CN108880798B - Attribute-based re-encryption method for realizing fine-grained attribute revocation - Google Patents
- Publication number
- CN108880798B CN201810684303.8A CN201810684303A
- Authority
- CN
- China
- Prior art keywords
- attribute
- ciphertext
- file
- encryption
- revocation
- Legal status
- Active
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
- H04L9/0863—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
- H04L9/0891—Revocation or update of secret information, e.g. encryption key update or rekeying
- H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
- H04L9/3066—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
Landscapes
- Engineering & Computer Science (AREA)
- Signal Processing (AREA)
- Computer Networks & Wireless Communication (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- Mathematical Physics (AREA)
- Physics & Mathematics (AREA)
- Pure & Applied Mathematics (AREA)
- Mathematical Optimization (AREA)
- Computing Systems (AREA)
- Mathematical Analysis (AREA)
- General Physics & Mathematics (AREA)
- Algebra (AREA)
- Storage Device Security (AREA)
Abstract
The invention discloses an attribute-based re-encryption method for realizing fine-grained attribute revocation, which belongs to the field of information security and mainly comprises the following steps: A. system initialization; B. encryption; C. re-encryption: C1, user revocation information; C2, first re-encryption; C3, subsequent re-encryption. By introducing an attribute revocation list, when an attribute is revoked in the system, the encrypting party only needs to compute and update, through a re-encryption algorithm, the sub-ciphertexts corresponding to the revoked attribute, without recomputing the sub-ciphertexts corresponding to attributes that have not been revoked. This reduces the computational complexity, leaves the access rights of users who have not been revoked unaffected, and realizes fine-grained revocation of attribute authority. During re-encryption, the file is re-encrypted using only simple point multiplication and modular exponentiation operations, avoiding complex and time-consuming composite-order bilinear operations and multilinear operations, so the computational complexity is low and the revocation efficiency is high.
Description
Technical Field
The invention relates to an attribute-based re-encryption method for realizing fine-grained attribute revocation.
Background
The rapid development of big-data applications such as cloud computing has addressed today's problems of computing over and storing massive amounts of information and data; the arrival of the cloud computing era shows that information technology is moving rapidly toward large scale, intensification and specialization. However, cloud computing has problems: the security boundary is not fixed, the right to store data is separated from the right to use it, and users' private information is easily leaked. How to protect the confidentiality of data while implementing anonymous identity authentication and access control has therefore become a practical and urgent problem. Attribute-based encryption schemes use attributes to divide users at fine granularity and encrypt data under a specific access policy; the ciphertext can be decrypted only if the user's attributes satisfy the access policy. Attribute-based encryption is therefore particularly suitable for protecting the confidentiality of data while preserving the privacy of cloud platform users. In real deployments, attribute expiration, key leakage, changes of attribute authority and similar events inevitably occur. With most existing attribute-based encryption methods, however, revoking one user's authority over an attribute affects the other users in the system who hold that attribute, so it is difficult to revoke a user's attribute authority efficiently and at fine granularity, and difficult to update a user's access rights promptly when the user's attribute authority changes so that the user can no longer decrypt the ciphertext with the original key.
Rong elegance et al. (A CP-ABE scheme supporting complete fine-grained attribute revocation [J]. Journal of Software, 2012, 23(10):2805-2816) proposed in 2012 a CP-ABE method that supports complete fine-grained attribute revocation. The method uses composite-order bilinear groups and introduces the ideas of dual-system encryption and binary trees to realize fine-grained attribute revocation; it comprises four stages: initialization, key generation, encryption and decryption. When a user's attribute authority is revoked, the encrypting party processes the existing ciphertext with a re-encryption algorithm, so that the user whose attribute authority has been revoked cannot decrypt the file corresponding to the ciphertext with the original key. However, the decryption process of this method requires a large number of time-consuming composite-order bilinear pairing operations, so its efficiency is low; in addition, the ciphertext it generates is long, reaching $(3|B| + 2r + 2)\,|G_1|$ bits, where $|B|$ is the number of attributes declared in the access policy, $r$ is the number of revocation events, and $|G_1|$ is the length of an element of the commutative group on the elliptic curve. This greatly increases the communication burden of the system, so the method's practicality is poor.
Shi et al. (direct revocable key-policy attribute-based encryption with vertical encryption & decryption [J]. Information Sciences, 2015, 295:221-231) proposed a key-policy attribute-based encryption method, built on multilinear maps, that supports direct revocation of attributes. However, the method can only revoke all of a user's attributes at once, so its revocation granularity is coarse; in addition, it requires a large number of multilinear pairing operations during encryption, re-encryption and decryption, so attribute revocation is inefficient and the method is unsuitable for environments with limited computing resources. Moreover, the decryption policy is bound to the user key, and this way of binding attributes to ciphertexts limits the flexibility and practicality of the method.
Disclosure of Invention
The invention aims to provide an attribute-based re-encryption method for realizing fine-grained attribute revocation, which can efficiently revoke a user's attribute access authority and has higher security.
The technical scheme adopted by the invention to achieve this aim is an attribute-based re-encryption method for realizing fine-grained attribute revocation, comprising the following steps:
A. System initialization
A1. The system center SA selects a prime number $q$ with a length of 160 bits, and constructs a cyclic group $G$ of order $q$ on an elliptic curve and a base-field cyclic group $Y$ of order $q$; a bilinear mapping exists between the elements of the cyclic group $G$ on the elliptic curve and the elements of the base-field cyclic group $Y$, namely $y = e(g_1, g_2)$, where $g_1$ is an element of $G$, $g_2$ is another element of $G$, $y$ is an element of $Y$, and $e(\cdot,\cdot)$ denotes the bilinear mapping operation;
A2. The system center SA selects two random numbers that are less than the prime $q$ and not 0 as the system first key $a$ and the system second key $b$ respectively; it then selects three random elements of the cyclic group $G$ as the system third key $c$, the system fourth key $d$ and the system first public key $g$ respectively; SA performs the bilinear mapping operation on the system first public key $g$ and takes the result raised to the power of the system second key $b$ as the system second public key $B$, $B = e(g, g)^b$; SA performs $b$-fold point multiplication on the system third key $c$ to obtain the system third public key $C$, $C = c^b$;
A3. For the $p$-th user $ID_p$ in the system, the system center SA selects a random number that is less than the prime $q$ and not 0 as that user's identity $\lambda_p$, and sends the system second key $b$ and the user identity $\lambda_p$ to the corresponding user $ID_p$ through a secure channel; SA sends the system first key $a$ and the system fourth key $d$ to the attribute authority AA;
A4. The system has an attribute subset $W$, $W = \{w_1, \ldots, w_j, \ldots, w_{|W|}\}$, where $w_j$ is the $j$-th attribute in $W$ and $|W|$ is the total number of attributes $w_j$ in $W$; the attribute authority AA holds the key distribution and management authority for the attributes in $W$; for any attribute $w_j$ in $W$, AA selects a random number that is less than the prime $q$ and not 0 as the private key $t_j$ of attribute $w_j$, and performs $t_j$-fold point multiplication on the system first public key $g$ to obtain the attribute public key $T_j$ of attribute $w_j$;
A5. The attribute authority AA publicly maintains an attribute revocation list $R$, $R = \{R_1, R_2, \ldots, R_j, \ldots, R_{|W|}\}$, where $R_j$ is the attribute revocation sub-list of the $j$-th attribute $w_j$ in $W$; during initialization, AA uses the system first key $a$, the system second key $b$, the system third key $c$, the system fourth key $d$ and the private key $t_j$ of attribute $w_j$ to compute the initial revocation information $L_j$ of attribute $w_j$, and adds $L_j$ to the attribute revocation sub-list $R_j$ of attribute $w_j$; wherein × represents a modular multiplication operation, and represents a point addition operation in an elliptic curve;
B. Encryption
The encrypting party selects a first encryption random number $s$ and a second encryption random number $r$, both less than the prime $q$ and not 0, and encrypts the file $m$ using $s$, $r$ and the attribute subset $W$ to obtain the ciphertext $CT$ of file $m$, $CT = \{C_1, C_2, \{C_{3,j}, C_{4,j}\}_{j\in[1,|W|]}\}$, where $C_1$ is the first sub-ciphertext of file $m$, $C_2$ is the second sub-ciphertext of file $m$, $C_{3,j}$ is the third sub-ciphertext of file $m$ corresponding to attribute $w_j$, and $C_{4,j}$ is the fourth sub-ciphertext of file $m$ corresponding to attribute $w_j$;
C. Re-encryption
C1. User revocation information
User $ID_p$ holds the access right to an attribute $w_j$ in the attribute subset $W$. When the access right of user $ID_p$ to attribute $w_j$ is revoked, user $ID_p$ is recorded as the revoked user $ID_{rev}$; the attribute authority AA uses the identity $\lambda_{rev}$ of the revoked user $ID_{rev}$, the system first key $a$, the system second key $b$, the system third key $c$, the system fourth key $d$, the private key $t_j$ of attribute $w_j$ and the system first public key $g$ to compute the revocation information $L_{j,rev}$ of attribute $w_j$ with respect to the revoked user $ID_{rev}$;
C2. First re-encryption
If the attribute revocation sub-list $R_j$ of attribute $w_j$ does not yet contain any revoked user, the revoked user $ID_{rev}$ is named revoked user $ID_n$, and the revocation information $L_{j,rev}$ of attribute $w_j$ with respect to the revoked user $ID_{rev}$ is set equal to the revocation information $L_{j,n}$ of attribute $w_j$ with respect to the revoked user $ID_n$; $L_{j,n}$ is then added to the attribute revocation sub-list $R_j$ of attribute $w_j$, where $n$ is the serial number of the revoked user in $R_j$;
The encrypting party re-encrypts the ciphertext $CT$ corresponding to file $m$ as follows:
The encrypting party selects a random number $u$ that is less than the prime $q$ and not 0 and, together with the second encryption random number $r$ from step B, computes: the third re-encrypted sub-ciphertext $C'_{3,j}$ of file $m$ corresponding to attribute $w_j$; the fourth re-encrypted sub-ciphertext $C'_{4,j}$ of file $m$ corresponding to attribute $w_j$; the third revocation sub-ciphertext $C'_{3,j,n}$ of file $m$ corresponding to attribute $w_j$ for the revoked user $ID_n$; and the fourth revocation sub-ciphertext $C'_{4,j,n}$ of file $m$ corresponding to attribute $w_j$ for the revoked user $ID_n$;
Then the encrypting party uses $C'_{3,j}$ and $C'_{4,j}$ to update, respectively, the third sub-ciphertext $C_{3,j}$ and the fourth sub-ciphertext $C_{4,j}$ of file $m$ corresponding to attribute $w_j$, and appends $C'_{3,j,n}$ and $C'_{4,j,n}$ to the end of the ciphertext $CT$ of file $m$, obtaining the re-encrypted, updated ciphertext of file $m$, $CT = \{C_1, C_2, \{C_{3,j}, C_{4,j}\}_{j\in[1,|W|]}, \{C_{3,j,n}, C_{4,j,n}\}_{j\in[1,|W|],\,n\in[1,N]}\}$, where $N$ is the number of revoked users $ID_n$ in the attribute revocation sub-list $R_j$ of attribute $w_j$;
C3. Subsequent re-encryption
If the attribute revocation sub-list $R_j$ of attribute $w_j$ already contains other revoked users $ID_n$, the encrypting party re-encrypts the ciphertext $CT$ of file $m$ as follows:
The encrypting party selects a random number $v$ that is less than the prime $q$ and not 0, and computes the third updated revocation sub-ciphertext and the fourth updated revocation sub-ciphertext of file $m$ corresponding to attribute $w_j$ for the revoked user $ID_n$; it uses these to update, respectively, the third revocation sub-ciphertext $C_{3,j,n}$ and the fourth revocation sub-ciphertext $C_{4,j,n}$ of file $m$ corresponding to attribute $w_j$ for the revoked user $ID_n$, obtaining the re-encrypted, updated ciphertext of file $m$, $CT = \{C_1, C_2, \{C_{3,j}, C_{4,j}\}_{j\in[1,|W|]}, \{C_{3,j,n}, C_{4,j,n}\}_{j\in[1,|W|],\,n\in[1,N]}\}$;
The encrypting party computes the third revocation sub-ciphertext $C'_{3,j,rev}$ and the fourth revocation sub-ciphertext $C'_{4,j,rev}$ of file $m$ corresponding to attribute $w_j$ for the revoked user $ID_{rev}$;
Subsequently, the revoked user $ID_{rev}$ is renamed revoked user $ID_N$ and added to the attribute revocation sub-list $R_j$ of attribute $w_j$; that is, the index $N$ of the revoked user $ID_N$ equals the number $N$ of users in the attribute revocation sub-list $R_j$;
The third revocation sub-ciphertext $C'_{3,j,rev}$ of file $m$ corresponding to attribute $w_j$ for the revoked user $ID_{rev}$ is set equal to the third revocation sub-ciphertext $C_{3,j,n}$ of file $m$ corresponding to attribute $w_j$ for the revoked user $ID_N$, and the fourth revocation sub-ciphertext $C'_{4,j,rev}$ is set equal to the fourth revocation sub-ciphertext $C_{4,j,n}$ for the revoked user $ID_N$; $C_{3,j,n}$ and $C_{4,j,n}$ for the revoked user $ID_N$ are then appended to the end of the ciphertext $CT$ corresponding to file $m$, giving the re-encrypted, updated ciphertext corresponding to file $m$, $CT = \{C_1, C_2, \{C_{3,j}, C_{4,j}\}_{j\in[1,|W|]}, \{C_{3,j,n}, C_{4,j,n}\}_{j\in[1,|W|],\,n\in[1,N]}\}$.
Further, in step B of the present invention, the encrypting party encrypts the file $m$ using the first encryption random number $s$, the second encryption random number $r$ and the attribute subset $W$ to obtain the ciphertext $CT$ of file $m$, $CT = \{C_1, C_2, \{C_{3,j}, C_{4,j}\}_{j\in[1,|W|]}\}$, by the following specific method:
The encrypting party computes the first sub-ciphertext $C_1$ of file $m$ using the first encryption random number $s$, the second encryption random number $r$ and the system second public key $B$, $C_1 = m \cdot B^{s \times r}$;
The encrypting party computes the second sub-ciphertext $C_2$ of file $m$ using the first encryption random number $s$, the second encryption random number $r$ and the system first public key $g$, $C_2 = g^{s \times r}$;
According to a set decryption threshold $k$, the encrypting party selects a polynomial of degree $k-1$ as $f(x)$; the constant term of $f(x)$ equals the first encryption random number $s$, and the coefficients of the remaining terms are random numbers, each chosen by the encrypting party, that are less than the prime $q$ and not 0; the value obtained by substituting attribute $w_j$ for the argument $x$ in $f(x)$ is the secret sharing value $s_j$ of attribute $w_j$; from this the encrypting party obtains the third sub-ciphertext $C_{3,j}$ of file $m$ corresponding to attribute $w_j$ and the fourth sub-ciphertext $C_{4,j}$ of file $m$ corresponding to attribute $w_j$;
Finally, the first sub-ciphertext $C_1$ of file $m$, the second sub-ciphertext $C_2$, the third sub-ciphertext $C_{3,j}$ of file $m$ corresponding to attribute $w_j$ and the fourth sub-ciphertext $C_{4,j}$ of file $m$ corresponding to attribute $w_j$ are concatenated in sequence to obtain the ciphertext $CT$ of file $m$, $CT = \{C_1, C_2, \{C_{3,j}, C_{4,j}\}_{j\in[1,|W|]}\}$.
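The secret-sharing step of the encryption procedure above, as an added Python example that is not part of the patent text: it builds the degree $k-1$ polynomial $f(x)$ with constant term $s$ and nonzero random coefficients below $q$, derives the share $s_j = f(w_j)$ for each attribute, and shows that any $k$ shares give back $s$ while $k-1$ do not. The hash-based attribute encoding `attr_to_x`, the stand-in prime `Q`, the sample attribute names and the Lagrange-interpolation routine `recover_secret` are assumptions; the page does not describe how attributes are encoded or how $s$ is reconstructed.

```python
import hashlib
import secrets

# Constructed stand-in for the 160-bit prime q of step A1
# (the field prime of the secp160r1 curve); an assumption, not from the page.
Q = 2**160 - 2**31 - 1


def attr_to_x(attribute):
    """Assumed encoding: hash an attribute name to a nonzero element of Z_q."""
    x = int.from_bytes(hashlib.sha256(attribute.encode()).digest(), "big") % Q
    if x == 0:
        # Evaluating f at 0 would hand out the secret s itself as a share.
        raise ValueError("attribute encodes to x = 0")
    return x


def rand_nonzero():
    """Random number that is less than q and not 0, as the page requires."""
    return secrets.randbelow(Q - 1) + 1


def make_polynomial(s, k):
    """Coefficients [s, a_1, ..., a_{k-1}] of f(x): degree k-1, f(0) = s."""
    if k < 1:
        raise ValueError("decryption threshold k must be at least 1")
    if not 0 < s < Q:
        raise ValueError("s must be nonzero and less than q")
    return [s] + [rand_nonzero() for _ in range(k - 1)]


def evaluate(coeffs, x):
    """Horner evaluation of f(x) mod q."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc


def share_secret(s, k, attributes):
    """Return {attribute: (x_j, s_j)} with s_j = f(x_j) for a fresh polynomial f."""
    xs = {a: attr_to_x(a) for a in attributes}
    if len(set(xs.values())) != len(xs):
        # Two attributes on the same x would produce identical shares.
        raise ValueError("two attributes encode to the same x value")
    coeffs = make_polynomial(s, k)
    return {a: (xs[a], evaluate(coeffs, xs[a])) for a in attributes}


def recover_secret(points):
    """Lagrange interpolation at x = 0 over Z_q from (x_j, s_j) pairs."""
    xs = [x for x, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate x values")
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % Q
                den = den * (xi - xj) % Q
        # q is prime, so den has an inverse mod q whenever the x values differ.
        secret = (secret + yi * num * pow(den, -1, Q)) % Q
    return secret


if __name__ == "__main__":
    # Constructed sample attribute subset W and threshold k = 3.
    W = ["doctor", "cardiology", "hospital-A", "senior", "night-shift"]
    s = rand_nonzero()
    shares = share_secret(s, 3, W)
    three = [shares[a] for a in ("doctor", "senior", "night-shift")]
    print("3 shares recover s:", recover_secret(three) == s)
    print("2 shares recover s:", recover_secret(three[:2]) == s)
```

Because the leading coefficient of $f(x)$ is nonzero and every $x_j$ is nonzero, interpolating through only $k-1$ shares always yields a value different from $s$.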
Compared with the prior art, the beneficial effects of the invention are as follows:
By introducing an attribute revocation list, when an attribute is revoked in the system, the encrypting party only needs to compute and update, through a re-encryption algorithm, the sub-ciphertexts corresponding to the revoked attribute, without recomputing the sub-ciphertexts corresponding to attributes that have not been revoked. This reduces the computational complexity, leaves the access rights of users who have not been revoked unaffected, and realizes fine-grained revocation of attribute authority.
During re-encryption, the method re-encrypts the file using only simple point multiplication and modular exponentiation operations, avoiding complex and time-consuming composite-order bilinear operations and multilinear operations, so the computational complexity is low and the revocation efficiency is high.
The present invention is described in further detail below with reference to a specific embodiment.
Detailed Description
Examples
One specific embodiment of the present invention is an attribute-based re-encryption method for realizing fine-grained attribute revocation, which comprises the following steps:
A. System initialization
A1. The system center SA selects a prime number $q$ with a length of 160 bits, and constructs a cyclic group $G$ of order $q$ on an elliptic curve and a base-field cyclic group $Y$ of order $q$; a bilinear mapping exists between the elements of the cyclic group $G$ on the elliptic curve and the elements of the base-field cyclic group $Y$, namely $y = e(g_1, g_2)$, where $g_1$ is an element of $G$, $g_2$ is another element of $G$, $y$ is an element of $Y$, and $e(\cdot,\cdot)$ denotes the bilinear mapping operation;
A2. The system center SA selects two random numbers that are less than the prime $q$ and not 0 as the system first key $a$ and the system second key $b$ respectively; it then selects three random elements of the cyclic group $G$ as the system third key $c$, the system fourth key $d$ and the system first public key $g$ respectively; SA performs the bilinear mapping operation on the system first public key $g$ and takes the result raised to the power of the system second key $b$ as the system second public key $B$, $B = e(g, g)^b$; SA performs $b$-fold point multiplication on the system third key $c$ to obtain the system third public key $C$, $C = c^b$;
A3. For the $p$-th user $ID_p$ in the system, the system center SA selects a random number that is less than the prime $q$ and not 0 as that user's identity $\lambda_p$, and sends the system second key $b$ and the user identity $\lambda_p$ to the corresponding user $ID_p$ through a secure channel; SA sends the system first key $a$ and the system fourth key $d$ to the attribute authority AA;
A4. The system has an attribute subset $W$, $W = \{w_1, \ldots, w_j, \ldots, w_{|W|}\}$, where $w_j$ is the $j$-th attribute in $W$ and $|W|$ is the total number of attributes $w_j$ in $W$; the attribute authority AA holds the key distribution and management authority for the attributes in $W$; for any attribute $w_j$ in $W$, AA selects a random number that is less than the prime $q$ and not 0 as the private key $t_j$ of attribute $w_j$, and performs $t_j$-fold point multiplication on the system first public key $g$ to obtain the attribute public key $T_j$ of attribute $w_j$;
A5. The attribute authority AA publicly maintains an attribute revocation list $R$, $R = \{R_1, R_2, \ldots, R_j, \ldots, R_{|W|}\}$, where $R_j$ is the attribute revocation sub-list of the $j$-th attribute $w_j$ in $W$; during initialization, AA uses the system first key $a$, the system second key $b$, the system third key $c$, the system fourth key $d$ and the private key $t_j$ of attribute $w_j$ to compute the initial revocation information $L_j$ of attribute $w_j$, and adds $L_j$ to the attribute revocation sub-list $R_j$ of attribute $w_j$; wherein × represents a modular multiplication operation, and represents a point addition operation in an elliptic curve;
B. Encryption
The encrypting party selects a first encryption random number $s$ and a second encryption random number $r$, both less than the prime $q$ and not 0, and encrypts the file $m$ using $s$, $r$ and the attribute subset $W$ to obtain the ciphertext $CT$ of file $m$, $CT = \{C_1, C_2, \{C_{3,j}, C_{4,j}\}_{j\in[1,|W|]}\}$, where $C_1$ is the first sub-ciphertext of file $m$, $C_2$ is the second sub-ciphertext of file $m$, $C_{3,j}$ is the third sub-ciphertext of file $m$ corresponding to attribute $w_j$, and $C_{4,j}$ is the fourth sub-ciphertext of file $m$ corresponding to attribute $w_j$;
C. Re-encryption
C1. User revocation information
User $ID_p$ holds the access right to an attribute $w_j$ in the attribute subset $W$. When the access right of user $ID_p$ to attribute $w_j$ is revoked, user $ID_p$ is recorded as the revoked user $ID_{rev}$; the attribute authority AA uses the identity $\lambda_{rev}$ of the revoked user $ID_{rev}$, the system first key $a$, the system second key $b$, the system third key $c$, the system fourth key $d$, the private key $t_j$ of attribute $w_j$ and the system first public key $g$ to compute the revocation information $L_{j,rev}$ of attribute $w_j$ with respect to the revoked user $ID_{rev}$;
C2. First re-encryption
If the attribute revocation sub-list $R_j$ of attribute $w_j$ does not yet contain any revoked user, the revoked user $ID_{rev}$ is named revoked user $ID_n$, and the revocation information $L_{j,rev}$ of attribute $w_j$ with respect to the revoked user $ID_{rev}$ is set equal to the revocation information $L_{j,n}$ of attribute $w_j$ with respect to the revoked user $ID_n$; $L_{j,n}$ is then added to the attribute revocation sub-list $R_j$ of attribute $w_j$, where $n$ is the serial number of the revoked user in $R_j$;
The encrypting party re-encrypts the ciphertext $CT$ corresponding to file $m$ as follows:
The encrypting party selects a random number $u$ that is less than the prime $q$ and not 0 and, together with the second encryption random number $r$ from step B, computes: the third re-encrypted sub-ciphertext $C'_{3,j}$ of file $m$ corresponding to attribute $w_j$; the fourth re-encrypted sub-ciphertext $C'_{4,j}$ of file $m$ corresponding to attribute $w_j$; the third revocation sub-ciphertext $C'_{3,j,n}$ of file $m$ corresponding to attribute $w_j$ for the revoked user $ID_n$; and the fourth revocation sub-ciphertext $C'_{4,j,n}$ of file $m$ corresponding to attribute $w_j$ for the revoked user $ID_n$;
Then the encrypting party uses $C'_{3,j}$ and $C'_{4,j}$ to update, respectively, the third sub-ciphertext $C_{3,j}$ and the fourth sub-ciphertext $C_{4,j}$ of file $m$ corresponding to attribute $w_j$, and appends $C'_{3,j,n}$ and $C'_{4,j,n}$ to the end of the ciphertext $CT$ of file $m$, obtaining the re-encrypted, updated ciphertext of file $m$, $CT = \{C_1, C_2, \{C_{3,j}, C_{4,j}\}_{j\in[1,|W|]}, \{C_{3,j,n}, C_{4,j,n}\}_{j\in[1,|W|],\,n\in[1,N]}\}$, where $N$ is the number of revoked users $ID_n$ in the attribute revocation sub-list $R_j$ of attribute $w_j$;
C3. Subsequent re-encryption
If the attribute revocation sub-list $R_j$ of attribute $w_j$ already contains other revoked users $ID_n$, the encrypting party re-encrypts the ciphertext $CT$ of file $m$ as follows:
The encrypting party selects a random number $v$ that is less than the prime $q$ and not 0, and computes the third updated revocation sub-ciphertext and the fourth updated revocation sub-ciphertext of file $m$ corresponding to attribute $w_j$ for the revoked user $ID_n$; it uses these to update, respectively, the third revocation sub-ciphertext $C_{3,j,n}$ and the fourth revocation sub-ciphertext $C_{4,j,n}$ of file $m$ corresponding to attribute $w_j$ for the revoked user $ID_n$, obtaining the re-encrypted, updated ciphertext of file $m$, $CT = \{C_1, C_2, \{C_{3,j}, C_{4,j}\}_{j\in[1,|W|]}, \{C_{3,j,n}, C_{4,j,n}\}_{j\in[1,|W|],\,n\in[1,N]}\}$;
The encrypting party computes the third revocation sub-ciphertext $C'_{3,j,rev}$ and the fourth revocation sub-ciphertext $C'_{4,j,rev}$ of file $m$ corresponding to attribute $w_j$ for the revoked user $ID_{rev}$;
Subsequently, the revoked user $ID_{rev}$ is renamed revoked user $ID_N$ and added to the attribute revocation sub-list $R_j$ of attribute $w_j$; that is, the index $N$ of the revoked user $ID_N$ equals the number $N$ of users in the attribute revocation sub-list $R_j$;
The third revocation sub-ciphertext $C'_{3,j,rev}$ of file $m$ corresponding to attribute $w_j$ for the revoked user $ID_{rev}$ is set equal to the third revocation sub-ciphertext $C_{3,j,n}$ of file $m$ corresponding to attribute $w_j$ for the revoked user $ID_N$, and the fourth revocation sub-ciphertext $C'_{4,j,rev}$ is set equal to the fourth revocation sub-ciphertext $C_{4,j,n}$ for the revoked user $ID_N$; $C_{3,j,n}$ and $C_{4,j,n}$ for the revoked user $ID_N$ are then appended to the end of the ciphertext $CT$ corresponding to file $m$, giving the re-encrypted, updated ciphertext corresponding to file $m$, $CT = \{C_1, C_2, \{C_{3,j}, C_{4,j}\}_{j\in[1,|W|]}, \{C_{3,j,n}, C_{4,j,n}\}_{j\in[1,|W|],\,n\in[1,N]}\}$.
In step B, the encryption party encrypts the file $m$ using the first encryption random number $s$, the second encryption random number $r$ and the attribute subset $W$ to obtain the ciphertext CT of file $m$, $CT = \{C_1, C_2, \{C_{3,j}, C_{4,j}\}_{j \in [1,|W|]}\}$. The specific method is as follows:
The encryption party calculates the first sub-ciphertext $C_1$ of file $m$ using the first encryption random number $s$, the second encryption random number $r$ and the system second public key $B$: $C_1 = m \cdot B^{s \times r}$;
The encryption party calculates the second sub-ciphertext $C_2$ of file $m$ using the first encryption random number $s$, the second encryption random number $r$ and the system first public key $g$: $C_2 = g^{s \times r}$;
According to a set decryption threshold $k$, the encryption party selects a polynomial $f(x)$ of degree $k-1$; the constant term of $f(x)$ is equal to the first encryption random number $s$, and the remaining coefficients of $f(x)$ are random numbers, each selected by the encryption party, that are less than the prime number $q$ and not 0. The value obtained by substituting attribute $w_j$ into the polynomial $f(x)$ as the argument $x$ is the secret sharing value $s_j$ of attribute $w_j$. From this the encryption party further obtains the third sub-ciphertext $C_{3,j}$ of file $m$ corresponding to attribute $w_j$ and the fourth sub-ciphertext $C_{4,j}$ of file $m$ corresponding to attribute $w_j$;
Finally, the first sub-ciphertext $C_1$ of file $m$, the second sub-ciphertext $C_2$, the third sub-ciphertext $C_{3,j}$ of file $m$ corresponding to attribute $w_j$ and the fourth sub-ciphertext $C_{4,j}$ of file $m$ corresponding to attribute $w_j$ are concatenated in sequence to obtain the ciphertext of file $m$, $CT = \{C_1, C_2, \{C_{3,j}, C_{4,j}\}_{j \in [1,|W|]}\}$.
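The threshold sharing used in step B (a polynomial f(x) of degree k-1 with constant term s and shares s_j = f(w_j)) can be exercised on its own. The following Python sketch is an added example, not code from the patent: the SHA-256 encoding of attribute names, the choice of prime, and the Lagrange recovery at x = 0 are assumptions, and the sub-ciphertexts C3,j and C4,j are not modelled.

```python
import hashlib
import secrets

# Assumption: stand-in 160-bit prime (the secp160r1 field prime); the patent
# only requires "a prime number q with the length of 160 bit".
Q = 2**160 - 2**31 - 1


def attr_to_x(name):
    """Assumed encoding of an attribute w_j as a nonzero element of Z_q."""
    x = int.from_bytes(hashlib.sha256(name.encode()).digest(), "big") % Q
    if x == 0:  # f(0) is the secret s itself, so 0 must never be a share point
        raise ValueError(f"attribute {name!r} encodes to 0")
    return x


def evaluate(coeffs, x):
    """Horner evaluation of f(x) mod q; coeffs[0] is the constant term."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc


def share_secret(s, k, attributes):
    """Return {attribute: (x_j, s_j)} with s_j = f(x_j), deg f = k - 1, f(0) = s."""
    if not 1 <= k <= len(attributes):
        raise ValueError("threshold k must be between 1 and the attribute count")
    xs = [attr_to_x(a) for a in attributes]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share points make interpolation impossible")
    # Constant term s; the other k-1 coefficients are random, nonzero, < q.
    coeffs = [s % Q] + [secrets.randbelow(Q - 1) + 1 for _ in range(k - 1)]
    return {a: (x, evaluate(coeffs, x)) for a, x in zip(attributes, xs)}


def recover_secret(points):
    """Lagrange interpolation at x = 0 over Z_q from (x_j, s_j) pairs."""
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % Q
                den = den * (xi - xj) % Q
        secret = (secret + yi * num * pow(den, -1, Q)) % Q
    return secret


if __name__ == "__main__":
    s = secrets.randbelow(Q - 1) + 1          # first encryption random number
    # Constructed attribute names, for illustration only.
    shares = share_secret(s, 3, ["doctor", "cardiology", "ward-7", "senior"])
    pts = list(shares.values())
    print("k shares recover s:   ", recover_secret(pts[:3]) == s)
    print("k-1 shares recover s: ", recover_secret(pts[:2]) == s)
```

Because every non-constant coefficient is nonzero and no share point is 0, interpolating from only k-1 shares of this polynomial never lands on s, which is why the nonzero conditions in step B matter.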
Claims (1)
1. An attribute basis weight encryption method for realizing fine-grained attribute revocation comprises the following steps:
A. System initialization
A1, the system center SA selects a prime number $q$ with a length of 160 bits, and constructs a cyclic group $G$ on a q-order elliptic curve and a q-order base-field cyclic group $Y$; a bilinear mapping relation exists between the elements of the cyclic group $G$ on the q-order elliptic curve and the elements of the q-order base-field cyclic group $Y$, namely $y = e(g_1, g_2)$; where $g_1$ denotes an element of the cyclic group $G$ on the q-order elliptic curve, $g_2$ denotes another element of the cyclic group $G$ on the q-order elliptic curve, $y$ is an element of the q-order base-field cyclic group $Y$, and $e(\cdot,\cdot)$ denotes the bilinear mapping operation;
A2, the system center SA selects two random numbers that are less than the prime number $q$ and not 0, and uses them as the system first key $a$ and the system second key $b$ respectively; it then selects three random elements of the cyclic group $G$ on the q-order elliptic curve as the system third key $c$, the system fourth key $d$ and the system first public key $g$ respectively; the system center SA performs the bilinear mapping operation on the system first public key $g$ and raises the result to the power of the system second key $b$ to obtain the system second public key $B$, $B = e(g, g)^{b}$; the system center SA performs $b$-fold point multiplication on the system third key $c$ to obtain the system third public key $C$, $C = c^{b}$;
A3, for the p-th user $ID_p$ in the system, the system center SA selects a random number that is less than the prime number $q$ and not 0 as that user's identity identifier $\lambda_p$, and sends the system second key $b$ and the user identity identifier $\lambda_p$ to the corresponding user $ID_p$ through a secure channel; the system center SA sends the system first key $a$ and the system fourth key $d$ to an attribute authority AA;
A4, the system has an attribute subset $W$, $W = \{w_1, \dots, w_j, \dots, w_{|W|}\}$, where $w_j$ is the j-th attribute in the attribute subset $W$ and $|W|$ is the total number of attributes $w_j$ in the attribute subset $W$; the attribute authority AA has the key distribution and management authority for the attributes in the attribute subset $W$; for any attribute $w_j$ in the attribute subset $W$, the attribute authority AA selects a random number that is less than the prime number $q$ and not 0 as the private key $t_j$ of attribute $w_j$, and performs $t_j$-fold point multiplication on the system first public key $g$ to obtain the attribute public key $T_j$ of attribute $w_j$;
A5, the attribute authority AA publicly maintains an attribute revocation list $R$, $R = \{R_1, R_2, \dots, R_j, \dots, R_{|W|}\}$, where $R_j$ is the attribute revocation sub-list of the j-th attribute $w_j$ in the attribute subset $W$; at initialization, the attribute authority AA uses the system first key $a$, the system second key $b$, the system third key $c$, the system fourth key $d$ and the private key $t_j$ of attribute $w_j$ to calculate the initial revocation information $L_j$ of attribute $w_j$, and adds the initial revocation information $L_j$ of attribute $w_j$ to the attribute revocation sub-list $R_j$ of attribute $w_j$; wherein × represents a modular multiplication operation, and represents a point addition operation on the elliptic curve;
B. Encryption
The encryption party selects a first encryption random number $s$ and a second encryption random number $r$, both less than the prime number $q$ and not 0, and encrypts the file $m$ using the first encryption random number $s$, the second encryption random number $r$ and the attribute subset $W$ to obtain the ciphertext CT of file $m$, $CT = \{C_1, C_2, \{C_{3,j}, C_{4,j}\}_{j \in [1,|W|]}\}$; where $C_1$ is the first sub-ciphertext of file $m$, $C_2$ is the second sub-ciphertext of file $m$, $C_{3,j}$ is the third sub-ciphertext of file $m$ corresponding to attribute $w_j$, and $C_{4,j}$ is the fourth sub-ciphertext of file $m$ corresponding to attribute $w_j$;
The specific method by which the encryption party encrypts the file $m$ using the first encryption random number $s$, the second encryption random number $r$ and the attribute subset $W$ to obtain the ciphertext CT of file $m$ is as follows:
The encryption party calculates the first sub-ciphertext $C_1$ of file $m$ using the first encryption random number $s$, the second encryption random number $r$ and the system second public key $B$: $C_1 = m \cdot B^{s \times r}$;
The encryption party calculates the second sub-ciphertext $C_2$ of file $m$ using the first encryption random number $s$, the second encryption random number $r$ and the system first public key $g$: $C_2 = g^{s \times r}$;
According to a set decryption threshold $k$, the encryption party selects a polynomial $f(x)$ of degree $k-1$; wherein the constant term of $f(x)$ is equal to the first encryption random number $s$, and the remaining coefficients of $f(x)$ are random numbers, each selected by the encryption party, that are less than the prime number $q$ and not 0; the value obtained by substituting attribute $w_j$ into the polynomial $f(x)$ as the argument $x$ is the secret sharing value $s_j$ of attribute $w_j$; from this the encryption party further obtains the third sub-ciphertext $C_{3,j}$ of file $m$ corresponding to attribute $w_j$ and the fourth sub-ciphertext $C_{4,j}$ of file $m$ corresponding to attribute $w_j$;
Finally, the first sub-ciphertext $C_1$ of file $m$, the second sub-ciphertext $C_2$, the third sub-ciphertext $C_{3,j}$ of file $m$ corresponding to attribute $w_j$ and the fourth sub-ciphertext $C_{4,j}$ of file $m$ corresponding to attribute $w_j$ are concatenated in sequence to obtain the ciphertext of file $m$, $CT = \{C_1, C_2, \{C_{3,j}, C_{4,j}\}_{j \in [1,|W|]}\}$;
C. Re-encryption
C1, user revocation information
User $ID_p$ holds the access right to an attribute $w_j$ in the attribute subset $W$. When the access right of user $ID_p$ to attribute $w_j$ is revoked, user $ID_p$ is recorded as the revoked user $ID_{rev}$; the attribute authority AA uses the identity identifier $\lambda_{rev}$ of the revoked user $ID_{rev}$, the system first key $a$, the system second key $b$, the system third key $c$, the system fourth key $d$, the private key $t_j$ of attribute $w_j$ and the system first public key $g$ to calculate the revocation information $L_{j,rev}$ of attribute $w_j$ with respect to the revoked user $ID_{rev}$;
C2, first-time re-encryption
If the attribute revocation sub-list $R_j$ of attribute $w_j$ does not yet contain any revoked user, the revoked user $ID_{rev}$ is named revoked user $ID_n$, and the revocation information $L_{j,rev}$ of attribute $w_j$ with respect to revoked user $ID_{rev}$ is taken as the revocation information $L_{j,n}$ of attribute $w_j$ with respect to revoked user $ID_n$; the revocation information $L_{j,n}$ of attribute $w_j$ with respect to revoked user $ID_n$ is then added to the attribute revocation sub-list $R_j$ of attribute $w_j$; where $n$ is the serial number of the revoked user in the attribute revocation sub-list $R_j$;
The encryption party performs the following re-encryption on the ciphertext CT corresponding to the file $m$:
The encryption party selects a random number $u$ that is less than the prime number $q$ and not 0 and, combining it with the second encryption random number $r$ from step B, calculates: the third re-encrypted sub-ciphertext $C'_{3,j}$ of file $m$ corresponding to attribute $w_j$, the fourth re-encrypted sub-ciphertext $C'_{4,j}$ of file $m$ corresponding to attribute $w_j$, the third revocation sub-ciphertext $C'_{3,j,n}$ of file $m$ corresponding to attribute $w_j$ with respect to revoked user $ID_n$, and the fourth revocation sub-ciphertext $C'_{4,j,n}$ of file $m$ corresponding to attribute $w_j$ with respect to revoked user $ID_n$;
Then the encryption party uses the third re-encrypted sub-ciphertext $C'_{3,j}$ and the fourth re-encrypted sub-ciphertext $C'_{4,j}$ of file $m$ corresponding to attribute $w_j$ to update, respectively, the third sub-ciphertext $C_{3,j}$ and the fourth sub-ciphertext $C_{4,j}$ of file $m$ corresponding to attribute $w_j$; and appends the third revocation sub-ciphertext $C'_{3,j,n}$ and the fourth revocation sub-ciphertext $C'_{4,j,n}$ of file $m$ corresponding to attribute $w_j$ with respect to revoked user $ID_n$ to the end of the ciphertext CT of file $m$, obtaining the re-encrypted and updated ciphertext of file $m$, $CT = \{C_1, C_2, \{C_{3,j}, C_{4,j}\}_{j \in [1,|W|]}, \{C_{3,j,n}, C_{4,j,n}\}_{j \in [1,|W|],\, n \in [1,N]}\}$; where $N$ is the number of revoked users $ID_n$ in the attribute revocation sub-list $R_j$ of attribute $w_j$;
C3, subsequent re-encryption
If the attribute revocation sub-list $R_j$ of attribute $w_j$ already contains other revoked users $ID_n$, the encryption party performs the following re-encryption on the ciphertext CT of file $m$:
The encryption party selects a random number $v$ that is less than the prime number $q$ and not 0, and calculates: the third updated revocation sub-ciphertext of file $m$ corresponding to attribute $w_j$ with respect to revoked user $ID_n$, and the fourth updated revocation sub-ciphertext of file $m$ corresponding to attribute $w_j$ with respect to revoked user $ID_n$; it then uses the third updated revocation sub-ciphertext and the fourth updated revocation sub-ciphertext to update, respectively, the third revocation sub-ciphertext $C_{3,j,n}$ and the fourth revocation sub-ciphertext $C_{4,j,n}$ of file $m$ corresponding to attribute $w_j$ with respect to revoked user $ID_n$, obtaining the re-encrypted and updated ciphertext of file $m$, $CT = \{C_1, C_2, \{C_{3,j}, C_{4,j}\}_{j \in [1,|W|]}, \{C_{3,j,n}, C_{4,j,n}\}_{j \in [1,|W|],\, n \in [1,N]}\}$;
The encryption party calculates: the third revocation sub-ciphertext $C'_{3,j,rev}$ of file $m$ corresponding to attribute $w_j$ with respect to the revoked user $ID_{rev}$, and the fourth revocation sub-ciphertext $C'_{4,j,rev}$ of file $m$ corresponding to attribute $w_j$ with respect to the revoked user $ID_{rev}$;
Subsequently, the revoked user $ID_{rev}$ is renamed as revoked user $ID_N$, and revoked user $ID_N$ is added to the attribute revocation sub-list $R_j$ of attribute $w_j$; that is, the serial number of revoked user $ID_N$ is equal to the number $N$ of users in the attribute revocation sub-list $R_j$;
Let the third revocation sub-ciphertext $C'_{3,j,rev}$ of file $m$ corresponding to attribute $w_j$ with respect to revoked user $ID_{rev}$ be the third revocation sub-ciphertext $C_{3,j,n}$ of file $m$ corresponding to attribute $w_j$ with respect to revoked user $ID_N$, and let the fourth revocation sub-ciphertext $C'_{4,j,rev}$ of file $m$ corresponding to attribute $w_j$ with respect to revoked user $ID_{rev}$ be the fourth revocation sub-ciphertext $C_{4,j,n}$ of file $m$ corresponding to attribute $w_j$ with respect to revoked user $ID_N$; then append the third revocation sub-ciphertext $C_{3,j,n}$ and the fourth revocation sub-ciphertext $C_{4,j,n}$ to the end of the ciphertext CT of file $m$. After this re-encryption update, the ciphertext of file $m$ is $CT = \{C_1, C_2, \{C_{3,j}, C_{4,j}\}_{j \in [1,|W|]}, \{C_{3,j,n}, C_{4,j,n}\}_{j \in [1,|W|],\, n \in [1,N]}\}$.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810684303.8A CN108880798B (en) | 2018-06-28 | 2018-06-28 | Attribute basis weight encryption method for realizing fine-grained attribute revocation |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108880798A CN108880798A (en) | 2018-11-23 |
CN108880798B (en) | 2020-11-03 |
Family
ID=64296055
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810684303.8A Active CN108880798B (en) | 2018-06-28 | 2018-06-28 | Attribute basis weight encryption method for realizing fine-grained attribute revocation |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108880798B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111447209B (en) * | 2020-03-24 | 2021-04-06 | 西南交通大学 | Black box traceable ciphertext policy attribute-based encryption method |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104363215A (en) * | 2014-11-04 | 2015-02-18 | 河海大学 | Encryption method and system based on attributes |
CN105071937A (en) * | 2015-07-14 | 2015-11-18 | 河海大学 | Ciphertext poly attribute base encryption method having efficient attribute revocation capability |
WO2016103960A1 (en) * | 2014-12-25 | 2016-06-30 | 国立大学法人 東京大学 | Control device, statistical analysis device, decoding device and transmitting device |
CN105978895A (en) * | 2016-06-28 | 2016-09-28 | 电子科技大学 | Attribute-based encryption scheme supporting non-monotonic access structure and fine-granularity cancellation |
CN107040374A (en) * | 2017-03-06 | 2017-08-11 | 陕西师范大学 | The attribute base data encryption method of user's Dynamic Revocation is supported under a kind of cloud storage environment |
CN107566386A (en) * | 2017-09-14 | 2018-01-09 | 上海海事大学 | A kind of voidable attribute base encryption method |
CN107769915A (en) * | 2016-08-17 | 2018-03-06 | 实创时新(北京)科技有限公司 | Possess the data encrypting and deciphering system and method for fine-grained user control |
CN108200181A (en) * | 2018-01-11 | 2018-06-22 | 中国人民解放军战略支援部队信息工程大学 | A kind of revocable attribute-based encryption system and method towards cloud storage |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9350714B2 (en) * | 2013-11-19 | 2016-05-24 | Globalfoundries Inc. | Data encryption at the client and server level |
US10355858B2 (en) * | 2016-03-30 | 2019-07-16 | Intel Corporation | Authenticating a system to enable access to a diagnostic interface in a storage device |
US20180101688A1 (en) * | 2016-10-11 | 2018-04-12 | Intel Corporation | Trust-enhanced attribute-based encryption |
Non-Patent Citations (1)
Title |
---|
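Research on Ciphertext-Policy Attribute-Based Encryption with Attribute Revocation and Its Applications; 储转转; China Excellent Master's Theses (《中国优秀硕士学位论文》); 20180215; full text * |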
Also Published As
Publication number | Publication date |
---|---|
CN108880798A (en) | 2018-11-23 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Li et al. | User collusion avoidance CP-ABE with efficient attribute revocation for cloud storage | |
Wang et al. | Hierarchical attribute-based encryption for fine-grained access control in cloud storage services | |
Jia et al. | SDSM: a secure data service mechanism in mobile cloud computing | |
CN108833393B (en) | Revocable data sharing method based on fog computing | |
Ali et al. | Lightweight revocable hierarchical attribute-based encryption for internet of things | |
Li et al. | Two-factor data access control with efficient revocation for multi-authority cloud storage systems | |
Jin et al. | A secure and lightweight data access control scheme for mobile cloud computing | |
CN107566386A (en) | A kind of voidable attribute base encryption method | |
Zhang et al. | A cloud-based access control scheme with user revocation and attribute update | |
Ying et al. | Adaptively secure ciphertext-policy attribute-based encryption with dynamic policy updating | |
Zhao et al. | RL-ABE: A revocable lattice attribute based encryption scheme based on R-LWE problem in cloud storage | |
CN108111540A (en) | The hierarchical access control system and method for data sharing are supported in a kind of cloud storage | |
CN109873699A (en) | A kind of voidable identity public key encryption method | |
Ming et al. | Efficient revocable multi-authority attribute-based encryption for cloud storage | |
Fan et al. | Privacy protection based access control scheme in cloud-based services | |
Nasiraee et al. | Privacy-preserving distributed data access control for CloudIoT | |
CN107426162A (en) | A kind of method based on attribute base encryption Implement Core mutual role help | |
Liu et al. | Dynamic attribute-based access control in cloud storage systems | |
Chaudhary et al. | RMA-CPABE: A multi-authority CPABE scheme with reduced ciphertext size for IoT devices | |
Deng et al. | An efficient revocable attribute-based signcryption scheme with outsourced unsigncryption in cloud computing | |
He et al. | A fine-grained and lightweight data access control scheme for WSN-integrated cloud computing | |
CN114531293B (en) | Cross-trust-domain based identity agent re-encryption method | |
Yuan et al. | Fine-grained access control for big data based on CP-ABE in cloud computing | |
Hu et al. | Autonomous path identity-based broadcast proxy re-encryption for data sharing in clouds | |
CN114143072A (en) | CP-ABE-based attribute revocation optimization method and system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
TR01 | Transfer of patent right | Effective date of registration: 20230315; Address after: Room 801, 85 Kefeng Road, Huangpu District, Guangzhou City, Guangdong Province; Patentee after: Yami Technology (Guangzhou) Co.,Ltd.; Address before: 610031 No. two, section 111, ring road, Chengdu, Sichuan, China; Patentee before: SOUTHWEST JIAOTONG University |