CN110933052A - Encryption and policy updating method based on time domain in edge environment - Google Patents

Encryption and policy updating method based on time domain in edge environment

Info

Publication number
CN110933052A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201911126098.4A
Other languages
Chinese (zh)
Inventor
李尤慧子
董泽勇
贾刚勇
蒋从锋
万健
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou Dianzi University
Hangzhou Electronic Science and Technology University
Original Assignee
Hangzhou Electronic Science and Technology University
Application filed by Hangzhou Electronic Science and Technology University filed Critical Hangzhou Electronic Science and Technology University
Priority to CN201911126098.4A priority Critical patent/CN110933052A/en
Publication of CN110933052A publication Critical patent/CN110933052A/en

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a time-domain-based encryption and policy updating method for edge environments. The method comprises a system initialization process, a user registration process, a data encryption process, a user private key generation process and a ciphertext decryption process. Because time is an important factor in practical applications, the invention adds time information to attribute-based encryption so that access control over data becomes more flexible. In addition, because edge computing distributes computing and storage resources, a multi-authority architecture combined with outsourced decryption fits it well: the computing load on terminal devices is shared, device energy consumption is reduced, and the attribute-based encryption system becomes safer and more reliable. The invention also provides an efficient dynamic policy updating method, so that the data owner can update an old ciphertext, and thereby keep the data confidential, without retrieving the ciphertext from the network, re-encrypting it and publishing it again.

Description

Encryption and policy updating method based on time domain in edge environment
Technical Field
The invention relates to the technical field of computer information security, in particular to a ciphertext policy attribute-based encryption method and a policy updating method thereof for data acquisition and sharing in an edge computing environment.
Background
With the development of the internet of things and the popularization of 5G networks, more and more terminal devices are scattered at the edge of the network, and the devices generate massive data, which brings new computational and security challenges. In addition, increasing user demand has facilitated the development of low latency complex applications and services, such as augmented reality, virtual reality, intelligent transportation, and smart cities. To meet the needs of the above applications and improve the user experience, edge computing is proposed as a new computing paradigm for distributed processing to solve the above problems. Edge computing refers to an open platform for integrating connection, computation and storage on the edge side of a network close to a terminal or a data source. The advantages of edge computing are twofold compared to cloud computing: first, it can improve the response time of the user by taking advantage of the available computing and storage resources of the edge nodes near the user. Secondly, as mass data does not need to be transmitted to the cloud any more, the required transmission bandwidth is also saved.
The new architecture and the larger volume of data in edge computing also make data security problems more serious. Data encryption is a common way to protect data security and privacy, and attribute-based encryption, as a fine-grained access control method, has become one of the hot spots of data security research in recent years. In cloud computing, however, an attribute-based encryption method typically has only one authority, which is responsible for the authorization, key generation and key distribution of all attributes in the system. This structure causes several problems. First, it is a performance bottleneck: if a large number of users send private key requests to the authority at the same time, the time these users wait for their private keys will be much longer than the average private key distribution time. Second, it is a security single point of failure: because the authority knows the private parameters of all attributes, an attacker who compromises it can create any private key he wants, the whole system collapses, and all data in the system is exposed to the intruder. To solve these problems, multi-authority attribute-based schemes have been proposed, in which each attribute authority is responsible for the authorization and distribution of only part of the attributes. The distributed nature of edge computing fits the multi-authority scenario well. Furthermore, most terminal devices in the Internet of Things are resource-constrained. Therefore, to increase data access speed and reduce device power consumption, computationally complex decryption operations are often outsourced to nodes with strong computing power.
Compared with a remote cloud server, an edge node is geographically closer to the terminal device and has sufficient computing and storage capacity; pre-decrypting there shortens the data transmission path and reduces the risk of exposing the semi-decrypted ciphertext.
In addition, in many practical applications time is an important factor in determining the usefulness and validity of data, especially when the volume of data is massive. For example, when tracking a suspect using video captured by road cameras, video recorded close to the time of the crime is more valuable. Time should therefore be considered in data acquisition and sharing. Taking a fire as an example, if a smart home device detects a fire in a house, it may temporarily share private real-time surveillance video and smoke sensor data with the property manager and firefighters. With first-hand information about the fire, they can prepare better and reduce the losses as much as possible. Therefore, a multi-authority attribute-based encryption method with time-domain support and outsourced decryption is needed to support data collection and sharing in an edge computing environment more fully and efficiently.
Furthermore, changing user roles and high device mobility are also characteristic of edge computing. As factors such as location, time and user role change, a new access policy may need to be set for an existing ciphertext. Given the computational overhead and bandwidth cost of updating policies, a secure and efficient dynamic policy update mechanism is also necessary.
Disclosure of Invention
The invention provides a time-domain-based encryption and policy updating method for edge environments. A time attribute is introduced into the original attribute-based encryption method so that the access mechanism for data can be defined more flexibly; a multi-authority structure is introduced, which both matches the distributed structure of edge computing and allows user requests to be answered more quickly and securely; outsourced decryption is supported, reducing the computing load on terminal devices when they access data; and a secure and efficient dynamic policy update mechanism is provided, so that the access policy of a ciphertext can be modified online and the data producer does not need to retrieve the ciphertext, re-encrypt it and publish it again.
The technical scheme adopted by the invention to solve the technical problem is as follows:
The method comprises a system initialization process, a user registration process, a data encryption process, a user private key generation process and a ciphertext decryption process; the specific steps are as follows:
S1, system initialization: the central authority generates the system public parameters and a pair of verification and signing keys based on the security parameter; each attribute authority registers with the central authority, sets the attribute set it is responsible for, and generates its own private key and public key.
S2, user registration: a user newly joining the system registers with the central authority to obtain an identity certificate and an identity private key.
S3, data encryption: the data owner sets time parameters for the time attribute sets belonging to different authorities in the access policy, symmetrically encrypts the plaintext data to generate the data ciphertext, and then encrypts the symmetric key based on the system public parameters, the authority public keys and the access policy to obtain the key ciphertext.
S4, user private key generation: the data accessor sends private key requests to the corresponding attribute authorities based on its authorized attribute set, obtains the corresponding general private keys and time private keys, and then converts the private keys obtained from the attribute authorities into an edge private key and a local private key.
S5, ciphertext decryption: the data accessor asks an edge computing node to perform outsourced decryption of the key ciphertext, then performs local decryption to obtain the symmetric key, and finally decrypts the data ciphertext with the symmetric key to obtain the plaintext data.
Further, in step S1, the system public parameters are expressed as: $GP = (G, G_T, g, h, e, F)$;
where $G$ and $G_T$ are two bilinear groups of order $p$, and $g$ and $h$ are two generators of $G$; $e: G \times G \to G_T$ is a symmetric bilinear map that operates on two elements of $G$ and maps the result into $G_T$. $F: \{0,1\}^* \to G$ is a collision-resistant hash function that maps attributes to elements of $G$. Let $\mathbb{I}_{AA}$ denote all attribute authorities in the system, and let $Z_p$ denote the integer field from 1 to p. Each attribute authority $AA_j$ randomly selects $\alpha_j, \beta_j \in Z_p$; then:
The private key of the authority is expressed as:
Figure BDA0002276859000000021
The public key of the authority is expressed as:
Figure BDA0002276859000000022
Further, in step S2, the identity certificate is expressed as:
Figure BDA0002276859000000023
The identity private key is expressed as:
Figure BDA0002276859000000024
where uid is the number of the user, $u_{uid} \in Z_p$ is randomly selected, $sk_{CA}$ denotes the signing key of the central authority, and
Figure BDA0002276859000000025
denotes running the signature algorithm on the user's $u_{uid}$ with the signing key $sk_{CA}$.
Further, step S3 specifically includes:
The data owner first specifies the access policy $(A, \rho)$ for the plaintext data, where $A$ is an $l \times n$ matrix and $l$ is the number of attributes contained in the access policy, i.e., each row of the matrix $A$ corresponds to one attribute. The function $\rho$ maps the rows of the matrix $A$ to the corresponding attributes. For the attributes in the access policy that belong to each attribute authority $AA_j$, the data owner randomly selects $r_j \in Z_p$ and sets the time parameter for the time attribute set, then securely sends the time parameter to the attribute authority to which the time attribute set belongs so that it can generate time private keys.
Then a symmetric key $k$ is selected to symmetrically encrypt the plaintext data into the data ciphertext, and the symmetric key $k$ is further encrypted, based on the system public parameters, the authority public keys and the access policy, to generate the key ciphertext $CT_{FID}$.
The time parameter setting formula comprises:
Figure BDA0002276859000000026
where
Figure BDA0002276859000000027
is the set of time attributes in the key ciphertext numbered FID that belong to the attribute authority $AA_j$, and $[T_{begin}, T_{end}]$ denotes the access time range of that set of time attributes.
The data ciphertext generation formula comprises: $CT_{data} = Enc(M, k)$, where the function $Enc(M, k)$ denotes symmetric encryption of the plaintext data $M$ using the symmetric key $k$.
The key ciphertext generation formula comprises:
Figure BDA0002276859000000028
where FID is the number of the key ciphertext and $s \in Z_p$ is a randomly chosen secret value. To share the secret value $s$, $y_2, \ldots, y_n \in Z_p$ are also randomly chosen and form, together with $s$, a vector
Figure BDA0002276859000000029
Figure BDA00022768590000000210
is a share of $s$, where $A_x$ is row $x$ of the access matrix $A$. $t_1, t_2, \ldots, t_x, \ldots, t_l \in Z_p$ are also randomly chosen elements.
Further, in step S4:
The general private key generation formula comprises:
Figure BDA0002276859000000031
The time private key generation formula comprises:
Figure BDA0002276859000000032
where $S_{j,uid}$ denotes the set of generic attributes for which the data accessor DU is authorized at the attribute authority $AA_j$, and $S_{j,uid,FID}$ denotes the intersection of the set of time attributes for which the DU is authorized at $AA_j$ and the set of time attributes contained in the key ciphertext FID. $z_j, z_j' \in Z_p$ are randomly selected elements.
The edge key conversion formula comprises:
Figure BDA0002276859000000033
The local key generation formula comprises: $Lk_{FID,uid} = q$, where $q \in Z_p$ is a randomly selected element.
Further, in step S5:
The outsourced decryption formula comprises:
Figure BDA0002276859000000034
Figure BDA0002276859000000035
where
Figure BDA0002276859000000036
is, in the computation of
Figure BDA0002276859000000037
an intermediate step. $I_{AA}$ denotes the set of attribute authorities involved in the key ciphertext $CT_{FID}$, and $N_{AA} = |I_{AA}|$;
Figure BDA0002276859000000038
denotes the set of indices of those rows of the access matrix $A$ whose attributes lie in the intersection of the attribute set corresponding to the DU's private keys and the attribute set contained in the access matrix;
Figure BDA0002276859000000039
denotes the portion of the preceding index set that belongs to the attribute authority $AA_j$.
The local decryption formula comprises:
Figure BDA00022768590000000310
$Dec(CT_{data}, k) = M$;
where the function $Dec(CT_{data}, k)$ denotes symmetric decryption of the data ciphertext $CT_{data}$ using the symmetric key $k$.
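The secret sharing in S3 and the row selection in S5, worked through in $Z_p$ as an added example (not code from the patent). It assumes the standard LSSS share $\lambda_x = A_x \cdot v$ and models the AA's time-range check as a filter on usable rows; the pairing and group operations, whose formulas are not reproduced on this page, are omitted. The policy, authority names, timestamps and the prime `P` are constructed.

```python
"""Added example: LSSS sharing of s over Z_p with time-gated policy rows."""
import secrets
from collections import namedtuple

P = 2**127 - 1  # assumption: a prime standing in for the group order p

# One row x of the access policy (A, rho): vec is A_x, attr is rho(x).
Row = namedtuple("Row", "attr authority is_time vec")

# Constructed policy: owner OR (firefighter AND on_scene); on_scene is a time attribute.
POLICY = [
    Row("owner", "AA1", False, (1, 0)),
    Row("firefighter", "AA2", False, (1, 1)),
    Row("on_scene", "AA2", True, (0, -1)),
]
# Constructed [T_begin, T_end] per authority, as the data owner would send to AA2.
WINDOWS = {"AA2": (1000, 2000)}


def share_secret(policy, s, p=P):
    """Data owner: v = (s, y_2, ..., y_n); the share of row x is A_x . v mod p."""
    n = len(policy[0].vec)
    v = [s % p] + [secrets.randbelow(p) for _ in range(n - 1)]
    return [sum(a * b for a, b in zip(row.vec, v)) % p for row in policy]


def usable_rows(policy, windows, held, now):
    """Indices of rows for which the accessor can obtain a private key.

    A time attribute only counts if the key request time `now` lies inside
    the range set for its authority; otherwise the AA refuses the request.
    """
    idx = []
    for x, row in enumerate(policy):
        if row.attr not in held:
            continue
        if row.is_time:
            begin, end = windows[row.authority]
            if not begin <= now <= end:
                continue
        idx.append(x)
    return idx


def recon_coeffs(rows, p=P):
    """Solve sum_x c[x] * rows[x] == (1, 0, ..., 0) mod p; None if impossible."""
    if not rows:
        return None
    k, n = len(rows), len(rows[0])
    # One equation per matrix column, one unknown per row; last column is e_1.
    m = [[rows[x][col] % p for x in range(k)] + [1 if col == 0 else 0]
         for col in range(n)]
    pivots, r = [], 0
    for c in range(k):
        pr = next((i for i in range(r, n) if m[i][c]), None)
        if pr is None:
            continue
        m[r], m[pr] = m[pr], m[r]
        inv = pow(m[r][c], -1, p)
        m[r] = [val * inv % p for val in m[r]]
        for i in range(n):
            if i != r and m[i][c]:
                f = m[i][c]
                m[i] = [(a - f * b) % p for a, b in zip(m[i], m[r])]
        pivots.append(c)
        r += 1
    if any(m[i][k] for i in range(r, n)):
        return None  # (1,0,...,0) is not in the span: attribute set unauthorized
    coeffs = [0] * k
    for i, c in enumerate(pivots):
        coeffs[c] = m[i][k]
    return coeffs


def recover(policy, windows, shares, held, now, p=P):
    """Recombine the shares of the usable rows into s, or return None."""
    idx = usable_rows(policy, windows, held, now)
    coeffs = recon_coeffs([policy[x].vec for x in idx], p)
    if coeffs is None:
        return None
    return sum(c * shares[x] for c, x in zip(coeffs, idx)) % p


if __name__ == "__main__":
    secret = secrets.randbelow(P)
    sh = share_secret(POLICY, secret)
    held = {"firefighter", "on_scene"}
    print("inside range :", recover(POLICY, WINDOWS, sh, held, 1500) == secret)
    print("after expiry :", recover(POLICY, WINDOWS, sh, held, 2500))
```

Once the time range has passed, the same attribute set spans only the row (1, 1), so no coefficients exist and the share cannot be recombined.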
A dynamic policy updating method corresponding to the encryption method of claim 1 comprises a time range updating process and an access policy updating process; the specific process is as follows:
T1, time range updating: a new time parameter, i.e., a new access time range, is set for an expired time attribute in the key ciphertext, an update key for the old key ciphertext is generated, and the ciphertext component corresponding to the time attribute in the old key ciphertext is updated;
T2, access policy updating: the old access policy $(A, \rho)$ in the key ciphertext is replaced with a new access policy $(A', \rho')$; this comprises comparing the old and new access policies, generating update keys based on the comparison result, and updating the old key ciphertext.
Further, in T1:
The generation formula of the new time parameter comprises:
Figure BDA0002276859000000041
where $[T'_{begin}, T'_{end}]$ is the new access time range, $r'_j \in Z_p$ is a randomly selected element, and
Figure BDA0002276859000000042
is still the set of time attributes in the key ciphertext numbered FID that belong to authority $AA_j$.
The update key formula for the old key ciphertext comprises:
Figure BDA0002276859000000043
The formula for updating the ciphertext component corresponding to the time attribute in the old key ciphertext comprises:
Figure BDA0002276859000000044
Further, T2 is specifically: the new access policy is compared with the old access policy to obtain three attribute sets and two sets of attribute authorities; update keys corresponding to the three attribute sets and the two sets of attribute authorities are generated; and the update algorithm for the old key ciphertext is executed using these update keys.
The three attribute sets obtained by comparing the new access policy with the old access policy are as follows:
Case 1: the set of attributes that appear in both the new and old access policies, where the number of such attributes in the new policy does not exceed that in the old policy;
Case 2: the set of attributes that appear in both the new and old access policies, where the number of such attributes in the new policy exceeds that in the old policy;
Case 3: the set of attributes that do not exist in the old access policy and exist only in the new access policy.
The two sets of attribute authorities obtained by comparing the new access policy with the old access policy are as follows:
$(I_{AA} - AS_{1,A'})$: where $I_{AA}$ denotes the set of all attribute authorities involved in the old access policy and $AS_{1,A'}$ denotes the set of attribute authorities involved in both the new and old access policies; the expression therefore denotes the set of attribute authorities that appear only in the old access policy;
$AS_{2,A'}$: the set of attribute authorities that exist only in the new access policy.
The formulas for generating the update keys of the three attribute sets comprise:
Case 1:
Figure BDA0002276859000000045
where $(x, i)$ denotes the indices of the rows corresponding to the attribute $\rho(x)$ in the new and old access matrices $A'$ and $A$, respectively. If the old attribute $\rho(i)$ and the new attribute $\rho(x)$ are in the same state, $K_{2,x}$ is empty; if $\rho(i)$ is a time attribute and $\rho(x)$ is a generic attribute, then
Figure BDA0002276859000000046
If $\rho(i)$ is a generic attribute and $\rho(x)$ is a time attribute, then
Figure BDA0002276859000000047
where the function $T(att)$ maps an attribute to its corresponding attribute authority, $t'_x = t_i$,
Figure BDA0002276859000000048
is the new secret share, $A'_x$ is the $x$-th row of the new access matrix $A'$,
Figure BDA0002276859000000049
is a new vector composed of newly selected random elements and the original secret value $s$, and
Figure BDA00022768590000000410
is a randomly selected element.
Case 2:
Figure BDA00022768590000000411
If the old attribute $\rho(i)$ and the new attribute $\rho(x)$ are in the same state, $K_{2,x}$ is empty; if $\rho(i)$ is a time attribute and $\rho(x)$ is a generic attribute, then
Figure BDA00022768590000000412
If $\rho(i)$ is a generic attribute and $\rho(x)$ is a time attribute, then
Figure BDA00022768590000000413
where $t'_x = v_x \cdot t_i$; $v_x, r'_{T(\rho(x))} \in Z_p$ are randomly selected elements.
Case 3:
Figure BDA00022768590000000414
If the new attribute $\rho(x)$ is a generic attribute, then
Figure BDA00022768590000000415
If the new attribute $\rho(x)$ is a time attribute, then
Figure BDA00022768590000000416
where $t'_x \in Z_p$ is a randomly selected element.
The generation formula of the update keys of the two attribute authority sets comprises:
Figure BDA0002276859000000051
where the update key
Figure BDA0002276859000000052
is mainly used to update the $C_0$ component of the old key ciphertext $CT_{FID}$. The update algorithm for the old key ciphertext, executed using the update keys, comprises:
Case 1: $C'_{2,x} = C_{2,i} \cdot K_{1,x}$, $C'_{3,x} = C_{3,i}$. If an update key $K_{2,x}$ exists, $C_{4,i}$ must also be updated: $C'_{4,x} = C_{4,i} \cdot K_{2,x}$; otherwise $C'_{4,x} = C_{4,i}$.
Case 2:
Figure BDA0002276859000000053
If an update key $K_{2,x}$ exists, $C_{4,i}$ must also be updated:
Figure BDA0002276859000000054
otherwise $C'_{4,x} = C_{4,i}$.
Case 3: $C'_{2,x} = K_{1,x}$, $C'_{3,x} = K_{2,x}$, $C'_{4,x} = K_{3,x}$.
The update formula for the $C_0$ component of the old key ciphertext is: $C'_0 = C_0 \cdot UK_1 \cdot UK_2$.
The structure of the new key ciphertext after the update algorithm has been executed is:
Figure BDA0002276859000000055
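The policy comparison in T2, as an added example (not code from the patent): it sorts the rows of the new policy into Cases 1 to 3, flags the state changes that require $K_{2,x}$, derives the two authority sets, and picks $t'_x$ per case as stated above. Pairing a Case 2 row with the first old row of the same attribute, the attribute and authority names, and the prime `P` are assumptions.

```python
"""Added example: comparing an old and a new access policy row by row."""
import secrets
from collections import defaultdict

P = 2**127 - 1  # assumption: a prime standing in for the group order p

# Constructed policies: each entry is (rho(row), is_time_attribute).
OLD_RHO = [("doctor", False), ("nurse", False), ("on_duty", True)]
NEW_RHO = [("doctor", False), ("doctor", True), ("auditor", False)]
# Constructed mapping T(att): attribute -> responsible attribute authority.
AUTHORITY_OF = {"doctor": "AA1", "nurse": "AA1", "on_duty": "AA2", "auditor": "AA3"}


def compare_policies(old_rho, new_rho, authority_of):
    """Classify every row x of the new policy against the old policy.

    case1/case2 hold (x, i, state_changed): new row x is paired with old row i,
    and state_changed is True when generic/time state differs (K_2,x needed).
    case3 holds the new rows whose attribute is absent from the old policy.
    """
    old_rows = defaultdict(list)
    for i, (attr, _) in enumerate(old_rho):
        old_rows[attr].append(i)

    used = defaultdict(int)  # how many old rows of each attribute are consumed
    case1, case2, case3 = [], [], []
    for x, (attr, new_is_time) in enumerate(new_rho):
        rows = old_rows.get(attr)
        if not rows:
            case3.append(x)
            continue
        if used[attr] < len(rows):
            # Occurrences in the new policy do not yet exceed the old policy.
            i = rows[used[attr]]
            used[attr] += 1
            target = case1
        else:
            # More occurrences than before: reuse an old row (assumption: first).
            i = rows[0]
            target = case2
        target.append((x, i, old_rho[i][1] != new_is_time))

    old_aas = {authority_of[a] for a, _ in old_rho}  # I_AA
    new_aas = {authority_of[a] for a, _ in new_rho}
    as1 = old_aas & new_aas                          # AS_1,A'
    return {
        "case1": case1,
        "case2": case2,
        "case3": case3,
        "only_old": old_aas - as1,                   # I_AA - AS_1,A'
        "only_new": new_aas - old_aas,               # AS_2,A'
    }


def new_row_randomness(result, t_old, p=P):
    """Choose t'_x for every new row: t_i, v_x * t_i, or fresh, per case."""
    t_new, v = {}, {}
    for x, i, _ in result["case1"]:
        t_new[x] = t_old[i]
    for x, i, _ in result["case2"]:
        v[x] = secrets.randbelow(p - 1) + 1  # non-zero v_x
        t_new[x] = v[x] * t_old[i] % p
    for x in result["case3"]:
        t_new[x] = secrets.randbelow(p)
    return t_new, v


if __name__ == "__main__":
    res = compare_policies(OLD_RHO, NEW_RHO, AUTHORITY_OF)
    for key, value in res.items():
        print(key, value)
```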
The beneficial effects of the invention are as follows. In an edge computing environment, the invention guarantees the confidentiality of plaintext data as long as the attribute authorities involved in a ciphertext are not all compromised, even when malicious users share their private keys with one another. In addition, considering the importance of time in real application scenarios, time information is also embedded in the encryption mechanism, so that users at the edge and the cloud can access data more flexibly. Furthermore, because edge computing distributes computing and storage resources, it matches a multi-authority structure and outsourced decryption well: the computing load on terminal devices is shared, device energy consumption is reduced, and attribute-based encryption becomes safer and more reliable. Finally, to deal with changes to ciphertext access policies caused by the high mobility of users and devices in the edge computing environment, and with the confidentiality of a ciphertext after its access period has expired, an efficient dynamic policy updating method is provided on top of the attribute-based encryption method, so that the data owner can update an old ciphertext, and thereby keep the data confidential, without retrieving the ciphertext from the network, re-encrypting it and publishing it again.
Drawings
FIG. 1 is a diagram of the attribute-based encryption scheme;
FIG. 2 is a flow diagram of the attribute-based encryption.
Detailed Description
As shown in FIG. 1, the components of the present invention include:
Central Authority (CA): the CA is a trusted party. It does not distribute the public or private keys of any attribute; it only sets the system public parameters and registers users and attribute authorities.
Cloud: the cloud provides permanent ciphertext storage for all users in the system and is also responsible for distributing the update key of an old ciphertext to all storage nodes that cache that ciphertext. In this patent the cloud is assumed to be semi-honest: it correctly executes the requests sent by users or edge nodes, but it is curious about the content of the information users store.
Attribute Authority (AA): each AA is assigned a set of attributes within its domain. An attribute can exist in two states, generic attribute and time attribute. The AA generates the corresponding private key for each user authorized for these attributes. If the attribute is in the generic state, its private key can be combined with the generic private keys of any other attributes to access any ciphertext that the combined keys satisfy. If the attribute is a time attribute, however, it must be bound to a specific key ciphertext FID. After receiving the data owner's time parameter for the key ciphertext FID, the AA decides whether to generate the corresponding time private key according to whether the time of the user's private key request falls within the permitted range. If the request is within the time range, the time private key for the attribute is generated and returned to the user; otherwise the private key request is refused.
Edge Node: edge nodes are divided into Edge Storage Nodes (ESNs) and Edge Compute Nodes (ECNs). Like the cloud, an ESN provides storage; it is the storage node closest to the end user, so it is the first node to receive the ciphertext data submitted by a data owner, and it then forwards the ciphertext to the cloud for permanent storage depending on network congestion. When an end user in the area covered by the ESN requests access to a ciphertext, the request reaches this node first; if the node does not hold the ciphertext, it sends a request to the cloud for the corresponding key ciphertext and data ciphertext and then caches what it obtains from the cloud. An ECN provides computing assistance: it can pre-decrypt the ciphertext that a data accessor wants to access without learning anything about the plaintext data. An edge node with both strong computing and strong storage capability can act as an edge storage node and an edge compute node at the same time.
Data Owner (DO): the DO is the producer of the ciphertext. It first specifies the access policy for the plaintext data, sets the time parameter for the time attribute sets contained in the access policy, and shares the time parameter with the corresponding attribute authorities. It then selects a symmetric key to symmetrically encrypt the plaintext data into the data ciphertext, and further encrypts the symmetric key to obtain the key ciphertext. The data ciphertext and key ciphertext are packed together and uploaded to the nearest ESN.
Data accessor (DU): the DU is the accessor of the ciphertext. The DU first requests the key ciphertext and data ciphertext from the ESN nearest to it; if that ESN does not have the ciphertext, the ESN in turn sends a request to the cloud. Considering the complexity of the decryption computation and the limited energy of terminal devices, the ESN forwards the ciphertext that the DU wants to access to the ECN specified by the DU, so that the ECN takes on part of the computing load of accessing the ciphertext. After receiving the edge key sent by the DU, the ECN performs the outsourced decryption and returns the resulting intermediate ciphertext together with the data ciphertext to the DU. Note that decryption recovers the key ciphertext correctly only if both the set of attributes for which the DU is authorized and the access time satisfy the access policy in the ciphertext.
As shown in fig. 2, the present embodiment specifically includes the following steps:
S1, system initialization: the central authority generates the system public parameters and a pair of verification and signing keys based on the security parameter; each attribute authority registers with the central authority, sets the attribute set it is responsible for, and generates its own private key and public key.
S1.1, initialization of the central authority CA. The CA selects two multiplicative cyclic groups $G$ and $G_T$ of prime order $p$ and a symmetric bilinear map $e: G \times G \to G_T$, which operates on two elements of $G$ and maps the result into $G_T$. It then randomly selects two generators $g, h \in G$, sets a collision-resistant hash function $F: \{0,1\}^* \to G$, which maps attributes to elements of $G$, and generates a pair of signing and verification keys $(sk_{CA}, vk_{CA})$. The system public parameters $GP = (G, G_T, g, h, e, F)$ are published on the system's public bulletin board so that any device in the system can obtain them.
S1.2, each attribute authority $AA_j$ ($j \in \mathbb{I}_{AA}$) registers with the central authority CA to obtain a globally unique authority number AID and the CA's verification key $vk_{CA}$; with the verification key it can verify a user's identity certificate to obtain the user's $u_{uid}$. It is also assigned the set of attributes it is responsible for, and generates generic or time private keys for the users authorized for those attributes. Here $\mathbb{I}_{AA}$ is the set of all authorities.
S1.3, initialization of the attribute authority. Let
Figure BDA0002276859000000068
denote the attribute set assigned to the attribute authority $AA_j$; the attribute sets of different attribute authorities do not intersect. $AA_j$ randomly selects two elements $\alpha_j, \beta_j \in Z_p$ as the authority's private key
Figure BDA0002276859000000061
where $Z_p$ denotes the integer field from 1 to p. It then calculates the public key of the organization as
Figure BDA0002276859000000062
Similarly, the public key of the organization is published on the public bulletin board of the system for any user to obtain, while the private key of the organization is kept by the authority itself.
S2. User registration: a user who newly joins the system registers with the central authority to obtain an identity certificate and an identity private key.
S2.1. The central authority CA assigns a globally unique user number uid to each user newly joining the system and then selects a random element $u_{uid} \in Z_p$ as the identity parameter of the user. It signs the identity parameter with the signing key $sk_{CA}$ to obtain the identity certificate of the user
Figure BDA0002276859000000063
The function
Figure BDA0002276859000000064
denotes running the signature algorithm on the identity parameter of the user with the signing key $sk_{CA}$. The CA then calculates the identity private key of the user
Figure BDA0002276859000000065
Finally, the tuple $(uid, Cert_{uid}, K_{uid})$ is securely sent to the user.
S3. Data encryption: the data owner sets time parameters for the time attribute sets belonging to different authorities in the access policy, symmetrically encrypts the plaintext data to generate the data ciphertext, and then encrypts the symmetric key based on the system public parameters, the organization public keys and the access policy to obtain the key ciphertext.
S3.1. The data owner DO first specifies an access policy $(A, \rho)$ for the plaintext data, where $A$ is an $l \times n$ matrix and $l$ is the number of attributes included in the access policy, i.e. each row of the matrix $A$ corresponds to one attribute. The function $\rho$ maps the rows of the matrix $A$ to the corresponding attributes. If the plaintext data restricts the access time for some attributes, the DO also needs to set time parameters for those attributes. To keep the encryption structure coarse-grained and uncomplicated, we assume that the attributes for which one attribute authority is responsible are similar in content and role, so the time ranges of time attributes belonging to the same authority in an access policy can be considered the same, while time attributes belonging to different attribute authorities can have different time ranges. Let
Figure BDA0002276859000000066
denote the set of time attributes in the current ciphertext that belong to attribute authority $AA_j$ and carry the access time restriction $[T_{begin}, T_{end}]$, where $[T_{begin}, T_{end}]$ is a period of time. The DO randomly selects an element $r_j \in Z_p$ as the time parameter used for encryption, $TDOParam_{j,FID} = r_j$, and then calculates the time parameter of the ciphertext for authority $AA_j$
Figure BDA0002276859000000067
$TAAParam_{j,FID}$ is then sent to attribute authority $AA_j$, which uses it to calculate the time private key specific to this ciphertext.
S3.2. For the efficiency of symmetric encryption, the DO first selects a symmetric key $k$ and symmetrically encrypts the plaintext data, $CT_{data} = Enc(M, k)$, where $Enc(M, k)$ denotes symmetric encryption of the plaintext data $M$ using the symmetric key $k$.
S3.3. The data owner DO further encrypts the symmetric key based on the system public parameters, the organization public keys and the access policy to obtain the key ciphertext $CT_{FID}$, where FID is the number of the key ciphertext. $CT_{FID}$ is calculated as follows. The DO randomly selects an element $s \in Z_p$ as the secret value and also randomly selects $y_2, \ldots, y_n \in Z_p$, which together with $s$ form a vector,
Figure BDA0002276859000000071
For
Figure BDA0002276859000000072
calculate the share of $s$
Figure BDA0002276859000000073
where $A_x$ is the $x$-th row of the matrix $A$. If an attribute set $S$ satisfies the access requirement, let $I = \{i : \rho(i) \in S\}$ denote a set of subscripts whose attributes correspond one-to-one with the attributes in the attribute set $S$. Then there is a set of constants $\{c_i \in Z_p\}_{i \in I}$ such that $\sum_{i \in I} c_i \lambda_i$ recovers the secret value $s$, and these constants $c_i$ can be found in polynomial time. For an attribute set that does not satisfy the requirement, $s$ cannot be recovered in polynomial time. The DO also randomly selects elements $t_1, t_2, \ldots, t_l \in Z_p$. The generating formula of the key ciphertext $CT_{FID}$ is:
Figure BDA0002276859000000074
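The sharing and recovery of $s$ described in S3.3, as an added Python example that is not part of the patent. It assumes the standard LSSS form, with shares $\lambda_x = A_x \cdot v$ for $v = (s, y_2, \ldots, y_n)$ and recovery target $(1, 0, \ldots, 0)$; the prime, the policy matrix and the attribute names are constructed for illustration.

```python
import secrets

# Stand-in for the group order p (assumption: only the Z_p share arithmetic is shown).
P = 2**127 - 1

# Constructed policy: doctor AND (cardiology OR emergency), as an LSSS matrix.
A = [[1, 1], [0, -1], [0, -1]]
RHO = ["doctor", "cardiology", "emergency"]  # rho: row index -> attribute


def share_secret(matrix, s, p=P):
    """Shares lambda_x = A_x . v, where v = (s, y_2, ..., y_n) with random y_k."""
    n = len(matrix[0])
    v = [s % p] + [secrets.randbelow(p) for _ in range(n - 1)]
    return [sum(a * b for a, b in zip(row, v)) % p for row in matrix]


def recovery_constants(matrix, rho, attrs, p=P):
    """Solve sum_i c_i * A_i = (1, 0, ..., 0) over Z_p for the rows whose
    attribute is in attrs. Returns {row: c_i}, or None if attrs does not
    satisfy the policy (the target vector is outside the span of those rows)."""
    rows = [i for i, att in enumerate(rho) if att in attrs]
    n, m = len(matrix[0]), len(rows)
    # One equation per matrix column, one unknown per usable row, plus the RHS.
    aug = [[matrix[i][col] % p for i in rows] + [1 if col == 0 else 0]
           for col in range(n)]
    pivots, r = [], 0
    for c in range(m):
        piv = next((k for k in range(r, n) if aug[k][c]), None)
        if piv is None:
            continue  # free variable, left at 0
        aug[r], aug[piv] = aug[piv], aug[r]
        inv = pow(aug[r][c], -1, p)
        aug[r] = [x * inv % p for x in aug[r]]
        for k in range(n):
            if k != r and aug[k][c]:
                f = aug[k][c]
                aug[k] = [(x - f * y) % p for x, y in zip(aug[k], aug[r])]
        pivots.append(c)
        r += 1
        if r == n:
            break
    # A zero row with a non-zero right-hand side means no solution exists.
    if any(aug[k][m] for k in range(r, n)):
        return None
    consts = {i: 0 for i in rows}
    for k, c in enumerate(pivots):
        consts[rows[c]] = aug[k][m]
    return consts


def recover(shares, consts, p=P):
    """Recombine: s = sum_i c_i * lambda_i mod p."""
    return sum(c * shares[i] for i, c in consts.items()) % p


if __name__ == "__main__":
    secret = secrets.randbelow(P)
    lam = share_secret(A, secret)
    ok = recovery_constants(A, RHO, {"doctor", "emergency"})
    print("authorized set recovers s:", recover(lam, ok) == secret)
    print("unauthorized set:", recovery_constants(A, RHO, {"cardiology", "emergency"}))
```

In the scheme itself the shares sit in the exponents of group elements, so the same constants are applied during decryption rather than to the raw shares.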
S4. User private key generation: the data accessor sends private key requests to the corresponding attribute authorities based on its authorized attribute set to obtain the corresponding general private keys and time private keys, and then converts the private keys obtained from the attribute authorities into an edge private key and a local private key.
S4.1. Generation of the general private key of the data accessor DU. Let $S_{j,uid}$ denote the general attribute set for which the data accessor DU is authorized at attribute authority $AA_j$. The DU sends its identity certificate $Cert_{uid}$ and the general attribute set $S_{j,uid}$ to authority $AA_j$. After receiving the general key request sent by the DU, $AA_j$ verifies the identity certificate $Cert_{uid}$ of the user with the verification key $vk_{CA}$ to obtain the identity parameter $u_{uid}$ of the user, and then randomly selects an element $z_j \in Z_p$. The formula of the user general private key is as follows:
Figure BDA0002276859000000075
S4.2. Generation of the time private key of the DU. The DU compares the attribute set it owns with the time attribute set contained in the ciphertext numbered FID that it wants to access, and obtains the intersection $ST_{uid,FID}$ of the two attribute sets. It then sends time private key requests for the attributes in the intersection to the corresponding attribute authorities to obtain time private keys for this ciphertext. Let $ST_{j,uid,FID}$ denote the set of time attributes in the intersection $ST_{uid,FID}$ that come from authority $AA_j$. The DU provides the ciphertext number FID, the time attribute set $ST_{j,uid,FID}$ it needs to access, and its identity certificate $Cert_{uid}$ to attribute authority $AA_j$. $AA_j$ then determines, according to the time parameter $TAAParam_{j,FID}$, whether the key request falls within the time limit $[T_{begin}, T_{end}]$ of the ciphertext; if not, the private key request is rejected directly. Otherwise, $AA_j$ selects a random element $z'_j \in Z_p$ and calculates the time private key $UTsk_{j,uid,FID}$ of the DU. Note that the time private key must be used together with the general private key to decrypt the ciphertext correctly. The time private key formula is as follows:
Figure BDA0002276859000000076
S4.3. Private key conversion. After the data accessor DU receives the general private keys $Usk_{j,uid}$ and the time private keys $UTsk_{j,uid,FID}$ sent by the authorities, it converts them into a pair of keys: the edge key $Ek_{uid,FID}$, which is sent to the edge computing node for outsourced decryption, and the local key $Lk_{uid,FID}$, which is used for local decryption. The computational overhead of the key conversion is acceptable even for resource-constrained access devices, since only one exponentiation needs to be performed for each private key component. The DU selects a random element $q \in Z_p$; the specific calculation formula is as follows:
Figure BDA0002276859000000077
S5. Ciphertext decryption: the data accessor requests the edge computing node to perform outsourced decryption of the key ciphertext, then performs local decryption to obtain the symmetric key, and finally decrypts the data ciphertext with the symmetric key to obtain the plaintext data.
S5.1. Outsourced decryption. The edge computing nodes ECN and the edge storage nodes ESN are the edge nodes nearest to the user that have relatively sufficient computing power and storage capacity, respectively. The DU first requests access to the ciphertext numbered FID from the ESN closest to it; if the key ciphertext and the data ciphertext are not present on that ESN, the ESN sends a ciphertext storage request to the cloud. After obtaining the key ciphertext and the data ciphertext, the ESN forwards them to the ECN specified by the DU. The DU also sends the converted edge key $Ek_{uid,FID}$ to the ECN, which uses the edge key to perform outsourced decryption of the key ciphertext $CT_{FID}$, obtains the intermediate ciphertext ICT of the key ciphertext, and then sends ICT together with the data ciphertext $CT_{data}$ to the DU. Let $I_{AA}$ denote the set of attribute authorities contained in the key ciphertext, $N_{AA} = |I_{AA}|$,
Figure BDA0002276859000000081
denote a set of subscripts of rows of the matrix in the access policy $(A, \rho)$, where the attributes corresponding to these rows are the intersection of the attribute set corresponding to the private key set of the DU and the attribute set contained in the access policy,
Figure BDA0002276859000000082
denotes the part of the preceding subscript set that belongs to attribute authority $AA_j$. The specific formula of outsourced decryption is as follows:
Figure BDA0002276859000000083
Figure BDA0002276859000000084
wherein
Figure BDA0002276859000000085
is
Figure BDA0002276859000000086
an intermediate step of the computation. The structure of the intermediate ciphertext is:
Figure BDA0002276859000000087
S5.2. Local decryption. After receiving the intermediate ciphertext ICT returned by the ECN, the data accessor DU uses the local key $Lk_{uid,FID}$ to perform local decryption
Figure BDA0002276859000000088
and obtains the symmetric key $k$. It then symmetrically decrypts the data ciphertext, $Dec(CT_{data}, k) = M$, and obtains the plaintext $M$ of the data it wanted to access.
A dynamic policy updating mechanism corresponding to the encryption method specifically comprises a time range updating process and an access policy updating process.
T1, the time range updating process is a process of setting a new time parameter, i.e., a new access time range, to the expired time attribute in the key cipher text, generating a key cipher text updating key, and updating the cipher text structure corresponding to the time attribute in the old key cipher text.
This update addresses how to keep the key ciphertext and the data ciphertext confidential after the time limit of a time attribute in the access policy of the key ciphertext expires. A new time range must be set for the expired time attribute in the key ciphertext, and the ciphertext structure corresponding to that time attribute must be updated. If the ciphertext is still to remain open to the time attribute, a new valid, unexpired time range $[T'_{begin}, T'_{end}]$ ($T'_{begin} \le T'_{end}$) is set; otherwise an invalid time range $[T'_{begin}, T'_{end}]$ ($T'_{begin} > T'_{end}$) is set. Whether or not the range is valid, the ciphertext structure must be updated to prevent old time private keys from threatening the confidentiality of the ciphertext. The DO selects a random element $r'_j \in Z_p$; the formula of the new time parameter is:
Figure BDA0002276859000000089
The update key for the old key ciphertext is generated as follows:
Figure BDA00022768590000000810
The DO then sends the new time parameter $TAAParam'_{j,FID}$ to attribute authority $AA_j$ for producing new time private keys, and sends the update key $UK_j$ of the old key ciphertext to the cloud, which performs the update operation on the old key ciphertext. The cloud is also responsible for forwarding the update key $UK_j$ to the ESN nodes that store the key ciphertext; it is assumed that the ESN nodes and the cloud all execute the key ciphertext update algorithm correctly. The formula for updating the ciphertext structure corresponding to the time attribute in the old key ciphertext with the update key is:
Figure BDA00022768590000000811
T2. The access policy updating process replaces the old access policy $(A, \rho)$ in the key ciphertext with a new access policy $(A', \rho')$. It consists of comparing the old and new access policies, producing update keys based on the comparison result, and updating the old key ciphertext.
This process addresses the scenario in which, in the edge computing environment, the access policy of an old key ciphertext must change because the roles of some users change or some terminal devices move, i.e. the old access policy $(A, \rho)$ must be replaced by a new access policy $(A', \rho')$, where the access matrix $A'$ is an $l' \times n'$ matrix. To reduce the transmission overhead the DO would incur by retrieving the old ciphertext and reissuing it, as well as the computational overhead of re-encryption, this patent also provides a dynamic policy update algorithm. It reuses the existing structure of the old key ciphertext as far as possible, does not need to encrypt the symmetric key again, and only needs to transmit the update keys required for updating the key ciphertext, which greatly reduces the amount of data transmitted and avoids the bandwidth pressure of ciphertext transmission.
T2.1. Old and new access policy comparison algorithm. First, a policy comparison algorithm is run on the old and new access policies; it divides the attributes in the new access policy into three sets. Case 1 denotes the attributes contained in both the old and new access policies whose number in the new access policy does not exceed the number in the old access policy; the corresponding set $S_{1,A'}$ stores the subscript $x$ of the row of the attribute $\rho(x)$ in the new access matrix and the minimum subscript $i$ of the row corresponding to that attribute in the old access matrix. Case 2 also denotes attributes contained in both the old and new access policies, but whose number in the new access policy exceeds the number in the old access policy; the corresponding set $S_{2,A'}$ likewise stores the subscript $x$ of the row of the attribute $\rho(x)$ in the new access policy and the minimum subscript $i$ of the row corresponding to that attribute in the old access policy. Case 3 denotes the attributes that exist only in the new access policy and not in the old access policy; the corresponding set $S_{3,A'}$ stores the subscript $x$ of the row in the new access policy and the subscript 0, which indicates absence from the old access policy.
In addition, the $C_0$ structure of the key ciphertext must be updated: the public parameters of the attribute authorities that are no longer involved in the new access policy must be removed from the ciphertext structure, and the public parameters of the attribute authorities that are involved only in the new access policy must be added. The policy comparison algorithm therefore also generates two sets of attribute authorities: the set of attribute authorities that appear only in the old access policy and the set of attribute authorities that exist only in the new access policy.
Because the number of attributes included in the two access policies may differ, the DO must reselect a random vector
Figure BDA0002276859000000091
Figure BDA0002276859000000092
and reset the shares of the secret value $s$, where
Figure BDA0002276859000000093
is randomly selected. The new secret share is
Figure BDA0002276859000000094
where $x \in [1, l']$.
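The policy comparison of T2.1, together with the update-key shapes that T2.2 lists for each case, as an added Python example that is not the patent's own code. The pairing rule is one reading of "minimum subscript" and is an assumption: the k-th occurrence of an attribute in the new policy is paired with its k-th old row (Case 1), and occurrences beyond the old count are paired with the lowest old row (Case 2). The policies, attribute names and authority names are constructed.

```python
from collections import defaultdict

# Constructed sample policies: one (attribute, state) entry per matrix row,
# where state is "general" or "time". Row subscripts are 1-based as in the text.
OLD_POLICY = [("doctor", "general"), ("cardiology", "time"),
              ("doctor", "general"), ("nurse", "general")]
NEW_POLICY = [("doctor", "general"), ("cardiology", "general"),
              ("cardiology", "general"), ("auditor", "time")]
# Constructed stand-in for the function T(att): attribute -> authority.
AUTHORITY_OF = {"doctor": "AA1", "cardiology": "AA2",
                "nurse": "AA3", "auditor": "AA4"}


def update_key_parts(case, old_state, new_state):
    """Components of UK_{x,i} the DO has to produce, following T2.2."""
    if case == 3:
        return ("K1", "K2", "K3")
    parts = ["K1"] if case == 1 else ["K1", "v"]  # Case 2 also carries v_x
    if old_state != new_state:                    # general <-> time switch
        parts.append("K2")
    return tuple(parts)


def compare_policies(rho_old, rho_new, authority_of):
    """Classify every row x of the new policy into Case 1, 2 or 3 and derive
    the authority sets needed for the C_0 update."""
    old_rows = defaultdict(list)  # attribute -> [(row i, state)] in the old policy
    for i, (att, state) in enumerate(rho_old, start=1):
        old_rows[att].append((i, state))

    used = defaultdict(int)       # occurrences of each attribute seen so far
    rows = []
    for x, (att, state) in enumerate(rho_new, start=1):
        candidates = old_rows.get(att, [])
        if not candidates:
            # Case 3: attribute exists only in the new policy, recorded as (x, 0).
            rows.append((x, 0, 3, update_key_parts(3, None, state)))
            continue
        if used[att] < len(candidates):
            # Case 1: an unused old row is still available, so t'_x = t_i.
            case, (i, old_state) = 1, candidates[used[att]]
        else:
            # Case 2: more occurrences than before; reuse the lowest old row,
            # re-randomized with v_x so that t'_x = v_x * t_i.
            case, (i, old_state) = 2, candidates[0]
        used[att] += 1
        rows.append((x, i, case, update_key_parts(case, old_state, state)))

    old_aas = {authority_of[att] for att, _ in rho_old}
    new_aas = {authority_of[att] for att, _ in rho_new}
    return {
        "rows": rows,                   # (x, i, case, update-key components)
        "only_old": old_aas - new_aas,  # I_AA - AS_1: removed from C_0
        "AS1": old_aas & new_aas,       # authorities in both policies
        "AS2": new_aas - old_aas,       # added to C_0
    }


if __name__ == "__main__":
    plan = compare_policies(OLD_POLICY, NEW_POLICY, AUTHORITY_OF)
    for row in plan["rows"]:
        print(row)
    print(plan["only_old"], plan["AS1"], plan["AS2"])
```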
T2.2. Generation of the update keys. Let the function $T(att)$ map an attribute to its corresponding authority. For each attribute $\rho(x)$ ($x \in [1, l']$), the corresponding update key also falls into one of three classes.
Case 1: $(x, i) \in S_{1,A'}$. Let $t'_x = t_i$. Since the states of the old and new attributes may differ, their update keys also differ, but the part of the update key
Figure BDA0002276859000000095
is the same.
1) If the attribute states of $\rho(i)$ and $\rho(x)$ are the same, the update key is $UK_{x,i} = K_{1,x}$.
2) If the attribute states of $\rho(i)$ and $\rho(x)$ differ, the update key has the structure $UK_{x,i} = (K_{1,x}, K_{2,x})$. If $\rho(i)$ is a time attribute and $\rho(x)$ is a general attribute, then
Figure BDA0002276859000000096
If $\rho(i)$ is a general attribute and $\rho(x)$ is a time attribute, and the time parameter corresponding to the time attribute has not yet been set, the DO first randomly selects an element $r'_{T(\rho(x))} \in Z_p$ and sets a new time range $[T_{begin}, T_{end}]$. Then the new time parameter
Figure BDA0002276859000000097
is sent to attribute authority $AA_j$. As before,
Figure BDA0002276859000000098
is the set of time attributes with access time restrictions that belong to authority $AA_j$ in the key ciphertext that is still numbered FID. Then calculate
Figure BDA0002276859000000099
Case 2: $(x, i) \in S_{2,A'}$. The DO first randomly selects an element $v_x \in Z_p$ to randomize the old ciphertext structure and lets $t'_x = v_x \cdot t_i$. Similarly, the update keys for attributes of this type share a common part,
Figure BDA00022768590000000910
The generation formula of the updated key is as follows:
1) If the attribute states of $\rho(i)$ and $\rho(x)$ are the same, the update key is $UK_{x,i} = (K_{1,x}, v_x)$.
2) If the attribute states of $\rho(i)$ and $\rho(x)$ differ, the update key has the structure $UK_{x,i} = (K_{1,x}, v_x, K_{2,x})$. If $\rho(i)$ is a time attribute and $\rho(x)$ is a general attribute, then
Figure BDA00022768590000000911
If $\rho(i)$ is a general attribute and $\rho(x)$ is a time attribute, then likewise, if the time parameter corresponding to the time attribute has not yet been set, the DO repeats the corresponding operation from Case 1, but $K_{2,x}$ is calculated differently:
Figure BDA00022768590000000912
Case 3: $(x, 0) \in S_{3,A'}$. The DO first selects a random element $t'_x \in Z_p$. The part of the update key that is the same for attributes of either state is:
Figure BDA0002276859000000101
In all of these cases the update key has the form $UK_{x,i} = (K_{1,x}, K_{2,x}, K_{3,x})$.
1) If $\rho(x)$ is a general attribute, then
Figure BDA0002276859000000102
2) If $\rho(x)$ is a time attribute, then likewise, when the time parameter corresponding to the time attribute has not yet been set, the DO repeats the corresponding operation from Case 1. $K_{3,x}$ is calculated as follows:
Figure BDA0002276859000000103
The $C_0$ structure in the old key ciphertext also needs to be updated. $I_{AA}$ still denotes the set of all attribute authorities involved in the old access policy, $AS_{1,A'}$ denotes the set of attribute authorities involved in both the old and new access policies, and $AS_{2,A'}$ denotes the set of authorities that appear only in the new access policy. The update key for the $C_0$ structure in the old key ciphertext is:
Figure BDA0002276859000000104
Figure BDA0002276859000000105
where the update key
Figure BDA0002276859000000106
is mainly used to update the $C_0$ structure of the old key ciphertext $CT_{FID}$.
T2.3. Update of the old key ciphertext. For the three attribute sets and the two attribute authority sets defined above, the update algorithm for the old key ciphertext is as follows:
Case 1: $C'_{2,x} = C_{2,i} \cdot K_{1,x}$, $C'_{3,x} = C_{3,i}$. If an update key $K_{2,x}$ exists, $C_{4,i}$ must also be updated, $C'_{4,x} = C_{4,i} \cdot K_{2,x}$; otherwise $C'_{4,x} = C_{4,i}$.
Case 2:
Figure BDA0002276859000000107
If an update key $K_{2,x}$ exists, $C_{4,i}$ must also be updated,
Figure BDA0002276859000000108
otherwise $C'_{4,x} = C_{4,i}$.
Case 3: $C'_{2,x} = K_{1,x}$, $C'_{3,x} = K_{2,x}$, $C'_{4,x} = K_{3,x}$.
The update formula for the $C_0$ structure of the old key ciphertext $CT_{FID}$ is: $C'_0 = C_0 \cdot UK_1 \cdot UK_2$.
The specific structure of the updated new key ciphertext is as follows:
Figure BDA0002276859000000109
the present invention is not limited to the above embodiments, and any other changes, modifications, substitutions, combinations, and simplifications which do not depart from the spirit and principle of the present invention should be construed as equivalents and are included in the scope of the present invention.

Claims (9)

1. An edge environment encryption method based on a time domain is characterized by comprising a system initialization process, a user registration process, a data encryption process, a user private key generation process and a ciphertext decryption process; the method comprises the following steps:
S1, the system initialization process means that the central authority generates system public parameters and a pair of verification and signature keys based on the security parameters, and each attribute authority registers with the central authority, sets the attribute set it is responsible for and generates its own private key and public key;
S2, the user registration process means that a user who newly joins the system registers with the central authority to obtain an identity certificate and an identity private key;
S3, in the data encryption process, a data owner sets time parameters for time attribute sets belonging to different authorities in an access policy, then performs symmetric encryption on plaintext data to generate a data ciphertext, and further encrypts a symmetric key based on a system public parameter, an organization public key and the access policy to obtain a key ciphertext;
S4, the user private key generating process means that the data accessor sends a private key request to the corresponding attribute authority based on its authorized attribute set to obtain a corresponding general private key and a time private key, and then converts the private keys obtained from each attribute authority into an edge private key and a local private key;
S5, in the ciphertext decryption process, the data accessor requests the edge computing node to perform outsourced decryption on the key ciphertext, then executes local decryption to obtain a symmetric key, and then decrypts the data ciphertext using the symmetric key to obtain plaintext data.
2. The method according to claim 1, wherein in step S1:
the system public parameters are expressed as: $GP = (G, G_T, g, h, e, F)$;
where $G$ and $G_T$ are two bilinear groups of order $p$, and $g$ and $h$ are two generators of $G$; $e: G \times G \to G_T$ is a symmetric bilinear map that operates on two elements of $G$ and maps the result to an element of $G_T$; $F: \{0,1\}^* \to G$ is a collision-resistant hash function that maps attributes to elements of $G$; let $II_{AA}$ denote all attribute authorities in the system and $Z_p$ the integer field from 1 to p; each attribute authority $AA_j$ randomly selects $\alpha_j, \beta_j \in Z_p$; then:
the private key of the organization is expressed as:
Figure FDA0002276858990000011
the public key of the organization is expressed as:
Figure FDA0002276858990000012
3. The method according to claim 1, wherein in step S2:
the identity certificate is expressed as:
Figure FDA0002276858990000013
the identity private key is expressed as:
Figure FDA0002276858990000014
where uid is the number of the user, $u_{uid} \in Z_p$ is randomly selected, $sk_{CA}$ denotes the signing key of the central authority,
Figure FDA0002276858990000015
denotes running the signature algorithm on the user's $u_{uid}$ with the signing key $sk_{CA}$.
4. The method according to claim 1, wherein step S3 is specifically:
the data owner first specifies the access policy $(A, \rho)$ for the plaintext data, where $A$ is an $l \times n$ matrix and $l$ is the number of attributes contained in the access policy, that is, each row of the matrix $A$ corresponds to one attribute; the function $\rho$ maps rows of the matrix $A$ to the corresponding attributes; using a randomly selected $r_j \in Z_p$, the data owner sets time parameters for the time attribute sets in the access policy that belong to different attribute authorities $AA_j$, and then securely sends the time parameters to the attribute authority to which each time attribute set belongs for producing time private keys;
then, a symmetric key $k$ is selected to symmetrically encrypt the plaintext data to obtain the data ciphertext, and the symmetric key $k$ is further encrypted based on the system public parameters, the organization public key and the access policy to generate the key ciphertext $CT_{FID}$;
The time parameter setting formula comprises:
Figure FDA0002276858990000016
wherein
Figure FDA0002276858990000017
is the set of time attributes in the key ciphertext numbered FID that belong to authority $AA_j$, and $[T_{begin}, T_{end}]$ denotes the access time limit range of that set of time attributes;
the data ciphertext generating formula comprises: $CT_{data} = Enc(M, k)$; where the function $Enc(M, k)$ denotes symmetric encryption of the plaintext data $M$ using the symmetric key $k$;
the key ciphertext generating formula comprises:
Figure FDA0002276858990000021
where FID is the number of the key ciphertext and $s \in Z_p$, the secret value, is a randomly selected element; to share the secret value $s$, $y_2, \ldots, y_n \in Z_p$ are also randomly selected and form a vector together with $s$
Figure FDA0002276858990000022
is a share of $s$, where $A_x$ is row $x$ of the access matrix $A$; $t_1, t_2, \ldots, t_x, \ldots, t_l \in Z_p$ are also randomly selected elements.
5. The method according to claim 1, wherein in step S4:
the general private key generation formula is as follows:
Figure FDA0002276858990000023
the time private key generation formula is as follows:
Figure FDA0002276858990000024
where $S_{j,uid}$ denotes the general attribute set for which the data accessor DU is authorized at attribute authority $AA_j$, and $S_{j,uid,FID}$ denotes the intersection of the time attribute set for which the DU is authorized at authority $AA_j$ and the time attribute set contained in the key ciphertext FID; $z_j, z'_j \in Z_p$ are randomly selected elements;
the edge key conversion formula comprises:
Figure FDA0002276858990000025
the local key generation formula comprises: $Lk_{FID,uid} = q$; where $q \in Z_p$ is a randomly selected element.
6. The method according to claim 1, wherein in step S5:
the outsourcing decryption process formula comprises:
Figure FDA0002276858990000026
Figure FDA0002276858990000027
wherein
Figure FDA0002276858990000028
is
Figure FDA0002276858990000029
an intermediate step of the computation; $I_{AA}$ denotes the set of attribute authorities involved in the key ciphertext $CT_{FID}$, $N_{AA} = |I_{AA}|$,
Figure FDA00022768589900000210
denotes a set of subscripts of rows of the access matrix $A$, where the attributes corresponding to these rows are the intersection of the attribute set corresponding to the data accessor's private key set and the attribute set contained in the access matrix,
Figure FDA00022768589900000211
denotes the part of the preceding subscript set that belongs to attribute authority $AA_j$;
the local decryption process formula comprises:
Figure FDA00022768589900000212
$Dec(CT_{data}, k) = M$;
where the function $Dec(CT_{data}, k)$ denotes symmetric decryption of the data ciphertext $CT_{data}$ using the symmetric key $k$.
7. A dynamic policy updating method corresponding to the encryption method of claim 1, comprising a time range updating procedure and an access policy updating procedure; the specific process is as follows:
T1, the time range updating process is a process of setting a new time parameter for an expired time attribute in the key ciphertext, that is, setting a new access time range, generating an update key for the old key ciphertext, and updating the ciphertext structure corresponding to the time attribute in the old key ciphertext;
T2, the access policy updating process refers to a process of replacing an old access policy $(A, \rho)$ in the key ciphertext with a new access policy $(A', \rho')$, and specifically includes a comparison between the old and new access policies, the production of update keys based on the comparison result, and the update of the old key ciphertext.
8. The method of claim 7, wherein in T1:
the generation formula of the new time parameter comprises:
Figure FDA0002276858990000031
wherein [ T'begin,T′end]Is a new access time limit range, r'j∈ZpIs an element that is selected at random and is,
Figure FDA0002276858990000032
is the set of time attributes belonging to authority $AA_j$ in the key ciphertext that is still numbered FID;
the updating key formula of the old key ciphertext comprises:
Figure FDA0002276858990000033
the formula for updating the ciphertext structure corresponding to the time attribute in the old key ciphertext comprises:
Figure FDA0002276858990000034
9. The method according to claim 7, characterized in that T2 is in particular: comparing the new access policy with the old access policy to obtain three attribute sets and two sets of attribute authorities, producing the update keys corresponding to the three attribute sets and the two sets of attribute authorities, and executing the update algorithm of the old key ciphertext based on the update keys;
the three attribute sets obtained by comparing the new access policy and the old access policy are respectively as follows:
Case 1: the set of attributes that are the same in the new and old access policies and whose number in the new policy does not exceed the number in the old policy;
Case 2: the set of attributes that are the same in the new and old access policies and whose number in the new policy exceeds the number in the old policy;
Case 3: the set of attributes that do not exist in the old access policy and exist only in the new access policy;
the two attribute authority sets obtained by comparing the new access policy and the old access policy are respectively as follows:
$(I_{AA} - AS_{1,A'})$: where $I_{AA}$ denotes the set of all attribute authorities involved in the old access policy and $AS_{1,A'}$ denotes the set of attribute authorities involved in both the new and old access policies, so that the expression denotes the set of attribute authorities that appear only in the old access policy;
$AS_{2,A'}$: the set of attribute authorities that exist only in the new access policy;
the formula for generating the update keys of the three attribute sets comprises:
Case 1:
Figure FDA0002276858990000035
where $(x, i)$ denotes the subscripts of the rows corresponding to the attribute $\rho(x)$ in the new access matrix $A'$ and the old access matrix $A$, respectively; if the old attribute $\rho(i)$ and the new attribute $\rho(x)$ are in the same state, $K_{2,x}$ is empty; if $\rho(i)$ is a time attribute and $\rho(x)$ is a general attribute, then
Figure FDA0002276858990000036
If $\rho(i)$ is a general attribute and $\rho(x)$ is a time attribute, then
Figure FDA0002276858990000037
Figure FDA0002276858990000038
where the function $T(att)$ maps attributes to their corresponding attribute authority, $t'_x = t_i$,
Figure FDA0002276858990000039
is the new secret share, $A'_x$ is the $x$-th row of the new access matrix $A'$,
Figure FDA00022768589900000310
is a new vector composed of newly selected random elements and the original secret value $s$; $r'_{T(\rho(x))} \in Z_p$ is a randomly selected element;
Case 2:
Figure FDA00022768589900000311
if the old attribute $\rho(i)$ and the new attribute $\rho(x)$ are in the same state, $K_{2,x}$ is empty; if $\rho(i)$ is a time attribute and $\rho(x)$ is a general attribute, then
Figure FDA00022768589900000312
if $\rho(i)$ is a generic attribute and $\rho(x)$ is a temporal attribute, then
Figure FDA0002276858990000041
where $t'_x = v_x \cdot t_i$, and $v_x, r'_{T(\rho(x))} \in \mathbb{Z}_p$ are randomly selected elements;
Case 3:
Figure FDA0002276858990000042
if the new attribute $\rho(x)$ is a generic attribute, then
Figure FDA0002276858990000043
if the new attribute $\rho(x)$ is a temporal attribute, then
Figure FDA0002276858990000044
where $t'_x \in \mathbb{Z}_p$ is a randomly selected element;
the formulas for generating the update keys of the two attribute authority sets are:
Figure FDA0002276858990000045
where the update key
Figure FDA0002276858990000046
is mainly used to update the $C_0$ structure in the old key ciphertext $CT_{FID}$; the update algorithm for the old key ciphertext, executed with the update keys, comprises the following:
Case 1: $C'_{2,x} = C_{2,i} \cdot K_{1,x}$, $C'_{3,x} = C_{3,i}$; if an update key $K_{2,x}$ exists, then $C_{4,i}$ must also be updated as $C'_{4,x} = C_{4,i} \cdot K_{2,x}$; otherwise $C'_{4,x} = C_{4,i}$;
Case 2:
Figure FDA0002276858990000047
if an update key $K_{2,x}$ exists, then $C_{4,i}$ must also be updated:
Figure FDA0002276858990000048
otherwise $C'_{4,x} = C_{4,i}$;
Case 3: $C'_{2,x} = K_{1,x}$, $C'_{3,x} = K_{2,x}$, $C'_{4,x} = K_{3,x}$;
the update formula for the $C_0$ structure of the old key ciphertext is: $C'_0 = C_0 \cdot UK_1 \cdot UK_2$;
the specific structure of the new key ciphertext after the update algorithm is executed is as follows:
Figure FDA0002276858990000049
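The policy-comparison step of the claim above (three attribute cases and two attribute authority sets) can be sketched as follows. This is an added illustration, not code from the patent: the function name, the sample attributes and authority names are hypothetical, and it assumes that Case 1 versus Case 2 is decided by counting how often an attribute occurs in the new policy against the old one, and that a Case 2 row is paired with the first old row carrying that attribute.

```python
from collections import Counter

def compare_policies(old_rows, new_rows, authority_of):
    """Rows are (attribute, is_time_attribute) pairs; the list index is the
    access-matrix row, so old_rows[i] plays rho(i) and new_rows[x] plays rho(x).
    Returns (plan, old_only_authorities, new_only_authorities)."""
    old_index = {}
    for i, (att, _) in enumerate(old_rows):
        old_index.setdefault(att, []).append(i)

    used = Counter()   # occurrences of each attribute consumed so far
    plan = []          # one (x, i, case, needs_K2) entry per new row
    for x, (att, is_time) in enumerate(new_rows):
        candidates = old_index.get(att, [])
        if not candidates:                 # Case 3: attribute only in new policy
            plan.append((x, None, 3, None))
            continue
        k = used[att]
        used[att] += 1
        if k < len(candidates):            # Case 1: count does not exceed old
            i, case = candidates[k], 1
        else:                              # Case 2: count exceeds old
            i, case = candidates[0], 2     # assumption: pair with first old row
        # K_{2,x} is empty when old and new attribute are in the same state
        needs_k2 = old_rows[i][1] != is_time
        plan.append((x, i, case, needs_k2))

    i_aa = {authority_of[att] for att, _ in old_rows}     # I_AA
    new_aa = {authority_of[att] for att, _ in new_rows}
    as1 = i_aa & new_aa                                   # AS_{1,A'}
    return plan, i_aa - as1, new_aa - i_aa                # (I_AA - AS_1), AS_2

if __name__ == "__main__":
    # Constructed sample data (hypothetical attributes and authorities).
    authority_of = {"doctor": "AA_hospital", "nurse": "AA_hospital",
                    "auditor": "AA_gov", "researcher": "AA_univ"}
    old = [("doctor", False), ("nurse", True), ("auditor", False)]
    new = [("doctor", True), ("doctor", False), ("researcher", True)]
    plan, old_only, new_only = compare_policies(old, new, authority_of)
    for row in plan:
        print(row)
    print("authorities only in old policy:", old_only)
    print("authorities only in new policy:", new_only)
```

The plan tells the updater which formula family applies per row; the two authority sets determine which authorities contribute to the update keys applied to $C_0$.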

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911126098.4A CN110933052A (en) 2019-11-18 2019-11-18 Encryption and policy updating method based on time domain in edge environment

Publications (1)

Publication Number Publication Date
CN110933052A (en) 2020-03-27

Family

ID=69854074

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911126098.4A Pending CN110933052A (en) 2019-11-18 2019-11-18 Encryption and policy updating method based on time domain in edge environment

Country Status (1)

Country Link
CN (1) CN110933052A (en)

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2656683A1 (en) * 2010-12-20 2013-10-30 Motorola Solutions, Inc. Method to maintain end-to-end encrypted calls through a tetra tmo-dmo gateway when using super groups
CN102914789A (en) * 2012-10-30 2013-02-06 中国石油化工股份有限公司 Method for setting seismic acquisition and observation system
CN104022868A (en) * 2014-02-18 2014-09-03 杭州师范大学 Outsourcing decryption method of attribute-based encryption based on ciphertext policy
CN106230590A (en) * 2016-07-22 2016-12-14 安徽大学 A kind of ciphertext policy ABE base encryption method of many authorized organizations

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
YOUHUIZI LI: "TMO:Time Domain Outsourcing Attribute-Based Encryption Scheme for Data Acquisition in Edge Computing", 《IEEE ACCESS》 *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112087422A (en) * 2020-07-28 2020-12-15 南京航空航天大学 Outsourcing access control method based on attribute encryption in edge calculation
CN113037621A (en) * 2021-03-12 2021-06-25 云知声智能科技股份有限公司 Edge gateway, edge gateway dynamic policy service implementation method, device and system
CN113037621B (en) * 2021-03-12 2022-08-02 云知声智能科技股份有限公司 Edge gateway, edge gateway dynamic policy service implementation method, device and system
CN116779084A (en) * 2023-05-12 2023-09-19 石家庄铁道大学 Electronic case privacy protection method based on blockchain
CN116779084B (en) * 2023-05-12 2024-02-13 石家庄铁道大学 Electronic case privacy protection method based on blockchain

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20200327