CN110247761B - Ciphertext-policy attribute-based encryption method supporting attribute revocation on lattices - Google Patents

Info

Publication number: CN110247761B
Authority: CN (China)
Prior art keywords: attribute, access member, key, generation center, access
Legal status: Active (status as listed by Google Patents, not a legal conclusion)
Application number: CN201910526965.7A
Other languages: Chinese (zh)
Other versions: CN110247761A (en)
Inventors: 屈碧莹, 张姗姗, 董思越
Current assignee: Xidian University
Original assignee: Xidian University
Events: application CN201910526965.7A filed by Xidian University; publication of application CN110247761A; application granted; publication of CN110247761B; current legal status Active

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/04 ... for providing a confidential data exchange among entities communicating through data packet networks
                        • H04L63/0428 ... wherein the data content is protected, e.g. by encrypting or encapsulating the payload
                            • H04L63/0442 ... wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
                • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
                    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
                        • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
                        • H04L9/088 Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms


Abstract

The invention provides a ciphertext-policy attribute-based encryption method supporting attribute revocation on lattices, which addresses the low efficiency and low flexibility of existing attribute-based encryption. The implementation steps are: (1) a parameter generation center initializes the system parameters; (2) the key generation center obtains the attribute private key pair (sk1, sk2) of an access member; (3) the accessed user obtains the ciphertext message pair (C0, (C1, C2)); (4) the key generation center computes and sends the delegated key PXK; (5) the proxy server computes and sends the Lagrange coefficients; (6) an unrevoked access member decrypts the ciphertext message pair (C0, (C1, C2)). In a real social network the invention supports a flexible access structure while improving the efficiency of attribute-based encryption.

Description

Ciphertext-policy attribute-based encryption method supporting attribute revocation on lattices
Technical Field
The invention belongs to the technical field of communication and relates to a ciphertext-policy attribute-based encryption method, in particular to a ciphertext-policy attribute-based encryption method supporting attribute revocation on lattices, in the technical field of information security.
Background
With the rapid development of communication technology and the growing globalization of the economy and of information, secure transmission channels and information security have become cornerstones of the internet and of electronic commerce, and the most basic and central technology in information security is encryption. Modern cryptography mostly uses public-key encryption, but in such a system the distribution and maintenance of public-key certificates consume considerable resources, management is complex, and the authentication server can become overloaded.
Attribute-based encryption is divided into key-policy attribute-based encryption and ciphertext-policy attribute-based encryption. The key-policy variant offers rich access structures but lacks flexibility and cannot adapt to user attributes that change in practice, whereas the ciphertext-policy variant is more flexible.
Traditional ciphertext-policy attribute-based encryption cannot resist quantum attacks and has a large computational cost, while lattice-based encryption offers higher security and can also reduce the computational complexity of the encryption process, so constructing a lattice-based attribute-based encryption method is necessary. Existing lattice-based attribute-based encryption addresses these problems, but in a social network the attributes of an access member change with time and other factors, and the existing methods can only handle this by having the key generation center check and update the private key information of all access members in real time. The computational cost of encryption and decryption is therefore large, and efficiency is low, especially when the system has many access members. Furthermore, because the prior art embeds the access structure in the member key, the attribute information of an access member cannot be specified during encryption, so flexibility is also low.
For example, patent application publication CN105162589A, entitled "A lattice-based verifiable attribute encryption method", discloses a lattice-based verifiable attribute-based encryption method that makes a lattice-based attribute-based encryption scheme practical. The method relies on hard vector problems on lattices, constructs a key-policy lattice-based attribute-based encryption scheme, and constructs a new dynamic key generation algorithm that generates a key together with verification information for it, so that a user can verify the trustworthiness of the authority. This addresses the insecurity of existing attribute-based encryption under quantum computation and allows the authority to be supervised, but the method still has the following defect: in practice the identity attributes of a user change with time and location, so the access rights of the user change accordingly, which the method does not account for.
Disclosure of Invention
The invention aims to provide a ciphertext-policy attribute-based encryption method supporting attribute revocation on lattices that addresses the defects of the prior art, namely its low efficiency and low flexibility.
The technical idea of the invention is as follows. Building on lattice theory, a parameter generation center initializes the system parameters and generates the system public key and master key; the key generation center computes a private key for each member from the system master key and the attributes of the access member; the accessed user encrypts a plaintext with the system public key to produce a ciphertext message pair; the key generation center computes a delegated key containing the information of the access members to be revoked; the proxy server computes the Lagrange coefficients of the random polynomials in the delegated key and of the access member attributes; and an unrevoked access member recovers its private key with the delegated key and decrypts the ciphertext message pair.
To achieve the above object, the technical solution of the invention is implemented by an attribute-based encryption system comprising a parameter generation center, a proxy server, a key generation center, an accessed user, and access members, the latter including access members to be revoked and unrevoked access members. The specific implementation steps are:
(1) The parameter generation center initializes the system parameters:
(1a) The parameter generation center sets the accessed user attribute set W' = {w1, …, wi, …, wL} containing L attribute elements wi, the set of attributes to be revoked W = {w1, …, wl, …, wt} containing t attribute elements wl, the unrevoked attribute set W0 = {w(t+1), …, wk, …, wL} containing L − t attribute elements wk, the access member attribute set A = {a1, …, aj, …, aJ} containing J attribute elements aj, the identification information I of the access members, the identification information I_wl of the access members to be revoked, the identification information I_wk of the unrevoked access members and the integer group Zq containing q elements, and randomly generates L polynomials of order t over Zq
[equation image]
where 0 < i ≤ L, 0 < l ≤ t, 0 < t ≤ L, t < k ≤ L, W' = W ∪ W0, 0 < j ≤ J, q is a prime, and
[equation image]
is the polynomial corresponding to the attribute element wi, y denoting the variable;
(1b) The parameter generation center sets a security parameter λ and, using the algorithm TrapGen with λ, generates a random n × m matrix A0 and, for
[equation image]
a set of full-rank short bases
[equation image]
and takes
[equation image]
as the master key MSK of the system, where 2 < n < m;
(1c) The parameter generation center generates a random n × m matrix B and, for each wi in W', generates a random n × m matrix
[equation image]
and takes A0, B and the L random matrices
[equation image]
as the public key of the system
[equation image]
where each element of the matrix B and of the matrices
[equation image]
is a positive integer not exceeding q;
(2) The key generation center obtains the attribute private key pair (sk1, sk2) of an access member:
(2a) The key generation center generates a random vector μ = (μ1, …, μz, …, μn) and, for each aj in the access member attribute set A, randomly generates a set of polynomials
[equation image]
whose polynomial P'z(aj) has constant term P'z(0) = μz, where μz denotes the z-th component of the vector μ, P'z(aj) denotes the z-th polynomial of the set
[equation image]
1 < z < n, and (·)^T denotes the transpose operation;
(2b) The key generation center uses the left-sampling algorithm (SampleLeft) with the master key MSK of the system, the public key pk of the system and the J polynomial sets
[equation image]
to compute the attribute private key es of an unrevoked access member;
(2c) The key generation center uses es and the constant term
[equation image]
of the polynomial
[equation image]
corresponding to any one wi to compute the attribute private key sk1 of the access member
[equation image]
and uses the identification information I of the access members and
[equation image]
to compute the attribute private key sk2 of the access member
[equation image]
sk1 and sk2 form the attribute private key pair (sk1, sk2) of the access member;
(3) The accessed user obtains the ciphertext message pair (C0, (C1, C2)):
(3a) The accessed user generates an n-dimensional random vector f, an n-dimensional random vector x following a discrete Gaussian distribution on the lattice, and L random m × m matrices
[equation image]
where each component of f is a positive integer less than q and each element of the matrices
[equation image]
is chosen at random from {−1, 1};
(3b) The accessed user encrypts the plaintext M to obtain the ciphertext message C0 and the auxiliary message pair (C1, C2) of C0; C0 and (C1, C2) form the ciphertext message pair (C0, (C1, C2)) of the accessed user:
[equation image]
C1 = A0^T f + x
[equation image]
where
[equation image]
denotes the floor (round-down) operation;
(4) The key generation center computes and sends the delegated key PXK:
The key generation center uses the L polynomials
[equation image]
and the identification information I_wl of the members to be revoked to compute the delegated key PXK, and sends PXK to the proxy server and to the unrevoked access members, where
[equation image]
(5) The proxy server computes and sends the Lagrange coefficients:
The proxy server uses the delegated key PXK, the identification information I of the access members and the identification information I_wk of the unrevoked access members to compute the Lagrange coefficients
[equation image]
corresponding to the L polynomials
[equation image]
respectively, and at the same time uses the values of the L attribute elements {w1, …, wi, …, wL} to compute their Lagrange coefficients {H1, …, Hi, …, HL}, and sends
[equation image]
and {H1, …, Hi, …, HL} to the unrevoked access members;
(6) An unrevoked access member decrypts the ciphertext message pair (C0, (C1, C2)):
(6a) The unrevoked access member uses PXK,
[equation image]
and the attribute private key pair (sk1, sk2) of the access member to compute the private key es of the unrevoked access member
[equation image]
where
[equation image]
denotes any one of the Lagrange coefficients
[equation image]
(6b) The unrevoked access member uses the Lagrange coefficients {H1, …, Hi, …, HL} of the L attribute elements and the private key es of the unrevoked access member to decrypt (C0, (C1, C2)) and obtain the decrypted plaintext M':
[equation image]
where Ω = W' ∩ A and (;) denotes row-wise concatenation;
(6c) The unrevoked access member computes the error term r' of M' and checks whether
[equation image]
holds; if so, decryption succeeds and M' is taken as the plaintext M, otherwise decryption fails.
Compared with the prior art, the invention has the following advantages:
1. The invention uses a delegated key to change the private key of an access member generated on the basis of lattice theory, so the authority of an access member can be revoked in real time. This avoids the large encryption and decryption cost that the prior art incurs by having the key generation center check and update the private keys of the access members, and effectively improves the efficiency of attribute-based encryption.
2. The private key of an access member is computed from the access member's attributes, so the identity of the access member can be constrained directly. This overcomes the inability of the prior art to adapt to changing member attributes, which results from binding the access structure to the private key of the access member, and effectively improves the flexibility of attribute-based encryption.
Drawings
FIG. 1 is a schematic diagram of an attribute encryption system employed in the present invention;
fig. 2 is a flow chart of the implementation of the present invention.
Detailed Description
The invention is described in further detail below with reference to the figures and the specific embodiments.
Referring to FIG. 1, the attribute-based encryption system adopted in the invention comprises a parameter generation center, a proxy server, a key generation center, an accessed user, and access members including access members to be revoked and unrevoked access members. The parameter generation center initializes the system parameters and generates the system public key and master key; the accessed user encrypts a plaintext with the system public key to produce a ciphertext message pair; the key generation center computes a private key for each member from the system master key and the attributes of the access member, and computes a delegated key containing the information of the access members to be revoked; the proxy server computes the Lagrange coefficients of the random polynomials in the delegated key and of the access member attributes; an access member to be revoked is an access member whose authority the method removes; and an unrevoked access member changes its private key with the delegated key and decrypts the ciphertext message pair.
Referring to FIG. 2, the ciphertext-policy attribute-based encryption method supporting attribute revocation comprises the following steps:
Step 1) The parameter generation center initializes the system parameters:
Step 1a) The parameter generation center sets the accessed user attribute set W' = {w1, …, wi, …, wL} containing L attribute elements wi, the set of attributes to be revoked W = {w1, …, wl, …, wt} containing t attribute elements wl, the unrevoked attribute set W0 = {w(t+1), …, wk, …, wL} containing L − t attribute elements wk, so that the accessed user attribute set W' is the union of the set W of attributes to be revoked and the unrevoked attribute set W0, and the access member attribute set A = {a1, …, aj, …, aJ} containing J attribute elements aj, where L = 10, t = 3, J = 5, 0 < i ≤ 10, 0 < l ≤ 3, 3 < k ≤ 10 and 0 < j ≤ 5;
The parameter generation center sets the identification information I of the access members, the identification information I_wl of the access members to be revoked and the identification information I_wk of the unrevoked access members, where I denotes the identification information of all access members, I_wl denotes the identification of the access member to be revoked that is associated with the attribute wl to be revoked, and I_wk denotes the identification of the unrevoked access member associated with the unrevoked attribute wk;
The parameter generation center sets the integer group Zq containing q elements, where q is a large prime;
The parameter generation center randomly generates 10 polynomials of order 3 over Zq
[equation image]
where the polynomial
[equation image]
corresponds to the attribute element wi in the accessed user attribute set and y denotes the variable. Generating the polynomials
[equation image]
applies the Shamir polynomial secret-sharing mechanism, which divides a secret into d shares held by d access members, each member holding one of the d shares, so that no d − 1 members can deduce the complete secret.
Step 1b) The parameter generation center sets a security parameter λ and, using the algorithm TrapGen with λ, generates an n × m matrix A0 and, for
[equation image]
a set of full-rank short bases
[equation image]
and takes
[equation image]
as the master key MSK of the system. The TrapGen algorithm is as follows:
[equation image]
The security parameter λ is set to a 1024-bit binary number, and the algorithm outputs in probabilistic polynomial time the matrix A0 and the integer lattice
[equation image]
with its basis
[equation image]
and then the basis
[equation image]
serving as the master key MSK is used for encryption and decryption, where 2 < n < m, e denotes an m-dimensional integer vector and mod denotes the modulus operation;
Step 1c) The parameter generation center generates a random n × m matrix B and, for each wi in W', generates a random n × m matrix
[equation image]
and takes A0, B and the random matrices
[equation image]
as the public key of the system
[equation image]
where each element of the matrix B and of the matrices
[equation image]
is a positive integer not exceeding q;
Step 2) The key generation center obtains the attribute private key pair (sk1, sk2) of the access member:
Step 2a) The key generation center generates an n-dimensional random vector μ and, for each aj in the access member attribute set A, randomly generates a polynomial set of n polynomials
[equation image]
Step 2a1) The key generation center generates the random vector μ = (μ1, …, μz, …, μn), which assists in generating the polynomial sets
[equation image]
where each component of the vector μ is a random number, μz denotes the z-th component of μ, and 1 < z < n;
Step 2a2) In order to compute the private key of the access member from the access member attributes, the key generation center randomly generates, for each aj in the access member attribute set A, a set of polynomials
[equation image]
where the constant term of P'z(aj) is P'z(0) = μz, P'z(aj) denotes the z-th polynomial of the set
[equation image]
and (·)^T denotes the transpose operation;
Step 2b) The key generation center uses the SampleLeft algorithm with the master key MSK of the system, the public key pk of the system and the polynomial sets
[equation image]
to compute the attribute private key es of an unrevoked access member. The SampleLeft algorithm is as follows:
[equation image]
where g is the Gaussian parameter; the output es is statistically close to a discrete Gaussian vector, serves as the attribute private key of an unrevoked access member, and each component of the vector is a positive integer not exceeding q;
Step 2c) The key generation center uses es and the constant term
[equation image]
of the polynomial
[equation image]
corresponding to any one wi to compute the attribute private key sk1 of the access member
[equation image]
so that the private key es of the unrevoked access member is hidden; and, for revocation, uses the identification information I of the access members and
[equation image]
to compute the attribute private key sk2 of the access member, which hides the identity information of the access member
[equation image]
sk1 and sk2 form the attribute private key pair (sk1, sk2) of the access member;
Step 3) The accessed user obtains the ciphertext message pair (C0, (C1, C2)):
Step 3a) The accessed user generates an n-dimensional random vector f, 10 random m × m matrices
[equation image]
and an n-dimensional vector x following a discrete Gaussian distribution, where each component of f is a positive integer less than q and each element of the matrices
[equation image]
is chosen at random from {−1, 1}. Because encryption schemes on lattices rest on the hardness assumption of the LWE problem, and the error in the LWE problem is generally sampled from a discrete Gaussian distribution, a random vector x following the discrete Gaussian distribution on the lattice must be generated to guarantee correctness of encryption and decryption. The discrete Gaussian distribution of the random vector x on the lattice is:
[equation image]
where c is an n-dimensional real vector, L' is an n-dimensional lattice, s > 0 is a real number, and ρ_{s,c}(x) is the Gaussian function computed as follows:
[equation image]
where e is the base of the natural logarithm, π is the circle constant, and ‖·‖ denotes the Euclidean norm, i.e. the square root of the sum of the squares of the components of a vector;
Step 3b) The accessed user uses the system public key pk, the vector f, the matrices
[equation image]
corresponding to each attribute element wi, and the vector x to compute the ciphertext message pair (C0, (C1, C2)):
Step 3b1) The accessed user encrypts the plaintext M to obtain the ciphertext message C0:
[equation image]
where
[equation image]
denotes the floor (round-down) operation;
Step 3b2) The accessed user computes the auxiliary message pair (C1, C2) of the ciphertext message C0:
C1 = A0^T f + x
[equation image]
Step 3b3) The accessed user forms the ciphertext message pair (C0, (C1, C2)) from C0 and (C1, C2);
Step 4), the key generation center calculates the entrusted key PXK and sends:
key generation center pass through
Figure BDA0002098554040000092
And identification information of members to be revoked
Figure BDA0002098554040000093
Computing a proxy key PXK for changing the member private key, and sending the PXK to the proxy server and to the non-revoked access member, wherein,
Figure BDA0002098554040000094
Step 5) The proxy server computes and sends the Lagrange coefficients:
Step 5a) The proxy server uses the delegated key PXK, the identification information I of the access members, the identification information I_wk of the unrevoked access members and the identification information I_wl of the members to be revoked to compute the Lagrange coefficients
[equation image]
corresponding to the polynomials
[equation image]
respectively; the unrevoked access member restores the private key es with the computed Lagrange coefficients. The Lagrange coefficient
[equation image]
is computed as follows:
[equation image]
where
[equation image]
is the Lagrange coefficient, I_wk is the identification information of an unrevoked access member, I is the identification information of the access members, and I_wl is the identification information of a member to be revoked.
Step 5b) The proxy server uses the values of the attribute elements {w1, …, wi, …, w10} to compute the Lagrange coefficient {H1, …, Hi, …, H10} of each attribute element respectively:
[equation image]
where wp denotes an attribute element of the set W' different from wi;
Step 5c) The proxy server sends
[equation image]
and {H1, …, Hi, …, H10} to the unrevoked access members;
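The delegated key of step 4, the Lagrange coefficients of step 5 and the key recovery of step 6a all rest on the Shamir mechanism introduced in step 1a: a polynomial of order t over Zq whose constant term masks a secret, with each access member holding the polynomial's value at its own identity. The Python example below is added here as an illustration and is not the patent's own algorithm: the exact formulas for PXK, sk1 and the Lagrange coefficients are in the equation images, so the example assumes the standard instance in which PXK is the list of the t revoked members' shares, sk1 masks one key component with the polynomial's constant term, and an unrevoked member combines its own share with PXK (t + 1 points in total) to interpolate the constant term at y = 0 with Lagrange coefficients. A revoked member holds only t distinct points, because its own share is already in PXK, so it cannot interpolate. The modulus Q, the member identities and the seed are constructed values.

```python
import random

# Constructed parameters for the illustration; not taken from the patent.
Q = 2305843009213693951  # prime modulus of Z_q (2^61 - 1)


def eval_poly(coeffs, y, q=Q):
    """Evaluate f(y) = sum(coeffs[k] * y^k) mod q; coeffs[0] is the constant term f(0)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * y + c) % q
    return acc


def make_poly(constant, t, rng, q=Q):
    """Random polynomial of order t over Z_q with f(0) = constant (Shamir sharing)."""
    return [constant % q] + [rng.randrange(1, q) for _ in range(t)]


def lagrange_coeff_at_zero(xs, j, q=Q):
    """Lagrange basis coefficient of the point xs[j], evaluated at y = 0:
    prod over p != j of (0 - xs[p]) / (xs[j] - xs[p]) mod q."""
    num, den = 1, 1
    for p, xp in enumerate(xs):
        if p != j:
            num = (num * (-xp)) % q
            den = (den * (xs[j] - xp)) % q
    return (num * pow(den, -1, q)) % q


def interpolate_at_zero(points, q=Q):
    """Recover f(0) from pairs (x, f(x)); exact only with deg(f) + 1 distinct x values."""
    xs = [x for x, _ in points]
    return sum(fx * lagrange_coeff_at_zero(xs, j, q) for j, (_, fx) in enumerate(points)) % q


def issue_shares(poly, member_ids, q=Q):
    """KGC: each access member with identity I receives the share f(I)."""
    return {i: eval_poly(poly, i, q) for i in member_ids}


def delegated_key(poly, revoked_ids, q=Q):
    """KGC: PXK-like value, assumed here to be the revoked members' shares (I_wl, f(I_wl))."""
    return [(i, eval_poly(poly, i, q)) for i in revoked_ids]


def recover_mask(member_id, share, pxk, q=Q):
    """Unrevoked member: own share plus the t published shares give t + 1 points."""
    return interpolate_at_zero([(member_id, share)] + list(pxk), q)


def run_revocation_demo(seed=7, t=3):
    """Returns whether an unrevoked and a revoked member recover the masked key component."""
    rng = random.Random(seed)
    key_component = rng.randrange(Q)          # stands in for one component of e_s
    mask = rng.randrange(Q)                   # constant term f(0) of the polynomial
    poly = make_poly(mask, t, rng)
    sk1 = (key_component + mask) % Q          # assumed masking of e_s into sk1

    member_ids = [11, 22, 33, 44, 55, 66]     # constructed identities I (distinct, non-zero)
    shares = issue_shares(poly, member_ids)
    revoked = member_ids[:t]                  # the t members to be revoked
    pxk = delegated_key(poly, revoked)

    # An unrevoked member interpolates f(0) from t + 1 points and unmasks sk1.
    good = member_ids[t]
    recovered_good = (sk1 - recover_mask(good, shares[good], pxk)) % Q

    # A revoked member only holds the t points already in PXK, so the best it can do
    # is a degree-(t-1) fit through them, which does not yield f(0).
    recovered_bad = (sk1 - interpolate_at_zero(pxk)) % Q

    return {
        "unrevoked_ok": recovered_good == key_component,
        "revoked_ok": recovered_bad == key_component,
    }


if __name__ == "__main__":
    print(run_revocation_demo())
```

The threshold structure is what makes the revocation cheap: the key generation center publishes the t revoked shares once, and every unrevoked member updates locally, instead of the center re-issuing every private key.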
Step 6) An unrevoked access member decrypts the ciphertext message pair (C0, (C1, C2)):
Step 6a) The unrevoked access member uses PXK,
[equation image]
and the attribute private key pair (sk1, sk2) of the access member to compute the private key es of the unrevoked access member by Lagrange interpolation, which realizes the change of the attribute private key pair (sk1, sk2) of the access member through the delegated key PXK:
[equation image]
where
[equation image]
denotes any one of the Lagrange coefficients
[equation image]
Step 6b) The unrevoked access member uses {H1, …, Hi, …, H10} and the private key es of the unrevoked access member to decrypt (C0, (C1, C2)) and obtain the decrypted plaintext M':
[equation image]
where Ω = W' ∩ A and (;) denotes row-wise concatenation;
Step 6c) The unrevoked access member computes the error term r' of M', which represents the difference between M' and M, and checks whether
[equation image]
holds; if so, M' is considered to recover M up to the ignored error, decryption succeeds and M' is taken as the plaintext M; otherwise decryption fails.
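Steps 3 and 6 follow the dual-Regev pattern of LWE encryption: C1 = A0^T f + x, C0 carries ⌊q/2⌋·M plus a term that only the holder of a short vector es can cancel, and decryption rounds the residual to the nearest multiple of ⌊q/2⌋ and accepts only if the error term r' is small. The Python example below is added here to show that round trip and the acceptance test of step 6c; it is not the patent's construction. It assumes a simplified instance: es is sampled first as a short vector and the public vector u = A0·es is published, in place of TrapGen and SampleLeft; the attribute matrices, C2 and the Lagrange-weighted combination over Ω are omitted; the error x is taken m-dimensional so that A0^T f + x is defined; and the error bound used in the test follows from the {-1, 0, 1} entries chosen here rather than from the patent's check. The parameters q, n, m, the message and the seeds are constructed toy values far below any real security level.

```python
import random

# Constructed toy parameters (far below any real security level).
Q = 4093            # prime modulus q
N = 8               # dimension n: rows of A0
M = 64              # dimension m: columns of A0 and length of the short key e_s
ERR_BOUND = 1 + M   # |x0 - e_s^T x| <= 1 + m when all entries of x0, x, e_s lie in {-1, 0, 1}


def centered(v, q=Q):
    """Representative of v mod q in (-q/2, q/2]."""
    v %= q
    return v - q if v > q // 2 else v


def keygen(rng, q=Q, n=N, m=M):
    """Assumed 'key-first' setup: sample a short e_s and publish u = A0 e_s mod q.
    The patent instead derives e_s from a trapdoor basis via TrapGen and SampleLeft."""
    A0 = [[rng.randrange(q) for _ in range(m)] for _ in range(n)]
    e_s = [rng.choice((-1, 0, 1)) for _ in range(m)]
    u = [sum(A0[i][j] * e_s[j] for j in range(m)) % q for i in range(n)]
    return (A0, u), e_s


def encrypt_bit(pk, bit, rng, q=Q):
    """C1 = A0^T f + x and C0 = u^T f + x0 + floor(q/2) * bit, both mod q."""
    A0, u = pk
    n, m = len(A0), len(A0[0])
    f = [rng.randrange(q) for _ in range(n)]         # random vector f
    x = [rng.choice((-1, 0, 1)) for _ in range(m)]   # small error vector x
    x0 = rng.choice((-1, 0, 1))                       # small scalar error
    c1 = [(sum(A0[i][j] * f[i] for i in range(n)) + x[j]) % q for j in range(m)]
    c0 = (sum(u[i] * f[i] for i in range(n)) + x0 + (q // 2) * bit) % q
    return c0, c1


def decrypt_bit(e_s, ct, q=Q):
    """Return (bit, r_err, ok). r = C0 - e_s^T C1 = floor(q/2)*bit + (x0 - e_s^T x);
    the bit is the nearest multiple of floor(q/2), r_err is the error term r',
    and ok is the step-6c style acceptance test |r'| <= ERR_BOUND."""
    c0, c1 = ct
    r = centered(c0 - sum(e_s[j] * c1[j] for j in range(len(e_s))), q)
    bit = 0 if abs(r) < q // 4 else 1
    r_err = centered(r - (q // 2) * bit, q)
    return bit, r_err, abs(r_err) <= ERR_BOUND


def encrypt_bits(pk, bits, rng):
    return [encrypt_bit(pk, b, rng) for b in bits]


def decrypt_bits(e_s, cts):
    """Decrypt a list of ciphertexts; ok is False if any error term exceeds the bound."""
    results = [decrypt_bit(e_s, ct) for ct in cts]
    return [b for b, _, _ in results], all(ok for _, _, ok in results)


def run_lwe_demo(seed=1):
    """Returns (message, recovered bits, accepted with the right key, accepted with a wrong key)."""
    rng = random.Random(seed)
    pk, e_s = keygen(rng)
    message = [1, 0, 1, 1, 0, 0, 1, 0]                # constructed plaintext bits
    cts = encrypt_bits(pk, message, rng)
    recovered, ok = decrypt_bits(e_s, cts)
    # A short vector that does not satisfy A0 e' = u (what a revoked member is left with)
    # leaves a residual that is essentially uniform mod q, so the acceptance test rejects.
    _, e_wrong = keygen(random.Random(seed + 1))
    _, ok_wrong = decrypt_bits(e_wrong, cts)
    return message, recovered, ok, ok_wrong


if __name__ == "__main__":
    msg, rec, ok, ok_wrong = run_lwe_demo()
    print("message  ", msg)
    print("recovered", rec, "accepted:", ok)
    print("wrong key accepted:", ok_wrong)
```

The point of the bound in step 6c is visible in `decrypt_bit`: rounding alone always produces some bit, so a stale or forged key would still "decrypt"; only the size of the residual error tells a legitimate key from an invalid one.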

Claims (3)

1. A ciphertext-policy attribute encryption method supporting attribute revocation on lattices, characterized in that it is realized by an attribute encryption system comprising a parameter generation center, a proxy server, a key generation center, an accessed user, and access members, the access members including access members to be revoked and access members not to be revoked, with the following specific steps:
(1) the parameter generation center initializes the system parameters:
(1a) the parameter generation center sets an accessed-user attribute set W = {w_1, …, w_i, …, w_L} containing L attribute elements w_i, an attribute set to be revoked W' = {w_1, …, w_l, …, w_t} containing t attribute elements w_l, an unrevoked attribute set W_0 = {w_{t+1}, …, w_k, …, w_L} containing L−t attribute elements w_k, an access member attribute set A = {a_1, …, a_j, …, a_J} containing J attribute elements a_j, identification information I of an access member, identification information I_wl of a member to be revoked, identification information I_wk of an unrevoked access member, and an integer group Z_q containing q elements, and randomly generates over Z_q L polynomials of order t
Figure FDA0002958904910000011
where 0 < i ≤ L, 0 < l ≤ t, 0 < t ≤ L, t < k ≤ L, W' = W ^ W_0, 0 < j ≤ J, q is a large prime number, and
Figure FDA0002958904910000012
corresponds to attribute element w_i, with y denoting a variable;
(1b) the parameter generation center sets a security parameter λ and, using the TrapGen algorithm, generates from λ a random matrix A_0 of size n × m together with
Figure FDA0002958904910000013
a full-rank short basis
Figure FDA0002958904910000014
and takes
Figure FDA0002958904910000015
as the master key MSK of the system, where 2 < n < m;
(1c) the parameter generation center generates a random matrix B of size n × m and, for each w_i in W, generates a random matrix of size n × m
Figure FDA0002958904910000016
and takes A_0, B and the L random matrices
Figure FDA0002958904910000017
as the public key pk of the system
Figure FDA0002958904910000018
where the elements of matrix B and of the matrices
Figure FDA0002958904910000019
are each a positive integer not exceeding q;
(2) the key generation center obtains the attribute private key pair (sk_1, sk_2) of the access member:
(2a) the key generation center generates a random vector μ = (μ_1, …, μ_z, …, μ_n) and, for each a_j in the access member attribute set A, randomly generates a polynomial set
Figure FDA00029589049100000110
whose polynomial P_z'(a_j) has constant term P_z'(0) = μ_z, where μ_z denotes the z-th component of the vector μ, P_z'(a_j) denotes the z-th polynomial of the polynomial set
Figure FDA0002958904910000021
(1 < z < n), and (·)^T denotes the transpose operation;
(2b) the key generation center uses the SampleLeft algorithm and, via the master key MSK of the system, the public key pk of the system and the J polynomial sets
Figure FDA0002958904910000022
computes the attribute private key e_s of an unrevoked access member;
(2c) the key generation center, via e_s and the polynomial corresponding to any w_i
Figure FDA0002958904910000023
together with its constant term
Figure FDA0002958904910000024
computes the attribute private key sk_1 of the access member:
Figure FDA0002958904910000025
and via the identification information I of the access member and
Figure FDA0002958904910000026
computes the attribute private key sk_2 of the access member:
Figure FDA0002958904910000027
sk_1 and sk_2 form the attribute private key pair (sk_1, sk_2) of the access member;
(3) the accessed user obtains the ciphertext message pair (C_0, (C_1, C_2)):
(3a) the accessed user generates an n-dimensional random vector f, an n-dimensional random vector x obeying a discrete Gaussian distribution on the lattice, and L random matrices of size m × m
Figure FDA0002958904910000028
where each component of f is a positive integer less than q, and each element of the matrices
Figure FDA0002958904910000029
is chosen at random from −1 or 1;
(3b) the accessed user encrypts the plaintext M to obtain the ciphertext message C_0 and the auxiliary message pair (C_1, C_2) of C_0; C_0 and (C_1, C_2) form the accessed user's ciphertext message pair (C_0, (C_1, C_2)):
Figure FDA00029589049100000210
C_1 = A_0^T f + x
Figure FDA00029589049100000211
where
Figure FDA00029589049100000212
denotes the round-down (floor) operation;
(4) the key generation center computes the delegated key PXK and sends it:
the key generation center, via the L polynomials
Figure FDA00029589049100000213
and the identification information of the members to be revoked
Figure FDA00029589049100000214
computes the delegated key PXK and sends it to the proxy server and to the unrevoked access member, where
Figure FDA0002958904910000031
(5) the proxy server computes the Lagrange coefficients and sends them:
the proxy server, via the delegated key PXK, the identification information I of the access member, the identification information of the unrevoked access member
Figure FDA0002958904910000032
and the identification information of the t access members to be revoked
Figure FDA0002958904910000033
computes, for each of the L polynomials
Figure FDA0002958904910000034
the corresponding Lagrange coefficient
Figure FDA0002958904910000035
and at the same time, via the L attribute elements {w_1, …, w_i, …, w_L}, computes the Lagrange coefficients {H_1, …, H_i, …, H_L} at the values of these L attribute elements, and sends
Figure FDA0002958904910000036
and {H_1, …, H_i, …, H_L} to the unrevoked access member;
(6) the unrevoked access member decrypts the ciphertext message pair (C_0, (C_1, C_2)):
(6a) the unrevoked access member, via PXK,
Figure FDA0002958904910000037
and the attribute private key pair (sk_1, sk_2) of the access member, computes the private key e_s of the unrevoked access member:
Figure FDA0002958904910000038
where
Figure FDA0002958904910000039
denotes any one of the Lagrange coefficients
Figure FDA00029589049100000310
;
(6b) the unrevoked access member, via the Lagrange coefficients {H_1, …, H_i, …, H_L} of the L attribute elements and the private key e_s of the unrevoked access member, decrypts (C_0, (C_1, C_2)) to obtain the decrypted plaintext M':
Figure FDA00029589049100000311
where Ω = W' # A, and (;) denotes the row-wise concatenation operation;
(6c) the unrevoked access member computes the error term r' of M' and judges whether
Figure FDA00029589049100000312
holds; if so, decryption succeeds and M' is taken as the plaintext M; otherwise decryption fails.
2. The ciphertext-policy attribute encryption method according to claim 1, wherein the n-dimensional random vector x obeying a discrete Gaussian distribution on the lattice in step (3a) is:
Figure FDA0002958904910000041
where c is an n-dimensional vector over the real numbers, L' is an n-dimensional lattice, s > 0 is a real number, and ρ_{s,c}(x) is a Gaussian function computed as:
Figure FDA0002958904910000042
where e is the base of the natural logarithm, π is the circular constant, and ||·|| denotes the square root of the sum of the squares of the vector's components.
3. The ciphertext-policy attribute encryption method according to claim 1, wherein in step (5) the computation of the Lagrange coefficient
Figure FDA0002958904910000044
corresponding to
Figure FDA0002958904910000043
uses the following formula:
Figure FDA0002958904910000045
where
Figure FDA0002958904910000046
is a Lagrange coefficient,
Figure FDA0002958904910000047
is the identification information of an unrevoked access member, I is the identification information of an access member, and
Figure FDA0002958904910000048
is the identification information of a member to be revoked.
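The secret-sharing layer beneath steps (2a), (4), (5) and (6a) of claim 1 and the Lagrange coefficients of claim 3, as an added example that is not the patent's code: an order-t polynomial over Z_q carries the secret in its constant term, the delegated key PXK supplies its values at the t revoked identities, and an unrevoked member's own share brings the point count to t+1. Because claim 3's formula is only an image, the standard interpolation-at-zero weights are assumed, as are the prime q, t and all identity values.

```python
"""Lagrange recovery of a shared polynomial's constant term over Z_q.
Added example, not code from the patent: it models the secret-sharing layer the
claims rest on (an order-t polynomial over Z_q with constant term mu_z, step (2a),
the delegated key PXK holding its values at the t revoked identities, step (4)).
Claim 3's exact Lagrange formula is only an image; standard interpolation-at-zero
weights, a constructed prime q and constructed identities are assumed here."""
import random

Q = 2**31 - 1  # constructed large prime modulus (the claims only require q prime)

def random_polynomial(secret, t, q=Q, rng=random):
    """Coefficients [P(0)=secret, c_1, ..., c_t] of an order-t polynomial over Z_q."""
    return [secret % q] + [rng.randrange(q) for _ in range(t)]

def evaluate(coeffs, point, q=Q):
    """Horner evaluation of P(point) mod q."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * point + c) % q
    return acc

def lagrange_coefficients(points, q=Q):
    """Weights H_j with sum(H_j * P(x_j)) == P(0) for distinct points x_j."""
    coeffs = []
    for xj in points:
        num, den = 1, 1
        for xk in points:
            if xk != xj:
                num = num * (-xk) % q
                den = den * (xj - xk) % q
        coeffs.append(num * pow(den, -1, q) % q)
    return coeffs

def recover_constant_term(shares, q=Q):
    """shares maps identity -> P(identity); an order-t P needs t+1 entries."""
    ids = list(shares)
    return sum(h * shares[x] for h, x in zip(lagrange_coefficients(ids, q), ids)) % q

def revocation_demo(t=3, q=Q, seed=7):
    """Steps (4)-(6) in miniature: PXK gives P at the t revoked identities; only a
    member adding its own share P(I) reaches the t+1 points that determine P(0)."""
    rng = random.Random(seed)
    secret = rng.randrange(q)
    poly = random_polynomial(secret, t, q, rng)
    revoked_ids = [11 * (i + 1) for i in range(t)]  # constructed I_wl values
    member_id = 11 * (t + 1)                         # constructed I of unrevoked member
    pxk = {i: evaluate(poly, i, q) for i in revoked_ids}
    with_member = {**pxk, member_id: evaluate(poly, member_id, q)}
    return (recover_constant_term(with_member, q) == secret,  # True
            recover_constant_term(pxk, q) == secret)          # False: only t points
```

The second return value shows why PXK alone (t points) fixes nothing: without a share at a further identity, the constant term is undetermined, which is exactly what keeps a revoked member from re-deriving e_s.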
CN201910526965.7A 2019-06-18 2019-06-18 Ciphertext strategy attribute encryption method supporting attribute revocation in lattice manner Active CN110247761B (en)

Publications (2)

Publication Number Publication Date
CN110247761A CN110247761A (en) 2019-09-17
CN110247761B true CN110247761B (en) 2021-04-20
