CN111310214A - Attribute-based encryption method and system capable of preventing key abuse - Google Patents


Publication number
CN111310214A
Authority
CN
China
Prior art keywords
key
user
attribute
data
data user
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010111296.XA
Other languages
Chinese (zh)
Inventor
李继国
张亦辰
宁建廷
黄欣沂
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Fujian Normal University
Original Assignee
Fujian Normal University


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6209 Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2107 File encryption

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to an attribute-based encryption method and system capable of preventing key abuse, wherein the method comprises the following steps: S1: the attribute authorization center generates a master key and the system public parameters; S2: the attribute authorization center calculates the user attribute key by using a key generation algorithm according to the master key, the system public parameters, the user identity, the user attribute set and the key series number; S3: the data owner calculates a ciphertext by using an encryption algorithm according to a plaintext, the system public parameters and an access structure; S4: the data user calculates the plaintext according to the system public parameters, the ciphertext, the user attribute key and the user identity; S5: if the data owner suspects that a certain data user's key is being abused, it sends the key to an audit center; the audit center searches for the data user whose key series number is the same as that of the suspicious data user; if such a data user is found, the found data user is judged to be a malicious user, otherwise the attribute authorization center is judged to be malicious. The method and the system help to track and revoke malicious users.

Description

Attribute-based encryption method and system capable of preventing key abuse
Technical Field
The invention relates to the technical field of cloud computing security, in particular to an attribute-based encryption method and system capable of preventing key abuse.
Background
Cloud computing is a computer network-based computing model in which a large number of computers interconnected by a network participate, and in which shared software and hardware resources are provided to computers and other electronic devices on demand. As a representative new service model, cloud computing has received a great deal of attention from industry and academia for its low cost, rapid deployment, environmental friendliness and flexible scaling. However, when a cloud computing service runs on a third-party cloud platform, a trust relationship cannot be established between the user and the cloud service or cloud platform, which may lead to leakage of the user's data and private information and hence to a number of security problems. An attribute-based encryption (ABE) system can realize one-to-many encryption and fine-grained access control, and can address key problems of access control, data security and privacy in cloud computing. Although ABE is considered a promising technology for secure data transmission, storage and sharing in cloud computing, challenges remain when it is deployed in real-world applications. For example, a data user may intentionally divulge its attribute key to an unauthorized user, or construct a decryption device using its key and provide decryption services to unauthorized users. How to track and revoke malicious users is a great challenge. Since an ABE attribute key carries no information identifying the user, a malicious user may share the attribute key with multiple users for commercial gain without bearing any legal responsibility. Therefore, designing an efficient, accountable ABE scheme that can run on resource-constrained Internet of Things devices is a great challenge.
Disclosure of Invention
The invention aims to provide an attribute-based encryption method and system capable of preventing key abuse, which are beneficial to tracking and revoking malicious users.
In order to achieve the purpose, the invention adopts the technical scheme that: an attribute-based encryption method capable of preventing key abuse, comprising the steps of:
step S1: the attribute authorization center inputs the security parameter $1^\lambda$ and generates a master key MSK and the system public parameters PK;
step S2: the attribute authorization center inputs a master key MSK, a system public parameter PK, a user identity ID and a user attribute set
Figure BDA0002390106230000011
and a key series number KFN, and calculates the user attribute key SK using a key generation algorithm, wherein the ID and the KFN are embedded in the SK;
step S3: data owner inputs plaintext m, system public parameters PK and access structure
Figure BDA0002390106230000021
and calculates a ciphertext CT by using an encryption algorithm;
step S4: the data user calculates the plaintext according to the system public parameter PK, the ciphertext CT, the user attribute key SK and the user identity ID; if
Figure BDA0002390106230000022
i.e. the user attribute set
Figure BDA0002390106230000023
satisfies the access structure embedded in the ciphertext CT
Figure BDA0002390106230000024
then the plaintext m is output; otherwise, if
Figure BDA0002390106230000025
i.e. the user attribute set
Figure BDA0002390106230000026
does not satisfy the access structure embedded in the ciphertext CT
Figure BDA0002390106230000027
the ciphertext cannot be decrypted to obtain the plaintext;
step S5: if the data owner suspects that a certain data user key $SK_{suspected}$ is being misused, it sends the suspicious data user key $SK_{suspected}$ to the audit center; the audit center takes the suspicious data user key $SK_{suspected}$ as input, runs the tracking algorithm and outputs the user ID and the KFN; the audit center then searches for the data user whose KFN is the same as that of the suspicious data user; if such a data user is found, the audit center judges that the found data user is a malicious user, i.e. the key leaker; otherwise, the audit center judges that the attribute authorization center is malicious, i.e. the key leaker.
Further, the step S1 specifically includes the following steps:
step S11: the attribute authorization center inputs the security parameter $1^\lambda$, i.e. a 0,1 bit string of length $\lambda$, and outputs a bilinear group $(p, G, G_T, e)$, in which $G$ and $G_T$ are cyclic groups of prime order p, g is a generator of the group G, and $e: G \times G \to G_T$ is a bilinear map;
step S12: randomly select $u, h, w, v \in G$ and $\alpha, x, y \in Z_p$, and calculate $X = g^x$, $Y = g^y$, where $Z_p$ denotes the set $\{0, 1, 2, \ldots, p-1\}$, and u, h, w, v, α, x and y are random numbers;
step S13: the attribute authorization center publishes $PK = ((p, G, G_T, e), u, h, w, v, X, Y, e(g,g)^\alpha)$ as the system public parameters; $MSK = (\alpha, x, y)$ is the master key, kept secret by the attribute authorization center.
Further, in step S2, the step of calculating the user attribute key SK by using the key generation algorithm specifically includes the following steps:
step S21: the data user first submits its own ID and attribute set
Figure BDA0002390106230000028
to the attribute authorization center, where
Figure BDA0002390106230000029
is an attribute value, and n and $n_i$ are integers;
step S22: the data user randomly selects
Figure BDA0002390106230000031
where
Figure BDA0002390106230000032
denotes the set {1, 2, …, p-1}, calculates the commitment value $R = w^k$, and sends R to the attribute authorization center;
step S23: using a zero-knowledge proof, the data user proves to the attribute authorization center that it holds the value k corresponding to the commitment value R;
step S24: the attribute authorization center checks whether the zero-knowledge proof is valid; if so, step S25 is carried out, and if not, step S26 is carried out;
step S25: taking as input the system public parameters $PK = ((p, G, G_T, e), u, h, w, v, X, Y, e(g,g)^\alpha)$, the attribute authorization center randomly selects $d, r_1, r_2, \ldots, r_n \in Z_p$ and, using the master key $MSK = (\alpha, x, y)$, calculates $K_0 = g^{\alpha/(x+ID+yd)} w^{rk}$, $K_1 = g^r$, $K_2 = g^{xr}$, $K_3 = g^{yr}$, $T_1 = ID$, $T_3 = d$,
Figure BDA0002390106230000033
If $(x + ID + yd) \bmod p = 0$, the value d is reselected; if $(x + ID + yd) \bmod p \neq 0$, the attribute authorization center generates for the data user the attribute key
Figure BDA0002390106230000034
in which SK embeds the user identity $T_1 = ID$ and the key series number $T_2 = k$;
step S26: generation of the attribute key for the data user is stopped.
Further, the step S3 specifically includes the following steps:
step S31: the data owner inputs the system public parameters $PK = ((p, G, G_T, e), u, h, w, v, X, Y, e(g,g)^\alpha)$, a message $m \in G_T$ and an access structure
Figure BDA0002390106230000035
where
Figure BDA0002390106230000036
$W_i$ is a list of attributes and $S_i$ is an attribute; it selects random numbers $s, s_1, s_2, \ldots, s_{n-1} \in Z_p$ and calculates
Figure BDA0002390106230000037
where s is the shared secret value;
step S32: the data owner selects n random numbers $t_1, t_2, \ldots, t_n \in Z_p$ and calculates $C = m \cdot e(g,g)^{\alpha s}$, $C_1 = g^s$, $C_2 = g^{xs}$, $C_3 = g^{ys}$,
Figure BDA0002390106230000038
step S33: to hide the access structure, the data owner generates, for each attribute value, a corresponding
Figure BDA0002390106230000039
when
Figure BDA00023901062300000310
it calculates
Figure BDA00023901062300000311
and when
Figure BDA00023901062300000312
it only randomly chooses
Figure BDA00023901062300000313
Finally, the data owner outputs the ciphertext
Figure BDA00023901062300000314
Further, in step S4, the calculation of the plaintext m specifically includes the following steps:
step S41: the data user inputs the system public parameters $PK = ((p, G, G_T, e), u, h, w, v, X, Y, e(g,g)^\alpha)$,
Figure BDA0002390106230000041
and, for the attribute set
Figure BDA0002390106230000042
the associated attribute key
Figure BDA0002390106230000043
For each attribute in the attribute set
Figure BDA0002390106230000044
the data user selects
Figure BDA0002390106230000045
and computes
Figure BDA0002390106230000046
step S42: the data user calculates $m = C/B$.
Further, the step S5 specifically includes the following steps:
step S51: if the data owner suspects that a certain data user key $SK_{suspected}$ is being misused, it sends the suspicious data user key $SK_{suspected}$ to the audit center; the audit center takes $SK_{suspected}$ as input, runs the tracking algorithm and outputs $T_1 = ID$, $T_2 = k$;
step S52: the audit center searches, among the data user identities ID registered with it, for the one whose KFN is the same as the key series number $T_2 = k$ of the suspicious data user, i.e. $k = k_{ID}$; if such an identity ID is found, the audit center judges that the data user with that identity ID is a malicious user, i.e. the key leaker; otherwise, i.e. $k \neq k_{ID}$, the audit center judges that the attribute authorization center is malicious, i.e. the key leaker.
The invention also provides an attribute-based encryption system capable of preventing key abuse, which comprises:
the attribute authorization center, used for generating a master key MSK and a system public parameter PK, and also for calculating a user attribute key SK by using a key generation algorithm according to the master key MSK, the system public parameter PK, the user identity ID, the user attribute set
Figure BDA0002390106230000047
and a key series number KFN;
the data owner, used for calculating a ciphertext CT by using an encryption algorithm according to the plaintext m, the system public parameter PK and the access structure
Figure BDA0002390106230000048
and also for sending the suspicious data user key $SK_{suspected}$ to the audit center;
the data user, used for calculating a plaintext according to the system public parameter PK, the ciphertext CT, the user attribute key SK and the user identity ID; and
the audit center, used for running a tracking algorithm on the suspicious data user key $SK_{suspected}$ and outputting the user ID and the KFN, then searching for the data user whose KFN is the same as that of the suspicious data user; if such a data user is found, the found data user is judged to be a malicious user, i.e. the key leaker, and if not, the attribute authorization center is judged to be malicious, i.e. the key leaker.
Compared with the prior art, the invention has the following beneficial effects: the method and the system are designed on an attribute-based cryptosystem and can realize one-to-many access control. They realize not only fine-grained access control but also the tracking and revocation of malicious users, by embedding in the data user's attribute key a key series number that uniquely identifies the data user, and they have strong practicability and wide application prospects.
Drawings
FIG. 1 is a schematic block diagram of a system of an embodiment of the present invention.
Detailed Description
The invention is further described with reference to the following figures and specific embodiments.
It should be noted that the following detailed description is exemplary and is intended to provide further explanation of the disclosure. Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs.
It is noted that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of example embodiments according to the present application. As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, and it should be understood that when the terms "comprises" and/or "comprising" are used in this specification, they specify the presence of stated features, steps, operations, devices, components, and/or combinations thereof, unless the context clearly indicates otherwise.
The invention provides an attribute-based encryption method capable of preventing key abuse, which comprises the following steps:
step S1: the attribute authorization center inputs the security parameter $1^\lambda$ and generates the master key MSK and the system public parameters PK.
In this embodiment, the step S1 specifically includes the following steps:
step S11: the attribute authorization center inputs the security parameter $1^\lambda$, i.e. a 0,1 bit string of length $\lambda$, and outputs a bilinear group $(p, G, G_T, e)$, in which $G$ and $G_T$ are cyclic groups of prime order p, g is a generator of the group G, and $e: G \times G \to G_T$ is a bilinear map;
step S12: randomly select $u, h, w, v \in G$ and $\alpha, x, y \in Z_p$, and calculate $X = g^x$, $Y = g^y$, where $Z_p$ denotes the set $\{0, 1, 2, \ldots, p-1\}$, and u, h, w, v, α, x and y are random numbers;
step S13: the attribute authorization center publishes $PK = ((p, G, G_T, e), u, h, w, v, X, Y, e(g,g)^\alpha)$ as the system public parameters; $MSK = (\alpha, x, y)$ is the master key, kept secret by the attribute authorization center.
Step S2: the attribute authorization center inputs a master key MSK, a system public parameter PK, a user identity ID, a user attribute set
Figure BDA0002390106230000061
and a key series number KFN, and calculates the user attribute key SK using a key generation algorithm, wherein the SK embeds the ID and the KFN.
In this embodiment, calculating the user attribute key SK by using the key generation algorithm specifically includes the following steps:
step S21: the data user first submits its own ID and attribute set
Figure BDA0002390106230000062
to the attribute authorization center, where
Figure BDA0002390106230000063
is an attribute value, and n and $n_i$ are integers;
step S22: the data user randomly selects
Figure BDA0002390106230000064
where
Figure BDA0002390106230000065
denotes the set {1, 2, …, p-1}, calculates the commitment value $R = w^k$, and sends R to the attribute authorization center;
step S23: using a zero-knowledge proof, the data user proves to the attribute authorization center that it holds the value k corresponding to the commitment value R;
step S24: the attribute authorization center checks whether the zero-knowledge proof is valid; if so, step S25 is carried out, and if not, step S26 is carried out;
step S25: taking as input the system public parameters $PK = ((p, G, G_T, e), u, h, w, v, X, Y, e(g,g)^\alpha)$, the attribute authorization center randomly selects $d, r_1, r_2, \ldots, r_n \in Z_p$ and, using the master key $MSK = (\alpha, x, y)$, calculates $K_0 = g^{\alpha/(x+ID+yd)} w^{rk}$, $K_1 = g^r$, $K_2 = g^{xr}$, $K_3 = g^{yr}$, $T_1 = ID$, $T_3 = d$,
Figure BDA0002390106230000066
wherein the unexplained parameters are random numbers or calculated values; if $(x + ID + yd) \bmod p = 0$, the value d is reselected; if $(x + ID + yd) \bmod p \neq 0$, the attribute authorization center generates for the data user the attribute key
Figure BDA0002390106230000067
in which SK embeds the user identity $T_1 = ID$ and $T_2 = k$, i.e. the key series number KFN;
step S26: generation of the attribute key for the data user is stopped.
Step S3: the data owner inputs the plaintext m, the system public parameters PK and the access structure
Figure BDA0002390106230000068
and computes the ciphertext CT using an encryption algorithm.
In this embodiment, the step S3 specifically includes the following steps:
step S31: the data owner inputs the system public parameters $PK = ((p, G, G_T, e), u, h, w, v, X, Y, e(g,g)^\alpha)$, a message $m \in G_T$ and an access structure
Figure BDA0002390106230000071
where
Figure BDA0002390106230000072
$W_i$ is a list of attributes and $S_i$ is an attribute; it selects random numbers $s, s_1, s_2, \ldots, s_{n-1} \in Z_p$ and calculates
Figure BDA0002390106230000073
where s is the shared secret value;
step S32: the data owner selects n random numbers $t_1, t_2, \ldots, t_n \in Z_p$ and calculates $C = m \cdot e(g,g)^{\alpha s}$, $C_1 = g^s$, $C_2 = g^{xs}$, $C_3 = g^{ys}$,
Figure BDA0002390106230000074
step S33: to hide the access structure, the data owner generates, for each attribute value, a corresponding
Figure BDA0002390106230000075
when
Figure BDA0002390106230000076
it calculates
Figure BDA0002390106230000077
and when
Figure BDA0002390106230000078
it only randomly chooses
Figure BDA0002390106230000079
Finally, the data owner outputs the ciphertext
Figure BDA00023901062300000710
Step S4: the data user calculates the plaintext according to the system public parameter PK, the ciphertext CT, the user attribute key SK and the user identity ID; if
Figure BDA00023901062300000711
i.e. the user attribute set
Figure BDA00023901062300000712
satisfies the access structure embedded in the ciphertext CT
Figure BDA00023901062300000713
then the plaintext m is output; otherwise, if
Figure BDA00023901062300000714
i.e. the user attribute set
Figure BDA00023901062300000715
does not satisfy the access structure embedded in the ciphertext CT
Figure BDA00023901062300000716
the ciphertext cannot be decrypted to obtain the plaintext.
The calculation of the plaintext m specifically comprises the following steps:
step S41: the data user inputs the system public parameters $PK = ((p, G, G_T, e), u, h, w, v, X, Y, e(g,g)^\alpha)$,
Figure BDA00023901062300000717
and, for the attribute set
Figure BDA00023901062300000718
the associated attribute key
Figure BDA00023901062300000719
For each attribute in the attribute set
Figure BDA00023901062300000720
the data user selects
Figure BDA00023901062300000721
and computes
Figure BDA00023901062300000722
step S42: the data user calculates $m = C/B$.
Step S5: if the data owner suspects that a certain data user key $SK_{suspected}$ is being misused (e.g. intentionally disclosed to other unauthorized data users for gain), it sends the suspicious data user key $SK_{suspected}$ to the audit center; the audit center takes the suspicious data user key $SK_{suspected}$ as input, runs the tracking algorithm and outputs the user ID and the KFN; the audit center then searches for the data user whose KFN is the same as that of the suspicious data user; if such a data user is found, the audit center judges that the found data user is a malicious user, i.e. the key leaker; otherwise, the audit center judges that the attribute authorization center is malicious, i.e. the key leaker.
In this embodiment, the step S5 specifically includes the following steps:
step S51: if the data owner suspects that a certain data user key $SK_{suspected}$ is being misused, it sends the suspicious data user key $SK_{suspected}$ to the audit center; the audit center takes $SK_{suspected}$ as input, runs the tracking algorithm and outputs $T_1 = ID$, $T_2 = k$;
step S52: the audit center searches, among the data user identities ID registered with it, for the one whose KFN is the same as the key series number $T_2 = k$ of the suspicious data user, i.e. $k = k_{ID}$; if such an identity ID is found, the audit center judges that the data user with that identity ID is a malicious user, i.e. the key leaker; otherwise, i.e. $k \neq k_{ID}$, the audit center judges that the attribute authorization center is malicious, i.e. the key leaker.
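The commitment and proof exchange of steps S22 to S24 and the audit decision of steps S51 and S52, as an added example that is not part of the patent text. It assumes a Schnorr proof of knowledge made non-interactive with Fiat-Shamir (the patent only says "zero knowledge proof"), a constructed toy prime-order subgroup in place of the pairing group, and hypothetical names (`commit`, `prove`, `verify`, `issue_key`, `trace`, `audit`, and the `registered_kfn` registry, whose population the patent does not describe).

```python
import hashlib
import secrets

# Constructed toy group (assumption): the order-Q subgroup of Z_P^*, P = 2Q + 1.
# The patent works in a pairing group G of prime order p; only the relation
# R = w^k is modelled here, and these sizes are far too small for real use.
Q = 1019
P = 2 * Q + 1   # 2039, a safe prime
W = 4           # stands in for the public parameter w; generates the subgroup


def commit(k):
    """Step S22: commitment R = w^k for the user's secret k in {1, ..., Q-1}."""
    if not 0 < k < Q:
        raise ValueError("k must lie in {1, ..., Q-1}")
    return pow(W, k, P)


def challenge(ident, R, A):
    """Fiat-Shamir challenge bound to the group, the identity, R and A."""
    data = f"{P}|{Q}|{W}|{ident}|{R}|{A}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def prove(k, ident):
    """Step S23: Schnorr proof that the prover knows k with R = w^k."""
    a = secrets.randbelow(Q - 1) + 1   # fresh nonce for every proof
    A = pow(W, a, P)
    c = challenge(ident, commit(k), A)
    return A, (a + c * k) % Q


def in_subgroup(x):
    """True for elements of order Q (rejects 1 and anything outside the group)."""
    return 1 < x < P and pow(x, Q, P) == 1


def verify(R, ident, proof):
    """Step S24: check w^s == A * R^c; the verifier never sees k."""
    A, s = proof
    if not (in_subgroup(R) and in_subgroup(A) and 0 <= s < Q):
        return False
    c = challenge(ident, R, A)
    return pow(W, s, P) == (A * pow(R, c, P)) % P


def issue_key(ident, R, proof):
    """Steps S24-S26: issue only when the proof is valid, otherwise stop.

    Only the tracing field T1 is modelled; K0..K3 of step S25 need a pairing
    library. Assumption: the user fills in T2 = k, which the authority never sees.
    """
    if not verify(R, ident, proof):
        return None                    # step S26
    return {"T1": ident}


def trace(sk_suspected):
    """Step S51: the tracking algorithm outputs T1 = ID and T2 = k."""
    return sk_suspected["T1"], sk_suspected["T2"]


def audit(sk_suspected, registered_kfn):
    """Step S52: search the registered users for a KFN equal to T2 = k."""
    _, k = trace(sk_suspected)
    for ident, k_id in registered_kfn.items():
        if k_id == k:
            return "data user", ident
    return "attribute authorization center", None


if __name__ == "__main__":
    k = secrets.randbelow(Q - 1) + 1
    sk = issue_key("alice", commit(k), prove(k, "alice"))
    sk["T2"] = k
    registry = {"alice": k}            # constructed audit-center registry
    print(audit(sk, registry))
    print(audit({"T1": "alice", "T2": (k % (Q - 1)) + 1}, registry))
```
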
The invention also provides an attribute-based encryption system capable of preventing key abuse based on the method, which comprises an attribute authorization center, a data owner, a data user and an audit center, as shown in figure 1.
The attribute authorization center is used for generating a master key MSK and a system public parameter PK, and also for calculating a user attribute key SK by using a key generation algorithm according to the master key MSK, the system public parameter PK, the user identity ID, the user attribute set
Figure BDA0002390106230000081
and a key series number KFN.
The data owner is used for calculating the ciphertext CT by using an encryption algorithm according to the plaintext m, the system public parameter PK and the access structure
Figure BDA0002390106230000082
and also for sending the suspicious data user key $SK_{suspected}$ to the audit center.
The data user is used for calculating a plaintext according to the system public parameter PK, the ciphertext CT, the user attribute key SK and the user identity ID.
The audit center is used for running a tracking algorithm on the suspicious data user key $SK_{suspected}$ and outputting the user ID and the KFN, then searching for the data user whose KFN is the same as that of the suspicious data user; if such a data user is found, the found data user is judged to be a malicious user, i.e. the key leaker, and if not, the attribute authorization center is judged to be malicious, i.e. the key leaker.
The main advantage of the invention is that it realizes one-to-many access control, user tracking and attribute key revocation. It realizes not only fine-grained access control but also malicious user tracking and attribute key revocation, by embedding in the data user's attribute key a key series number that uniquely identifies the data user, and the scheme has higher security and better performance.
As shown in fig. 1, the attribute authority generates system public parameters and issues attribute keys to data owners and data users. And the data owner encrypts the message by using the related access structure and outsources the ciphertext to the cloud server. Each ciphertext is associated with an access structure and a private key of a data user is associated with a set of attributes. The outsourced data can be successfully decrypted if the set of attributes of the authorized data users satisfies the access structure. When the data owner suspects the key leakage or key abuse, the auditing center starts an auditing and canceling program and returns the tracking and auditing results to the data owner and the data user. According to the invention, the key series number of the corresponding identity is embedded in the user attribute key, and when a user shares the attribute key with other people for commercial benefit, the key series number of the user can be tracked through a key tracking algorithm, so that the malicious data user identity is determined, and the problems of key abuse and attribute key revocation are solved.
The foregoing is directed to preferred embodiments of the present invention, other and further embodiments of the invention may be devised without departing from the basic scope thereof, and the scope thereof is determined by the claims that follow. However, any simple modification, equivalent change and modification of the above embodiments according to the technical essence of the present invention are within the protection scope of the technical solution of the present invention.

Claims (7)

1. An attribute-based encryption method capable of preventing key abuse, comprising the steps of:
step S1: the attribute authorization center inputs the security parameter $1^\lambda$ and generates a master key MSK and the system public parameters PK;
step S2: the attribute authorization center inputs a master key MSK, a system public parameter PK, a user identity ID and a user attribute set
Figure FDA0002390106220000011
and a key series number KFN, and calculates the user attribute key SK using a key generation algorithm, wherein the ID and the KFN are embedded in the SK;
step S3: data owner inputs plaintext m, system public parameters PK and access structure
Figure FDA0002390106220000012
and calculates a ciphertext CT by using an encryption algorithm;
step S4: the data user calculates the plaintext according to the system public parameter PK, the ciphertext CT, the user attribute key SK and the user identity ID; if
Figure FDA0002390106220000013
i.e. the user attribute set
Figure FDA0002390106220000014
satisfies the access structure embedded in the ciphertext CT
Figure FDA0002390106220000018
then the plaintext m is output; otherwise, if
Figure FDA0002390106220000015
i.e. the user attribute set
Figure FDA0002390106220000016
does not satisfy the access structure embedded in the ciphertext CT
Figure FDA0002390106220000017
the ciphertext cannot be decrypted to obtain the plaintext;
step S5: if the data owner suspects that a certain data user key $SK_{suspected}$ is being misused, it sends the suspicious data user key $SK_{suspected}$ to the audit center; the audit center takes the suspicious data user key $SK_{suspected}$ as input, runs the tracking algorithm and outputs the user ID and the KFN; the audit center then searches for the data user whose KFN is the same as that of the suspicious data user; if such a data user is found, the audit center judges that the found data user is a malicious user, i.e. the key leaker; otherwise, the audit center judges that the attribute authorization center is malicious, i.e. the key leaker.
2. The method for attribute-based encryption capable of preventing key abuse according to claim 1, wherein said step S1 specifically comprises the following steps:
step S11: the attribute authorization center inputs the security parameter $1^\lambda$, i.e. a 0,1 bit string of length $\lambda$, and outputs a bilinear group $(p, G, G_T, e)$, in which $G$ and $G_T$ are cyclic groups of prime order p, g is a generator of the group G, and $e: G \times G \to G_T$ is a bilinear map;
step S12: randomly select $u, h, w, v \in G$ and $\alpha, x, y \in Z_p$, and calculate $X = g^x$, $Y = g^y$, where $Z_p$ denotes the set $\{0, 1, 2, \ldots, p-1\}$, and u, h, w, v, α, x and y are random numbers;
step S13: the attribute authorization center publishes $PK = ((p, G, G_T, e), u, h, w, v, X, Y, e(g,g)^\alpha)$ as the system public parameters; $MSK = (\alpha, x, y)$ is the master key, kept secret by the attribute authorization center.
3. The method for attribute-based encryption capable of preventing key abuse according to claim 2, wherein in step S2, the step of calculating the user attribute key SK by using the key generation algorithm specifically comprises the following steps:
step S21: the data user first submits its own ID and attribute set
Figure FDA0002390106220000021
to the attribute authorization center, where
Figure FDA0002390106220000022
is an attribute value, and n and $n_i$ are integers;
step S22: the data user randomly selects
Figure FDA0002390106220000023
where
Figure FDA0002390106220000024
denotes the set {1, 2, …, p-1}, calculates the commitment value $R = w^k$, and sends R to the attribute authorization center;
step S23: using a zero-knowledge proof, the data user proves to the attribute authorization center that it holds the value k corresponding to the commitment value R;
step S24: the attribute authorization center checks whether the zero-knowledge proof is valid; if so, step S25 is carried out, and if not, step S26 is carried out;
step S25: taking as input the system public parameters $PK = ((p, G, G_T, e), u, h, w, v, X, Y, e(g,g)^\alpha)$, the attribute authorization center randomly selects $d, r_1, r_2, \ldots, r_n \in Z_p$ and, using the master key $MSK = (\alpha, x, y)$, calculates $K_0 = g^{\alpha/(x+ID+yd)} w^{rk}$, $K_1 = g^r$, $K_2 = g^{xr}$, $K_3 = g^{yr}$, $T_1 = ID$, $T_3 = d$,
Figure FDA0002390106220000025
If $(x + ID + yd) \bmod p = 0$, the value d is reselected; if $(x + ID + yd) \bmod p \neq 0$, the attribute authorization center generates for the data user the attribute key
Figure FDA0002390106220000029
in which SK embeds the user identity $T_1 = ID$ and the key series number $T_2 = k$;
step S26: generation of the attribute key for the data user is stopped.
4. The method of claim 3, wherein said step S3 specifically comprises the following steps:
step S31: the data owner inputs the system public parameters $PK = ((p, G, G_T, e), u, h, w, v, X, Y, e(g,g)^{\alpha})$, a message $m \in G_T$ and an access structure [Figure FDA0002390106220000026], wherein [Figure FDA0002390106220000027], $W_i$ is a list of attributes, and $S_i$ is an attribute; selects random numbers $s, s_1, s_2, \ldots, s_{n-1} \in Z_p$; and computes [Figure FDA0002390106220000028], where s is the shared secret value;
step S32: the data owner selects n random numbers $t_1, t_2, \ldots, t_n \in Z_p$ and computes $C = m \cdot e(g,g)^{\alpha s}$, $C_1 = g^s$, $C_2 = g^{xs}$, $C_3 = g^{ys}$, [Figure FDA0002390106220000031];
step S33: to hide the access structure, the data owner generates a corresponding value for each attribute value [Figure FDA0002390106220000032]: when [Figure FDA0002390106220000033], it computes [Figure FDA0002390106220000034]; when [Figure FDA0002390106220000035], it only randomly chooses [Figure FDA0002390106220000036]. Finally, the data owner outputs the ciphertext [Figure FDA0002390106220000037].
5. The method for attribute-based encryption capable of preventing key abuse according to claim 4, wherein in step S4, the calculation of plaintext m specifically comprises the following steps:
step S41: the data user inputs the system public parameters $PK = ((p, G, G_T, e), u, h, w, v, X, Y, e(g,g)^{\alpha})$, [Figure FDA0002390106220000038], and the attribute key [Figure FDA00023901062200000310] associated with the attribute set [Figure FDA0002390106220000039]. For each attribute in the attribute set [Figure FDA00023901062200000311], the data user selects [Figure FDA00023901062200000312] and computes [Figure FDA00023901062200000313];
step S42: the data user calculates $m = C/B$.
6. The method of claim 5, wherein said step S5 specifically comprises the following steps:
step S51: if the data owner suspects that a certain data user key $SK_{suspected}$ is being misused, it sends the suspicious data user key $SK_{suspected}$ to the audit center; the audit center takes the suspicious data user key $SK_{suspected}$ as input, runs the tracking algorithm, and outputs $T_1 = ID$, $T_2 = k$;
step S52: the audit center searches the records registered with it for the data user identity ID whose KFN is the same as the key series number $T_2 = k$ of the suspicious data user, that is, $k = k_{ID}$; if the identity ID is found, the audit center judges that the data user with that identity ID is a malicious user, namely the key leaker; otherwise, $k \neq k_{ID}$, and the audit center judges that the attribute authorization center is malicious, namely the key leaker.
7. A key abuse resistant attribute-based encryption system employing the method of any one of claims 1-6, comprising:
the attribute authorization center, used for generating the master key MSK and the system public parameters PK, and also for calculating the user attribute key SK with the key generation algorithm according to the master key MSK, the system public parameters PK, the user identity ID, the user attribute set [Figure FDA0002390106220000041] and the key series number KFN;
the data owner, used for calculating the ciphertext CT with the encryption algorithm according to the plaintext m, the system public parameters PK and the access structure [Figure FDA0002390106220000042], and also for sending the suspicious data user key $SK_{suspected}$ to the audit center;
the data user, used for calculating the plaintext according to the system public parameters PK, the ciphertext CT, the user attribute key SK and the user identity ID; and
the audit center, used for running the tracking algorithm on the suspicious data user key $SK_{suspected}$, outputting the user identity ID and the KFN, and then searching for the data user whose KFN is the same as that of the suspicious data user; if such a data user is found, the found data user is judged to be a malicious user, namely the key leaker, and if no such data user is found, the attribute authorization center is judged to be malicious, namely the key leaker.
CN202010111296.XA 2020-02-24 2020-02-24 Attribute-based encryption method and system capable of preventing key abuse Pending CN111310214A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010111296.XA CN111310214A (en) 2020-02-24 2020-02-24 Attribute-based encryption method and system capable of preventing key abuse

Publications (1)

Publication Number Publication Date
CN111310214A true CN111310214A (en) 2020-06-19

Family

ID=71149123

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109286491A (en) * 2018-10-18 2019-01-29 上海海事大学 A kind of key policy attribute base encryption method based on proxy revocation
CN110099043A (en) * 2019-03-24 2019-08-06 西安电子科技大学 The hiding more authorization center access control methods of support policy, cloud storage system
CN110457930A (en) * 2019-08-16 2019-11-15 上海海事大学 The attribute base encryption method and system of the hiding traceable revocation malicious user of strategy

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
JIGUO LI, YICHEN ZHANG, JIANTING NING, XINYI HUANG, GEONG SEN PO: ""Attribute Based Encryption with Privacy Protection and Accountability for CloudIoT"", 《IEEE》 *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113362147A (en) * 2021-05-17 2021-09-07 杭州师范大学 Traceable electronic auction method based on multiple authorization centers under Internet of things
CN113362147B (en) * 2021-05-17 2023-02-10 杭州师范大学 Traceable electronic auction method based on multiple authorization centers under Internet of things
CN113489683A (en) * 2021-06-11 2021-10-08 东莞职业技术学院 Key abuse prevention decentralized attribute-based encryption method, system and storage medium
CN113507359A (en) * 2021-06-18 2021-10-15 泰安北航科技园信息科技有限公司 Block chain-based digital copyright multi-authority attribute encryption management system
CN113810410A (en) * 2021-09-16 2021-12-17 东莞职业技术学院 Unmisuse key decentralized attribute-based encryption method, system and storage medium
WO2023134576A1 (en) * 2022-01-17 2023-07-20 中兴通讯股份有限公司 Data encryption method, attribute authorization center, and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200619