CN111556048A - Attribute-based secure communication method and system supporting ciphertext mode matching
- Publication number
- CN111556048A CN202010338665.9A
- Authority
- CN
- China
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0442—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
- H04L63/0807—Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- H04L67/10—Protocols in which an application is distributed across nodes in the network
- H04W12/02—Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
- H04W12/06—Authentication
- H04W12/068—Authentication using credential vaults, e.g. password manager applications or one time password [OTP] applications
Abstract
The invention provides an attribute-based secure communication method and system supporting ciphertext pattern matching, and belongs to the technical field of communication security. A first processor executes a system establishment algorithm to obtain system public parameters and a system master key, uses the system master key and the attribute set of a third processor to obtain a private key corresponding to that attribute set, and returns the private key to the third processor; a second processor outputs the corresponding ciphertext; the third processor sends a query trapdoor to a cloud server; the cloud server executes a matching algorithm on the query trapdoor and the partial ciphertext corresponding to the plaintext character string to obtain an index set, and returns the index set to the third processor; the third processor judges from the index set whether the ciphertext contains the information it wants, and if so, downloads the partial ciphertext of the plaintext data and runs a decryption algorithm to obtain the plaintext data. The method and the device implement attribute-based encryption and decryption while also supporting pattern matching on the ciphertext, so that character strings in the plaintext can be queried while the data remains in ciphertext form.
Description
Technical Field
The present disclosure relates to the field of communication security technologies, and in particular, to an attribute-based secure communication method and system supporting ciphertext pattern matching.
Background
The statements in this section merely provide background information related to the present disclosure and may not necessarily constitute prior art.
With the development of big data and cloud computing technology, more and more users choose to store data on a cloud server, which brings great convenience to storage, management and use of data, but also brings risks of data leakage.
The inventor of the present disclosure finds that, in order to prevent data leakage, the conventional method is to encrypt data before uploading the data to a cloud server, but the conventional encryption method is generally not beneficial to data sharing and query, thereby reducing the efficiency of data sharing and query.
Disclosure of Invention
To overcome the shortcomings of the prior art, the present disclosure provides an attribute-based secure communication method and system supporting ciphertext pattern matching, which implement attribute-based encryption and decryption while also supporting pattern matching on the ciphertext, so that character strings in the plaintext text can be queried while the data is in ciphertext form, improving data sharing and query efficiency while ensuring data security.
To achieve this purpose, the disclosure adopts the following technical scheme:
A first aspect of the present disclosure provides an attribute-based secure communication method supporting ciphertext pattern matching.
An attribute-based secure communication method supporting ciphertext pattern matching is applied to a data query terminal;
the data query terminal sends its attribute set to the external encryption terminal and receives the private key of the attribute set sent back by the external encryption terminal;
the data query terminal sends a data query request to the data storage terminal, obtains the partial ciphertext corresponding to the access structure in the ciphertext, and runs the partial decryption algorithm to decrypt it; if the attribute set owned by the data query terminal satisfies the access structure, a token key is obtained;
when the data query terminal needs to query whether the ciphertext contains a first character string, it runs the trapdoor generation algorithm, obtains the query trapdoor corresponding to the first character string from the private key of its attribute set and the token key, and sends the query trapdoor to the data storage terminal;
the data query terminal acquires the index set obtained by the data storage terminal executing the matching algorithm on the query trapdoor and the partial ciphertext corresponding to the character string in the ciphertext; it judges from the index set whether the ciphertext contains the information it wants, and if so, downloads the partial ciphertext of the plaintext data from the ciphertext at the data storage terminal and runs the decryption algorithm to obtain the plaintext data.
A second aspect of the present disclosure provides an attribute-based secure communications apparatus that supports ciphertext pattern matching.
An attribute-based secure communications apparatus supporting ciphertext pattern matching, comprising a processor;
the processor sends the device attribute set to the external encryption terminal and receives the private key of the device attribute set sent back by the external encryption terminal;
the processor sends a data query request to the data storage terminal, obtains the partial ciphertext corresponding to the access structure in the ciphertext, and runs the partial decryption algorithm to decrypt it; if the attribute set owned by the processor satisfies the access structure, a token key is obtained;
when the processor needs to query whether the ciphertext contains a first character string, it runs the trapdoor generation algorithm, obtains the query trapdoor corresponding to the first character string from the private key of its attribute set and the token key, and sends the query trapdoor to the data storage terminal;
the processor acquires the index set obtained by the data storage terminal executing the matching algorithm on the query trapdoor and the partial ciphertext corresponding to the character string in the ciphertext; it judges from the index set whether the ciphertext contains the information it wants, and if so, downloads the partial ciphertext of the plaintext data from the ciphertext at the data storage terminal and runs the decryption algorithm to obtain the plaintext data.
A third aspect of the present disclosure provides an attribute-based secure communication method supporting ciphertext pattern matching.
An attribute-based secure communication method supporting ciphertext mode matching is applied to a data storage terminal;
the data storage terminal acquires and stores ciphertext obtained by inputting and encrypting the public parameter, the access structure, the plaintext character string and the plaintext data from the external terminal, wherein the ciphertext comprises a part of ciphertext corresponding to the access structure, a part of ciphertext corresponding to the plaintext character string and a part of ciphertext of the plaintext data;
the data storage terminal receives a query request from the data query terminal and returns the partial ciphertext corresponding to the access structure to the data query terminal, so that the data query terminal obtains a token key if the attribute set it owns satisfies the access structure;
the data storage terminal acquires the query trapdoor corresponding to a first character string, which the data query terminal obtains from the private key of its attribute set and its token key, executes the matching algorithm on the query trapdoor and the partial ciphertext corresponding to the plaintext character string to obtain an index set, and returns the index set to the data query terminal, so that the data query terminal can judge from the index set whether the ciphertext contains the information it wants;
the data storage terminal acquires a download command of the data query terminal and sends a part of ciphertext of the plaintext data to the data query terminal, so that the data query terminal obtains the plaintext data through a decryption algorithm.
A fourth aspect of the present disclosure provides a data storage device comprising a processor;
the processor acquires and stores a ciphertext obtained by encrypting the public parameter, the access structure, the plaintext character string and the plaintext data which are sent by the external terminal, wherein the ciphertext comprises a part of ciphertext corresponding to the access structure, a part of ciphertext corresponding to the plaintext character string and a part of ciphertext of the plaintext data;
the processor receives a query request from the data query terminal and returns the partial ciphertext corresponding to the access structure to the data query terminal, so that the data query terminal obtains a token key if the attribute set it owns satisfies the access structure;
the processor acquires the query trapdoor corresponding to a first character string, which the data query terminal obtains from the private key of its attribute set and its token key, executes the matching algorithm on the query trapdoor and the partial ciphertext corresponding to the plaintext character string to obtain an index set, and returns the index set to the data query terminal, so that the data query terminal can judge from the index set whether the ciphertext contains the information it wants;
the processor acquires a downloading command of the data query terminal and sends a part of ciphertext of the plaintext data to the data query terminal so that the data query terminal obtains the plaintext data through a decryption algorithm.
The fifth aspect of the disclosure provides an attribute-based secure communication method supporting ciphertext mode matching.
An attribute-based secure communication method supporting ciphertext mode matching, which comprises a first terminal, a cloud server, a second terminal and a third terminal, and comprises the following steps:
the first terminal executes a system establishment algorithm to obtain a system public parameter and a system master key;
the third terminal applies for a key to the first terminal, the third terminal submits the attribute set of the key to the first terminal, and the first terminal runs a key generation algorithm to obtain a private key corresponding to the attribute set by using the system master key and the attribute set of the third terminal and returns the private key to the third terminal;
when the second terminal needs to encrypt the plaintext character string and the plaintext data, an encryption algorithm is operated, the public parameter, the access structure, the plaintext character string and the plaintext data are used as input, corresponding ciphertext is output, the ciphertext comprises a part of ciphertext corresponding to the access structure, a part of ciphertext corresponding to the plaintext character string and a part of ciphertext of the plaintext data, and the ciphertext is stored in the cloud server by the second terminal so that a third terminal can access the ciphertext;
when the cloud server receives a query request from the third terminal, it returns the partial ciphertext corresponding to the access structure to the third terminal; the third terminal runs the partial decryption algorithm to decrypt it, and if the attribute set owned by the third terminal satisfies the access structure, a token key is obtained;
when the third terminal needs to query whether the ciphertext contains a first character string, it runs the trapdoor generation algorithm to obtain the query trapdoor corresponding to the first character string and sends the query trapdoor to the cloud server;
the cloud server executes the matching algorithm on the query trapdoor and the partial ciphertext corresponding to the plaintext character string to obtain an index set, and returns the index set to the third terminal;
and the third terminal judges from the index set whether the ciphertext contains the information it wants, and if so, downloads the partial ciphertext of the plaintext data and runs the decryption algorithm to obtain the plaintext data.
A sixth aspect of the present disclosure provides an attribute-based secure communication system supporting ciphertext pattern matching.
An attribute-based secure communication system supporting ciphertext pattern matching, comprising at least one first processor, at least one cloud server, at least one second processor, and at least one third processor, comprising:
the first processor executes a system establishment algorithm to obtain a system public parameter and a system master key;
the third processor applies for a key from the first processor, the third processor submits the attribute set of the key to the first processor, and the first processor runs a key generation algorithm to obtain a private key corresponding to the attribute set by using the system master key and the attribute set of the third processor and returns the private key to the third processor;
when the second processor needs to encrypt the plaintext character string and the plaintext data, an encryption algorithm is operated, corresponding ciphertext is output by taking the public parameter, the access structure, the plaintext character string and the plaintext data as input, the ciphertext comprises a part of ciphertext corresponding to the access structure, a part of ciphertext corresponding to the plaintext character string and a part of ciphertext of the plaintext data, and the ciphertext is stored in the cloud server by the second processor so that the third processor can access the ciphertext;
when the cloud server receives a query request from the third processor, it returns the partial ciphertext corresponding to the access structure to the third processor; the third processor runs the partial decryption algorithm to decrypt it, and if the attribute set owned by the third processor satisfies the access structure, a token key is obtained;
when the third processor needs to query whether the ciphertext contains a first character string, it runs the trapdoor generation algorithm to obtain the query trapdoor corresponding to the first character string and sends the query trapdoor to the cloud server;
the cloud server executes the matching algorithm on the query trapdoor and the partial ciphertext corresponding to the plaintext character string to obtain an index set, wherein the index set points to the position of the first character string in the plaintext character string, and returns the index set to the third processor;
and the third processor judges from the index set whether the ciphertext contains the information it wants, and if so, downloads the partial ciphertext of the plaintext data and runs the decryption algorithm to obtain the plaintext data.
Compared with the prior art, the beneficial effects of this disclosure are:
1. The secure communication method, device and system implement attribute-based encryption and decryption while also supporting pattern matching on the ciphertext, so that character strings in the plaintext can be queried while the data is in ciphertext form, improving data sharing and query efficiency while ensuring data security.
2. According to the secure communication method, device and system, in the corresponding system, a data owner (a second terminal) encrypts data aiming at a specific access structure, and only a data user (a third terminal) with an attribute meeting the access structure can perform pattern matching query and decryption.
3. Compared with the standard attribute-based encryption, the attribute-based encryption supporting ciphertext mode matching provided by the invention has the capacity of querying the ciphertext, and a data user can query whether the ciphertext contains required content before downloading all the ciphertexts and decrypting, so that the communication and calculation expenses are saved.
4. Compared with the existing searchable attribute-based encryption, the secure communication method, the device and the system provided by the disclosure have the advantages that a data owner can perform pattern matching query on a text substring of a whole text ciphertext without presetting keywords.
5. Compared with the existing public key encryption supporting ciphertext mode matching, the secure communication method, the device and the system provided by the disclosure have the advantages that the access control function based on the attribute is added, and only the entity with the attribute meeting the access structure can be inquired and decrypted.
Drawings
Fig. 1 is a schematic flowchart of an attribute-based secure communication method supporting ciphertext pattern matching according to embodiment 5 of the present disclosure.
Fig. 2 is a schematic structural diagram of an attribute-based secure communication system supporting ciphertext pattern matching according to embodiment 6 of the present disclosure.
Detailed Description
It should be noted that the following detailed description is exemplary and is intended to provide further explanation of the disclosure. Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this disclosure belongs.
It is noted that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of example embodiments according to the present disclosure. As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, and it should be understood that when the terms "comprises" and/or "comprising" are used in this specification, they specify the presence of stated features, steps, operations, devices, components, and/or combinations thereof, unless the context clearly indicates otherwise.
The embodiments and features of the embodiments in the present application may be combined with each other without conflict.
Example 1:
Embodiment 1 of the present disclosure provides an attribute-based secure communication method supporting ciphertext pattern matching, which is applied to a data query terminal;
the data query terminal sends its attribute set to the external encryption terminal and receives the private key of the attribute set sent back by the external encryption terminal;
the data query terminal sends a data query request to the data storage terminal, obtains the partial ciphertext corresponding to the access structure in the ciphertext, and runs the partial decryption algorithm to decrypt it; if the attribute set owned by the data query terminal satisfies the access structure, a token key is obtained;
when the data query terminal needs to query whether the ciphertext contains a first character string, it runs the trapdoor generation algorithm, obtains the query trapdoor corresponding to the first character string from the private key of its attribute set and the token key, and sends the query trapdoor to the data storage terminal;
the data query terminal acquires the index set obtained by the data storage terminal executing the matching algorithm on the query trapdoor and the partial ciphertext corresponding to the character string in the ciphertext; it judges from the index set whether the ciphertext contains the information it wants, and if so, downloads the partial ciphertext of the plaintext data from the ciphertext at the data storage terminal and runs the decryption algorithm to obtain the plaintext data.
The specific communication mode is as follows:
The system contains four types of entities: the Key Generation Center (KGC); the Cloud Server (CS), i.e., the data storage terminal; the Data Owner (DO); and the Data User (DU), i.e., the data query terminal.
The method comprises the following steps:
(1) the key generation center KGC executes the system establishment algorithm to obtain the system public parameters PP and the system master key MSK, publishes PP, and keeps MSK secret;
(2) the data user DU applies to the key generation center KGC for a key: the DU submits its attribute set S to the KGC, and the KGC runs the key generation algorithm to obtain the private key $SK_S$ corresponding to S and returns it to the DU;
(3) when the data owner DO wishes to encrypt a plaintext character string T and plaintext data D, it runs the encryption algorithm to obtain a ciphertext; the DO stores the ciphertext in the cloud server CS so that the data user DU can access it;
(4) when the cloud server CS receives a query request from the data user DU, it first returns the partial ciphertext corresponding to the access structure to the DU; the DU runs the partial decryption algorithm, and if the attribute set S owned by the DU satisfies the access structure, it obtains the token key TK;
(5) if the data user DU wants to query whether the ciphertext contains the character string W, it runs the trapdoor generation algorithm to obtain the query trapdoor $td_W$ corresponding to W; the DU sends $td_W$ to the cloud server CS;
(6) the cloud server CS executes the matching algorithm on $td_W$ and $CT_T$ to obtain an index set, and returns the index set to the data user DU;
(7) the data user DU judges from the index set whether the ciphertext contains the information it wants; if so, it downloads the partial ciphertext $CT_D$ and runs the decryption algorithm to obtain the plaintext data D;
The method specifically comprises the following algorithms:
(A) System establishment algorithm (Setup): the algorithm is run by the KGC; it takes as input an attribute space U, which represents the set of all possible attributes in the system, and an integer n, which defines the maximum length of a plaintext string that can be encrypted, and outputs the public parameters PP and the master key MSK.
Specifically:
selecting a q-order bilinear groupAndwherein q is a prime number and g isThe bilinear map e exists:for each attribute in attribute space U, inIn the selection of | U | random elements
Select a standard symmetric encryption scheme (e.g., AES) with plaintext space $SPACE_M$, key space $SPACE_K$, encryption algorithm Enc and decryption algorithm Dec;
For the there is $m = Dec(K, Enc(K, m))$. Let $f_1$ and $f_2$ be two pseudo-random functions, wherein
(B) Key generation algorithm (KeyGen): the algorithm is run by the KGC; it takes the master key MSK and an attribute set S as input, and outputs the private key $SK_S$ corresponding to the attribute set S.
Specifically, the master key MSK and an attribute set are taken as input; the algorithm makes a random selection and returns $SK_S := (K_0, K_1, \{K_{2,x}\}_{x \in S}, K_3)$, where $K_0 = g^{\alpha} g^{\beta t}$, $K_1 = g^{t}$, $K_3 = (z, \{\sigma_s\}_{s \in S})$.
(C) Encryption algorithm (Encrypt): the algorithm is run by the data owner DO; it takes the public parameters PP, an access structure, the plaintext character string T and the plaintext data D as input, and outputs the corresponding ciphertext CT, which comprises three parts: the partial ciphertext corresponding to the access structure, the partial ciphertext $CT_T$ corresponding to the plaintext character string T, and the partial ciphertext $CT_D$ of the plaintext data D.
Note: in practical applications, T is usually a description of D, and $|D| > |T|$. The data user judges whether the ciphertext contains the information it wants by performing string pattern matching on T.
Specifically, let be an access structure, where M is a matrix and p is a function that maps the row numbers of the matrix M to the corresponding attributes, i.e. Random selection and calculate Then $CT_D = Enc(f_1(TK), D)$;
Randomly select Let Then, calculate where $M_i$ is the row vector formed by the elements of the i-th row of the matrix M; then, randomly select and calculate Then
Let the string to be encrypted be $T = s_0 \ldots s_{m-1}$, where $m \le n$. First, $r = f_2(TK)$ is calculated. Then, randomly select For $i = 0, \ldots, m-1$, calculate Then
(D) Partial decryption algorithm (PDecrypt): the algorithm is run by the data user DU; it takes the partial ciphertext corresponding to the access structure and the private key $SK_S$ as input, and if the attribute set S satisfies the access structure, it outputs the token key TK.
Specifically, when the cloud server CS receives the query request of the data user DU, it first returns the partial ciphertext corresponding to the access structure to the DU; if the attributes of the DU satisfy the access structure, there exists a set such that $\sum_{i \in W} \omega_i \lambda_i = x_0$;
Then, the DU calculates:
(E) Trapdoor generation algorithm (TDGen): the algorithm is run by the data user DU; it takes the character string W to be queried, the private key $SK_S$ and the token key TK as input, and outputs the query trapdoor $td_W$ corresponding to W.
Specifically, the data user DU calculates $r = f_2(TK)$ and generates the trapdoor $td_W$ by the following calculation, where the character string $W = w_0 \ldots w_{l-1}$.
For the initialize the array Ind[s] to 0; for the initialize the array L[i] to 0; let the variables V = 0 and c = 0;
The following is performed for i from 0 to l-1: if $L[Ind[w_i]] = 0$, then in a random value is assigned to L[c], initialize a set Let c = c + 1; otherwise, let
(F) Matching algorithm (Match): the algorithm can be run by a holder of $td_W$; in the present system it is specified to be run by the cloud server CS. It takes the partial ciphertext $CT_T$ and the trapdoor $td_W$ as input and outputs a set of indices j pointing to the locations where the string W appears in the plaintext string T.
Specifically, on input $td_W$ and $CT_T$, for $j = 0, \ldots, m-l$, it is checked whether the following equations hold
(G) Decryption algorithm (Decrypt): the algorithm is run by the data user DU; it takes the partial ciphertext $CT_D$ and the token key TK as input, and outputs the plaintext data D.
Specifically, with the partial ciphertext $CT_D$ and the token key TK as input, $D = Dec(f_1(TK), CT_D)$ is calculated.
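The access-structure check behind the Encrypt and PDecrypt algorithms above, as an added example that is not code from the patent: the matrix M with its row-to-attribute map forms a linear secret-sharing scheme, and an attribute set satisfies it exactly when coefficients ω_i with Σ ω_i λ_i = x_0 exist. Assumptions: shares are computed as λ_i = M_i · v with v = (x_0, random, ...), the target vector is (1, 0, ..., 0), arithmetic is done directly in Z_q rather than inside the bilinear group, and the policy, modulus and function names are constructed for illustration.

```python
"""LSSS access structure: share a secret x0 over the rows of M, then
reconstruct it from the rows whose attributes a user holds."""
import secrets

# Assumption: a Mersenne prime stands in for the prime group order q.
Q = 2**127 - 1

# Constructed policy: (doctor AND cardiology) OR auditor.
# Row i of M is labelled with attribute RHO[i] (the row-to-attribute map).
M = [[1, 1],
     [0, -1],
     [1, 0]]
RHO = ["doctor", "cardiology", "auditor"]


def make_shares(matrix, x0, q=Q):
    """Data owner side: lambda_i = M_i . v with v = (x0, random, ...)."""
    width = len(matrix[0])
    v = [x0 % q] + [secrets.randbelow(q) for _ in range(width - 1)]
    return [sum(a * b for a, b in zip(row, v)) % q for row in matrix]


def reconstruction_coeffs(matrix, rho, attrs, q=Q):
    """Data user side: find omega_i over the rows the user holds such that
    sum_i omega_i * M_i = (1, 0, ..., 0) mod q.  Returns {row: omega} or
    None when the attribute set does not satisfy the access structure."""
    rows = [i for i, attr in enumerate(rho) if attr in attrs]
    width, k = len(matrix[0]), len(rows)
    # One equation per column of M; the unknowns are the omegas; the last
    # entry is the matching coordinate of the target vector (1, 0, ..., 0).
    aug = [[matrix[i][c] % q for i in rows] + [1 if c == 0 else 0]
           for c in range(width)]
    pivots, r = [], 0
    for col in range(k):  # Gauss-Jordan elimination mod q
        if r == width:
            break
        p = next((j for j in range(r, width) if aug[j][col]), None)
        if p is None:
            continue  # free variable, left at 0
        aug[r], aug[p] = aug[p], aug[r]
        inv = pow(aug[r][col], -1, q)
        aug[r] = [x * inv % q for x in aug[r]]
        for j in range(width):
            if j != r and aug[j][col]:
                f = aug[j][col]
                aug[j] = [(x - f * y) % q for x, y in zip(aug[j], aug[r])]
        pivots.append(col)
        r += 1
    if any(row[k] for row in aug[r:]):
        return None  # target vector is outside the span of the held rows
    omega = {i: 0 for i in rows}
    for eq, col in enumerate(pivots):
        omega[rows[col]] = aug[eq][k]
    return omega


def recover(matrix, rho, attrs, shares, q=Q):
    """Return x0 = sum_i omega_i * lambda_i mod q, or None if not authorised."""
    omega = reconstruction_coeffs(matrix, rho, attrs, q)
    if omega is None:
        return None
    return sum(w * shares[i] for i, w in omega.items()) % q


if __name__ == "__main__":
    x0 = secrets.randbelow(Q)
    shares = make_shares(M, x0)
    for attrs in ({"doctor", "cardiology"}, {"auditor"}, {"doctor"}):
        got = recover(M, RHO, attrs, shares)
        verdict = "x0 recovered" if got == x0 else "access denied"
        print(sorted(attrs), "->", verdict)
```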
Example 2:
Embodiment 2 of the present disclosure provides an attribute-based secure communication apparatus supporting ciphertext pattern matching, including a processor;
the processor sends the device attribute set to the external encryption terminal and receives the private key of the device attribute set sent back by the external encryption terminal;
the processor sends a data query request to the data storage terminal, obtains the partial ciphertext corresponding to the access structure in the ciphertext, and runs the partial decryption algorithm to decrypt it; if the attribute set owned by the processor satisfies the access structure, a token key is obtained;
when the processor needs to query whether the ciphertext contains a first character string, it runs the trapdoor generation algorithm, obtains the query trapdoor corresponding to the first character string from the private key of its attribute set and the token key, and sends the query trapdoor to the data storage terminal;
the processor acquires the index set obtained by the data storage terminal executing the matching algorithm on the query trapdoor and the partial ciphertext corresponding to the character string in the ciphertext; it judges from the index set whether the ciphertext contains the information it wants, and if so, downloads the partial ciphertext of the plaintext data from the ciphertext at the data storage terminal and runs the decryption algorithm to obtain the plaintext data.
The specific communication method is the same as the specific communication method in embodiment 1, and is not described herein again.
Example 3:
Embodiment 3 of the present disclosure provides an attribute-based secure communication method supporting ciphertext mode matching, applied to a data storage terminal;
the data storage terminal acquires from an external terminal, and stores, a ciphertext obtained by encryption with the public parameter, the access structure, the plaintext character string and the plaintext data as input, wherein the ciphertext comprises a partial ciphertext corresponding to the access structure, a partial ciphertext corresponding to the plaintext character string and a partial ciphertext of the plaintext data;
the data storage terminal receives a query request from the data query terminal and returns the partial ciphertext corresponding to the access structure, so that the data query terminal obtains a token key if the attribute set it owns satisfies the access structure;
the data storage terminal acquires the query trapdoor corresponding to a first character string, which the data query terminal obtained from the private key of its attribute set and its token key, executes the matching algorithm on the query trapdoor and the partial ciphertext corresponding to the plaintext character string to obtain an index set, and returns the index set to the data query terminal, so that the data query terminal can judge from the index set whether the ciphertext contains the information it wants;
the data storage terminal receives a download command from the data query terminal and sends the partial ciphertext of the plaintext data to the data query terminal, so that the data query terminal obtains the plaintext data through the decryption algorithm.
The specific communication method is the same as the specific communication method in embodiment 1, and is not described herein again.
Example 4:
Embodiment 4 of the present disclosure provides a data storage device, including a processor, where the processor acquires from an external terminal, and stores, a ciphertext obtained by encryption with the public parameter, the access structure, the plaintext character string and the plaintext data as input, and the ciphertext includes a partial ciphertext corresponding to the access structure, a partial ciphertext corresponding to the plaintext character string and a partial ciphertext of the plaintext data;
the processor receives a query request from the data query terminal and returns the partial ciphertext corresponding to the access structure, so that the data query terminal obtains a token key if the attribute set it owns satisfies the access structure;
the processor acquires the query trapdoor corresponding to a first character string, which the data query terminal obtained from the private key of its attribute set and its token key, executes the matching algorithm on the query trapdoor and the partial ciphertext corresponding to the plaintext character string to obtain an index set, and returns the index set to the data query terminal, so that the data query terminal can judge from the index set whether the ciphertext contains the information it wants;
the processor receives a download command from the data query terminal and sends the partial ciphertext of the plaintext data to the data query terminal, so that the data query terminal obtains the plaintext data through the decryption algorithm.
The specific communication method is the same as the specific communication method in embodiment 1, and is not described herein again.
Example 5:
As shown in fig. 1, an attribute-based secure communication method supporting ciphertext pattern matching is provided in embodiment 1 of the present disclosure, where the system includes four types of entities: a Key Generation Center (KGC), i.e. the first terminal; a Cloud Server (CS); a Data Owner (DO), i.e. the second terminal; and a Data User (DU), i.e. the third terminal.
The method specifically comprises the following steps:
(1) the key generation center KGC executes the system establishment algorithm to obtain the system public parameter PP and the system master key MSK, keeps the MSK secret and publishes PP;
(2) a data user DU applies to the key generation center KGC for a key: the DU submits its attribute set S to the KGC, and the KGC runs the key generation algorithm to obtain the private key SK_S corresponding to S and returns it to the DU;
(3) when the data owner DO wishes to encrypt the plaintext character string T and the plaintext data D, it runs the encryption algorithm to obtain a ciphertext; the DO stores the ciphertext in the cloud server CS so that the data user DU can access it;
(4) when the cloud server CS receives a query request from the data user DU, it first returns part of the ciphertext to the DU; the DU runs the partial decryption algorithm and, if the attribute set S owned by the DU satisfies the access structure, obtains a token key TK;
(5) if the data user DU wants to query whether the ciphertext contains the character string W, it runs the trapdoor generation algorithm to obtain the query trapdoor td_W corresponding to W; the DU sends td_W to the cloud server CS;
(6) the cloud server CS executes the matching algorithm on td_W and CT_T to obtain an index set and returns it to the data user DU;
(7) the data user DU judges, based on the index set, whether the ciphertext contains the information it wants; if so, it downloads the partial ciphertext CT_D and runs the decryption algorithm to obtain the plaintext data D;
The specific communication method is the same as the specific communication method in embodiment 1, and is not described herein again.
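The trapdoor, matching and decryption steps ((E) to (G), steps (5) to (7) above) as an added Python example, not code from the patent. It assumes the DU already holds TK, uses HMAC-SHA256 as a stand-in for f_1, f_2 and Enc/Dec, replaces the patent's trapdoor construction with one deterministic token per character (which reveals equal characters of T to the server), and omits SK_S; all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

TOKEN_LEN = 16  # bytes kept from each per-character token (constructed value)


def _prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def f1(tk: bytes) -> bytes:
    """Stand-in for f_1: derive the data-encryption key from the token key TK."""
    return _prf(tk, b"f1/data-key")


def f2(tk: bytes) -> bytes:
    """Stand-in for f_2: derive the matching secret r from the token key TK."""
    return _prf(tk, b"f2/match-secret")


def _tokens(r: bytes, s: str) -> list[bytes]:
    # Assumed stand-in for the searchable encoding: one deterministic token
    # per character, so equal characters yield equal tokens.
    return [_prf(r, ch.encode("utf-8"))[:TOKEN_LEN] for ch in s]


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode, a stand-in for the unspecified Enc/Dec.
    stream = b""
    ctr = 0
    while len(stream) < len(data):
        stream += _prf(key, nonce + ctr.to_bytes(4, "big"))
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt(tk: bytes, T: str, D: bytes) -> dict:
    """Data owner: build CT_T (searchable part) and CT_D (data part)."""
    k = f1(tk)
    k_enc, k_mac = _prf(k, b"enc"), _prf(k, b"mac")  # separate keys per use
    nonce = secrets.token_bytes(16)
    body = _xor_stream(k_enc, nonce, D)
    tag = _prf(k_mac, nonce + body)
    return {"CT_T": _tokens(f2(tk), T), "CT_D": nonce + body + tag}


def td_gen(tk: bytes, W: str) -> list[bytes]:
    """Data user: r = f_2(TK), then the trapdoor td_W for W = w_0...w_{l-1}."""
    return _tokens(f2(tk), W)


def match(td_w: list[bytes], ct_t: list[bytes]) -> list[int]:
    """Cloud server: offsets j in 0..m-l where W occurs in T; uses no key."""
    l, m = len(td_w), len(ct_t)
    if l == 0 or l > m:  # empty or over-long pattern cannot match
        return []
    return [j for j in range(m - l + 1)
            if all(hmac.compare_digest(ct_t[j + i], td_w[i]) for i in range(l))]


def decrypt(tk: bytes, ct_d: bytes) -> bytes:
    """Data user: D = Dec(f_1(TK), CT_D); rejects a wrong key or altered data."""
    if len(ct_d) < 48:
        raise ValueError("CT_D too short")
    nonce, body, tag = ct_d[:16], ct_d[16:-32], ct_d[-32:]
    k = f1(tk)
    k_enc, k_mac = _prf(k, b"enc"), _prf(k, b"mac")
    if not hmac.compare_digest(tag, _prf(k_mac, nonce + body)):
        raise ValueError("CT_D failed authentication")
    return _xor_stream(k_enc, nonce, body)


if __name__ == "__main__":
    tk = secrets.token_bytes(32)  # token key the DU recovered in step (4)
    ct = encrypt(tk, "abracadabra", b"constructed record")  # constructed input
    index_set = match(td_gen(tk, "abra"), ct["CT_T"])  # run by the CS
    print("index set:", index_set)
    if index_set:  # step (7): download CT_D only when W was found
        print("plaintext:", decrypt(tk, ct["CT_D"]))
```

The server-side `match` receives only CT_T and td_W, which mirrors the split of roles in the flow: the key material derived from TK never leaves the DU and the DO.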
Example 6:
Embodiment 6 of the present disclosure provides an attribute-based secure communication system supporting ciphertext pattern matching, including at least one first terminal, at least one cloud server, at least one second terminal, and at least one third terminal, including the following steps:
the first terminal executes the system establishment algorithm to obtain a system public parameter and a system master key;
the third terminal applies to the first terminal for a key: the third terminal submits its attribute set to the first terminal, and the first terminal runs the key generation algorithm on the system master key and the attribute set of the third terminal to obtain the private key corresponding to the attribute set and returns the private key to the third terminal;
when the second terminal needs to encrypt the plaintext character string and the plaintext data, it runs the encryption algorithm with the public parameter, the access structure, the plaintext character string and the plaintext data as input and outputs the corresponding ciphertext; the ciphertext comprises a partial ciphertext corresponding to the access structure, a partial ciphertext corresponding to the plaintext character string and a partial ciphertext of the plaintext data, and the second terminal stores the ciphertext in the cloud server so that a third terminal can access it;
when the cloud server receives a query request from a third terminal, it returns the partial ciphertext corresponding to the access structure to the third terminal; the third terminal runs the partial decryption algorithm and, if the attribute set owned by the third terminal satisfies the access structure, obtains a token key;
when the third terminal needs to query whether the ciphertext contains the first character string, it runs the trapdoor generation algorithm to obtain the query trapdoor corresponding to the first character string and sends the query trapdoor to the cloud server;
the cloud server executes the matching algorithm on the query trapdoor and the partial ciphertext corresponding to the plaintext character string to obtain an index set, which points to the positions of the first character string in the plaintext character string, and returns the index set to the third terminal;
the third terminal judges from the index set whether the ciphertext contains the information it wants; if so, it downloads the partial ciphertext of the plaintext data and runs the decryption algorithm to obtain the plaintext data.
The specific communication method is the same as the specific communication method in embodiment 1, and is not described herein again.
The above description is only a preferred embodiment of the present disclosure and is not intended to limit the present disclosure, and various modifications and changes may be made to the present disclosure by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present disclosure should be included in the protection scope of the present disclosure.
Claims (10)
1. An attribute-based secure communication method supporting ciphertext mode matching is characterized by being applied to a data query terminal;
the data query terminal sends the attribute set to the external encryption terminal and receives a private key of the attribute set sent back by the external encryption terminal;
the data query terminal sends a data query request to the data storage terminal, obtains a part of ciphertext corresponding to an access structure in the ciphertext of the data storage terminal, operates a part of decryption algorithm to decrypt, and obtains a token key if an attribute set owned by the data query terminal can meet the access structure;
when the data query terminal needs to query whether the ciphertext contains the first character string, operating a trapdoor generation algorithm, obtaining a query trapdoor corresponding to the first character string according to a private key and a token secret key of an attribute set of the data query terminal, and sending the query trapdoor to the data storage terminal;
the data query terminal acquires an index set obtained by the data storage terminal executing a matching algorithm according to the query trapdoor and a part of ciphertext corresponding to the character string in the ciphertext; and judging whether the ciphertext contains the information expected by the ciphertext according to the index set, if so, downloading partial ciphertext of the plaintext data in the ciphertext of the data storage terminal, and operating a decryption algorithm to obtain the plaintext data.
2. The attribute-based secure communication method supporting ciphertext pattern matching as claimed in claim 1, wherein the index set points to a position where the first string appears in the plaintext string.
3. An attribute-based secure communications apparatus that supports ciphertext mode matching, comprising a processor;
the processor sends the device attribute set to the external encryption terminal and receives a private key of the device attribute set sent back by the external encryption terminal;
the processor sends a data query request to the data storage terminal, obtains a part of ciphertext corresponding to the access structure in the ciphertext, operates a part of decryption algorithm to decrypt, and obtains a token key if an attribute set owned by the processor can meet the access structure;
when the processor needs to inquire whether the ciphertext contains the first character string, operating a trapdoor generation algorithm, obtaining an inquiry trapdoor corresponding to the first character string according to a private key and a token secret key of an attribute set of the processor, and sending the inquiry trapdoor to the data storage terminal;
the processor acquires an index set obtained by the data storage terminal executing a matching algorithm according to the query trapdoor and a part of ciphertext corresponding to the character string in the ciphertext; and judging whether the ciphertext contains the information expected by the ciphertext according to the index set, if so, downloading partial ciphertext of the plaintext data in the ciphertext of the data storage terminal, and operating a decryption algorithm to obtain the plaintext data.
4. The attribute-based secure communications apparatus that supports ciphertext pattern matching as claimed in claim 1, wherein the set of indices point to a position where the first string appears in the plaintext string.
5. An attribute-based secure communication method supporting ciphertext mode matching is characterized by being applied to a data storage terminal;
the data storage terminal acquires and stores ciphertext obtained by inputting and encrypting the public parameter, the access structure, the plaintext character string and the plaintext data from the external terminal, wherein the ciphertext comprises a part of ciphertext corresponding to the access structure, a part of ciphertext corresponding to the plaintext character string and a part of ciphertext of the plaintext data;
the data storage terminal receives a query request of the data query terminal and returns part of ciphertext corresponding to the access structure to the data query terminal, so that the data query terminal judges that the owned attribute set can meet the access structure to obtain a token key;
the data storage terminal acquires a query trapdoor corresponding to a first character string obtained by the data query terminal according to a private key of an attribute set of the data query terminal and a token key of the data query terminal, executes a matching algorithm aiming at a part of ciphertext corresponding to the query trapdoor and a plaintext character string to obtain an index set, and returns the index set to the data query terminal so that the data query terminal can judge whether the ciphertext contains information which the data query terminal wants to obtain according to the index set;
the data storage terminal acquires a download command of the data query terminal and sends a part of ciphertext of the plaintext data to the data query terminal, so that the data query terminal obtains the plaintext data through a decryption algorithm.
6. The attribute-based secure communication method supporting ciphertext pattern matching as claimed in claim 5, wherein the index set points to a position where the first string appears in the plaintext string.
7. A data storage device comprising a processor;
the processor acquires and stores a ciphertext obtained by encrypting the public parameter, the access structure, the plaintext character string and the plaintext data which are sent by the external terminal, wherein the ciphertext comprises a part of ciphertext corresponding to the access structure, a part of ciphertext corresponding to the plaintext character string and a part of ciphertext of the plaintext data;
the processor receives a query request of the data query terminal and returns part of ciphertext corresponding to the access structure to the data query terminal, so that the data query terminal judges that the owned attribute set can meet the access structure to obtain a token key;
the processor acquires a query trapdoor corresponding to a first character string obtained by the data query terminal according to a private key and a token private key of the attribute set of the data query terminal, executes a matching algorithm aiming at the query trapdoor and a part of ciphertext corresponding to a plaintext character string to obtain an index set, and returns the index set to the data query terminal; so that the data inquiry terminal judges whether the ciphertext contains the information expected by the data inquiry terminal according to the index set;
the processor acquires a downloading command of the data query terminal and sends a part of ciphertext of the plaintext data to the data query terminal so that the data query terminal obtains the plaintext data through a decryption algorithm.
8. The data storage device of claim 7, wherein the index set points to a location in the plaintext string at which the first string occurs.
9. An attribute-based secure communication method supporting ciphertext mode matching is characterized in that a first terminal, a cloud server, a second terminal and a third terminal exist, and the method comprises the following steps:
the first terminal executes a system establishment algorithm to obtain a system public parameter and a system master key;
the third terminal applies for a key to the first terminal, the third terminal submits the attribute set of the key to the first terminal, and the first terminal runs a key generation algorithm to obtain a private key corresponding to the attribute set by using the system master key and the attribute set of the third terminal and returns the private key to the third terminal;
when the second terminal needs to encrypt the plaintext character string and the plaintext data, an encryption algorithm is operated, the public parameter, the access structure, the plaintext character string and the plaintext data are used as input, corresponding ciphertext is output, the ciphertext comprises a part of ciphertext corresponding to the access structure, a part of ciphertext corresponding to the plaintext character string and a part of ciphertext of the plaintext data, and the ciphertext is stored in the cloud server by the second terminal so that a third terminal can access the ciphertext;
when the cloud server receives a query request of a third terminal, returning part of ciphertext corresponding to the access structure to the third terminal, operating a part of decryption algorithm by the third terminal to decrypt, and if the attribute set owned by the third terminal can meet the access structure, obtaining a token key;
when the third terminal needs to inquire whether the ciphertext contains the first character string, operating a trapdoor generation algorithm to obtain an inquiry trapdoor corresponding to the first character string, and sending the inquiry trapdoor to the cloud server by the third terminal;
the cloud server executes a matching algorithm aiming at the query trapdoor and a part of ciphertext corresponding to the plaintext character string to obtain an index set, and the index set is returned to the third terminal;
and the third terminal judges whether the ciphertext contains the information expected by the third terminal according to the index set, if so, downloads part of the ciphertext of the plaintext data, and operates a decryption algorithm to obtain the plaintext data.
10. An attribute-based secure communication system supporting ciphertext pattern matching, comprising at least one first processor, at least one cloud server, at least one second processor, and at least one third processor, comprising:
the first processor executes a system establishment algorithm to obtain a system public parameter and a system master key;
the third processor applies for a key from the first processor, the third processor submits the attribute set of the key to the first processor, and the first processor runs a key generation algorithm to obtain a private key corresponding to the attribute set by using the system master key and the attribute set of the third processor and returns the private key to the third processor;
when the second processor needs to encrypt the plaintext character string and the plaintext data, an encryption algorithm is operated, corresponding ciphertext is output by taking the public parameter, the access structure, the plaintext character string and the plaintext data as input, the ciphertext comprises a part of ciphertext corresponding to the access structure, a part of ciphertext corresponding to the plaintext character string and a part of ciphertext of the plaintext data, and the ciphertext is stored in the cloud server by the second processor so that the third processor can access the ciphertext;
when the cloud server receives a query request of a third processor, returning part of ciphertext corresponding to the access structure to the third processor, operating a part of decryption algorithm by the third processor to decrypt, and if an attribute set owned by the third processor can meet the access structure, obtaining a token key;
when the third processor needs to inquire whether the ciphertext contains the first character string, operating a trapdoor generation algorithm to obtain an inquiry trapdoor corresponding to the first character string, and sending the inquiry trapdoor to the cloud server by the third processor;
the cloud server executes a matching algorithm aiming at the query trapdoor and a part of ciphertext corresponding to the plaintext character string to obtain an index set, wherein the index set points to the position of the first character string in the plaintext character string, and returns the index set to the third processor;
and the third processor judges whether the ciphertext contains the information expected by the ciphertext according to the index set, if so, downloads part of ciphertext of the plaintext data, and operates a decryption algorithm to obtain the plaintext data.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010338665.9A CN111556048B (en) | 2020-04-26 | 2020-04-26 | Attribute-based secure communication method and system supporting ciphertext mode matching |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111556048A (en) | 2020-08-18 |
CN111556048B (en) | 2022-04-01 |
Family
ID=72004446
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010338665.9A Active CN111556048B (en) | 2020-04-26 | 2020-04-26 | Attribute-based secure communication method and system supporting ciphertext mode matching |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111556048B (en) |
Also Published As
Publication number | Publication date |
---|---|
CN111556048B (en) | 2022-04-01 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |