CN110378144A - The method for secret protection and system of range query are supported under data, that is, service mode - Google Patents
The method for secret protection and system of range query are supported under data, that is, service mode Download PDFInfo
- Publication number
- CN110378144A CN110378144A CN201910481273.5A CN201910481273A CN110378144A CN 110378144 A CN110378144 A CN 110378144A CN 201910481273 A CN201910481273 A CN 201910481273A CN 110378144 A CN110378144 A CN 110378144A
- Authority
- CN
- China
- Prior art keywords
- data
- hash
- signature
- item
- section
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6245—Protecting personal data, e.g. for financial or medical purposes
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2107—File encryption
Abstract
The present invention relates to method for secret protection and system that range query is supported under a kind of data, that is, service mode.It is in the management mode serviced in data, the security strategy of data service quotient is possible and incomplete, and data owner not fully trusts it.Under such circumstances, design one can it is complete, can guarantee that the mechanism of data query relative efficiency is necessary to data-privacy safety simultaneously.Existing data are that there are the risks that time low efficiency and privacy information are attacked in the management mode serviced.The present invention proposes a complete, personal secrets and supports the scheme of range query and data verification, and core is by the way that data subregion, the data in same subregion take the mode of hash function part sum to be indexed;In order to avoid false hiting data and data verification in range query, inquiry precision and validation matrix are introduced.By experimental verification, the present invention has good time efficiency, while can reduce data information leakage well.
Description
Technical field
The invention belongs to the technical field of data security such as data management, secret protection, and it is hidden specifically to design a kind of guarantee user
The data of private safety service (DaaS) Db Management Model.
Background technique
Data are to service the Db Management Model that (DaaS) has been cloud computing era.Data organization person passes through purchase service
Mode obtain on-demand data storage service, be placed on cloud by the way that task will be stored, it is possible to reduce the expense of enterprise, increase number
According to managerial ability.But data-privacy becomes safely an item data organizer and has to consider the problems of, privacy of user is let out at present
Dew already leads to serious social concern.
It is first exactly that reasonable access authority mechanism is set, illegal identity cannot in user privacy protection technique
Obtain the access authority of data.Next is exactly to carry out data encryption technology, to critical data or total data encryption storage, is deposited
Data of the storage by encryption.When using data, initial data is obtained by ciphertext data, then specifically statisticallyd analyze.
Currently, data, that is, service model (DaaS) is the effective means that data management uses.Often there are the clothes of data service quotient in data
It is engaged in device.Data consumer needs to obtain data from the server of data service quotient when using data.Data service mould
The advantages of type is that data access is enabled to be not limited to when and where, and data organization person does not have to take using corresponding hardware
Build data server.But data are stored in the hidden danger that data-privacy leakage is increased in data service quotient.
In DaaS mode, entire operation flow role can be divided into three: (1) data organization person.It is the institute of data
The person of having.(2) data service quotient.Store the encrypted data of user.(3) data use client.Using data service, quotient is provided
Service inquired.As shown in Fig. 1, data use the data storage service of data service quotient using client.Such as data
The data TRADE (tno cost, date) of oneself is deployed in data service quotient by organizer, hidden first of all for protection data
Private submits to data service quotient after data item encryption is obtained Entrypt (TRADE).Data are obtaining data group using client
The agreement for the person of knitting and after obtaining code book, i.e. inquiry data simultaneously decrypt and obtaining initial data.Trusting relationship kimonos between them
Business mode is also as shown in Fig. 1.Using client and data organizer there are trusting relationship, data can be obtained data using client
The Password Policy of data obtains data query service.And data service quotient and they there is no absolute trusting relationship, data
Service provider is incredible the reason is that their storage strategy is not fully reliable, may exist illegally stolen and distorted can
It can property.
For data-privacy safety, under data service quotient and incredible situation, need to carry out encryption storage to data,
And when carrying out query service, the data inquiry request of operation is also handled, data service quotient is made not know specific number
According to.It needs to improve the operability in encryption data simultaneously and query result can be verified.
Range query in encryption data and be to guarantee data and service available core to the verifying of query result
Technology.There are the Encryption Algorithm and bucket point-score of holding sequence in the method for carrying out range query to encryption technology.It is suitable using holding
When the encryption of sequence, that is to say, that number d1<d2When, there is Encrypt (d after encryption1)<Encrypt(d2).This method is
There is algorithm realization, related algorithm includes OPE, OPES, but the above method compares the consuming time, and when being inserted into new data
Complexity is higher, can consume more computing resources.The method of bucket point is that data area is divided into several discrete sections, often
One identifier of a barrel of distribution, in the state of ideal, if the most data of each bucket, there is no the vacations of inquiry in this way
The case where hit, but in practical situations, data are frequently not equally distributed, and inquire and often will appear false hit
Situation.In the verification technique to data, technology is generally verified using Merkle Hash tree at present, and this mode is for multidimensional
The comparison of data is difficult, relatively high for space requirement.Such as 2-D data, the space complexity needed is O
(n2).Simultaneously in more new data, needs to update the cryptographic Hash of all father nodes of the Merkle node of the data, need data
The data for collecting all participate in calculating.
Summary of the invention
The present invention is in view of the above-mentioned problems, provide a kind of data-privacy guarantor that can verify that in data service model (DaaS)
Maintaining method can support range query simultaneously, and support the verification of correctness of query result.
Overall technological scheme of the invention is as follows:
1. being classified as N number of section by dividing codomain section U, unique identifier is distributed in each section.This section
The updating unit of hash index and hash signature chain, is the updating unit of security strategy when being data insertion.Security strategy is more
Newly referring to can prevent that encryption can also be changed because access frequency is by important sexual assault by updating the identifier in section
Key makes certain data automatically expired using the data permission of user, data access authority can be prevented to be abused in this way.
2. introducing inquiry precision Φ and mark record can be determined in this way when carrying out range-based searching according to bounds
Specific position is arrived in position.
3. the hash index being consistent with the sequence of the attribute value of data is obtained by calculation in the same subregion.?
When the hash index for the sequence that is maintained, sequence is kept by the hash function value for the partition element that adds up.
4. the present invention has counted a kind of hash signature chain and validation matrix carries out data verification.Each Hash in hash signature chain
Signature is obtained by the Hash of data item and data item adjacent thereto.Hash signature chain is stored in data service quotient
, in order to verify hash signature chain and data item, the present invention devises validation matrix and carrys out revene lookup result.Pass through verifying
Matrix can pass through card certainly, its card, altogether three kinds of mode verify data correctness of card and integrality.
Specifically, The technical solution adopted by the invention is as follows:
The method for secret protection of range query is supported under a kind of data, that is, service mode, comprising the following steps:
1) codomain of data is divided into several sections by data organization end, and unique identifier is distributed in each section, section with
The a part of mapping relations as code book between identifier;Code book is licensed to trusted data by data organization end to be made
With end;
2) hash index of holding sequence is established at data organization end to the data item in the same section, and calculates Hash label
Name chain;Each hash signature is obtained by the Hash of data item itself and the data item being attached thereto in the hash signature chain;
3) when data organization end insertion data, the setting mark record in hash index, then by the encryption in each section
Data item and corresponding hash index, hash signature chain submit to data service end;
4) when data carry out range-based searching to data service end using end, the inquiry precision that is set by data organization end and
Mark record, navigates to specific position according to bounds;
5) after data receive the data that data service end returns using end, the code book logarithm of data organization end authorization is utilized
According to being decrypted, data are verified using the validation matrix of hash signature.
The intimacy protection system of range query, including data organization end, data clothes are supported under a kind of data, that is, service mode
Business end and data use end;
The codomain of data is divided into several sections by data organization end, and unique identifier, section and mark are distributed in each section
Know a part of the mapping relations between symbol as code book;Code book is licensed to trusted data and used by data organization end
End;
The hash index of holding sequence is established at data organization end to the data item in the same section, and calculates hash signature
Chain;Each hash signature is obtained by the Hash of data item itself and the data item being attached thereto in the hash signature chain;
When data are inserted at data organization end, the setting mark record in hash index, then by the encryption in each section
Data item and corresponding hash index, hash signature chain submit to data service end;
When data carry out range-based searching to data service end using end, the inquiry precision and mark that are set by data organization end
Will record, navigates to specific position according to bounds;
After data receive the data of data service end return using end, using the code book of data organization end authorization to data
It is decrypted, data is verified using the validation matrix of hash signature.
The present invention devises a kind of data service model (DaaS) of highly effective and safe, by data submission, inquiry and
The design of aspect is verified, safety guarantee can be provided in the Life cycle of data, one can be provided with good time efficiency
A complete, safe DaaS model simultaneously provides data management, guarantees data-privacy safety.The program have the following advantages that and
Effect:
1, it can be realized the accurate range query in encryption data, query result the case where there is no false hits.Pass through
Definition inquiry precision Φ, can navigate to side in data set in the data boundary of range query not in data set
Boundary.
2, there is good time efficiency.By domain partition, for data set totality n, all operations can be
Time complexity be O (1) in the case where complete.Data all have effect of good time in submission, update and query process
Rate.
3, the verification of correctness to query result is increased.The data hash signature of data verification is stored in data service
Shang Zhong utilizes the service of data service quotient to greatest extent, while for more perfect verifying, by validation matrix to signature with
And data item is verified by three kinds of modes, can be verified to data with the presence or absence of deleting, forging and destroying situation.
4, data Life cycle data-privacy safeguard protection.It is submitted from data, arrives data storage, data query, data
The entire data transmission procedure of verification of correctness protects data personal secrets, effectively reduces truthful data leakage and prevents logarithm
According to the statistical analysis for carrying out malice.
5, by data subregion, can press subregion is that unit upgrades Data Security.By pressing subregion step by step more
New Data Flag symbol and data subregion, enable to the code book in data consumer's hand to fail, and are conducive to the safety control of data
System.
Detailed description of the invention
Fig. 1 is the organization chart of data service model (DaaS) and the schematic diagram of their trusting relationships.
Fig. 2 is the whole schematic flow diagram of the present invention program.Mainly point three parts, data organization person, data service quotient,
Data use client.The data management interface and its query interface of five interfaces, data organization person and data service provider, data make
With the match query and data verification interface of client.
Fig. 3 is the hash signature schematic diagram of the present invention program design, and wherein character d indicates data item, and s is indicated and the data
The hash signature that item stores together.
Fig. 4 is description the present invention program in multi-dimensional query data, the hash signature schematic diagram of data.Wherein A, B are indicated
The attribute of two inquiries, the data item in the subregion of an attribute A are also to maintain sequence by attribute B.
Fig. 5 is the schematic diagram of the data area inquiry of the present invention program, and Q represents inquiry, and a, b are query context boundary, id
It is the identifier of specific domain partition.
Fig. 6 is the processing time comparison result figure of CPS inquiry.
Fig. 7 is the comparison result figure of data index value Yu data original value.
Specific embodiment
The main technical essential of the present invention has codomain to divide, obtains hash index, calculate hash signature chain and submission, look into
It askes and the core procedures such as verify data.Fig. 2 is the whole schematic flow diagram of the present invention program, mainly point three parts, data group
The person of knitting, data service quotient, data use client.This three parts can also be referred to as data organization end, data service end, data make
With end.The implementation of every part is illustrated in detail below.
1. codomain divides.
The codomain of the index entry for the inquiry that data organization person will establish is set as U, is classified as N number of area according to its distribution
Between, an identifier id is distributed in each sectioni.This identifier can one section of unique match, each section is identified with it
The a part of mapping relations as code book between symbol, while this code book, that is, data organization person is possessed.
2. obtaining hash index.
This part is principally obtaining hash index in order, is completed by data organization person.For data d1<d2, rope
Draw value Index (d1)<Index(d2).The cryptographic Hash of this holding sequence in order to obtain, while can rapidly calculate this Kazakhstan
Uncommon value, using the part of cryptographic Hash and to obtain in same subregion.I.e. for subregion UiData Di={ d1,d2,...,
dNi}.Its hash index obtains in the following manner:
3. obtaining hash signature chain and validation matrix.
This part primarily to revene lookup result correctness and integrality, completed by data organization person.Hash
The unit of account of signature chain is also subregion.In each data record, as shown in Fig. 3, data item sorts in order, often
A data item records the hash signature being calculated jointly by the cryptographic Hash of data item and next data item.Signature is public
Formula are as follows:
S (data)=MaxP (SHash (di), 1/ ε1)+MaxP(SHash(di-1), 1/ ε2) (1)
Wherein ε1, ε2It is the parameter calculated, S (data) indicates that the hash signature of data data, MaxP (a, b) represent less than a
The maximum common multiple of the integer b of (a needs not be integer), SHash are applied in data item diHash function.ε1, ε2Determine signature
The collision rate of formula works as ε according to signature formula1, ε2It is smaller, simultaneouslyWhen taking prime number, signature formula collision rate is lower.
ε simultaneously1, ε2It should be determined by data organization person, reliable for data verification, the parameter is unknowable for data service quotient.
It can be proved by three kinds of modes by each data item of this formula or hash signature: 1) from card.2) he
Card.Hash signature proves that data item is proved by previous hash chain by the latter data item.3) it demonstrate,proves altogether.It is public to meet signature
Formula.It is then based on the validation matrix of this one hash signature of design:
WhereinsijIndicate whether hash signature or data item meet three kinds of mode of proof.He
Card and the mode demonstrate,proved certainly are following formula (2), (3).Wherein siIt is the data d that request data obtains from data service quotienti's
Hash signature.s11,s12,s13Indicate whether hash signature meets from card, he demonstrate,proves and total card, s21,s22,s23Respectively indicate data item
Whether meet from card, he demonstrate,proves and total card.1 indicates to meet, 0 foot with thumb down.
Whereinβ1=1- ε1,β2=1- ε2, β3Show the error β of three kinds of proofs3=1- ε1·ε2.Simultaneously
Definition calculates " * ":
Au=S*A, auij=max (Sik×akj)。
Wherein, sikThe element of representing matrix S, i and k indicate the subscript of row and column;akjThe element of representing matrix A, k and j table
Show the subscript of row and column.
4. submitting data
In terms of data organization person relates generally to two when data service quotient submits data item, hash index and Hash label
The calculating of name.It is the identifier id of the subregion of data to be obtained first, after being matched to data identifier id by code book, in order to
So that the hash index and hash signature of data keep correct in same subregion, needs to be consulted and request according to the id to data service and ask this
Subregion all data (request the subregion all data be data insertion general step, if it is first time submit number
According to obtaining empty data after then requesting).It is inserted into the new data to be submitted and to the data sorting in subregion, later basis
Signature formula and index formula obtain hash index and hash signature.It finally obtains and all data of the subregion is submitted to data clothes
It is engaged in quotient.
When obtaining index, it may be necessary to insertion mark record.For subregion [a, b), inquire precision Φ, need insert
The data v entered is previously inserted into mark data, i.e. mark record v '.According to the method for acquisition hash index above it is known that right
The boundary data values being not present are concentrated in a data, are unable to get the smallest value greater than it and the maximum value less than it.
It is that can not position boundary value c and d namely for query range Q (c, d).In order to solve this problem inquiring precision is exactly.It looks into
Ask the minimum inquiry precision for the data that precision Φ is a section.Inquiry precision is that array organization person determines.Data consumer
Need to know inquiry precision in inquiry, this information is that data organization person gives.If subregion [a, b) inquiry precision be
Φ, so that it may by section [a, b) be divided into the discrete data of { a, a+ Φ ..., a+i Φ ..., b }, at this time inquire boundary c and d
A+i Φ can be just converted to respectively, which can navigate to the specific location of data set by mark record v '.Mark record v '
< v, in the subregion, index is still able to maintain sequence, records v ', v '=a+i Φ simultaneously for mark, needs to record mark record
Added value i, the mark record partition identifier id it is identical as data v.The calculation formula of i is (v-a)/Φ, while taking this
Value is integer.
It for Φ, should be defined according to the data distribution of subregion, while the Φ of different partition definitions is not necessarily identical, data
Than sparse, then Φ can be relatively intensive for data in subregion more greatly, Φ is relatively small, such as the number of integer type
According to Φ can be set as 1.Φ is also unknowable for data service quotient simultaneously.
When submitting a data item, a record may be indexed with the presence of multiple attributes.Subregion on different attribute is
Different, in order to calculate index value and the hash signature of multiple attributes, need to operate by attribute sequence.Assuming that
There are two attributes of A and B for a data item of insertion, the number of entire subregion is obtained according to the partition identifier of A value first
According to item, index and hash signature are recalculated after being inserted into entire data item.Then it is obtained by obtaining the partition identifier of attribute B
The data item of all subregions updates the index and signed data and the clothes being submitted in data service quotient of these data item later
Business device.As shown in figure 4, wherein A, B indicate the attribute of two inquiries, the data item in an attribute section A is also by attribute B
Holding sequence.
5. inquiring data
When to data range-based searching, range areas can be divided into two classes: 1) entire interval censored data all meets inquiry.2)
It, partially may not be in query context in the section on inquiry boundary.After range is divided into these two types, partition identifier and meter are matched
Index value and mark record added value are calculated, after these information to be submitted to the server in data service quotient, server is returned
Data are to data consumer.Data consumer obtains ciphertext data (the code book logarithm authorized using data organization person after data
According to being decrypted) and verify data.Schematic diagram when Fig. 5 is range query, wherein q1、q2Indicate that numerical value a and b are calculated
Mark record.
For data consumer after the data after being inquired, each data include data item diWith hash signature si.Then root
The signature matrix of each data i is calculated accordinglyAccording to the definition of front Au, can be judged by Au following
Result: a possibility that not lacked before the data item be au12, a possibility that not lacking data behind the data item is au22,
A possibility that data item is correct is au21, the hash signature it is correct a possibility that be au11。
6. experimental data and conclusion
The present invention program based on time efficiency and data distribution come proof scheme, demonstrate the feasibility of the program with
There is good time efficiency in time.Below by the advantage of further experimental analysis this programme.This programme is simulated at one
The data set TRADE (tno cost, date) of a generation and public database TLSPD from service statistics.
1) time efficiency is verified.
A main performance indicator of the invention is exactly time efficiency.The time efficiency of our schemes first.This is sent out
The time of the implementation procedure of bright scheme is compared with OPHF, as shown in table 1.OPHF is a kind of sequence rope without using subregion
Draw algorithm.
Table 1: different schemes execute time statistical form (millisecond/each data item)
Subregion number (N) | All Time | Encryption and decryption time | Data query pretreatment time | The query time of data service quotient |
500 | 54.90754 | 0.52868 | 0.3628 | 54.01606 |
1000 | 54.6431 | 0.45218 | 0.22302 | 53.9679 |
2000 | 52.6859 | 0.40784 | 0.14428 | 52.13378 |
OPHF | 4957.006 | 4.842 | 4929.932 | 22.096 |
During the experiment, analogue data TRADE (tno cost, date) have 10000 datas, wherein cost be from
0 to 10000000 ranges are equally distributed to be randomly generated.During the experiment, the scheme CPS for taking us first, to cost
Attribute is indexed, and is tested in the way of demarcation interval number 500,1000,2000, and experimental result is as shown in fig. 6, can be with
See it is smaller in interval division, then the time consumed is fewer.But demarcation interval is fewer, data owner needs the number recorded
Just contain the data crossed very much according to code book.Simultaneously by the way that compared with OPHF, the solution of the present invention has good time efficiency.
2) data-privacy is protected
This part chief proof data directory of the invention will not leak data privacy.Mainly including will not leak data
Distribution and data maximum, minimum value.Experimental result is as shown in Figure 7, it can be seen that data directory is in same subregion
It is incremental, and increase be it is linear, it is unrelated with data distribution.(a) figure is the equally distributed data that simulation generates in Fig. 7,
And (b), figure is actual database, it can be seen that the distribution regardless of real data, as long as subregion is rationally arranged, so that each
Data item in subregion is as identical as possible, then can attack to avoid importance.The dynamic of the identifier of each subregion simultaneously
Update avoids maliciously being analyzed according to enquiry frequency.
This programme has carried out experimental verification from time efficiency and the angle of data personal secrets, and experiment shows that the program has
Good time efficiency.In the calculating consumption that data are submitted, data query and data Qualify Phase are all only seldom.And the party
Case is a complete scheme, and in data relationship model, scheme through the invention can efficiently and safely manage number
According to, can safely and effectively inquire encryption data under data service quotient and incredible situation, and be able to verify that inquiry knot
The integrality and correctness of fruit.
Another embodiment of the present invention provides the intimacy protection system that range query is supported under a kind of data, that is, service mode, packets
It includes data organization end, data service end and data and uses end;
The codomain of data is divided into several sections by data organization end, and unique identifier, section and mark are distributed in each section
Know a part of the mapping relations between symbol as code book;Code book is licensed to trusted data and used by data organization end
End;
The hash index of holding sequence is established at data organization end to the data item in the same section, and calculates hash signature
Chain;Each hash signature is obtained by the Hash of data item itself and the data item being attached thereto in the hash signature chain;
When data are inserted at data organization end, the setting mark record in hash index, then by the encryption in each section
Data item and corresponding hash index, hash signature chain submit to data service end;
When data carry out range-based searching to data service end using end, the inquiry precision and mark that are set by data organization end
Will record, navigates to specific position according to bounds;
After data receive the data of data service end return using end, using the code book of data organization end authorization to data
It is decrypted, data is verified using the validation matrix of hash signature.
The above embodiments are merely illustrative of the technical solutions of the present invention rather than is limited, the ordinary skill of this field
Personnel can be with modification or equivalent replacement of the technical solution of the present invention are made, without departing from the spirit and scope of the present invention, this
The protection scope of invention should be subject to described in claims.
Claims (10)
1. supporting the method for secret protection of range query under a kind of data, that is, service mode, which comprises the following steps:
1) codomain of data is divided into several sections by data organization end, and unique identifier, section and mark are distributed in each section
The a part of mapping relations as code book between symbol;Code book is licensed to trusted data and used by data organization end
End;
2) hash index of holding sequence is established at data organization end to the data item in the same section, and calculates hash signature
Chain;Each hash signature is obtained by the Hash of data item itself and the data item being attached thereto in the hash signature chain;
3) when data organization end insertion data, the setting mark record in hash index, then by the number of the encryption in each section
Data service end is submitted to according to item and corresponding hash index, hash signature chain;
4) when data carry out range-based searching to data service end using end, the inquiry precision and mark that are set by data organization end
Record, navigates to specific position according to bounds;
5) data using end receive data service end return data after, using data organization end authorization code book to data into
Row decryption, verifies data using the validation matrix of hash signature.
2. the method as described in claim 1, which is characterized in that hash index and Hash when each section is insertion data
The updating unit of signature chain, is the updating unit of security strategy;The update of security strategy refers to the identifier by updating section
To prevent from weighing certain data using the data of user by important sexual assault, and change encryption key due to accessing frequency
Limit is automatic expired, so that data access authority be prevented to be abused.
3. the method as described in claim 1, which is characterized in that when establishing the hash index of the holding sequence, by folded
Add the hash function value of section interior element to keep sequence.
4. the method as described in claim 1, which is characterized in that the inquiry precision can be to navigate to inquiry in range query
Boundary, different inquiry precision, which is arranged, in different sections not will cause data distribution leakage;In range query by comparing mark
The label and boundary value of record avoid the false hit of inquiry.
5. the method as described in claim 1, which is characterized in that the hash index is in the same section, index value and number
It is identical according to record sequence, in range query, it is only necessary to find the positioning on boundary, it will be able to the range inquired.
6. the method as described in claim 1, which is characterized in that the validation matrix is calculated according to hash signature, Hash
Signature and data item can be verified;Data are demonstrate,proved certainly using end, he demonstrate,proves, three kinds of mode of proof of notarization test data
Card can verify data with the presence or absence of deleting, forging and destroying situation.
7. method as claimed in claim 6, which is characterized in that the calculation formula of the hash signature are as follows:
S (data)=MaxP (SHash (di), 1/ ε1)+MaxP(SHash(di-1), 1/ ε2)
Wherein, ε1, ε2It is the parameter calculated, S (data) indicates that the hash signature of data data, MaxP (a, b) represent less than a's
The maximum common multiple of integer b, SHash are applied in data item diHash function;ε1, ε2Determine the collision rate of signature formula, root
According to signature formula, work as ε1, ε2It is smaller, simultaneouslyWhen taking prime number, signature formula collision rate is lower.
8. the method for claim 7, which is characterized in that the validation matrix are as follows:
Wherein,sijIndicate whether hash signature or data item meet three kinds of mode of proof, s11, s12,
s13
Indicate whether hash signature meets from card, he demonstrate,proves and total card, s21, s22, s23Respectively indicate data item whether meet from card,
He demonstrate,proves and demonstrate,proves altogether;
Wherein,β1=1- ε1, β2=1- ε2, β3Show the error of three kinds of proofs, β3=1- ε1·ε2;
Wherein, Au=S*A, auij=max (sik×akj);sikThe element of representing matrix S, i and k indicate the subscript of row and column;akj
The element of representing matrix A, k and j indicate the subscript of row and column.
9. the method as described in claim 1, which is characterized in that the data are using holding after the data after being inquired, often
A data include data item diWith hash signature si, the signature matrix of each data i is then calculated according to thisWherein: a possibility that not lacking before the data item is au12, do not lack data behind the data item
Possibility is au22, a possibility that data item is correct is au21, the hash signature it is correct a possibility that be au11。
10. supporting the intimacy protection system of range query under a kind of data, that is, service mode, which is characterized in that including data organization
End, data service end and data use end;
The codomain of data is divided into several sections by data organization end, and unique identifier, section and identifier are distributed in each section
Between a part as code book of mapping relations;Code book is licensed to trusted data and uses end by data organization end;
The hash index of holding sequence is established at data organization end to the data item in the same section, and calculates hash signature chain;
Each hash signature is obtained by the Hash of data item itself and the data item being attached thereto in the hash signature chain;
When data are inserted at data organization end, the setting mark record in hash index, then by the data of the encryption in each section
Item and corresponding hash index, hash signature chain submit to data service end;
When data carry out range-based searching to data service end using end, the inquiry precision and mark set by data organization end is remembered
Record, navigates to specific position according to bounds;
After data receive the data of data service end return using end, data are carried out using the code book of data organization end authorization
Decryption, verifies data using the validation matrix of hash signature.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910481273.5A CN110378144B (en) | 2019-06-04 | 2019-06-04 | Privacy protection method and system supporting range query in data-as-a-service mode |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910481273.5A CN110378144B (en) | 2019-06-04 | 2019-06-04 | Privacy protection method and system supporting range query in data-as-a-service mode |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110378144A true CN110378144A (en) | 2019-10-25 |
CN110378144B CN110378144B (en) | 2021-09-07 |
Family
ID=68249693
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910481273.5A Active CN110378144B (en) | 2019-06-04 | 2019-06-04 | Privacy protection method and system supporting range query in data-as-a-service mode |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110378144B (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113536379A (en) * | 2021-07-19 | 2021-10-22 | 建信金融科技有限责任公司 | Private data query method and device and electronic equipment |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20070038579A1 (en) * | 2005-08-12 | 2007-02-15 | Tsys-Prepaid, Inc. | System and method using order preserving hash |
US7539661B2 (en) * | 2005-06-02 | 2009-05-26 | Delphi Technologies, Inc. | Table look-up method with adaptive hashing |
CN102346747A (en) * | 2010-08-04 | 2012-02-08 | 鸿富锦精密工业(深圳)有限公司 | Method for searching parameters in data model |
CN103024035A (en) * | 2012-12-11 | 2013-04-03 | 上海交通大学 | Safe and energy-saving encryption searching method based on mobile cloud platform |
US20140095490A1 (en) * | 2012-09-28 | 2014-04-03 | International Business Machines Corporation | Ranking supervised hashing |
CN103927357A (en) * | 2014-04-15 | 2014-07-16 | 上海新炬网络技术有限公司 | Data encryption and retrieval method for database |
CN108075921A (en) * | 2016-11-18 | 2018-05-25 | 阿里巴巴集团控股有限公司 | A kind of monitoring method, device and the server of big data system service performance |
-
2019
- 2019-06-04 CN CN201910481273.5A patent/CN110378144B/en active Active
Patent Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7539661B2 (en) * | 2005-06-02 | 2009-05-26 | Delphi Technologies, Inc. | Table look-up method with adaptive hashing |
US20070038579A1 (en) * | 2005-08-12 | 2007-02-15 | Tsys-Prepaid, Inc. | System and method using order preserving hash |
CN102346747A (en) * | 2010-08-04 | 2012-02-08 | 鸿富锦精密工业(深圳)有限公司 | Method for searching parameters in data model |
US20140095490A1 (en) * | 2012-09-28 | 2014-04-03 | International Business Machines Corporation | Ranking supervised hashing |
CN103024035A (en) * | 2012-12-11 | 2013-04-03 | 上海交通大学 | Safe and energy-saving encryption searching method based on mobile cloud platform |
CN103927357A (en) * | 2014-04-15 | 2014-07-16 | 上海新炬网络技术有限公司 | Data encryption and retrieval method for database |
CN108075921A (en) * | 2016-11-18 | 2018-05-25 | 阿里巴巴集团控股有限公司 | A kind of monitoring method, device and the server of big data system service performance |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113536379A (en) * | 2021-07-19 | 2021-10-22 | 建信金融科技有限责任公司 | Private data query method and device and electronic equipment |
CN113536379B (en) * | 2021-07-19 | 2022-11-29 | 建信金融科技有限责任公司 | Private data query method and device and electronic equipment |
Also Published As
Publication number | Publication date |
---|---|
CN110378144B (en) | 2021-09-07 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Li et al. | Fast range query processing with strong privacy protection for cloud computing | |
Yiu et al. | Enabling search services on outsourced private spatial data | |
Guo et al. | Towards public verifiable and forward-privacy encrypted search by using blockchain | |
Liu et al. | Nonlinear order preserving index for encrypted database query in service cloud environments | |
US7519835B2 (en) | Encrypted table indexes and searching encrypted tables | |
CN101512525A (en) | Encrypted data search | |
CN107423632A (en) | Customizable sensitive data desensitization method and system | |
CN110392038B (en) | Multi-key searchable encryption method capable of being verified in multi-user scene | |
CN110069946B (en) | Safe indexing system based on SGX | |
CN105743905B (en) | A kind of method that realizing secure log, unit and system | |
CN109088719B (en) | Outsourced database multi-key word can verify that cipher text searching method, data processing system | |
CN109241352A (en) | The acquisition methods and server of Profile information | |
CN114579998A (en) | Block chain assisted medical big data search mechanism and privacy protection method | |
Li et al. | Towards efficient verifiable boolean search over encrypted cloud data | |
CN113434555B (en) | Data query method and device based on searchable encryption technology | |
CN114969406A (en) | Sub-graph matching method and system for privacy protection | |
CN109918451A (en) | Data base management method and system based on block chain | |
Guo et al. | LuxGeo: Efficient and Security-Enhanced Geometric Range Queries | |
Li et al. | BEIR: A blockchain-based encrypted image retrieval scheme | |
CN110378144A (en) | The method for secret protection and system of range query are supported under data, that is, service mode | |
Tian et al. | EAFS: An efficient, accurate, and forward secure searchable encryption scheme supporting range search | |
WO2019191579A1 (en) | System and methods for recording codes in a distributed environment | |
Ausekar et al. | Dynamic verifiable outsourced database with freshness in cloud computing | |
Lopes et al. | A framework for investigating the performance of sum aggregations over encrypted data warehouses | |
Li et al. | Verifiable range query processing for cloud computing |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |