on a totally ordered plaintext space:
ORE = (ORE.Setup, ORE.Encrypt, ORE.Compare);
with the following properties:
(1) ORE.Setup(1^λ) → sk. On input a security parameter λ, the algorithm outputs a private key for use by the subsequent encryption algorithm;
(2) ORE.Encrypt(sk, m) → c. Using the previously generated private key, the encryption algorithm encrypts the input plaintext m into a ciphertext c whose correct order can be revealed by the comparison algorithm;
(3) ORE.Compare(c1, c2) → b. On input two ciphertexts, the comparison function returns one bit b ∈ {0,1} revealing the correct order of the two.
"Totally ordered" above refers to plaintexts whose correct order is known by ordinary magnitude comparison, such as numbers, strings, etc. In addition, not every order-revealing encryption scheme provides a decryption algorithm.
Order-preserving encryption is the special case of order-revealing encryption in which the ciphertext space is also required to be totally ordered and the comparison algorithm is ordinary magnitude comparison.
Currently there is no explicit order-revealing or order-preserving encryption with forward security. The only candidate is POPE (partial order-preserving encryption), published by Roche et al. in 2016. Its framework uses a tree structure, and because the interactive sorting between server and client is deferred to the query phase, it achieves the strongest order-preserving encryption security so far, IND-FAPCPA, i.e. indistinguishability under a frequency-analyzing partial-order-preserving chosen-plaintext attack. The paper does not state whether client authentication is required in POPE's interactive sorting between server and client. If it were required, POPE would have forward security, but in most real application scenarios authentication during a large number of interactive sorting steps greatly reduces efficiency and usability, so POPE does not suit those scenarios. The algorithm therefore performs no authentication during interactive sorting between server and client, and consequently has no forward security. The invention is thus the first framework algorithm capable of constructing forward-secure order-revealing encryption.
Disclosure of Invention
The invention aims to provide an order-revealing encryption framework algorithm with forward security.
The invention provides an order-revealing encryption framework algorithm with forward security, which compiles an original order-preserving or order-revealing encryption scheme into a forward-secure order-revealing encryption framework algorithm. The original order-preserving or order-revealing encryption is represented as an algorithm tuple ORE = (ORE.Setup, ORE.Encrypt, ORE.Compare), whose three elements are respectively the initialization algorithm (ORE.Setup), the encryption algorithm (ORE.Encrypt) and the comparison algorithm (ORE.Compare); the compiled forward-secure order-revealing encryption framework algorithm tuple is represented as ORE_fp = (Setup, Encrypt, Compare).
Notation: e is the intermediate ciphertext (obtained from the original order-preserving or order-revealing encryption algorithm); s is an ordering space, which may be a data table in a relational database or a data file in a non-relational database; λ is a security parameter; (sk, pk) are the private and public keys of the trapdoor permutation; the algorithm master key is k_0; the ordering token map OT holds, for each ordering space s, the last ordering token OT_i and the current pointer/counter i (counting from 0); m ∈ {0,1}^* is the data to be encrypted; c is a ciphertext; add is an operation identifier; σ denotes the remaining parameters of the original order-preserving or order-revealing encryption algorithm; c_p and c_q are the ciphertexts to be compared, where p and q are their position pointers (i.e. sequence numbers) in the database; Π and Π^{-1} are the forward and reverse trapdoor permutation functions respectively; the key generation function of the trapdoor permutation is KeyGen(1^λ); H is a keyed hash function; PRF is a pseudorandom function.
The compiled forward-secure order-revealing encryption framework algorithm provided by the invention has the following three elements, in detail:
Setup(1^λ), the start-up/initialization algorithm: according to the input security parameter λ, perform the following operations:
i. initialize the ordering token map OT;
ii. (sk, pk) ← KeyGen(1^λ): generate the private and public keys of the trapdoor permutation with the trapdoor permutation key generation function;
iii.
Figure BDA0001509224600000043
randomly select a 0-1 string of length equal to the security parameter as the master key of the whole algorithm.
Encrypt(add, σ, m, s), the encryption algorithm: according to the input operation identifier, the remaining parameters of the original order-preserving or order-revealing encryption, the plaintext and the ordering space, perform the following operations:
i.
Figure BDA0001509224600000051
the client evaluates the pseudorandom function on the ordering space under the master key to obtain the key of that ordering space;
ii. (OT_i, i) ← OT[s]: obtain the current last ordering token and the current pointer/counter from the ordering token map;
iii. if (OT_i, i) is null, let i = -1 and choose OT_{i+1} at random from the ordering token space; otherwise compute
Figure BDA0001509224600000052
the newest ordering token from the trapdoor permutation private key and the last ordering token;
iv. OT[s] ← (OT_{i+1}, i+1): put the newest ordering token and the pointer/counter into the ordering token map;
v.
Figure BDA0001509224600000053
from the ordering-space key, the newest ordering token, the operation identifier, the remaining parameters of the original order-preserving or order-revealing encryption and the plaintext, obtain the ciphertext by XORing the output of the original encryption algorithm with the output of the keyed hash function;
vi. send the ciphertext c_{i+1} to the server for storage in the encrypted database.
Figure BDA0001509224600000054
the comparison algorithm: according to the remaining parameters of the original order-preserving or order-revealing encryption, the two ciphertexts to be compared with sequence numbers p and q in ordering space s, and the ordering space s, perform the following operations:
i.
Figure BDA0001509224600000055
the client evaluates the pseudorandom function on the ordering space under the master key to obtain the key of that ordering space;
ii. (OT_i, i) ← OT[s]: obtain the current last ordering token and the current pointer/counter from the ordering token map;
iii. if (OT_i, i) is null, no data exists in ordering space s, and the empty set is returned; otherwise send the last ordering token, the token pointer/counter, the ordering-space key and the remaining parameters of the original order-preserving or order-revealing encryption to the server;
iv.
Figure BDA0001509224600000056
from the two ciphertexts, the ordering-space key, the trapdoor permutation public key and the last ordering token, the server computes, by forward trapdoor permutation, the keyed hash function and XOR, the intermediate ciphertexts corresponding to the two ciphertexts, i.e. the ciphertexts produced by the original order-preserving or order-revealing encryption algorithm;
v.
Figure BDA0001509224600000057
the server runs the original order-preserving or order-revealing comparison algorithm on the two intermediate ciphertexts to obtain their order, and finally returns a data set to the client according to the result.
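The three algorithms above, as an added end-to-end example in Python; this is not the patent's own code. It assumes RSA with small constructed primes as the trapdoor permutation (the client applies the private-key direction to derive each new token, the server walks back with the public key), HMAC-SHA256 as both PRF and H, a keyed monotone integer encoding as a stand-in for the original order-preserving encryption, and H keyed by the ordering-space key over the ordering token alone with its output truncated to the ciphertext width (the exact hash inputs are shown only as images in the source). The names Client, server_compare, toy_ore_encrypt and noise are mine.

```python
import hashlib
import hmac
import secrets

# Added example, not the patent's code. Toy parameters: a 40-bit RSA modulus
# and a keyed monotone encoding in place of a real OPE scheme. It shows the
# data flow of Setup / Encrypt / Compare, not a secure instantiation.

def _next_prime(n):
    """Smallest prime >= n by trial division (fine for 7-digit toy primes)."""
    while any(n % d == 0 for d in range(2, int(n ** 0.5) + 1)):
        n += 1
    return n

def rsa_keygen():
    """Toy trapdoor permutation: forward Pi(x) = x^e mod n needs only the
    public key; the inverse Pi^-1(y) = y^d mod n needs the private exponent."""
    p, q = _next_prime(10 ** 6), _next_prime(10 ** 6 + 10)
    n, e = p * q, 65537
    d = pow(e, -1, (p - 1) * (q - 1))
    return n, e, d

CT_BYTES = 8  # width of the stand-in ORE ciphertext, and of the XOR noise

def toy_ore_encrypt(sigma, m):
    """Stand-in for ORE.Encrypt (assumption, not a real scheme): keyed,
    deterministic and order preserving for 0 <= m < 2**32, the high 32 bits
    carry m and the low 32 bits a keyed tag."""
    tag = hmac.new(sigma, m.to_bytes(4, "big"), hashlib.sha256).digest()[:4]
    return (m << 32) | int.from_bytes(tag, "big")

def toy_ore_compare(e1, e2):
    """Stand-in for ORE.Compare: bit 1 if e1 < e2, else 0."""
    return 1 if e1 < e2 else 0

def space_key(k0, s):
    """k_s = PRF(k_0, s): the per-ordering-space key."""
    return hmac.new(k0, s.encode(), hashlib.sha256).digest()

def noise(ks, token):
    """H(k_s, OT): keyed hash of the ordering token, truncated to the
    ciphertext width (the worked example keeps the last 16 hex digits)."""
    digest = hmac.new(ks, token.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(digest[-CT_BYTES:], "big")

class Client:
    """Holds k_0, the trapdoor private key and the ordering-token map OT."""

    def __init__(self, master_key=None):
        self.n, self.pk, self.sk = rsa_keygen()                       # Setup ii
        self.k0 = master_key if master_key is not None else secrets.token_bytes(16)  # Setup iii
        self.sigma = secrets.token_bytes(16)  # remaining parameters of the original ORE
        self.ot = {}                          # Setup i: OT maps s -> (OT_i, i)

    def encrypt(self, m, s):
        """Encrypt(add, sigma, m, s); returns (ciphertext, its position i+1)."""
        ks = space_key(self.k0, s)                                    # step i
        if s not in self.ot:                                          # step iii, empty space
            i, ot_next = -1, secrets.randbelow(self.n - 2) + 2        # random OT_0
        else:                                                         # step iii, extend chain
            ot_i, i = self.ot[s]
            ot_next = pow(ot_i, self.sk, self.n)                      # OT_{i+1} = Pi^-1_sk(OT_i)
        self.ot[s] = (ot_next, i + 1)                                 # step iv
        c = toy_ore_encrypt(self.sigma, m) ^ noise(ks, ot_next)       # step v
        return c, i + 1

    def compare_token(self, s):
        """Compare, client side (steps i-iii): the message sent to the server,
        or None when the ordering space holds no data."""
        if s not in self.ot:
            return None
        ot_i, i = self.ot[s]
        return (ot_i, i, space_key(self.k0, s), self.sigma)

def server_compare(n, pk, token, c_p, p, c_q, q):
    """Compare, server side (steps iv-v): walk the token chain forward with
    the public key, strip the noise, then run the original comparison."""
    ot_i, i, ks, _sigma = token   # sigma is carried as the page describes; the toy compare needs no key

    def strip(c, pos):
        t = ot_i
        for _ in range(i - pos):          # OT_pos = Pi^(i-pos)_pk(OT_i)
            t = pow(t, pk, n)
        return c ^ noise(ks, t)

    return toy_ore_compare(strip(c_p, p), strip(c_q, q))

def demo():
    """Encrypts 123456 then 123457 into one ordering space and compares both ways."""
    client = Client()
    c0, p0 = client.encrypt(123456, "ABCDEF")
    c1, p1 = client.encrypt(123457, "ABCDEF")
    token = client.compare_token("ABCDEF")
    lt = server_compare(client.n, client.pk, token, c0, p0, c1, p1)
    gt = server_compare(client.n, client.pk, token, c1, p1, c0, p0)
    return lt, gt

if __name__ == "__main__":
    print(demo())  # (1, 0)
```

The server never learns the private exponent, so it can only move from a newer token to older ones; a ciphertext inserted after the last token the server was given has noise under a token the server cannot derive, which is the forward-security property the framework is after.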
To further ensure the security and practicality of the method, the invention also provides two data deletion algorithms, described as follows:
The first deletion algorithm constructs a "deletion database" with the same structure, using the same compilation framework algorithm. When deleting data, an extra check is needed of whether the data has already been deleted, and when comparing data order, an extra check is needed of whether the data has been deleted, i.e. whether it exists in the "deletion database". This method also guarantees and realizes backward security of the order-revealing encryption, and is the first framework that can be compiled to produce order-revealing encryption satisfying backward security.
The second deletion algorithm requires some changes to the compilation framework algorithm: with each data insertion, a plaintext sequence number is inserted as well, indicating the number of insertions so far. Thus, after data in the normal data table has been deleted, the difference of sequence numbers still tells how many forward trapdoor permutations are needed to obtain the correct corresponding ordering token, so that the hash yields the correct data noise and, once the noise is removed, the correct order comparison result.
For the compilation framework algorithm, the server-side storage complexity does not increase compared with the original order-preserving or order-revealing encryption, while the client-side storage complexity increases by
Figure BDA0001509224600000061
where |S| is the number of ordering spaces,
Figure BDA0001509224600000062
is the size of the ordering token space, and |C_s| is the number of ciphertexts per ordering space. To reduce the client's storage complexity in some special scenarios, the invention also provides the following two schemes for improving the compilation framework algorithm:
i: for steps iii and iv of the encryption algorithm above, if OT[s] is empty, the selection of OT_0 is changed from random selection from the ordering token space to
Figure BDA0001509224600000063
and the ordering token map then stores only the pointer/counter, i.e. OT[s] ← (i+1), which reduces the client storage complexity to O(|S| log |C_s|). Under this method, if RSA is chosen as the trapdoor permutation algorithm, the time complexity of computing OT_i each time remains low: if (n, r) and (u, v, w) are the private key and the public key of the trapdoor permutation,
Figure BDA0001509224600000064
can be computed simply by the following algorithm:
Figure BDA0001509224600000065
where mod is the remainder operation.
ii: based on the method above, before each computation of OT_i we can count the encrypted data statistically, obtaining the amount of data in each ordering space, so that the client's storage complexity increase is zero; this method is, however, not applicable with the second deletion algorithm.
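Scheme i above, as an added Python example that is not the patent's code: the client keeps only the counter i per ordering space and recomputes OT_i on demand. The formula the source shows only as an image is not reproduced; the closed form used here (reduce the exponent d^i modulo φ(n), then one modular exponentiation) is my assumption of what it computes, as is the deterministic derivation of OT_0 from k_0 and s with HMAC-SHA256. RSA with small constructed primes stands in for the trapdoor permutation; the function names are mine.

```python
import hashlib
import hmac

# Added example, not the patent's code: counter-only ordering tokens with RSA
# as the trapdoor permutation. Toy primes found by trial division; NOT a
# secure key size.

def _next_prime(n):
    """Smallest prime >= n (trial division; fine for 7-digit toy primes)."""
    while any(n % d == 0 for d in range(2, int(n ** 0.5) + 1)):
        n += 1
    return n

P, Q = _next_prime(10 ** 6), _next_prime(10 ** 6 + 10)
N, PHI = P * Q, (P - 1) * (Q - 1)
E = 65537                      # public exponent: forward permutation
D = pow(E, -1, PHI)            # private exponent: inverse permutation

def initial_token(k0, s):
    """Deterministic OT_0 for ordering space s (assumed derivation:
    HMAC-SHA256(k0, s) reduced mod n), replacing the random choice so that
    OT_0 itself need not be stored."""
    digest = hmac.new(k0, s.encode(), hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % N

def token_iterative(ot0, i):
    """OT_i by i applications of the inverse permutation with the private key."""
    t = ot0
    for _ in range(i):
        t = pow(t, D, N)
    return t

def token_closed_form(ot0, i):
    """The same OT_i in one modular exponentiation: the exponent d^i is first
    reduced mod phi(n), which is valid for every element of Z_n when n is a
    product of two distinct primes."""
    return pow(ot0, pow(D, i, PHI), N)

def client_state_demo(k0, inserts):
    """Client storing only counters: returns {s: i} after the given sequence
    of insertions, plus the latest token per space recomputed on demand."""
    counters = {}
    for s in inserts:
        counters[s] = counters.get(s, -1) + 1
    latest = {s: token_closed_form(initial_token(k0, s), i)
              for s, i in counters.items()}
    return counters, latest
```

With a real 2048-bit modulus the saving matters: a chain of i tokens costs i private-key exponentiations if walked, but one exponentiation plus one cheap exponentiation modulo φ(n) in the closed form, and the client state per ordering space shrinks to one integer.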
The inventors emphasize that the compilation framework algorithm applies to order-preserving or order-revealing encryption with any storage that is not an ordered tree. Because the storage structure of a sorted tree directly exposes the order between data, contrary to the XOR noise operation of the invention, the forward security property cannot be realized there. However, order-preserving and order-revealing encryption stored in tree structures have a narrow range of application, so that at present they have little practical value and mostly academic security value; the framework therefore has wide applicability and practicality.
The invention provides a framework algorithm that compiles original order-preserving and order-revealing encryption into forward-secure order-preserving and order-revealing encryption. The compilation framework algorithm can be applied to order-preserving and order-revealing encryption with any non-tree-structured storage. The order-revealing encryption produced by the compilation gains the forward security property while preserving the security of the original algorithm, fully resists file injection attacks, suits most electronic data systems, and in particular protects electronic systems with third-party data sharing and data exchange equipment. Specifically, for security guarantees and extension, two data deletion algorithms are included; and for clients with limited storage, two optimizations are included to adjust the basic compilation framework algorithm to the requirements.
Detailed Description
The following describes an embodiment of the algorithm in detail, taking as example a client that encrypts the integer data "123456" and "123457", transmits them to the server database, and compares them.
In practical applications many schemes can be used for the keyed hash algorithm, the pseudorandom function and the trapdoor permutation function. The description below uses HMAC-SHA256 as both the pseudorandom function and the keyed hash function, RSA as the trapdoor permutation algorithm, and, as the original order-preserving/order-revealing encryption, the 2009 order-preserving encryption algorithm of Boldyreva et al. (Alexandra Boldyreva, Nathan Chenette, Younho Lee, and Adam O'Neill). Data are written in hexadecimal, the security parameter λ is 128, and the RSA key length is 2048 bits. Both values are stored in the same ordering space, represented in hexadecimal as ABCDEF.
I. Algorithm initialization phase
1. Initialize the ordering token map; it holds no data yet.
2. Invoking a trapdoor replacement key generation algorithm (in this example, using RSA algorithm), taking a modular length (i.e. key length) of 2048 bits, setting r to 10001, generating a public key pair (n, r) of (8C9A4D654BEE959FD862E311DF75AB5C58acdc 86ACC74BFEED8CD952853039D10F6AADFD0D6D7D8DF6F11E4A6E7827288ECA051D0392C07B63759CF 101F 19B3D877466B92BD80D5BE354413138FCBBA DA 8DA1C7E 085F0896CE783F3843 a3a 1438E776201854E C08F106B08D6C7A6B2DB97019B12769E7F329D9E 8726D 6B2DB97019B12769E 9D9E 26AD 0FAEF 038120F 038120 a B97019D 9a 7B 35D 7B 35D 7D 35D 7F 20D 35D 7D 35B 35D 7D 35D 7B 35D 7D 35D 7F 3D 7D 3D 35D 7B 35D 7D 3D7B 35D 7D 3D7B 3D 3B 35D 3D7B 35D 3D 7D 35D 3D7B 3D7B 3D 3:
(FAA6BFFAFC7D0C6EF46EF324CC513D28650005C1E195AACA34E4F350E73A826E2E567D672CA67A0484C5AA2F223347CF495542E5DFAF27E5F75F52589FDB58B2EAEEAE6F3EEF9D73E14268A2C012BEBD814E5C7ECBE406F5D43CA7242AF6C4D8C4E629C94A4ECDF3A35D0835BFE7F729A4642E45BD2D9E3261F3C76CA1822215,
8F9A61E431B18E2ED73390A6644F66F030B8E66C56DFA48C41712276731138DD9759C51BC90D959123A094428AEC33ACB82C18E88C3B0B0490121F9FCA7E1FC5C6203B0BE3A8F2EDDC54406598A60ACF3464C9FB50D374919836B1AC95833EB0B5679C6D967BFC7999C66EC9A67546903BD8D05BBA9F366BF254B054EC1AEFB5,
3. Randomly generate the master key k_0; its 0-1 string is 1000001101111101101101111001010011111111100100101000000010011001010001010101001001000010000101010101010011010101111011, which in hexadecimal is 826FB794FF925013295248442AA9F57B.
II. Encryption phase for the decimal integer data "123456":
1. Using the master key and HMAC-SHA256 as the pseudorandom function, derive the ordering-space key of ordering space ABCDEF:
0FBA9F7E9D84C2E9E3EA266E87FD6195416CAB51A452BE06E92D1CC3481843D1.
2. Obtain the last ordering token and pointer/counter of ordering space ABCDEF from the ordering token map; since no data has been stored yet, both are empty.
3. Randomly select an ordering token from the ordering token space:
f5DC4CA4F82691F885EFE921FF6A9E805D86a76a1533CA9830492009DA6F12F153176F39CBBC91D954E7637D801703E 689137a33B4ED67a66D0426C5a2592CBAF45B35D1C17FEB62F56F1C2F94D0170087a31a96DA13CC9030F5F884252DAAB8188FD57a88D7368AA6368E 08CBA513628E617589194D 229C 7B227C5574FC79A0EA3a04C7799 BD 78642B250DB 7F 262FEB81 DC4DE3F13B521905B 4838E67322B53B 3048281B 6303E 337753B 3E 3D 4D 7BD 11732B 1177B 1172B 6853B 35D 3a 35C 35F 35C 35F 2F 35D 35F 35D 3F 35D 3a 96F 31a96D 31a96 a31a96D 3C 35F 35B 35 a96 A3C 3 A3C 3B3 A3B 3.
4. Suppose the integer data "123456" encrypted by the original algorithm corresponds to the intermediate ciphertext 0001E27BF057FF96. Compute the keyed hash of the ordering token with HMAC-SHA256 under the ordering-space key; the result is:
597971622E7F416EF17CBCC6AC6452CEB747EEF095BB9B598A5563B44B66D7AF. Its last 16 hex digits are XORed bitwise with the intermediate ciphertext to obtain the final ciphertext 8A5481CFBB312839, which is stored in the server-side database. The number of digits taken is determined by the ciphertext length of the original order-preserving/order-revealing encryption. The final ciphertext after the XOR has the forward security property: the original comparison algorithm of the order-preserving/order-revealing encryption cannot obtain a correct order result from it.
III. Encryption phase for the decimal integer data "123457":
1. Using the master key and HMAC-SHA256 as the pseudorandom function, derive the ordering-space key of ordering space ABCDEF:
0FBA9F7E9D84C2E9E3EA266E87FD6195416CAB51A452BE06E92D1CC3481843D1.
2. Obtain the last ordering token and pointer/counter of ordering space ABCDEF from the ordering token map.
3. Compute the next ordering token by forward trapdoor permutation from the last ordering token and the private key:
5980B0529598C2B95EB49559ADAACE25FD634CA667AF5ECE99E81AAE4480F5A13F26FCBB2EE2CE256D724E78EA86ECE2874F5C9DB6D6F01B5BF91FC4E05B30F78A3B307C388487B777DB3F946A832C00131D239154158E4903C59DF3891E7DD 84E4D8A0B142FE8549CD48E2983F4DD7305EAC5752E53050B906BBF1445A03E814BDA2F65BF 6200A 59E67 AAB0B28E4E 3615626 DFCB 7243 CB7280 BA0A126736DA617606762E 3A 3EF70DC4B14FACB 14 FD 4C 5FD 5B 8B 278B 38F 24D 24F 24D 35F and the result AD 35B 35 AD 7F 31F 35 AD 7 AD 19F 31B 35F and the result BD 35 AD 7A 3B FD 3D 5F 735 FD 3D 3 AD 19F 735 FD 3 AD 19F 3D 3 AD 19 FD 3D.
4. Suppose the integer data "123457" encrypted by the original algorithm corresponds to the intermediate ciphertext 0001E27BFBF5008C. Compute the keyed hash of the ordering token with HMAC-SHA256 under the ordering-space key; the result is:
FE9226338791AAC85BD3006CF90A3CDB6D17816612DE586DABFE5BD90C2AD4AD. Its last 16 hex digits are XORed bitwise with the intermediate ciphertext to obtain the final ciphertext ABFFB9A2F7DFD421, which is stored in the server-side database.
IV. Comparison phase for the ciphertext data "8A5481CFBB312839" and "ABFFB9A2F7DFD421":
1. The client uses the master key and HMAC-SHA256 as the pseudorandom function to derive the ordering-space key of ordering space ABCDEF:
0FBA9F7E9D84C2E9E3EA266E87FD6195416CAB51A452BE06E92D1CC3481843D1.
2. The client obtains the last ordering token and the pointer/counter of ordering space ABCDEF from the ordering token map. Since ciphertext data exists on the server and the ordering token is not null, the client sends the last ordering token, the pointer/counter, the ordering-space key of ABCDEF and the parameters required by the comparison function of the original order-preserving/order-revealing algorithm to the server.
3. Using the trapdoor permutation public key, the last ordering token and the pointer/counter, the server computes backwards the corresponding ordering tokens (as described above), and obtains their keyed hashes with HMAC-SHA256 under the ordering-space key; the results are respectively:
597971622E7F416EF17CBCC6AC6452CEB747EEF095BB9B598A5563B44B66D7AF,
FE9226338791AAC85BD3006CF90A3CDB6D17816612DE586DABFE5BD90C2AD4AD.
4. XOR the last 16 hex digits of each hash value with the corresponding ciphertext stored on the server to obtain the ciphertexts of the original order-preserving/order-revealing encryption, namely 0001E27BF057FF96 and 0001E27BFBF5008C. Obtain the comparison result with the original order-preserving/order-revealing comparison algorithm, and return the result data set to the client according to the ordering result and the query statement.
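The noise step of the worked example, checked in Python as an added example that is not part of the patent text: the mask is the last 16 hex digits of the HMAC-SHA256 output (the width of the intermediate ciphertext), XORed onto the intermediate ciphertext on the client and XORed off again on the server. The hash values and intermediate ciphertexts are the ones quoted above; the function names are mine, and the keys that produced those hashes are not given on the page, so the hashes are used as constants.

```python
# Added check of the worked example above (not part of the patent text).

def mask_from_digest(digest_hex, ct_hex_len):
    """Keep the low-order ct_hex_len hex digits of the keyed-hash output;
    the width follows the ciphertext length of the original ORE scheme."""
    if ct_hex_len > len(digest_hex):
        raise ValueError("ciphertext wider than the hash output")
    return int(digest_hex[-ct_hex_len:], 16)

def add_noise(intermediate_hex, digest_hex):
    """Client side: final ciphertext = intermediate ciphertext XOR mask,
    returned as upper-case hex of the same width."""
    width = len(intermediate_hex)
    c = int(intermediate_hex, 16) ^ mask_from_digest(digest_hex, width)
    return f"{c:0{width}X}"

# XOR is an involution, so the server strips the noise with the same function.
strip_noise = add_noise

# Values quoted in the patent's worked example (phases II to IV).
H1 = "597971622E7F416EF17CBCC6AC6452CEB747EEF095BB9B598A5563B44B66D7AF"
H2 = "FE9226338791AAC85BD3006CF90A3CDB6D17816612DE586DABFE5BD90C2AD4AD"
E1, E2 = "0001E27BF057FF96", "0001E27BFBF5008C"

def check_example():
    """Returns the two final ciphertexts and whether stripping recovers
    the intermediate ciphertexts used for the original comparison."""
    c1, c2 = add_noise(E1, H1), add_noise(E2, H2)
    recovered = (strip_noise(c1, H1), strip_noise(c2, H2))
    return c1, c2, recovered == (E1, E2)

if __name__ == "__main__":
    print(check_example())  # ('8A5481CFBB312839', 'ABFFB9A2F7DFD421', True)
```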

Claims (3)

1. A de-ordering encryption framework algorithm with forward security, characterized in that an original order-preserving encryption or order-revealing encryption scheme is compiled into a forward-secure de-ordering encryption framework algorithm; wherein the original order-preserving encryption or order-revealing encryption is represented as the algorithm tuple ORE = (ORE_Setup, ORE_Encrypt, ORE_Compare), whose three elements are the ORE_Setup initialization algorithm, the ORE_Encrypt encryption algorithm and the ORE_Compare comparison algorithm; the compiled forward-secure de-ordering encryption framework algorithm tuple is represented as ORE_fp = (Setup, Encrypt, Compare);
Let e be the intermediate ciphertext, i.e. the ciphertext produced by the original order-preserving or order-revealing encryption algorithm; s is an ordering space, which is a data table in a relational database and a data file in a non-relational database; λ is the security parameter; (sk, pk) are the private key and public key of the trapdoor permutation; the master key of the algorithm is k_0; the ordering token map OT holds, for each ordering space s, the last ordering token OT_i and the current pointer/counter i, where i counts from 0; m ∈ {0,1}* is the data to be encrypted; c is a ciphertext; add is an operation identifier; σ denotes the remaining parameters of the original order-preserving or order-revealing encryption algorithm;
Figure FDA0002444850270000011
and
Figure FDA0002444850270000012
are the ciphertexts to be compared, where p and q are their position pointers, i.e. sequence numbers, in the database; π and π^{-1} are the forward and inverse trapdoor permutation functions respectively; the key generation function of the trapdoor permutation is KeyGen(1^λ); H is a keyed hash function; PRF is a pseudorandom function;
The three elements are specified as follows:
Setup(1^λ), the setup/initialization algorithm: given the security parameter λ as input, perform the following operations:
i. initialize the ordering token map OT;
ii. (sk, pk) ← KeyGen(1^λ): generate the private key and public key of the trapdoor permutation with the trapdoor permutation key generation function;
iii.
Figure FDA0002444850270000013
randomly select a 0-1 string whose length equals the security parameter as the master key of the whole algorithm;
Encrypt(add, σ, m, s), the encryption algorithm: given the operation identifier, the remaining parameters of the original order-preserving or order-revealing encryption, the plaintext and the ordering space as input, perform the following operations:
i.
Figure FDA0002444850270000014
the client evaluates the pseudorandom function on the ordering space under the master key to obtain the key of that ordering space;
ii. (OT_i, i) ← OT[s]: obtain the current last ordering token and the current pointer/counter from the ordering token map;
iii. if (OT_i, i) is null, set i = -1 and choose OT_{i+1} uniformly at random from the ordering token space; otherwise compute
Figure FDA0002444850270000021
the latest ordering token from the trapdoor permutation private key and the last ordering token;
iv. OT[s] ← (OT_{i+1}, i+1): store the latest ordering token and the pointer/counter in the ordering token map;
v.
Figure FDA0002444850270000022
from the key of the ordering space, the latest ordering token, the operation identifier, the remaining parameters of the original order-preserving or order-revealing encryption and the plaintext, obtain the ciphertext through the encryption algorithm of the original order-preserving or order-revealing encryption and the keyed hash function;
vi. send the ciphertext c_{i+1} to the server and store it in the encrypted database;
Figure FDA0002444850270000023
the comparison algorithm: given the remaining parameters of the original order-preserving or order-revealing encryption, the two ciphertexts to be compared with sequence numbers p and q in the ordering space s, and the ordering space s, perform the following operations:
i.
Figure FDA0002444850270000024
the client evaluates the pseudorandom function on the ordering space under the master key to obtain the key of that ordering space;
ii. (OT_i, i) ← OT[s]: obtain the current last ordering token and the current pointer/counter from the ordering token map;
iii. if (OT_i, i) is null, no data exists in the ordering space s and the empty set is returned; otherwise send the last ordering token, the token pointer/counter, the ordering space key and the remaining parameters of the original order-preserving or order-revealing encryption to the server;
iv.
Figure FDA0002444850270000025
from the two ciphertexts, the ordering space key, the trapdoor permutation public key and the last ordering token, the server computes the intermediate ciphertexts corresponding to the two ciphertexts, i.e. the ciphertexts encrypted under the original order-preserving or order-revealing encryption algorithm, through forward trapdoor permutation, the keyed hash function and XOR;
v.
Figure FDA0002444850270000026
the server obtains the order of the two intermediate ciphertexts by running the comparison algorithm of the original order-preserving or order-revealing encryption, and finally returns the data set to the client according to the result.
2. The de-ordering encryption framework algorithm with forward security according to claim 1, further comprising two data deletion algorithms, specified as follows:
the first deletion algorithm constructs a deletion database of identical structure according to the compiled forward-secure de-ordering encryption framework; when data is deleted, and when data order is compared, it must additionally be checked whether the data has been deleted, i.e. whether it exists in the 'deletion database';
the second deletion algorithm makes a small change to the compiled forward-secure de-ordering encryption framework: on every data insertion the plaintext sequence number is inserted as well, to indicate which insertion this is; thus, even after data in the normal data table has been deleted, the number of forward trapdoor permutations required can still be determined from the difference of sequence numbers, so that the correct corresponding ordering token is obtained, its hash yields the correct data noise, and after removing the noise a correct order comparison result is obtained.
3. The de-ordering encryption framework algorithm with forward security according to claim 1, characterized in that the algorithm further comprises the following two schemes, which modify the compiled forward-secure de-ordering encryption framework to reduce the storage complexity of the client in some special scenarios:
i. for steps iii and iv of the above encryption algorithm, if OT[s] is empty, the way OT_0 is chosen is changed from random selection from the ordering token space to
Figure FDA0002444850270000031
and the ordering token map then stores only the pointer/counter, i.e. OT[s] ← (i+1), which reduces the client storage complexity to O(|S| log |C_s|), where |S| is the number of ordering spaces and |C_s| is the number of ciphertexts in each ordering space; under this method, if RSA is chosen as the trapdoor permutation algorithm, the time complexity of computing OT_i each time remains low: if (n, r) and (u, v, w) are the private key and the public key of the trapdoor permutation,
Figure FDA0002444850270000032
is computed by the following algorithm:
f = w^i mod (u-1)(v-1),
Figure FDA0002444850270000033
where mod is the remainder operation;
ii. based on the above method, before each computation of OT_i a statistical count of the encrypted data is performed to obtain the number of data items in the different ordering spaces, ensuring that the storage complexity increment of the client is zero.
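The framework of claim 1 and the worked comparison in steps 2 to 4 above, as an added Python illustration that is not the patent's own code: a toy RSA trapdoor permutation with a hard-coded demo key stands in for KeyGen, an affine map stands in for the original order-preserving/order-revealing scheme, and, as in the page's example, the last 16 hex digits of an HMAC-SHA256 keyed with the ordering-space key serve as the XOR mask; all three are assumptions of this demo.

```python
import hashlib, hmac, secrets

# Toy RSA trapdoor permutation over Z_N. Demo key only (hard-coded Mersenne primes,
# not secure); a deployment would run KeyGen(1^lambda) for a proper RSA modulus.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
TOKEN_BYTES = (N.bit_length() + 7) // 8

def perm_fwd(t): return pow(t, E, N)   # pi_pk: public key, the server may apply it
def perm_inv(t): return pow(t, D, N)   # pi_sk^{-1}: private key, client only

# Stand-in for the original ORE (assumed toy: e = a*m + b is order-preserving).
SIGMA = (5, 1000)
def ore_encrypt(sigma, m): return sigma[0] * m + sigma[1]
def ore_compare(e_p, e_q): return (e_p > e_q) - (e_p < e_q)   # -1, 0 or 1

def mask(ks, token):
    # H(k_s, OT): HMAC-SHA256 keyed with the ordering-space key; its low 64 bits
    # (last 16 hex digits) are XORed onto the 64-bit intermediate ciphertext.
    tag = hmac.new(ks, token.to_bytes(TOKEN_BYTES, "big"), hashlib.sha256).digest()
    return int.from_bytes(tag[-8:], "big")

class Client:
    def __init__(self):
        self.k0 = secrets.token_bytes(32)   # master key k_0
        self.OT = {}                        # ordering token map: s -> (OT_i, i)

    def space_key(self, s):                 # k_s = PRF(k_0, s)
        return hmac.new(self.k0, s.encode(), hashlib.sha256).digest()

    def encrypt(self, sigma, m, s):
        if s not in self.OT:                # first insert: i = -1, random OT_0
            tok, i = secrets.randbelow(N - 2) + 2, -1
        else:                               # OT_{i+1} = pi_sk^{-1}(OT_i)
            tok, i = self.OT[s]
            tok = perm_inv(tok)
        self.OT[s] = (tok, i + 1)
        return ore_encrypt(sigma, m) ^ mask(self.space_key(s), tok)

    def compare_request(self, s):           # (OT_i, i, k_s) sent to the server
        return None if s not in self.OT else (*self.OT[s], self.space_key(s))

def server_compare(c_p, p, c_q, q, tok_i, i, ks):
    # OT_j = pi_pk^(i-j)(OT_i), j <= i: the server only rolls tokens forward,
    # so tokens of rows inserted after this request cannot be derived from it.
    def unmask(c, j):
        t = tok_i
        for _ in range(i - j):
            t = perm_fwd(t)
        return c ^ mask(ks, t)
    return ore_compare(unmask(c_p, p), unmask(c_q, q))
```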
CN201711345342.7A 2017-12-15 2017-12-15 De-ordering encryption framework algorithm with forward security Active CN108039944B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711345342.7A CN108039944B (en) 2017-12-15 2017-12-15 De-ordering encryption framework algorithm with forward security

Publications (2)

Publication Number Publication Date
CN108039944A CN108039944A (en) 2018-05-15
CN108039944B true CN108039944B (en) 2020-09-01

Family

ID=62103064

Country Status (1)

Country Link
CN (1) CN108039944B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108768639B (en) * 2018-06-06 2021-07-06 University of Electronic Science and Technology of China Public key order-preserving encryption method
CN113254971B (en) * 2021-06-09 2022-07-05 The 30th Research Institute of China Electronics Technology Group Corporation Multi-data type ciphertext comparison method based on de-scrambling encryption

Citations (3)

Publication number Priority date Publication date Assignee Title
CN102843372A (en) * 2012-08-28 2012-12-26 Xi'an Jiaotong University Order-preserving encryption method based on random interval partition
CN105592100A (en) * 2016-01-26 2016-05-18 Xidian University Government services cloud access control method based on attribute encryption
CN106850652A (en) * 2017-02-21 2017-06-13 Chongqing University of Posts and Telecommunications An arbitrated searchable encryption method

Family Cites Families (2)

Publication number Priority date Publication date Assignee Title
KR20150108516A (en) * 2014-03-18 2015-09-30 Electronics and Telecommunications Research Institute Decryptable index generating method for range query, searching method, and decoding method
US10402792B2 (en) * 2015-08-13 2019-09-03 The Toronto-Dominion Bank Systems and method for tracking enterprise events using hybrid public-private blockchain ledgers

Non-Patent Citations (2)

Title
POPE: Partial Order Preserving Encoding; Daniel S. Roche; ACM; 2016-12-31; full text *
Grid-based location privacy protection scheme based on order-preserving encryption; Shen Nan; Journal on Communications; 2017-07-25 (No. 7); full text *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant