CN111310210B - Double-authentication symmetric searchable encryption method based on password and secret signcryption - Google Patents


Info

Publication number
CN111310210B
CN111310210B
Authority
CN
China
Prior art keywords
algorithm
data
key
database
search
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010097171.6A
Other languages
Chinese (zh)
Other versions
CN111310210A (en)
Inventor
王会歌
赵运磊
隋光烨
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Fudan University
Original Assignee
Fudan University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Fudan University
Priority to CN202010097171.6A
Publication of CN111310210A
Application granted
Publication of CN111310210B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6227 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database where protection concerns the structure of data, e.g. records, types, queries
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G06F21/6254 Protecting personal data, e.g. for financial or medical purposes by anonymising data, e.g. decorrelating personal data from the owner's identification

Abstract

The invention belongs to the technical field of cryptography, and particularly relates to a double-authentication symmetric searchable encryption method based on a password and secret signcryption. Searchable encryption is a cryptographic primitive that allows users to retrieve ciphertext data: the powerful computing resources of a cloud server are used for keyword retrieval without revealing to the server any information about the protected data. The present invention presents a symmetric searchable encryption algorithm that is oriented to multiple data owners and has access control, authentication and anonymity properties. The algorithm enhances the functionality and security of existing searchable encryption schemes by providing user identity hiding and identity authentication, with only an insignificant increase in computation time, and obtains an overall performance advantage over current advanced symmetric searchable schemes. The scheme is suitable for most client-server data communication systems.

Description

Double-authentication symmetric searchable encryption method based on password and secret signcryption
Technical Field
The invention belongs to the technical field of cryptography, and particularly relates to a double-authentication symmetric searchable encryption method based on a password and secret signcryption.
Background
In ESORICS 2016, Sun et al. proposed an efficient non-interactive multi-client symmetric searchable encryption scheme that improves the scheme of S. Jarecki et al. in CCS 2013 by reducing the communication overhead between the data owner and the data user. Specifically, the CCS 2013 scheme of Jarecki et al. requires a data user to interact with the data owner every time a search is made on the encrypted database, whereas in the ESORICS 2016 scheme of Sun et al. the data user interacts with the data owner only once, no matter how many queries it executes, as long as the queried keywords are in the authorized set determined by the owner. However, despite the many advantages of the Sun et al. solution, many problems remain unresolved. For example, their solution applies only to the single data owner/multiple data user setting, and how to design a solution for the multiple data owner/multiple data user setting remains an open question. In particular, their solution is vulnerable to masquerading attacks, since the identity information of the data user is transmitted to the server in the clear and no authentication of the data user to the server is provided when the data user interacts with the server. In addition, since the search token generated by the data user is sent in clear text, again without authentication to the server, their solution is vulnerable to attacks that replay the plaintext token. Based on the above, we pose the following problems.
Motivation 1: can we propose an SSE scheme that supports the multiple data owner/multiple data user setting and has the same efficiency advantage as the Sun et al. scheme?
An authentication protocol with identity hiding is an effective cryptographic tool for achieving secure end-to-end communication over the Internet. Implementing authentication and identity privacy in searchable encryption is important for enhancing security and privacy. However, existing searchable encryption schemes, in particular the ESORICS 2016 SSE scheme of Sun et al., fail to provide authentication, data protection and identity concealment for the communication between clients and servers, which may result in serious security risks. For example, an adversary may masquerade as a client and launch a large number of search queries at a server, resulting in an impersonation attack and a DoS attack. Furthermore, if the search token generated by a data user is not protected, an adversary may use a previously generated token to launch large-scale search queries against the server, resulting in a replay search attack. In addition, without identity privacy, an adversary can obtain more sensitive information about the data user from its identity information (through doxxing and the like), which would seriously compromise the data user's privacy.
Intuitively, one could use standard protocols such as TLS 1.3 or Google's QUIC to solve the above problem. However, these protocols provide many functions we do not need, which would exacerbate the efficiency problem of SSE and make our solution less practical. In the public-key setting, authenticated encryption corresponds to signcryption (proposed by Y. Zheng at CRYPTO 1997), which is also standardized as ISO 29150. Results show that signcryption is functionally equivalent to one-pass authenticated key exchange, which in turn can be used for asymmetric key encapsulation. Zheng's signcryption and one-pass HMQV (HOMQV) are potential solutions to our problem, but they do not consider the identity-hiding problem and their efficiency is still unsatisfactory. Identity is a fundamental privacy issue. Identity confidentiality is now mandated by a range of important standards (e.g. TLS 1.3, EMV, QUIC and 3GPP's 5G telecommunications standards). The European Union's General Data Protection Regulation (GDPR) also mandates protection of user identity privacy.
Higncryption is a cryptographic primitive proposed by Zhao in CCS 2016 that simultaneously achieves identity hiding, identity verification and confidentiality. Higncryption has efficiency similar to signcryption and HOMQV but achieves stronger security (e.g. CMIM, UKS, KCI, CNM, PFS, x-security and so on; readers are referred to Zhao's CCS 2016 paper for details) and provides more functionality. Furthermore, Higncryption can be applied directly to the TLS 1.3 and QUIC protocols. Based on this, we pose the following problem.
Motivation 2: can we propose a symmetric searchable encryption method that also supports identity hiding, authentication and confidentiality?
1. Symbol convention
If S is a finite set, |S| denotes its size and x ← S denotes uniform random selection of an element x from S. For a probabilistic algorithm Alg, C ← Alg means that Alg runs and outputs C. If α is neither an algorithm nor a set, x ← α denotes simple assignment. A string or value α is represented as a binary string, and |α| is its bit length. For two strings x, y ∈ {0,1}^*, x || y denotes their concatenation.
Let G' be an Abelian group of order N, and let G = <g> be the unique subgroup of G' of prime order q, generated by g. In this context all groups are multiplicative, and the bit length of q (i.e. |q|) is the security parameter. 1_G denotes the identity element of G, G \ 1_G denotes the set of elements of G other than the identity, and t = N/q is the cofactor. When instantiated with an elliptic curve, G' is the set of points E(L) of the elliptic curve E over a finite field L, and G is the subgroup of E(L) of prime order q. For elliptic-curve groups the cofactor t is typically small.
The discrete logarithm (DL) assumption on G states that, given X = g^x for a uniformly random exponent x, no probabilistic polynomial time (PPT) algorithm outputs x with non-negligible probability. The computational Diffie-Hellman (CDH) assumption states that, for uniformly random exponents x and y, given X = g^x and Y = g^y, no PPT algorithm computes g^{xy}, i.e. CDH(X, Y), with non-negligible probability.
2. Associated data authentication encryption
Briefly, an authenticated encryption with associated data (AEAD) scheme converts a message M and header information H (e.g. a packet header, IP address, etc.) into a ciphertext C. C provides both confidentiality for the message and authentication of the ciphertext C and the header H [23]. In practice, when an AEAD is used in a cryptographic system, the associated data is usually determined implicitly by context (e.g. by a running hash of the protocol transcript or by some predefined declaration).
Security of AEAD. Let SE = (K_se, Enc, Dec) denote a symmetric encryption scheme, where the PPT algorithm K_se takes a security parameter κ as input and selects a key K from a finite non-empty key space 𝒦 (the simplifying assumption on 𝒦 is given in the original as a figure not reproduced here). The polynomial-time encryption algorithm is Enc: 𝒦 × {0,1}^* × {0,1}^* → {0,1}^* ∪ {⊥} and the polynomial-time decryption algorithm is Dec: 𝒦 × {0,1}^* × {0,1}^* → {0,1}^* ∪ {⊥}; for any associated data H ∈ {0,1}^* and message M ∈ {0,1}^*, if Enc_K(H, M) outputs C ≠ ⊥, then Dec_K(H, C) always outputs M. Here we assume that the ciphertext C is used together with the associated data H.
Let the AEAD advantage of an adversary denote its success probability in the security experiment of Table 1. If this probability is negligible for every polynomial-time adversary and sufficiently large κ, we call SE AEAD-secure.
Table 1: AEAD security experiment (given in the original as a figure, not reproduced here)
The AEAD security described above is quite strong. In particular, it means that even after adaptively obtaining polynomially many ciphertexts, an adversary cannot generate a new ciphertext that decrypts successfully. Moreover, for two independent keys K, K' ← K_se and any message M and header H, the probability Pr[Dec_K'(Enc_K(H, M)) ≠ ⊥] is negligible.
Disclosure of Invention
The object of the present invention is to provide a symmetric searchable encryption method that is oriented towards multiple data owners and has access control properties, authentication properties and anonymity properties.
The symmetric searchable encryption method provided by the invention is based on a double authentication technique combining a password and secret signcryption. Searchable encryption is a cryptographic primitive that allows a user to retrieve ciphertext data, using the powerful computing resources of a cloud server for keyword retrieval without revealing to the server any information about the protected data.
The double-authentication symmetric searchable encryption method based on a password and secret signcryption provided by the invention (icSSE for short) comprises eight PPT algorithms, abbreviated Setup, LKeyGen, DWKeyGen, EDBGen, SKeyGen, ETokenGen, Search and Retrieve.
The details are respectively as follows:
(1) Setup(1^λ): run by the data owner, who takes the security parameter 1^λ as input and outputs the long-term key generation public parameter par_L and the encrypted database identifier generation public parameter par_E, where par_L is used to generate long-term public and private keys and par_E is used to generate encrypted database identifiers.
(2) LKeyGen(par_L, id_U): run by the long-term key generation center LK-KGC, which takes the long-term key generation public parameter par_L and a user identity id_U ∈ {0,1}^* as input and outputs the user's long-term public/private key pair (pk_U, sk_U).
(3) DWKeyGen(1^λ, id_DW): run by the data owner key generation center DWK-KGC, which takes the security parameter 1^λ and the data owner identity id_DW as input and outputs for data owner id_DW an encrypted database public/private key pair (EPK_DW, ESK_DW).
(4) EDBGen(par_E; EPK_DW; ESK_DW; DB; A): run by data owner id_DW, who takes the encrypted database identifier generation public parameter par_E, the data owner's encrypted database public key EPK_DW and private key ESK_DW, the plaintext database DB and the access control structure A as input; the algorithm encrypts the database DB into the ciphertext database EDB_DW and sends EDB_DW to the server.
(5) SKeyGen(EPK_DW, ESK_DW; S; w; id_U): run by data owner DW, who takes the data owner's encrypted database public key EPK_DW and private key ESK_DW, an attribute set S, an authorized keyword set w and a data user identity id_U ∈ {0,1}^* as input, and generates for data user id_U the search private key SK_U = (SK_MS,U, SK_S,U), which consists of the master search private key SK_MS,U and the partial search private key SK_S,U.
(6) ETokenGen(SK_U; sk_U; pid_U; pid_V; Q; identifier of EDB_DW): run by data user id_U, who takes the data user's search private key SK_U, long-term private key sk_U, public identity information pid_U = (id_U, pk_U = U = g^u, cert_U), the server's public identity information pid_V = (id_V, pk_V = V = g^v, cert_V), a query Q and the identifier of the encrypted database EDB_DW as input, and outputs an encrypted search token est. Note that the token est does not contain the public identity information pid_U and pid_V, where pid_V denotes the server's public identity information.
(7) Search(sk_V; pid_V; pid_U; est; EDB): run by the server, which takes the server's long-term private key sk_V and public identity information pid_V, the public identity information pid_U of data user id_U, the encrypted search token est and the current complete encrypted database EDB as input. Note that the encrypted database EDB contains all the partial encrypted databases EDB_DW generated by the data owners DW. Finally, the matching result R is output to data user id_U.
(8) Retrieve(SK_U; R): run by data user id_U, who takes the search private key SK_U and the search result set R as input and outputs the document indices matching the keyword w given by id_U.
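To make the division of labour between EDBGen, SKeyGen, ETokenGen, Search and Retrieve concrete, the following Go program is an added, constructed illustration of a single-keyword SSE index built from a PRF. It is not the patent's Algorithms 1-3 (which the original gives only as figures) and it omits the ABE layer, the Higncryption layer and the two key generation centers. HMAC-SHA256 stands in for the PRF F, the key K_E stands in for the ABE attribute key that unmasks indices, and the keywords and document indices are constructed sample data.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Constructed illustration of the SSE idea, not the patent's Algorithms 1-3:
// a PRF (HMAC-SHA256) turns (keyword, position) into pseudorandom labels,
// so the server can match labels without learning keywords or indices.

// prf models F_K(x_1 || x_2 || ...) with HMAC-SHA256.
func prf(key []byte, parts ...[]byte) []byte {
	m := hmac.New(sha256.New, key)
	for _, p := range parts {
		m.Write(p)
	}
	return m.Sum(nil)
}

// be32 encodes a counter as 4 big-endian bytes so PRF inputs are unambiguous.
func be32(v uint32) []byte {
	b := make([]byte, 4)
	binary.BigEndian.PutUint32(b, v)
	return b
}

// EDB is the server-side encrypted index: label -> masked document index.
type EDB map[string][]byte

// SearchKey is the toy SK_U: KE stands in for the ABE attribute key that
// unmasks indices; Toks holds K_w for each authorized keyword only.
type SearchKey struct {
	KE   []byte
	Toks map[string][]byte
}

// edbGen plays EDBGen. For the i-th document index ind containing keyword w:
// K_w = F(K_X, w), label = F(K_w, "L" || i), value = ind XOR F(K_E, label).
func edbGen(kX, kE []byte, db map[string][]uint32) EDB {
	edb := EDB{}
	for w, inds := range db {
		kw := prf(kX, []byte(w))
		for i, ind := range inds {
			label := prf(kw, []byte("L"), be32(uint32(i)))
			val, pad := be32(ind), prf(kE, label)
			for j := range val {
				val[j] ^= pad[j]
			}
			edb[string(label)] = val
		}
	}
	return edb
}

// skeyGen plays SKeyGen: the owner releases K_w only for authorized keywords.
func skeyGen(kX, kE []byte, authorized []string) SearchKey {
	sk := SearchKey{KE: kE, Toks: map[string][]byte{}}
	for _, w := range authorized {
		sk.Toks[w] = prf(kX, []byte(w))
	}
	return sk
}

// search plays the server: regenerate labels from the token st until the
// first miss. The server holds st but not K_E, so values stay masked.
func search(edb EDB, st []byte) [][]byte {
	var res [][]byte
	for i := uint32(0); ; i++ {
		v, ok := edb[string(prf(st, []byte("L"), be32(i)))]
		if !ok {
			return res
		}
		res = append(res, v)
	}
}

// retrieve plays Retrieve: the user recomputes each label and strips the mask.
func retrieve(sk SearchKey, st []byte, res [][]byte) []uint32 {
	out := make([]uint32, len(res))
	for i, v := range res {
		pad := prf(sk.KE, prf(st, []byte("L"), be32(uint32(i))))
		x := make([]byte, 4)
		for j := range x {
			x[j] = v[j] ^ pad[j]
		}
		out[i] = binary.BigEndian.Uint32(x)
	}
	return out
}

// runDemo indexes a constructed database, authorizes "alpha" and "beta" only,
// and returns the hits for "alpha", whether "gamma" was refused, and the index size.
func runDemo() (hits []uint32, refusedGamma bool, size int) {
	kX, kE := make([]byte, 32), make([]byte, 32)
	rand.Read(kX)
	rand.Read(kE)
	db := map[string][]uint32{"alpha": {3, 7, 12}, "beta": {7}, "gamma": {1, 2}}
	edb := edbGen(kX, kE, db)
	sk := skeyGen(kX, kE, []string{"alpha", "beta"})
	hits = retrieve(sk, sk.Toks["alpha"], search(edb, sk.Toks["alpha"]))
	_, authorized := sk.Toks["gamma"]
	return hits, !authorized, len(edb)
}

func main() {
	fmt.Println(runDemo())
}
```

The separation of K_w (released per authorized keyword) from K_E (needed to read indices) is what lets the server run the search without reading results, and it is the role the patent assigns to ABE: a token alone only matches labels.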
Compared with the primitive published by Sun et al. at ESORICS 2016 (hereafter "Sun"), the primitive of the present invention can be used in both the multiple data user and the multiple data owner environment. Multiple data owners means that several data owners can outsource their storage and services to the cloud server at the same time, while leaking as little information as possible about queries and plaintext data to the server. In addition, the primitive prevents data users from performing search queries on unauthorized keywords. In particular, it also provides authentication of the data user to the server, with the aim of preventing an adversary from launching a denial of service (DoS) attack. Finally, identity hiding and confidentiality of the search token are achieved in the primitive of the present invention, with the aim of resisting impersonation and token replay attacks, respectively.
The double-authentication symmetric searchable encryption method based on a password and secret signcryption provided by the invention has the following specific construction.
First, the basic cryptographic building blocks used to construct the scheme are listed:
an attribute-based encryption scheme ABE = (ABE.Setup, ABE.KeyGen, ABE.Enc, ABE.Dec);
a hash function H with l-bit output, H: {0,1}^* → {0,1}^l, where l is the length of the hash output;
pseudorandom functions, denoted KDF, F and F_p;
a symmetric encryption scheme AEAD = (AEAD.Gen, AEAD.Enc, AEAD.Dec).
(1) Setup(1^λ): the algorithm takes the security parameter 1^λ as input and generates the long-term key generation public parameter par_L = (G'_1, N, G_1, g', q') ← 𝒢'(1^λ), which specifies the underlying group in which the GDH assumption is assumed to hold, and the encrypted database identifier generation public parameter par_E = H, where H is a compression function; the algorithm finally outputs par_L and par_E.
(2) LKeyGen(par_L, id_U): run by the long-term key generation center LK-KGC, which takes the long-term key generation public parameter par_L and a user identity id_U ∈ {0,1}^* as input, and sets and outputs the user's long-term public/private key pair (pk_U, sk_U); the binding between the user identity id_U and its public key U is certified by a certificate cert_U issued by the CA.
(3) DWKeyGen(1^λ, id_DW): run by the data owner key generation center DWK-KGC, which takes the security parameter 1^λ and the data owner identity id_DW as input; it generates (G_2, g, n, p, q) ← 𝒢(1^λ), where 𝒢 is a random group generation algorithm, G_2 is a multiplicative cyclic group, g ← G_2 is a random generator of order n, and n = pq for two large primes p and q; it then checks whether (p, q) is already in the table Tab, and if so DWK-KGC reruns 𝒢(1^λ) until (p, q) is not in Tab, and then stores (p, q) in Tab; next it randomly selects K_X, K_I, K_Z, K_E ← 𝒦 and g_1, g_2, g_3 ← G_2, and computes (mpk, msk) ← ABE.Setup(1^λ), where 𝒦 is the key space; the encrypted database private key and public key of data owner DW are set to ESK_DW ← (K_X, K_I, K_Z, K_E, p, q, g_1, g_2, g_3, msk) and EPK_DW = (n, mpk), respectively.
(4) EDBGen(par_E; EPK_DW; ESK_DW; DB; A): run by data owner id_DW, who takes the encrypted database identifier generation parameter par_E, the encrypted database public key EPK_DW = (n, mpk) and private key ESK_DW ← (K_X, K_I, K_Z, K_E, p, q, g_1, g_2, g_3, msk), the database DB and the access control structure A as input; it outputs the encrypted database EDB_DW together with its identifier; the detailed program code is given in Algorithm 1, see Appendix 1.
(5) SKeyGen(EPK_DW; ESK_DW; w; id_DW; id_U; identifier of EDB_DW): run by data owner id_DW, who takes the encrypted database public key EPK_DW = (n, mpk) and private key ESK_DW = (K_X, K_I, K_Z, K_E, p, q, g_1, g_2, g_3, msk), a keyword set w, the data owner identity id_DW, the data user identity id_U and the encrypted database identifier (it is assumed that once a data owner has generated an encrypted database it immediately records the corresponding identifier) as input; assume data user id_U is allowed to search for the authorized keywords w = {w_1, ..., w_n}; data owner id_DW first computes the master search private key SK_MS,U (its formula is given in the original as a figure not reproduced here), then computes the attribute key sk_S ← ABE.KeyGen(msk, S), where S ⊆ U is the attribute set of the authorized data user and U is the attribute space; next, data owner id_DW sends the search private key SK_U = (SK_MS,U, SK_S,U) to data user id_U, where SK_MS,U and SK_S,U = sk_S denote the master search private key and the partial search private key of data user id_U, respectively. Note in particular that the identifier of the encrypted database EDB_DW is included in the master search private key SK_MS,U, so that data user id_U can easily locate the encrypted database to be searched by means of that identifier.
(6) ETokenGen(SK_U; sk_U; pid_U; pid_V; Q; identifier of EDB_DW): run by data user id_U, who takes the search private key SK_U, the long-term private key sk_U = u, the public identity information pid_U = (id_U, pk_U = U = g^u, cert_U), the server's public identity information pid_V = (id_V, pk_V = V = g^v, cert_V), the authorized keyword set and the encrypted database identifier as input; when data user id_U intends to execute a query Q, it first determines the s-term of the query (assume w'_1 is the selected s-term) and then computes the encrypted search token est for the query according to the program code of Algorithm 2, given in Appendix 2.
(7) Search(sk_V; pid_V; pid_U; est; EDB): run by server id_V, which takes the server's long-term private key sk_V and public identity information pid_V, the data user's public identity information pid_U, the data user's encrypted search token est and the current complete encrypted database EDB (the union of the encrypted databases EDB_DW of all data owners DW in the set of data owners registered on the cloud server) as input; the algorithm first performs an authentication procedure using the long-term private key sk_V and the public identity information pid_V and pid_U, then recovers the search token st and the database identifier from the encrypted search token est; next it uses the identifier to select the encrypted database EDB_DW; the server then uses the search token st to perform a single-keyword search and obtains the set R of encrypted document indices matching the search condition; the detailed search process is described in Algorithm 3, see Appendix 3.
(8) Retrieve(SK_U; R): run by data user id_U, who takes the search private key SK_U and the set R of encrypted document indices as input; it first uses the partial private key sk_S (contained in SK_U) to decrypt each element of R and obtain the authorized portion of the document indices; specifically, for each e ∈ R, if the attribute set S ⊆ U of the data user satisfies the access control policy A associated with the ciphertext e (which encrypts an index ind matching the query), the index is computed as ind = ABE.Dec(sk_S, e).
The algorithm of the invention is characterized in that:
Based on the work of Sun et al. in ESORICS 2016 and Zhao in CCS 2016, the present invention proposes an SSE scheme that supports arbitrary Boolean queries and the multiple data owner/multiple data user setting. In particular, compared with Sun's scheme, the inventive scheme not only meets the same security requirements that they specify, but further enhances the security of related schemes of the same class by providing identity concealment, authentication of the data user to the server, and confidentiality of the search token. Identity hiding protects the privacy of data users by hiding their identity information, while authentication protects against masquerading attacks by applying a certificate-based mechanism in the inventive solution. Furthermore, the inventive scheme provides forward ID privacy, meaning that even if a client's long-term private key is compromised, its ID privacy is preserved. Note that neither signcryption nor HOMQV achieves ID hiding or forward ID privacy. In particular, the confidentiality of the search token provides resistance to replay attacks by encrypting the plaintext search token generated by the data user. In other comparable works, an adversary may use a previously generated plaintext search token to force the server to execute the same search query many times.
To realize the multiple-data-owner function, the invention first establishes a data owner key generation center (DWK-KGC) to generate an encrypted database public/private key pair for each data owner. The plaintext database is then converted into a ciphertext database using this key pair. Identity concealment, authentication and confidentiality are achieved by modifying and integrating the encryption scheme of Zhao's CCS 2016: specifically, Zhao's encryption algorithm is inserted after the search token is generated, and the plaintext and the sender's identity information are replaced by the search token and the data user's identity, respectively.
As in Sun's solution, attribute-based encryption is also deployed in the present invention to allow fine-grained access control over the encrypted document indices. Moreover, the efficiency analysis shows that the inventive scheme achieves performance comparable to Sun's scheme. In addition, like the encryption scheme of Zhao's CCS 2016, the inventive scheme can be applied directly to 0-RTT authentication, which shows that the invention is well suited to and compatible with both QUIC-based and OPTLS-based SSE schemes.
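The following Go program is an added, constructed illustration of the point made above about token confidentiality and replay: the search token travels only inside an authenticated, encrypted envelope whose associated data binds the intended server identity and a per-sender counter, so the plaintext token never crosses the wire, a replayed envelope is refused, and an envelope captured for one server is rejected by another. It is not the patent's Algorithm 2 or 3. The pre-shared key, the opaque key handle, the server names and the token bytes are assumptions standing in for what the Higncryption-based authentication derives from the parties' long-term keys.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed illustration of an encrypted, replay-resistant search token (not the
// patent's Algorithm 2/3). The pre-shared key stands in for the key the scheme's
// identity-concealed authenticated encryption derives from the long-term keys.

// Envelope travels to the server: opaque key handle (not id_U), counter, AES-GCM output.
type Envelope struct {
	KeyID   string
	Counter uint64
	Nonce   []byte
	Data    []byte
}

// gcm returns AES-256-GCM for a 32-byte key (fixed-size keys cannot fail here).
func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}

// assocData binds the envelope to the intended server identity and the counter.
func assocData(serverID string, ctr uint64) []byte {
	ad := make([]byte, 8)
	binary.BigEndian.PutUint64(ad, ctr)
	return append(ad, serverID...)
}

type Client struct {
	ID, KeyID string
	Key       []byte
	ctr       uint64
}

// ETokenGen encrypts len(id)||id||len(st)||st||dbID: neither the plaintext token
// nor the sender identity appears on the wire, and the counter gives freshness.
func (c *Client) ETokenGen(serverID string, st, dbID []byte) Envelope {
	c.ctr++
	payload := append([]byte{byte(len(c.ID))}, c.ID...)
	payload = append(append(payload, byte(len(st))), st...)
	payload = append(payload, dbID...)
	nonce := make([]byte, 12)
	rand.Read(nonce)
	ct := gcm(c.Key).Seal(nil, nonce, payload, assocData(serverID, c.ctr))
	return Envelope{KeyID: c.KeyID, Counter: c.ctr, Nonce: nonce, Data: ct}
}

type Server struct {
	ID   string
	Keys map[string][]byte // key handle -> shared key
	last map[string]uint64 // highest counter accepted per handle
}

// Accept rejects unknown handles and stale counters, authenticates the envelope,
// and only then recovers the user identity, the search token st and the dbID.
func (s *Server) Accept(env Envelope) (userID string, st, dbID []byte, err error) {
	key, ok := s.Keys[env.KeyID]
	if !ok {
		return "", nil, nil, errors.New("unknown key handle")
	}
	if env.Counter <= s.last[env.KeyID] {
		return "", nil, nil, errors.New("replayed or stale token")
	}
	pt, err := gcm(key).Open(nil, env.Nonce, env.Data, assocData(s.ID, env.Counter))
	// Length checks short-circuit left to right, so every index below is in range.
	if err != nil || len(pt) < 1 || len(pt) < 2+int(pt[0]) ||
		len(pt) < 2+int(pt[0])+int(pt[1+int(pt[0])]) {
		return "", nil, nil, errors.New("token authentication failed")
	}
	n, m := int(pt[0]), int(pt[1+int(pt[0])])
	s.last[env.KeyID] = env.Counter // advance only after a valid token
	return string(pt[1 : 1+n]), pt[2+n : 2+n+m], pt[2+n+m:], nil
}

// runTokenDemo: a fresh token is accepted, the same envelope replayed is refused,
// and the same envelope shown to a differently named server is refused (AD mismatch).
func runTokenDemo() (fresh, replayRefused, otherServerRefused bool, userID string) {
	key := make([]byte, 32)
	rand.Read(key)
	keys := map[string][]byte{"handle-7f3a": key}
	alice := &Client{ID: "alice", KeyID: "handle-7f3a", Key: key}
	srv := &Server{ID: "cloud-1", Keys: keys, last: map[string]uint64{}}
	other := &Server{ID: "cloud-2", Keys: keys, last: map[string]uint64{}}
	env := alice.ETokenGen(srv.ID, []byte("st-for-alpha"), []byte("edb-dw-01"))
	uid, gotSt, _, err := srv.Accept(env)
	fresh = err == nil && string(gotSt) == "st-for-alpha"
	_, _, _, err = srv.Accept(env)
	replayRefused = err != nil
	_, _, _, err = other.Accept(env)
	return fresh, replayRefused, err != nil, uid
}

func main() {
	fmt.Println(runTokenDemo())
}
```

The server advances its counter only after the envelope authenticates, so a forged envelope with a high counter cannot lock out the legitimate sender, and the user identity is read from the decrypted payload rather than from the wire, which is the identity-hiding property the text attributes to est.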
Detailed Description
First, all participants call Setup(1^λ): the algorithm takes the security parameter 1^λ as input and generates the long-term key generation public parameter par_L = (G'_1, N, G_1, g', q') ← 𝒢'(1^λ). Each participant saves this set of parameters and uses them in the subsequent operations.
Next, a long-term key generation center LK-KGC is established. LK-KGC calls LKeyGen(par_L, id_U), which takes the long-term key generation public parameter par_L and a user identity id_U ∈ {0,1}^* as input, and sets and outputs the user's long-term public/private key pair (pk_U, sk_U). The binding between the user identity id_U and its public key U is certified by a certificate cert_U issued by the CA, which is public to all. LK-KGC sends each public/private key pair to the corresponding user, who saves it for later operations.
A data owner key generation center DWK-KGC is also established. DWK-KGC calls DWKeyGen(1^λ, id_DW) with the security parameter 1^λ and the data owner identity id_DW as input. The algorithm generates an encrypted database private key and public key for data owner DW, set to ESK_DW = (K_X, K_I, K_Z, K_E, p, q, g_1, g_2, g_3, msk) and EPK_DW = (n, mpk), respectively. The specific generation process is given in the description above.
Then, when data owner id_DW wants to share its data, id_DW calls EDBGen(par_E; EPK_DW; ESK_DW; DB; A), taking the encrypted database identifier generation parameter par_E, the encrypted database public key EPK_DW = (n, mpk) and private key ESK_DW = (K_X, K_I, K_Z, K_E, p, q, g_1, g_2, g_3, msk), the database DB and the access control structure A as input; it outputs the encrypted database EDB_DW together with its identifier. EDB_DW is stored on the server and made available to all for access.
Then, suppose data owner id_DW wants to allow data user id_U to search for the authorized keywords w = {w_1, ..., w_n}. id_DW calls the SKeyGen algorithm; the specific call is given in the description above. Next, data owner id_DW sends the search private key SK_U = (SK_MS,U, SK_S,U) to data user id_U, where SK_MS,U and SK_S,U = sk_S denote the master search private key and the partial search private key of data user id_U, respectively. Note in particular that the identifier of the encrypted database EDB_DW is included in the master search private key SK_MS,U, so that data user id_U can easily locate the encrypted database by means of that identifier.
Then, when data user id_U wants to access the data, it needs to generate a search token and pass it to the server. Data user id_U calls the ETokenGen function to generate the search token; the specific call is given in the description above.
Then, when server id_V receives data user id_U's search token, it calls the Search(sk_V; pid_V; pid_U; est; EDB) algorithm. The server takes its long-term private key sk_V and public identity information pid_V, the data user's public identity information pid_U, the data user's encrypted search token
Figure GDA0003543836990000092
and the current complete encrypted database
Figure GDA0003543836990000093
as inputs, where
Figure GDA0003543836990000094
represents the set of data owners registered on the cloud server. The algorithm first performs an authentication procedure using the long-term private key sk_V and the public identity information pid_V and pid_U, and then recovers the search token st and the database identifier
Figure GDA0003543836990000095
from the encrypted search token est. Next, the identifier
Figure GDA0003543836990000096
is used to screen the encrypted database EDB_DW. The server then uses the search token
Figure GDA0003543836990000097
to perform a single-keyword search and obtains the encrypted document index set R matching the search condition. The detailed search process is described in Algorithm 3 in the appendix. The document index set R is returned to data user id_U.
Finally, when data user id_U receives the document index set R returned by server id_V, data user id_U calls the Retrieve(SK_U; R) algorithm to obtain the search result. The user takes the search private key SK_U and the encrypted document index set R as input. It first uses the partial private key sk_S (contained in the secret key SK_U) to decrypt each element in R and obtain the authorized portion of the document index. Specifically, for each e ∈ R, if the attribute set S ∈ U of the data user satisfies the access control policy A associated with the ciphertext e (e is the encryption of the index ind matching the query
Figure GDA0003543836990000098
), then the index ind is obtained by ABE decryption of e under sk_S.
Appendix 1:
Figure GDA0003543836990000101
Appendix 2:
Figure GDA0003543836990000111
Appendix 3:
Figure GDA0003543836990000121

Claims (3)

1. A double-authentication symmetric searchable encryption method based on password and secret signcryption, abbreviated as icSSE, comprising eight probabilistic polynomial time (PPT) algorithms, described as follows:
(1) Setup(1^λ): the algorithm is run by the data owner, who takes the security parameter 1^λ as input and outputs the long-term key generation common parameter par_L and the encrypted database identifier generation common parameter par_E, where par_L is used to generate long-term public and private keys and par_E is used to generate the encrypted database identifier;
(2) LKeyGen(par_L, id_U): the algorithm is run by a long-term key generation center LK-KGC, which takes the long-term key generation common parameter par_L and the user identity id_U ∈ {0,1}* as input, and outputs the user's long-term public/private key pair (pk_U, sk_U);
(3) DWKeyGen(1^λ, id_DW): the algorithm is run by a data owner key generation center DWK-KGC, which takes the security parameter 1^λ and the data owner identity id_DW as input; it outputs an encrypted database public/private key pair (EPK_DW, ESK_DW) for data owner id_DW;
(4) EDBGen(par_E; EPK_DW; ESK_DW; DB; A): the algorithm is run by data owner id_DW, who takes the encrypted database identifier generation common parameter par_E, the data owner's encrypted database public key EPK_DW and encrypted database secret key ESK_DW, the plaintext database DB and the access control structure A as input; the algorithm encrypts the database DB into the ciphertext database EDB_DW and sends EDB_DW to the server;
(5) SKeyGen(EPK_DW, ESK_DW; S; w; id_U): the algorithm is run by the data owner DW, who takes the data owner's encrypted database public key EPK_DW and encrypted database secret key ESK_DW, the attribute set S, the authorized keyword set w and the data user identity id_U ∈ {0,1}* as input, and generates a search private key SK_U = (SK_MS,U; SK_S,U) for data user id_U, where SK_U consists of the master search private key SK_MS,U and the partial search private key SK_S,U;
(6)
Figure FDA0003543836980000013
the algorithm is run by data user id_U, who takes the data user's search private key SK_U, long-term private key sk_U, public identity information pid_U = (id_U, pk_U = U = g^u, cert_U), the server's public identity information pid_V = (id_V, pk_V = V = g^v, cert_V), the query Q and the identifier of the encrypted database EDB_DW
Figure FDA0003543836980000012
as input, and outputs an encrypted search token est; here, the token est does not contain the public identity information pid_U and pid_V, where pid_V represents the server's public identity information;
(7) Search(sk_V; pid_V; pid_U; est; EDB): the algorithm is run by the server, which takes the server's long-term private key sk_V and public identity information pid_V, data user id_U's public identity information pid_U, the encrypted search token est and the current complete encrypted database EDB as input; here, the encrypted database EDB contains all the partial encrypted databases EDB_DW generated by the data owners DW; finally, the matching result R is output to data user id_U;
(8) Retrieve(SK_U; R): the algorithm is run by data user id_U, who takes the search private key SK_U and the search result set R as input, and outputs the document indices matching the search keyword w given by id_U;
the specific process is as follows:
first, all algorithm participants invoke Setup(1^λ): the algorithm takes the security parameter 1^λ as input and generates the long-term key generation public parameter par_L = (G'_1, N, G_1, g', q') ← G(1^λ); each participant of the algorithm stores this group of parameters and uses them in the subsequent operations;
then, a long-term key generation center LK-KGC is established, and LK-KGC calls the LKeyGen(par_L, id_U) algorithm; when called, LK-KGC takes the long-term key generation public parameter par_L and the user identity id_U ∈ {0,1}* as input and outputs the user's long-term public/private key pair (pk_U, sk_U); the algorithm sets and outputs the key pair (pk_U, sk_U); the binding between the user identity id_U and the public key U is authenticated by a certificate cert_A issued by the CA, and the certificate is public to everyone; each public/private key pair is sent to the corresponding user by LK-KGC; the user stores the public/private key pair securely for later operations;
then, a data owner key generation center DWK-KGC is established, and DWK-KGC calls the DWKeyGen(1^λ, id_DW) algorithm; DWK-KGC takes the security parameter 1^λ and the data owner identity id_DW as the algorithm input; the algorithm generates an encrypted database secret key and public key; the encrypted database secret key and public key of data owner DW are set to ESK_DW = (K_X, K_I, K_Z, K_E, p, q, g_1, g_2, g_3, msk) and EPK_DW = (n, mpk) respectively;
then, when data owner id_DW wants to share its own data, id_DW calls the EDBGen(par_E; EPK_DW; ESK_DW; DB; A) algorithm; id_DW takes the encrypted database identifier generation parameter par_E = H, the encrypted database public key EPK_DW = (n; mpk) and secret key ESK_DW = (K_X, K_I, K_Z, K_E, p, q, g_1, g_2, g_3, msk), the database DB and the access control structure A as inputs; it outputs an encrypted database
Figure FDA00035438369800000210
where
Figure FDA0003543836980000022
represents the identifier of the encrypted database EDB_DW; EDB_DW is stored on the server and made available to everyone for access;
then, if data owner id_DW wants to allow data user id_U to search for the authorized keywords w = (w_1, ..., w_n), id_DW calls the
Figure FDA00035438369800000211
algorithm (SKeyGen); next, data owner id_DW sends the search private key SK_U = (SK_MS,U, SK_S,U) to data user id_U, where
Figure FDA00035438369800000212
Figure FDA00035438369800000213
and SK_S,U = sk_S denote data user id_U's master search private key and partial search private key respectively, and
Figure FDA0003543836980000025
here, the identifier of the encrypted database EDB_DW,
Figure FDA0003543836980000026
is also included in the master search private key SK_MS,U, so that data user id_U can easily locate the encrypted database by means of
Figure FDA0003543836980000027
then, when data user id_U needs to access the data, it generates a search token and transmits it to the server; data user id_U invokes the
Figure FDA00035438369800000214
algorithm to generate the search token;
then, when server id_V receives data user id_U's search token, it calls the Search(sk_V; pid_V; pid_U; est; EDB) algorithm; the server takes its long-term private key sk_V and public identity information pid_V, the data user's public identity information pid_U, the data user's encrypted search token
Figure FDA0003543836980000029
and the current complete encrypted database
Figure FDA0003543836980000031
as inputs, where
Figure FDA0003543836980000032
represents the set of data owners registered on the cloud server; the algorithm first performs an authentication procedure using the long-term private key sk_V and the public identity information pid_V and pid_U, and then recovers the search token st and the database identifier
Figure FDA0003543836980000033
from the encrypted search token est; next, the identifier
Figure FDA0003543836980000034
is used to screen the encrypted database EDB_DW; the server then uses the search token
Figure FDA0003543836980000035
to perform a single-keyword search and obtains the encrypted document index set R matching the search condition; the document index set R is returned to data user id_U;
finally, when data user id_U receives the document index set R returned by server id_V, data user id_U calls the Retrieve(SK_U; R) algorithm and obtains the search result.
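The eight-step flow of claim 1 (EDBGen, SKeyGen, token generation, Search with screening by database identifier, Retrieve) can be followed in a minimal single-keyword symmetric searchable encryption model. The following Python block is an added illustration written for this page, not code from the patent or its authors: it replaces the patent's group-based keys, the ABE attribute key sk_S and the signcrypted token est with an HMAC-SHA256 PRF and PRF-derived pads, so only the structure of the flow is shown, not the claimed construction. The names K_I, K_E, SK_MS, SK_S and the database identifier are taken from the text; the key derivation, the label/counter layout and the sample databases of the owners "alice" and "bob" with user "carol" are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional


def prf(key: bytes, msg: bytes) -> bytes:
    """PRF F(key, msg), instantiated here with HMAC-SHA256 (an assumption of this example)."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def ctr(c: int) -> bytes:
    """Fixed 4-byte encoding used for counters and document indices."""
    return c.to_bytes(4, "big")


def xor4(a: bytes, b: bytes) -> bytes:
    """XOR the first four bytes of two byte strings."""
    return bytes(x ^ y for x, y in zip(a[:4], b[:4]))


class DataOwner:
    """Data owner id_DW holding K_I (index-label key) and K_E (index-encryption key).

    The group elements, p, q and the ABE master key pair of the patent's ESK_DW are
    omitted; the two PRF keys stand in for them (assumption of this example)."""

    def __init__(self, owner_id: str, seed: Optional[bytes] = None):
        self.owner_id = owner_id
        seed = seed if seed is not None else secrets.token_bytes(32)
        self.K_I = prf(seed, b"K_I")
        self.K_E = prf(seed, b"K_E")
        # Database identifier; stands in for the patent's H-derived identifier.
        self.db_id = hashlib.sha256(b"db|" + owner_id.encode() + seed).hexdigest()[:16]

    def edb_gen(self, db: Dict[str, List[int]]) -> dict:
        """EDBGen: build EDB_DW from a plaintext DB mapping keyword -> document indices."""
        table: Dict[bytes, bytes] = {}
        for w, inds in db.items():
            K_w = prf(self.K_I, w.encode())  # per-keyword label key (becomes the search token)
            D_w = prf(self.K_E, w.encode())  # per-keyword index-encryption key
            for c, ind in enumerate(inds):
                label = prf(K_w, ctr(c))                          # server-visible label
                table[label] = xor4(ctr(ind), prf(D_w, ctr(c)))  # encrypted index e
        return {"db_id": self.db_id, "table": table}

    def skey_gen(self, user_id: str, authorized: List[str]) -> dict:
        """SKeyGen: SK_U = (SK_MS,U, SK_S,U) restricted to the authorized keyword set w."""
        return {
            "user_id": user_id,
            # SK_MS,U carries the database identifier so the user can address EDB_DW.
            "SK_MS": {"db_id": self.db_id,
                      "tokens": {w: prf(self.K_I, w.encode()) for w in authorized}},
            # SK_S,U replaces the ABE attribute key with per-keyword decryption keys.
            "SK_S": {w: prf(self.K_E, w.encode()) for w in authorized},
        }


def token_gen(sk_u: dict, keyword: str) -> dict:
    """Search token for one keyword: the database identifier plus the label key.

    The patent's signcryption of this token into est is not modelled here."""
    if keyword not in sk_u["SK_MS"]["tokens"]:
        raise PermissionError(f"keyword {keyword!r} is not in the authorized set")
    return {"db_id": sk_u["SK_MS"]["db_id"], "st": sk_u["SK_MS"]["tokens"][keyword]}


def search(edb_all: Dict[str, dict], token: dict) -> List[bytes]:
    """Search: screen EDB by identifier, then walk labels PRF(st, 0), PRF(st, 1), ..."""
    edb = edb_all.get(token["db_id"])
    if edb is None:
        return []  # unknown database identifier: nothing to search
    table, st, results = edb["table"], token["st"], []
    c = 0
    while (label := prf(st, ctr(c))) in table:
        results.append(table[label])  # still encrypted; the server learns no index
        c += 1
    return results


def retrieve(sk_u: dict, keyword: str, R: List[bytes]) -> List[int]:
    """Retrieve: decrypt each e in R with the partial key for the searched keyword."""
    D_w = sk_u["SK_S"][keyword]
    return [int.from_bytes(xor4(e, prf(D_w, ctr(c))), "big") for c, e in enumerate(R)]


def demo() -> dict:
    """End-to-end run on constructed sample data: two owners, one authorized user."""
    alice = DataOwner("alice", seed=b"\x01" * 32)
    bob = DataOwner("bob", seed=b"\x02" * 32)
    edb_all: Dict[str, dict] = {}  # the server's complete EDB, keyed by identifier
    for owner, db in ((alice, {"invoice": [3, 17, 42], "payroll": [8]}),
                      (bob, {"invoice": [5]})):
        edb = owner.edb_gen(db)
        edb_all[edb["db_id"]] = edb
    sk_u = alice.skey_gen("carol", ["invoice"])  # carol may search alice's "invoice" only
    R = search(edb_all, token_gen(sk_u, "invoice"))
    return {"results": len(R), "indices": retrieve(sk_u, "invoice", R)}


if __name__ == "__main__":
    print(demo())  # {'results': 3, 'indices': [3, 17, 42]}
```

The point the model makes visible is the screening step: bob's "invoice" entry is never touched, because the token carries alice's database identifier and alice's label key, and the server only ever sees labels and encrypted indices, never the keyword or the document indices themselves.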
2. The double-authentication symmetric searchable encryption method based on password and secret signcryption according to claim 1, wherein each PPT algorithm is specifically constructed as follows:
(1) Setup(1^λ): the algorithm takes the security parameter 1^λ as input and generates the long-term key generation public parameter par_L = (G'_1, N, G_1, g', q') ← G(1^λ) for long-term key generation, where the group is one in which the GDH assumption is assumed to hold; it also generates the encrypted database identifier generation common parameter par_E = H, where H is a compression function; the algorithm finally outputs par_L and par_E;
(2) LKeyGen(par_L, id_U): the algorithm is run by a long-term key generation center LK-KGC, which takes the long-term key generation common parameter par_L and the user identity id_U ∈ {0,1}* as input, and outputs the user's long-term public/private key pair (pk_U, sk_U); the algorithm sets and outputs the key pair (pk_U, sk_U); the binding between the user identity id_U and the public key U is authenticated by a certificate cert_A issued by the CA;
(3) DWKeyGen(1^λ, id_DW): the algorithm is run by a data owner key generation center named DWK-KGC, which takes the security parameter 1^λ and the data owner identity id_DW as input; it generates (G_2, g, n, p, q) ← G(1^λ), where G is a random group generator, G_2 is a multiplicative cyclic group, g ← G_2 is a random generator of order n, n = pq, and p and q are two large primes; it then checks whether (p; q) is already in the table Tab, and if so, DWK-KGC reruns G(1^λ) until (p; q) is not in Tab, and then stores (p; q) in Tab; next, it randomly selects K_X, K_I, K_Z, K_E ← K and g_1, g_2, g_3 ← G_2, and generates (mpk, msk) with the ABE setup algorithm on input 1^λ, where K is the key space; the encrypted database secret key and public key of data owner DW are set to ESK_DW ← (K_X, K_I, K_Z, K_E, p, q, g_1, g_2, g_3, msk) and EPK_DW = (n, mpk) respectively;
(4) EDBGen(par_E; EPK_DW; ESK_DW; DB; A): the algorithm is run by data owner id_DW, who takes the encrypted database identifier generation parameter par_E = H, the encrypted database public key EPK_DW = (n; mpk) and secret key ESK_DW ← (K_X, K_I, K_Z, K_E, p, q, g_1, g_2, g_3, msk), the database DB and the access control structure A as inputs; it outputs an encrypted database
Figure FDA0003543836980000036
where
Figure FDA0003543836980000037
represents the identifier of the encrypted database EDB_DW;
(5)
Figure FDA0003543836980000041
the algorithm is run by data owner id_DW, who takes the encrypted database public key EPK_DW = (n, mpk) and private key ESK_DW ← (K_X, K_I, K_Z, K_E, p, q, g_1, g_2, g_3, msk), the keyword set w, the data owner identity id_DW, the data user identity id_U and the encrypted database identifier
Figure FDA00035438369800000423
as input (assuming that once the data owner has generated an encrypted database, it records the corresponding identifier immediately); suppose data user id_U is allowed to search for the authorized keywords w = (w_1, ..., w_n); data owner id_DW first computes
Figure FDA0003543836980000042
and then computes the attribute key sk_S ← abe.keygen(msk, S), where S ∈ U is the attribute set of the authorized data user and U is the attribute space; next, data owner id_DW sends the search private key SK_U = (SK_MS,U, SK_S,U) to data user id_U, where
Figure FDA0003543836980000043
and SK_S,U = sk_S denote data user id_U's master search private key and partial search private key respectively, and
Figure FDA0003543836980000044
here, the identifier of the encrypted database EDB_DW,
Figure FDA0003543836980000045
is also included in the master search private key SK_MS,U, so that data user id_U can easily locate the encrypted database by means of
Figure FDA0003543836980000046
(6)
Figure FDA0003543836980000047
the algorithm is run by data user id_U, who takes the search private key
Figure FDA0003543836980000048
the long-term private key sk_U = u, the public identity information pid_U = (id_U, pk_U = U = g^u, cert_U), the server's public identity information pid_V = (id_V, pk_V = V = g^v, cert_V), the authorized keyword set
Figure FDA0003543836980000049
and the encrypted database identifier
Figure FDA00035438369800000410
as input; when data user id_U intends to execute a query
Figure FDA00035438369800000411
it first determines the s-term
Figure FDA00035438369800000412
suppose
Figure FDA00035438369800000413
and w'_1 is the selected s-term; it then computes the encrypted search token for that query, i.e.
Figure FDA00035438369800000414
(7) Search(sk_V; pid_V; pid_U; est; EDB): the algorithm is run by server id_V, which takes the server's long-term private key sk_V and public identity information pid_V, the data user's public identity information pid_U, the data user's encrypted search token
Figure FDA00035438369800000415
and the current complete encrypted database
Figure FDA00035438369800000416
Figure FDA00035438369800000417
as input, where
Figure FDA00035438369800000418
represents the set of data owners registered on the cloud server; the algorithm first performs an authentication procedure using the long-term private key sk_V and the public identity information pid_V and pid_U, and then recovers the search token st and the database identifier
Figure FDA00035438369800000419
from the encrypted search token est; then, using the identifier
Figure FDA00035438369800000420
it screens the encrypted database EDB_DW; the server then uses the search token
Figure FDA00035438369800000421
Figure FDA00035438369800000422
to perform a single-keyword search and obtains the encrypted document index set R matching the search condition;
(8) Retrieve(SK_U; R): the algorithm is run by data user id_U, who takes the search private key SK_U and the encrypted document index set R as input; it first uses the partial private key sk_S to decrypt each element in R and obtain the authorized portion of the document index; specifically, for each e ∈ R, if the attribute set S ∈ U of the data user satisfies the access control policy A associated with the ciphertext e, then ind is obtained by ABE decryption of e under sk_S.
3. The double-authentication symmetric searchable encryption method based on password and secret signcryption according to claim 2, wherein, when implementing multi-data-owner functionality, a data owner key generation center DWK-KGC is first established to generate an encrypted database public/private key pair for each data owner; then the plaintext database is converted into a ciphertext database using that key pair; identity concealment, authentication and confidentiality are achieved by modifying and integrating Zhao's encryption scheme from CCS '16; specifically, Zhao's encryption algorithm is inserted after the search token is generated, and the plaintext and the sender's identity information are replaced with the search token and the data user's identity, respectively.
CN202010097171.6A 2020-02-17 2020-02-17 Double-authentication symmetric searchable encryption method based on password and secret signcryption Active CN111310210B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010097171.6A CN111310210B (en) 2020-02-17 2020-02-17 Double-authentication symmetric searchable encryption method based on password and secret signcryption

Publications (2)

Publication Number Publication Date
CN111310210A CN111310210A (en) 2020-06-19
CN111310210B true CN111310210B (en) 2022-06-17

Family

ID=71147132

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant