CN111310210A - Double-authentication symmetric searchable encryption algorithm based on password and secret signcryption - Google Patents

Info

Publication number: CN111310210A
Authority: CN (China)
Prior art keywords: algorithm, data, key, database, search
Legal status: Granted (active)
Application number: CN202010097171.6A
Other languages: Chinese (zh)
Other versions: CN111310210B (en)
Inventors: 王会歌 (Wang Huige), 赵运磊 (Zhao Yunlei), 隋光烨 (Sui Guangye)
Current assignee: Fudan University
Original assignee: Fudan University
Events: application CN202010097171.6A filed by Fudan University; publication of CN111310210A; application granted; publication of CN111310210B

Classifications

    • G06F21/602 Providing cryptographic facilities or services (G PHYSICS → G06 COMPUTING; CALCULATING OR COUNTING → G06F ELECTRIC DIGITAL DATA PROCESSING → G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity → G06F21/60 Protecting data)
    • G06F21/31 User authentication (G06F21/00 → G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals)
    • G06F21/6227 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database, where protection concerns the structure of data, e.g. records, types, queries (G06F21/00 → G06F21/60 → G06F21/62 → G06F21/6218)
    • G06F21/6254 Protecting personal data, e.g. for financial or medical purposes, by anonymising data, e.g. decorrelating personal data from the owner's identification (G06F21/00 → G06F21/60 → G06F21/62 → G06F21/6218 → G06F21/6245)

Abstract

The invention belongs to the technical field of cryptography, and in particular relates to a double-authentication symmetric searchable encryption algorithm based on passwords and secret signcryption (higncryption). Searchable encryption is a cryptographic primitive that allows users to retrieve ciphertext data, using the powerful computing resources of a cloud server for keyword retrieval without revealing to the server any information that would compromise the protected data. The present invention presents a symmetric searchable encryption algorithm that is oriented to multiple data owners and has access control, authentication and anonymity properties. The algorithm enhances the functionality and security of existing searchable encryption schemes by providing user identity hiding and identity authentication, with only a modest increase in computation time, and achieves an overall performance advantage over current state-of-the-art symmetric searchable encryption schemes. The scheme is suitable for most client-server data communication systems.

Description

Double-authentication symmetric searchable encryption algorithm based on password and secret signcryption
Technical Field
The invention belongs to the technical field of cryptography, and in particular relates to a double-authentication symmetric searchable encryption algorithm based on a password and secret signcryption (higncryption).
Background
At ESORICS 2016, Sun et al. proposed an efficient non-interactive multi-client symmetric searchable encryption (SSE) scheme that improves on the scheme of S. Jarecki et al. from CCS 2013 by reducing the communication overhead between the data owner and the data user. Specifically, the CCS 2013 scheme of Jarecki et al. requires the data user to interact with the data owner every time it searches the encrypted database, whereas in the ESORICS 2016 scheme of Sun et al. the data user interacts with the data owner only once, regardless of how many queries it later executes, as long as the queried keywords lie in the authorized keyword set determined by the owner. Despite its many advantages, the Sun et al. scheme leaves several problems unresolved. For example, it applies only to the single data owner/multiple data user setting, and how to design a scheme for the multiple data owner/multiple data user setting remains an open question. Moreover, the scheme is vulnerable to masquerading attacks, because the identity information of the data user is transmitted to the server in the clear and no authentication of the data user to the server is provided when the two interact. In addition, because the search token generated by the data user is sent in plaintext, again without authentication to the server, the scheme is vulnerable to attacks that replay plaintext search tokens. This leads to the following question.
Motivation 1: Can we propose an SSE scheme that supports the multiple data owner/multiple data user setting while retaining the efficiency advantage of the Sun et al. scheme?
An authentication protocol with identity hiding is an efficient cryptographic tool for secure end-to-end communication over the Internet, and implementing authentication and identity privacy in searchable encryption is important for both security and privacy. However, existing searchable encryption schemes, and in particular the ESORICS 2016 SSE scheme of Sun et al., provide neither authentication, data protection nor identity concealment for the communication between client and server, which can lead to serious security risks. For example, an adversary may masquerade as a client and launch a large number of search queries against the server, mounting an impersonation attack and a DoS attack. If the search token generated by a data user is not protected, an adversary may use a previously generated token to launch large-scale search queries against the server, a replay search attack. And without identity privacy, an adversary can learn further sensitive information about the data user from its identity (through doxxing, for example), seriously compromising the user's privacy.
Intuitively, one could use a standard protocol such as TLS 1.3 or Google's QUIC to solve these problems. However, those protocols provide many functions that are not needed here, which would worsen the efficiency of SSE and make the solution less practical. In the public-key setting, authenticated encryption corresponds to signcryption (proposed by Y. Zheng at CRYPTO 1997), which is also standardized in ISO/IEC 29150. Signcryption is functionally equivalent to one-pass authenticated key exchange, which in turn can be used as an asymmetric key encapsulation mechanism. Zheng's signcryption and one-pass HMQV (HOMQV) are potential solutions, but they do not consider identity hiding and their efficiency is still unsatisfactory. Identity is a fundamental privacy issue: identity confidentiality is now mandated by a range of important standards (e.g. TLS 1.3, EMV, QUIC and 3GPP's 5G telecommunication standards), and the European Union's General Data Protection Regulation (GDPR) likewise mandates protection of user identity privacy.
Higncryption is a cryptographic primitive proposed by Zhao at CCS 2016 that achieves identity hiding, identity authentication and confidentiality simultaneously. It has efficiency comparable to signcryption and HOMQV but achieves stronger security (e.g. resistance to CMIM, UKS and KCI attacks, CNM, PFS, x-exposure, etc.; the reader is referred to Zhao's CCS 2016 paper for details) and provides more functionality. Moreover, higncryption fits naturally into the TLS 1.3 and QUIC protocols. This leads to the following question.
Motivation 2: Can we propose a symmetric searchable encryption method that also supports identity hiding, authentication and confidentiality?
1. Symbol convention
If $S$ is a finite set, $|S|$ denotes its size and $x \leftarrow S$ denotes the uniformly random selection of an element $x$ from $S$. For a probabilistic algorithm, $C \leftarrow \mathrm{Alg}$ means that the algorithm Alg runs and outputs $C$. If $\alpha$ is neither an algorithm nor a set, $x \leftarrow \alpha$ is a simple assignment. A string or value $\alpha$ is represented as a binary string in $\{0,1\}^*$; $|\alpha|$ is its length in bits, and $x \| y$ denotes concatenation.
Let $G'$ be an Abelian group of order $N$, and let $G = \langle g \rangle$ be the unique subgroup of $G'$ of prime order $q$ generated by $g$. In this context all groups are written multiplicatively, and the bit length of $q$ (i.e. $|q|$) is the security parameter. $1_G$ denotes the identity element of $G$, $G \setminus 1_G$ the set of elements of $G$ other than the identity, and $t = N/q$ the cofactor. When instantiated with an elliptic curve, $G'$ is the group of points $E(L)$ of an elliptic curve $E$ over a finite field $L$, and $G$ is the subgroup of $E(L)$ of prime order $q$. For elliptic-curve groups the cofactor $t$ is typically small.
The discrete logarithm (DL) assumption on $G$ states that, given $X = g^x$ for a uniformly random exponent $x$, no probabilistic polynomial-time (PPT) algorithm outputs $x$ with non-negligible probability. The computational Diffie-Hellman (CDH) assumption states that, for uniformly random exponents $x$ and $y$, given $X = g^x$ and $Y = g^y$, no PPT algorithm computes $g^{xy}$, i.e. $\mathrm{CDH}(X, Y)$, with non-negligible probability.
2. Authenticated encryption with associated data
Briefly, an authenticated encryption with associated data (AEAD) scheme converts a message $M$ and header information $H$ (e.g. a packet header, IP address, etc.) into a ciphertext $C$. $C$ provides both privacy for the message and authentication of the ciphertext $C$ and the header $H$ [23]. In practice, when AEAD is used in a cryptographic system, the associated data is typically determined implicitly by the context (e.g. the transcript of the protocol run so far, or some predefined value).
Security of AEAD. Let $\mathrm{SE} = (K_{se}, \mathrm{Enc}, \mathrm{Dec})$ denote a symmetric encryption scheme. The probabilistic polynomial-time key generation algorithm $K_{se}$ takes a security parameter $\kappa$ as input and selects a key $K$ from a finite non-empty key space $\mathcal{K}$; for simplicity of description we fix this key space. The polynomial-time encryption algorithm is $\mathrm{Enc}: \mathcal{K} \times \{0,1\}^* \times \{0,1\}^* \to \{0,1\}^* \cup \{\bot\}$ and the polynomial-time decryption algorithm is $\mathrm{Dec}: \mathcal{K} \times \{0,1\}^* \times \{0,1\}^* \to \{0,1\}^* \cup \{\bot\}$, such that for any associated data $H \in \{0,1\}^*$ and message $M \in \{0,1\}^*$, if $\mathrm{Enc}_K(H, M)$ outputs $C \neq \bot$, then $\mathrm{Dec}_K(H, C)$ always outputs $M$. Here we assume that the ciphertext $C$ is decrypted together with the associated data $H$ it was produced with.
Let $\mathrm{Adv}$ denote the success probability of the adversary in the security experiment of Table 1. If this probability is negligible for every polynomial-time adversary and sufficiently large $\kappa$, we call SE AEAD-secure.
Table 1: AEAD security experiment
[table given only as an image in the source]
The AEAD security above is quite strong. In particular, it means that even after adaptively obtaining polynomially many ciphertexts, an adversary cannot produce a new valid ciphertext, i.e. one that decrypts to something other than $\bot$. Moreover, for two independent keys $K, K' \leftarrow K_{se}$, any message $M$ and any header $H$, the probability $\Pr[\mathrm{Dec}_{K'}(H, \mathrm{Enc}_K(H, M)) \neq \bot]$ is negligible.
Disclosure of Invention
The present invention aims to provide a symmetric searchable encryption algorithm that is oriented towards multiple data owners and has access control, authentication and anonymity properties.
The symmetric searchable encryption algorithm provided by the invention is based on a double-authentication technique combining passwords and secret signcryption (higncryption). Searchable encryption is a cryptographic primitive that allows a user to retrieve ciphertext data, using the powerful computing resources of a cloud server for keyword retrieval, without revealing to the server any information that would compromise the protected data.
The double-authentication symmetric searchable encryption algorithm (icSSE) based on passwords and secret signcryption comprises eight PPT algorithms, abbreviated as Setup, LKeyGen, DWKeyGen, EDBGen, SKeyGen, ETokenGen, Search and Retrieve.
The details are as follows:
(1) Setup(1^λ): run by the data owner, which takes the security parameter 1^λ as input and outputs the long-term-key-generation public parameter par_L and the encrypted-database-identifier-generation public parameter par_E, where par_L is used to generate long-term public/private keys and par_E to generate encrypted database identifiers.
(2) LKeyGen(par_L, id_U): run by the long-term key generation center LK-KGC, which takes par_L and the user identity id_U ∈ {0,1}^* as input and outputs the user's long-term public/private key pair (pk_U, sk_U).
(3) DWKeyGen(1^λ, id_DW): run by the data owner key generation center DWK-KGC, which takes the security parameter 1^λ and the data owner identity id_DW as input and outputs the encrypted-database public/private key pair (EPK_DW, ESK_DW) of data owner id_DW.
(4) EDBGen(par_E; EPK_DW; ESK_DW; DB; A): run by data owner id_DW, which takes par_E, the data owner's encrypted-database public key EPK_DW and private key ESK_DW, the plaintext database DB and the access control structure A as input; the algorithm encrypts the database DB into the ciphertext database EDB_DW and sends EDB_DW to the server.
(5) SKeyGen(EPK_DW, ESK_DW; S; w; id_U): run by data owner DW, which takes its encrypted-database public key EPK_DW and private key ESK_DW, the attribute set S, the authorized keyword set w and the data user identity id_U ∈ {0,1}^* as input, and generates the search private key SK_U = (SK_{MS,U}, SK_{S,U}) for data user id_U, consisting of the master search private key SK_{MS,U} and the partial search private key SK_{S,U}.
(6) ETokenGen(SK_U; sk_U; pid_U; pid_V; Q; identifier of EDB_DW): run by data user id_U, which takes its search private key SK_U, its long-term private key sk_U, its public identity information pid_U = (id_U, pk_U = U = g^u, cert_U), the server's public identity information pid_V = (id_V, pk_V = V = g^v, cert_V), the query Q and the identifier of the encrypted database EDB_DW as input, and outputs an encrypted search token est. Note that the token est does not contain the public identity information pid_U or pid_V, where pid_V is the public identity information of the server.
(7) Search(sk_V; pid_V; pid_U; est; EDB): run by the server, which takes its long-term private key sk_V and public identity information pid_V, the public identity information pid_U of data user id_U, the encrypted search token est and the current complete encrypted database EDB as input. Note that EDB contains all the partial encrypted databases EDB_DW generated by the individual data owners DW. Finally the matching result R is output to data user id_U.
(8) Retrieve(SK_U; R): run by data user id_U, which takes the search private key SK_U and the search result set R as input and outputs the document indices that match the search keyword w for id_U.
Compared with the scheme published by Sun et al. at ESORICS 2016 (hereafter "Sun"), the primitive of the present invention can be used in both the multiple data user and the multiple data owner settings. Multiple data owners means that several data owners can outsource their storage and services to the cloud server at the same time while leaking as little information as possible about queries and plaintext data to the server. In addition, the primitive prevents data users from running search queries on unauthorized keywords. In particular, it also provides authentication of the data user to the server, with the aim of preventing an adversary from launching denial-of-service (DoS) attacks. Finally, identity hiding and confidentiality of the search token are also achieved in the primitive of the present invention, to resist impersonation and token replay attacks respectively.
The concrete construction of the double-authentication symmetric searchable encryption algorithm based on passwords and secret signcryption is as follows.
First, the basic cryptographic building blocks used to construct the scheme are listed:
an attribute-based encryption scheme ABE = (ABE.Setup, ABE.KeyGen, ABE.Enc, ABE.Dec);
a hash function H: {0,1}^* → {0,1}^l, where l is the length of the hash output;
pseudorandom functions, denoted KDF, F and F_p;
a symmetric encryption scheme AEAD = (AEAD.Gen, AEAD.Enc, AEAD.Dec).
(1) Setup(1^λ): takes the security parameter 1^λ as input and generates the long-term-key-generation public parameter par_L = (G'_1, N, G_1, g', q') ← 𝒢'(1^λ), a group setting in which the Gap Diffie-Hellman (GDH) assumption is assumed to hold and in which the long-term public/private keys live, together with the encrypted-database-identifier-generation public parameter par_E = H, where H is a compression (hash) function. The algorithm finally outputs par_L and par_E.
(2) LKeyGen(par_L, id_U): run by the long-term key generation center LK-KGC, which takes par_L and the user identity id_U ∈ {0,1}^* as input and sets and outputs the user's long-term public/private key pair (pk_U, sk_U). The binding between the user identity id_U and its public key U is certified by a certificate cert_U issued by a CA.
(3) DWKeyGen(1^λ, id_DW): run by the data owner key generation center DWK-KGC, which takes the security parameter 1^λ and the data owner identity id_DW as input. It generates (G_2, g, n, p, q) ← 𝒢(1^λ), where 𝒢 is a random group generator, G_2 is a multiplicative cyclic group, g ← G_2 is a random generator of order n, and n = pq for two large primes p and q. It then checks whether (p, q) is already in the table Tab; if so, DWK-KGC reruns 𝒢(1^λ) until (p, q) is not in Tab, and then stores (p, q) in Tab. Next it randomly selects K_X, K_I, K_Z, K_E ← 𝒦 and g_1, g_2, g_3 ← G_2, where 𝒦 is the key space, and computes (mpk, msk) ← ABE.Setup(1^λ). The encrypted-database private key and public key of data owner DW are set to ESK_DW ← (K_X, K_I, K_Z, K_E, p, q, g_1, g_2, g_3, msk) and EPK_DW = (n, mpk) respectively.
(4) EDBGen(par_E; EPK_DW; ESK_DW; DB; A): run by data owner id_DW, which takes the encrypted-database-identifier-generation parameter par_E, the encrypted-database public key EPK_DW = (n, mpk) and private key ESK_DW ← (K_X, K_I, K_Z, K_E, p, q, g_1, g_2, g_3, msk), the database DB and the access control structure A as input. It outputs the encrypted database EDB_DW together with its identifier. The detailed procedure is given as Algorithm 1 in Appendix 1.
(5) SKeyGen(EPK_DW; ESK_DW; w; id_DW; id_U; identifier of EDB_DW): run by data owner id_DW, which takes the encrypted-database public key EPK_DW = (n, mpk) and private key ESK_DW = (K_X, K_I, K_Z, K_E, p, q, g_1, g_2, g_3, msk), the keyword set w, the data owner identity id_DW, the data user identity id_U and the identifier of the encrypted database (it is assumed that a data owner records the identifier as soon as it has generated an encrypted database) as input. Suppose data user id_U is to be authorized to search the keyword set w = {w_1, ..., w_n}. Data owner id_DW first computes the master search private key SK_{MS,U} [formula given only as an image in the source], then computes the attribute key sk_S ← ABE.KeyGen(msk, S), where S ⊆ 𝒰 is the attribute set of the authorized data user and 𝒰 is the attribute universe. Next, id_DW sends the search private key SK_U = (SK_{MS,U}, SK_{S,U}) to data user id_U, where SK_{MS,U} and SK_{S,U} = sk_S are the master search private key and the partial search private key respectively. In particular, the identifier of EDB_DW is also included in the master search private key SK_{MS,U}, so that data user id_U can easily locate the encrypted database to be searched.
(6) ETokenGen(SK_U; sk_U; pid_U; pid_V; Q; identifier of EDB_DW): run by data user id_U, which takes the search private key SK_U, the long-term private key sk_U = u, the public identity information pid_U = (id_U, pk_U = U = g^u, cert_U), the server's public identity information pid_V = (id_V, pk_V = V = g^v, cert_V), the authorized keyword set w and the identifier of the encrypted database as input. When data user id_U intends to execute a query Q over its authorized keywords, it first determines the s-term of the query, i.e. the keyword used to drive the search; suppose w'_1 is the selected s-term. It then computes the encrypted search token est for this query according to the program code of Algorithm 2, given in Appendix 2.
(7) Search(sk_V; pid_V; pid_U; est; EDB): run by server id_V, which takes the server's long-term private key sk_V and public identity information pid_V, the data user's public identity information pid_U, the data user's encrypted search token est and the current complete encrypted database EDB, the union of the encrypted databases EDB_DW of all data owners in the set of data owners registered on the cloud server, as input. The algorithm first performs the authentication procedure using the long-term private key sk_V and the public identity information pid_V and pid_U, and then recovers the search token st and the database identifier from the encrypted search token est. Next, it uses the identifier to select the encrypted database EDB_DW. The server then uses the search token st to perform a single-keyword search and obtains the encrypted document index set R matching the search condition. The detailed search procedure is given as Algorithm 3 in Appendix 3.
(8) Retrieve(SK_U; R): run by data user id_U, which takes the search private key SK_U and the encrypted document index set R as input. It first uses the partial private key sk_S (contained in SK_U) to decrypt each element of R and obtain the authorized part of the document indices. Specifically, for each e ∈ R, if the data user's attribute set S ⊆ 𝒰 satisfies the access control policy A associated with the ciphertext e (which encrypts the index ind that matches the query), the index is computed as ind = ABE.Dec(sk_S, e).
The algorithm of the invention is characterized in that:
Building on the work of Sun et al. (ESORICS 2016) and Zhao (CCS 2016), the present invention proposes an SSE scheme that supports arbitrary Boolean queries and the multiple data owner/multiple data user setting. In particular, the scheme not only meets the same security requirements as those works but further strengthens the security of this class of schemes by providing identity concealment, authentication of the data user to the server, and confidentiality of the search token, compared with the Sun scheme. Identity hiding protects the privacy of data users by concealing their identity information, while authentication, implemented with a certificate-based mechanism, protects against masquerading attacks. Furthermore, the scheme provides forward ID privacy, meaning that even if a client's long-term private key is compromised, its ID privacy is preserved. Neither signcryption nor HOMQV provides ID hiding or forward ID privacy. Finally, confidentiality of the search token is obtained by encrypting the plaintext search token generated by the data user, which is intended to resist replay attacks: in other comparable works an adversary can use a previously observed plaintext search token to force the server to execute the same search query repeatedly.
To realize the multiple data owner function, the invention first establishes a data owner key generation center (DWK-KGC) that generates an encrypted-database public/private key pair for each data owner; the plaintext database is then converted into a ciphertext database with this key pair. Identity concealment, authentication and confidentiality are realized by adapting and integrating the encryption scheme of Zhao's CCS 2016 paper: Zhao's encryption algorithm is applied after the search token is generated, with the plaintext and the sender's identity replaced by the search token and the data user's identity respectively.
As in the Sun scheme, attribute-based encryption is deployed to allow fine-grained access control over the encrypted document indices retrieved by the data user. Efficiency analysis shows that the scheme achieves performance comparable to the Sun scheme. Moreover, like the encryption scheme of Zhao's CCS 2016 paper, the scheme can be applied directly to 0-RTT authentication, which shows that it is well suited to and compatible with both QUIC-based and OPTLS-based SSE schemes.
Detailed Description
First, all algorithm participants should call Setup (1)λ): algorithm with security parameter 1λFor input, a long-term key generation public parameter par is generatedL=(G′1,N,G1,g′,q′)←g′(1λ) Each participant of the algorithm saves the set of parameters and applies the parameters to participate in the subsequent operation.
Then, a long-term key generation center LK-KGC should be established, the LK-KGC calling LKEyGen (par)L,idU) Function, LK-KGC generates long-term key to public parameter par at call timeLAnd user identity idU∈{0,1}*As input, and outputs the long-term public key, private key pair (pk) of the userU,skU). The algorithm sets and outputs a key pair (pk)U,skU). User identity idUAnd the binding between the public keys U is authenticated by a certificate certA issued by the CA, which is public to all. And each public key and private key pair is sent to the corresponding user by the LK-KGC. The user saves the public and private key pairs for later operation.
Then, a data owner key generation center DWK-KGC is also established, and the DWK-KGC calls DWKeyGen (1)λ,idDW) The algorithm. DWK-KG center assigns a safety parameter 1λAnd data owner identity idDWAs an algorithm input. The algorithm generates an encrypted database secret key and a public key. The encryption database secret key and the public key of the data owner DW are set to ESK, respectivelyDW(KX,KI,KZ,KE,p,q,g1,g2,g3Msk) and EPKDW= (n, mpk). The specific generation process is shown in the specification.
Then, when the data owner idDWWhen wanting to share own data, idDWCalling EDBGen (par)e;EPKDW;ESKDW(ii) a DB; A) and (4) an algorithm. The idDWGenerating the database identifier into parameter parEEncrypted database public key EPKDW= (n; mpk) and secret key ESKDW(KX,KI,KZ,KE,p,q,g1,g2,g3Msk), database DB and access control Structure A as inputs it outputs an encrypted database
Figure BDA0002385857920000081
Wherein
Figure BDA0002385857920000082
Representing an encrypted database EDBDWOf (2) is detected. EDBDWStored in a server and disclosed to all for access.
Then, assume data owner idDWWant to allow data user idUFor authorization key w ═ w1,...,wnCarry on the search. idDWCall out
Figure BDA0002385857920000083
And (4) an algorithm. The specific calling process is referred to the specification. Next, data owner idDWWill search for the private key SKU=(SKMSU,SKSU) Send to data user idUWherein
Figure BDA0002385857920000084
And SKSU=skSRespectively representing data user idUAnd partial search of the private key, and
Figure BDA0002385857920000085
of particular note is the encryption of database EDBDWOf (2)
Figure BDA0002385857920000086
Also included in the master search private key SKMSUIn order to data user idUBy means of
Figure BDA0002385857920000087
The database to be encrypted is easily found.
Then, when the data user idUWhen he wants to access the data he needs to generate a search token and pass it to the server. Data user idUInvoking
Figure BDA0002385857920000091
The function generates a search token. The specific calling process is referred to the specification.
Then, when the server id_V receives the search token of data user id_U, it calls the Search(sk_V; pid_V; pid_U; est; EDB) algorithm. The server takes its own long-term private key sk_V and public identity information pid_V, the data user's public identity information pid_U, the data user's encrypted search token
Figure BDA0002385857920000092
and the current complete encrypted database
Figure BDA0002385857920000093
as inputs, where
Figure BDA0002385857920000094
denotes the set of data owners registered on the cloud server. The algorithm first runs an authentication procedure using the long-term private key sk_V and the public identity information pid_V and pid_U, and then recovers the search token st and the database identifier
Figure BDA0002385857920000095
from the encrypted search token est. Next, it uses the identifier
Figure BDA0002385857920000096
to select the encrypted database EDB_DW. The server then uses the search token
Figure BDA0002385857920000097
to perform a single-keyword search and obtains the set R of encrypted document indices matching the search condition. The detailed search procedure is given in Algorithm 3 in the appendix. The document index set R is returned to data user id_U.
Finally, when data user id_U receives the document index set R returned by server id_V, data user id_U calls the Retrieve(SK_U; R) algorithm to obtain the search result. The user takes the search private key SK_U and the encrypted document index set R as input. It first uses the partial private key sk_S (contained in the secret key SK_U) to decrypt each element of R and obtain the authorized part of the document index. Specifically, for each e ∈ R, if the attribute set S ∈ U of the data user satisfies the access control policy A associated with the ciphertext e (e encrypts the index ind that matches the query
Figure BDA0002385857920000098
), then the index is computed as ind = abe.Dec(sk_S, e).
Appendix 1:
Figure BDA0002385857920000101
Appendix 2:
Figure BDA0002385857920000111
Appendix 3:
Figure BDA0002385857920000121

Claims (4)

1. A double-authentication symmetric searchable encryption algorithm based on password and secret signcryption, abbreviated icSSE, comprising eight PPT algorithms, described respectively as follows:
(1) Setup(1^λ): the algorithm is run by the data owner, who takes the security parameter 1^λ as input and outputs a long-term key generation common parameter par_L and an encrypted database identifier generation common parameter par_E, where par_L is used to generate long-term public and private keys and par_E is used to generate encrypted database identifiers;
(2) LKeyGen(par_L, id_U): the algorithm is run by the long-term key generation center LK-KGC, which takes the long-term key generation common parameter par_L and the user identity id_U ∈ {0,1}* as input and outputs the user's long-term public/private key pair (pk_U, sk_U);
(3) DWKeyGen(1^λ, id_DW): the algorithm is run by the data owner key generation center DWK-KGC, which takes the security parameter 1^λ and the data owner identity id_DW as input; it outputs the encrypted database public/private key pair (EPK_DW, ESK_DW) for data owner id_DW;
(4) EDBGen(par_E; EPK_DW; ESK_DW; DB; A): the algorithm is run by data owner id_DW, who takes the encrypted database identifier generation common parameter par_E, the data owner's encrypted database public key EPK_DW and encrypted database secret key ESK_DW, the plaintext database DB and the access control structure A as input; the algorithm encrypts the database DB into the ciphertext database EDB_DW and sends EDB_DW to the server;
(5) SKeyGen(EPK_DW, ESK_DW; S; w; id_U): the algorithm is run by the data owner DW, who takes the data owner's encrypted database public key EPK_DW and encrypted database secret key ESK_DW, the attribute set S, the authorized keyword set w and the data user identity id_U ∈ {0,1}* as input, and generates the search private key SK_U = (SKMS_U, SKS_U) for data user id_U, where SK_U consists of the master search private key SKMS_U and the partial search private key SKS_U;
(6)
Figure FDA0002385857910000011
: the algorithm is run by data user id_U, who takes the data user's search private key SK_U, long-term private key sk_U, public identity information pid_U = (id_U, pk_U = U = g^u, cert_U), the server's public identity information pid_V = (id_V, pk_V = V = g^v, cert_V), the query Q and the identifier of the encrypted database EDB_DW
Figure FDA0002385857910000012
as input, and outputs an encrypted search token est; here the token est does not contain the public identity information pid_U and pid_V, where pid_V denotes the server's public identity information;
(7) Search(sk_V; pid_V; pid_U; est; EDB): the algorithm is run by the server, which takes the server's long-term private key sk_V and public identity information pid_V, the public identity information pid_U of data user id_U, the encrypted search token est and the current complete encrypted database EDB as input; here the encrypted database EDB contains all the partial encrypted databases EDB_DW generated by the data owners DW; finally, the matching result R is output to data user id_U;
(8) Retrieve(SK_U; R): the algorithm is run by data user id_U, who takes the search private key SK_U and the search result set R as input and outputs the document indices matching the search keywords w given by id_U.
2. The double-authentication symmetric searchable encryption algorithm based on password and secret signcryption according to claim 1, wherein each PPT algorithm is specifically configured as follows:
(1) Setup(1^λ): the algorithm takes the security parameter 1^λ as input and generates the long-term key generation public parameter par_L = (G'_1, N, G_1, g', q') ← ɡ'(1^λ), which is the basic setting in which the GDH assumption is supposed to hold, and the encrypted database identifier generation public parameter par_E = H, where H is a compression function; the algorithm finally outputs par_L and par_E;
(2) LKeyGen(par_L, id_U): the algorithm is run by the long-term key generation center LK-KGC, which takes the long-term key generation common parameter par_L and the user identity id_U ∈ {0,1}* as input and outputs the user's long-term public/private key pair (pk_U, sk_U); the algorithm sets and outputs the key pair (pk_U, sk_U); the binding between the user identity id_U and the public key U is authenticated by a certificate cert_A issued by the CA;
(3) DWKeyGen(1^λ, id_DW): the algorithm is run by the data owner key generation center DWK-KGC, which takes the security parameter 1^λ and the data owner identity id_DW as input; it generates (G_2, g, n, p, q) ← ɡ'(1^λ), where g is a random group generator, G_2 is a multiplicative cyclic group, g ← G_2 is a random generator of order n, n = pq, and p and q are two large primes; it then checks whether (p; q) is already in the table Tab, and if so DWK-KGC reruns ɡ'(1^λ) until (p; q) is not in Tab, and then stores (p; q) in Tab; next, it randomly selects K_X, K_I, K_Z, K_E ← K and g1, g2, g3 ← G_2 and computes (mpk, msk) ← abe.Setup(1^λ), where K is the key space; the encrypted database secret key and public key of data owner DW are set to ESK_DW ← (K_X, K_I, K_Z, K_E, p, q, g1, g2, g3, msk) and EPK_DW = (n, mpk) respectively;
(4) EDBGen(par_E; EPK_DW; ESK_DW; DB; A): the algorithm is run by data owner id_DW, who takes the encrypted database identifier generation parameter par_E, the encrypted database public key EPK_DW = (n; mpk) and secret key ESK_DW ← (K_X, K_I, K_Z, K_E, p, q, g1, g2, g3, msk), the database DB and the access control structure A as input; it outputs an encrypted database
Figure FDA0002385857910000021
where
Figure FDA0002385857910000022
denotes the identifier of the encrypted database EDB_DW;
(5)
Figure FDA0002385857910000023
: the algorithm is run by data owner id_DW, who takes the data owner's encrypted database public key EPK_DW = (n, mpk) and private key ESK_DW ← (K_X, K_I, K_Z, K_E, p, q, g1, g2, g3, msk), the keyword set w, the data owner identity id_DW, the data user identity id_U and the encrypted database identifier
Figure FDA0002385857910000024
(assuming that once the data owner has generated an encrypted database, it immediately records the corresponding identifier) as input; assume that data user id_U is allowed to search for the authorized keywords w = (w_1, ..., w_n); data owner id_DW first computes
Figure FDA0002385857910000031
and then computes the attribute key sk_S ← abe.KeyGen(msk, S), where S ∈ U is the attribute set of the authorized data user and U is the attribute space; next, data owner id_DW sends the search private key SK_U = (SKMS_U, SKS_U) to data user id_U, where
Figure FDA0002385857910000032
and SKS_U = sk_S denote the master search private key and the partial search private key of data user id_U respectively, and
Figure FDA0002385857910000033
here, the identifier of the encrypted database EDB_DW,
Figure FDA0002385857910000034
is also included in the master search private key SKMS_U so that, by means of
Figure FDA0002385857910000035
data user id_U can easily find the encrypted database to be searched;
(6)
Figure FDA0002385857910000036
: the algorithm is run by data user id_U, who takes the search private key
Figure FDA0002385857910000037
the long-term private key sk_U = u, the public identity information pid_U = (id_U, pk_U = U = g^u, cert_U), the server's public identity information pid_V = (id_V, pk_V = V = g^v, cert_V), the authorized keyword set
Figure FDA0002385857910000038
and the encrypted database identifier
Figure FDA0002385857910000039
as input; when data user id_U intends to execute a query
Figure FDA00023858579100000310
it first determines the s-term
Figure FDA00023858579100000311
suppose that
Figure FDA00023858579100000312
and w'_1 is the selected s-term, and then computes the encrypted search token for that query, i.e.
Figure FDA00023858579100000313
(7) Search(sk_V; pid_V; pid_U; est; EDB): the algorithm is run by the server id_V, which takes the server's long-term private key sk_V and public identity information pid_V, the data user's public identity information pid_U, the data user's encrypted search token
Figure FDA00023858579100000314
and the current complete encrypted database
Figure FDA00023858579100000315
Figure FDA00023858579100000316
as input, where
Figure FDA00023858579100000317
denotes the set of data owners registered on the cloud server; the algorithm first runs an authentication procedure using the long-term private key sk_V and the public identity information pid_V and pid_U, and then recovers the search token st and the database identifier
Figure FDA00023858579100000318
from the encrypted search token est; next, it uses the identifier
Figure FDA00023858579100000319
to select the encrypted database EDB_DW; the server then uses the search token
Figure FDA00023858579100000320
Figure FDA00023858579100000321
to perform a single-keyword search and obtains the set R of encrypted document indices matching the search condition;
(8) Retrieve(SK_U; R): the algorithm is run by data user id_U, who takes the search private key SK_U and the encrypted document index set R as input; it first uses the partial private key sk_S to decrypt each element of R and obtain the authorized part of the document index; specifically, for each e ∈ R, if the attribute set S ∈ U of the data user satisfies the access control policy A associated with the ciphertext e, then ind = abe.Dec(sk_S, e).
3. The double-authentication symmetric searchable encryption algorithm based on password and secret signcryption according to claim 2, wherein, to implement the multiple-data-owner functionality, a data owner key generation center DWK-KGC is first established to generate the encrypted database public/private key pair for each data owner; the plaintext database is then converted into a ciphertext database with this key pair; identity concealment, authentication and confidentiality are achieved by modifying and integrating the encryption scheme of Zhao's CCS 16 paper; specifically, Zhao's encryption algorithm is inserted after the search token is generated, and the plaintext and the sender's identity information are replaced by the search token and the identity of the data user respectively.
4. The double-authentication symmetric searchable encryption algorithm based on password and secret signcryption according to claim 3, characterized in that the specific flow is as follows:
First, all algorithm participants invoke Setup(1^λ): the algorithm takes the security parameter 1^λ as input and generates the long-term key generation public parameter par_L = (G'_1, N, G_1, g', q') ← ɡ'(1^λ); each participant stores this group of parameters and uses them in the subsequent operations;
then a long-term key generation center LK-KGC is established, and LK-KGC calls the LKeyGen(par_L, id_U) algorithm; when calling it, LK-KGC takes the long-term key generation public parameter par_L and the user identity id_U ∈ {0,1}* as input and outputs the user's long-term public/private key pair (pk_U, sk_U); the algorithm sets and outputs the key pair (pk_U, sk_U); the binding between the user identity id_U and the public key U is authenticated by a certificate cert_A issued by the CA, and the certificate is public to everyone; each public/private key pair is sent by LK-KGC to the corresponding user, who saves it for later operations;
then a data owner key generation center DWK-KGC is established, and DWK-KGC calls the DWKeyGen(1^λ, id_DW) algorithm; DWK-KGC takes the security parameter 1^λ and the data owner identity id_DW as algorithm input; the algorithm generates an encrypted database secret key and public key; the encrypted database secret key and public key of data owner DW are set to ESK_DW = (K_X, K_I, K_Z, K_E, p, q, g1, g2, g3, msk) and EPK_DW = (n, mpk) respectively;
then, when data owner id_DW wants to share its own data, id_DW calls the EDBGen(par_E; EPK_DW; ESK_DW; DB; A) algorithm; id_DW takes the encrypted database identifier generation parameter par_E, the encrypted database public key EPK_DW = (n; mpk) and secret key ESK_DW = (K_X, K_I, K_Z, K_E, p, q, g1, g2, g3, msk), the database DB and the access control structure A as inputs; it outputs an encrypted database
Figure FDA0002385857910000041
where
Figure FDA0002385857910000042
denotes the identifier of the encrypted database EDB_DW; EDB_DW is stored on the server and made accessible to everyone;
then, if data owner id_DW wants to allow data user id_U to search for the authorized keywords w = (w_1, ..., w_n), id_DW calls the
Figure FDA0002385857910000043
algorithm; next, data owner id_DW sends the search private key SK_U = (SKMS_U, SKS_U) to data user id_U, where
Figure FDA0002385857910000044
Figure FDA0002385857910000045
and SKS_U = sk_S denote the master search private key and the partial search private key of data user id_U respectively, and
Figure FDA0002385857910000046
here, the identifier of the encrypted database EDB_DW,
Figure FDA0002385857910000047
is also included in the master search private key SKMS_U so that, by means of
Figure FDA0002385857910000048
data user id_U can easily find the encrypted database to be searched;
then, when data user id_U needs to access the data, it has to generate a search token and transmit it to the server; data user id_U invokes the
Figure FDA0002385857910000049
algorithm to generate the search token;
then, when the server id_V receives the search token of data user id_U, it calls the Search(sk_V; pid_V; pid_U; est; EDB) algorithm; the server takes its own long-term private key sk_V and public identity information pid_V, the data user's public identity information pid_U, the data user's encrypted search token
Figure FDA0002385857910000051
and the current complete encrypted database
Figure FDA0002385857910000052
as inputs, where
Figure FDA0002385857910000053
denotes the set of data owners registered on the cloud server; the algorithm first runs an authentication procedure using the long-term private key sk_V and the public identity information pid_V and pid_U, and then recovers the search token st and the database identifier
Figure FDA0002385857910000054
from the encrypted search token est; next, it uses the identifier
Figure FDA0002385857910000055
to select the encrypted database EDB_DW; the server then uses the search token
Figure FDA0002385857910000056
to perform a single-keyword search and obtains the set R of encrypted document indices matching the search condition; the document index set R is returned to data user id_U;
finally, when data user id_U receives the document index set R returned by server id_V, data user id_U calls the Retrieve(SK_U; R) algorithm and obtains the search result.
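As an added example, not the patent's own construction, the flow of claim 4 modelled in Python: EDBGen, SKeyGen, token generation, Search with identifier filtering over several data owners, and Retrieve releasing only the indices whose access policy the user's attribute set satisfies. Assumptions of mine: HMAC-SHA256 stands in for the PRFs keyed by K_X and K_E, SHA-256 stands in for the compression function H that yields the database identifier, a per-attribute key derivation restricted to AND policies stands in for ABE, and the long-term-key authentication and signcryption of the token are omitted, so est equals st; K_I, K_Z and the group elements are not modelled.

```python
import hashlib
import hmac
import secrets

def prf(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA256 stands in for the PRF keyed by K_X and K_E (assumption)."""
    return hmac.new(key, msg, hashlib.sha256).digest()

def policy_key(attr_keys: dict, policy: frozenset) -> bytes:
    """AND-policy stand-in for ABE: key derived from every required attribute."""
    return hashlib.sha256(b"".join(attr_keys[a] for a in sorted(policy))).digest()

def edbgen(esk: dict, db: dict, policy: dict) -> tuple:
    """db: keyword -> doc indices; policy: doc index -> required attributes.
    Returns (identifier, encrypted index), i.e. EDB_DW and its identifier."""
    index = {}
    for w, inds in db.items():
        tw = prf(esk["KX"], w.encode())                 # per-keyword token
        for c, ind in enumerate(inds):
            label = prf(tw, c.to_bytes(4, "big"))       # c-th entry of w
            pol = frozenset(policy[ind])
            attr_keys = {a: prf(esk["KE"], a.encode()) for a in pol}
            nonce = secrets.token_bytes(8)
            pad = hashlib.sha256(policy_key(attr_keys, pol) + nonce).digest()[:4]
            ct = bytes(x ^ y for x, y in zip(ind.to_bytes(4, "big"), pad))
            index[label] = (pol, nonce, ct)             # e = (policy, nonce, ct)
    ident = hashlib.sha256(b"".join(sorted(index))).hexdigest()[:16]  # H(EDB)
    return ident, index

def skeygen(esk: dict, ident: str, attrs: set, words: set) -> dict:
    """SK_U: identifier plus keyword tokens (SKMS_U) and attribute keys (SKS_U)."""
    return {"ident": ident,
            "tokens": {w: prf(esk["KX"], w.encode()) for w in words},
            "attr_keys": {a: prf(esk["KE"], a.encode()) for a in attrs}}

def token_gen(sku: dict, w: str) -> tuple:
    """Token for one authorized keyword (KeyError otherwise); est == st here."""
    return sku["ident"], sku["tokens"][w]

def search(edb: dict, est: tuple) -> list:
    """Server: select the database by identifier, then walk entries c = 0, 1, ..."""
    ident, tw = est
    index = next((idx for i, idx in edb.values() if i == ident), {})
    results, c = [], 0
    while (label := prf(tw, c.to_bytes(4, "big"))) in index:
        results.append(index[label])
        c += 1
    return results

def retrieve(sku: dict, results: list) -> list:
    """Decrypt only the entries whose policy the user's attribute set satisfies."""
    inds = []
    for pol, nonce, ct in results:
        if pol <= set(sku["attr_keys"]):
            pad = hashlib.sha256(policy_key(sku["attr_keys"], pol) + nonce).digest()[:4]
            inds.append(int.from_bytes(bytes(x ^ y for x, y in zip(ct, pad)), "big"))
    return inds

def demo() -> tuple:
    """Constructed sample: two owners with their own keys; user holds {hr, staff}."""
    esk_a = {"KX": secrets.token_bytes(32), "KE": secrets.token_bytes(32)}
    esk_b = {"KX": secrets.token_bytes(32), "KE": secrets.token_bytes(32)}
    ident_a, index_a = edbgen(esk_a, {"payroll": [1, 2, 3], "badge": [2]},
                              {1: {"hr"}, 2: {"staff"}, 3: {"hr", "finance"}})
    edb = {"owner_A": (ident_a, index_a),
           "owner_B": edbgen(esk_b, {"payroll": [9]}, {9: {"hr"}})}
    sku = skeygen(esk_a, ident_a, {"hr", "staff"}, {"payroll"})
    r = search(edb, token_gen(sku, "payroll"))
    return len(r), sorted(retrieve(sku, r))  # (3, [1, 2]): doc 3 needs 'finance'
```

The server returns all three payroll entries of owner A (owner B's database is skipped by the identifier check) but the user, lacking the finance attribute, recovers only indices 1 and 2.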
CN202010097171.6A 2020-02-17 2020-02-17 Double-authentication symmetric searchable encryption method based on password and secret signcryption Active CN111310210B (en)

Publications (2)

Publication Number Publication Date
CN111310210A true CN111310210A (en) 2020-06-19
CN111310210B CN111310210B (en) 2022-06-17
