CN111901328A - Attribute-based encryption method based on prime order group - Google Patents

Abstract

The invention discloses an attribute-based encryption method based on prime order groups, which comprises the following steps: (1) the authentication center generates a prime order group and generates a public parameter and a main private key according to the security parameter; (2) the authentication center generates a user private key associated with the user attribute set according to the public parameter, the main private key and the user attribute set; (3) the data publisher encrypts a plaintext according to the public parameters and the required access control strategy, and outputs a ciphertext and the access control strategy only with the attribute name set; (4) and the data acquirer verifies whether the attribute set meets the access control strategy according to the private key, the public parameter and the ciphertext related to the personal attribute set, and then decrypts to acquire the plaintext. The invention is constructed based on prime order group, meets the complete safety of composite order group construction, effectively shortens the public parameter and the key length, simultaneously improves the operation and storage efficiency, and meets the operation and storage requirements of limited equipment in intelligent medical treatment.

Description

Attribute-based encryption method based on prime order group

Technical Field

The invention relates to an encryption method applied to intelligent medical treatment, in particular to an attribute-based encryption method based on prime order groups.

Background

The intelligent medical treatment is a great innovation of the existing medical system, the intelligent medical system utilizes advanced technologies such as the Internet of things and the cloud, and the user side collects health data of the user in real time through intelligent wearable equipment and wireless sensors and uploads the data to the cloud through the network. The doctor can acquire user data from the cloud and give corresponding suggestions and treatment schemes.

Although intelligent medical treatment greatly improves medical efficiency through technologies such as cloud and internet of things, the problem of user data privacy is also brought. Because the health data of the users need to be uploaded to the cloud after being collected, the data of the cloud is shared, all the users can acquire the desired data through the cloud, and malicious users can acquire the privacy data of other users through the cloud, so that the privacy safety and the personal safety of legal users can be threatened.

The traditional public key encryption scheme can only meet the encryption and decryption of a single public and private key pair, and data encrypted by a public key can be decrypted only by a corresponding private key, does not have a flexible authorization and authentication function, and does not meet the requirement of data sharing on the cloud. Attribute-based encryption provides more flexible access control functionality, but a traditional ciphertext policy based on an attribute encryption scheme (CP-ABE) may include an access control policy in plaintext form in ciphertext, and upload the ciphertext to the cloud at the same time, while the access control structure may carry part of the user's private information, for example, the access control policy is "affinity: City Hospital and address: Cardiologist", which specifies that users with the attributes "City Hospital" and "Cardiologist" may decrypt, and other users may deduce that the encrypted information is related to heart disease although the user cannot decrypt, and the data publisher may have heart disease, which is not desired by the user.

Yinghui Zhang et al proposed an attribute-based encryption scheme with partially hidden policy (Zhang Y, ZhengD, Deng R H.Security and privacy in smart health: Efficient policy-based access control [ J ]. IEEE Internet of threads Journal,2018,5(3): 2130-.

However, in order to achieve complete security, the scheme of Yinghui Zhang et al is constructed based on a complex order group, the time required for the pairing and exponential operation on the complex order group is long, and the key and public parameter of the complex order group scheme are long, and the Aurore guillemic (guillemic a. matching the pairing and exponential over complex-order and prime-order iterative curves [ C ]// International Conference on applied cryptography and Network security. springer, Berlin, Heidelberg,2013:357 and 372.) studies and verifies that the construction efficiency of the complex order group is far lower than that of the prime number group construction, and suggests to avoid the complex group construction scheme as much as possible. The intelligent medical treatment can involve computing limited devices such as sensors, the storage resources and the computing resources of the devices are limited, and the scheme of Yinghui Zhuang and the like cannot completely meet the application scene of the intelligent medical treatment.

Disclosure of Invention

The technical problem to be solved by the invention is as follows: aiming at the existing problems, the method can meet the requirement of flexible access control on data on the cloud, and meanwhile, based on a prime order group construction scheme, the method meets the requirements of efficient calculation and shorter keys of limited equipment in the Internet of things, and simultaneously meets the same complete safety property in the homozygote order group construction.

The technical scheme adopted by the invention is as follows:

an attribute-based encryption method based on prime order groups comprises the following steps:

(1) in the initialization stage, the authentication center generates a prime order group, and generates a public parameter and a main private key according to the security parameter:

(1.1) the authentication center selects two groups with the same prime order p

And

and corresponding bilinear map

Order to

Randomly selecting 5-dimensional linearly independent vectors on 5 p-order finite fields

And require for all i>2, i ≠ j

When i is j

Randomly selecting a generator

Order to

Let G1 be equal to<γ₁，γ₂>Represents G₁Is a group formed by tuples consisting of the two elements, with the same pair 2 ≦ i ≦ 4, G_i＝<γ_i+1>(ii) a Finally defining a pairing operation on a new group

Outputting the newly defined groups and corresponding pairing: (G, G)₁，G₂，G₃，G₄，G_t，e)；

(1.2) setting the attribute field to

The alpha is randomly selected and the alpha is randomly selected,

g，h∈_RG₁，X₃∈_RG₃，Z，X₄∈_RG₄calculating Y ═ e (g, g)^αAnd H-hZ;

(1.3) outputting public parameter PK ═ N, g^a，Y，H，X₄) And the main private key MK ═ (alpha, h, X)₃)；

(2) In the key generation stage, the authentication center generates a user private key associated with the user attribute set according to the public parameters, the master private key and the user attribute set:

(2.1) the authentication center confirms the set of attributes of the user who needs to distribute the key

Wherein

The name of the attribute is represented by,

representing the attribute value corresponding to the attribute name;

(2.2) random selection

And R, R', Ri ∈_RG₃Wherein

Calculating K ═ g^αg^atR，K′＝g^tR′，

(2.3) outputting the private key of the user

And sending to the user;

(3) and in the encryption stage, a data publisher encrypts a plaintext according to the public parameters and the required access control strategy, and outputs a ciphertext and the access control strategy only with the attribute name set:

(3.1) data publisher determines access control structures needed for decryption

Wherein A is an l × n matrix; ρ is a mapping that maps each row A in the matrix_xMapping to an attribute name;

an attribute value representing a corresponding attribute name;

(3.2) for plaintext M ∈ G_TRandomly selecting two vectors

Wherein upsilon is (s, v)₂，…，υ_n)，υ′＝(s′，υ′₂，…，υ′_n) (ii) a Based on X₄Random selection of Z_Δ∈_RG₄And Z_Δ，x，Z_c，x，Z_d，x∈_RG₄Random selection of

(3.3) calculation of

And

and (3) outputting a ciphertext:

(4) in the decryption stage, a data acquirer verifies whether the attribute set meets an access control strategy according to a private key, a public parameter and a ciphertext related to the personal attribute set, and then obtains a plaintext through decryption:

(4.1) a verification stage: calculating I from (A, ρ)_A，ρRepresenting a minimum set of attributes satisfying the access control structure, verifying whether the set of user attributes consists of a subset

Satisfy the requirement of

And

wherein the content of the first and second substances,

is a constant set satisfies

If it is

If not, it indicates that the decryptor data set does not satisfy the access control structure, and if calculated

Entering a decryption stage;

(4.2) decryption stage: and (3) calculating:

then, the plaintext is obtained through decryption:

in summary, due to the adoption of the technical scheme, the invention has the beneficial effects that:

1. the invention is constructed based on prime order group, meets the complete safety of composite order group construction, can effectively shorten the public parameter and the key length, simultaneously improves the operation and storage efficiency, and meets the operation and storage requirements of limited equipment in intelligent medical treatment.

2. The invention is also a partially hidden attribute-based encryption method, can provide a flexible access control method, and hides the user privacy data value in the access control structure, thereby ensuring the privacy of the user data on the cloud.

Drawings

In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present invention and therefore should not be considered as limiting the scope, and for those skilled in the art, other related drawings can be obtained according to the drawings without inventive efforts.

FIG. 1 is a block diagram of a process of an attribute-based encryption method based on prime order groups according to the present invention.

Detailed Description

In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the detailed description and specific examples, while indicating the preferred embodiment of the invention, are intended for purposes of illustration only and are not intended to limit the scope of the invention. The components of embodiments of the present invention generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations. Thus, the following detailed description of the embodiments of the present invention, presented in the figures, is not intended to limit the scope of the invention, as claimed, but is merely representative of selected embodiments of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments of the present invention without making any creative effort, shall fall within the protection scope of the present invention.

The features and properties of the present invention are described in further detail below with reference to examples.

As shown in fig. 1, an attribute-based encryption method based on prime order group includes the following steps:

(1) in the initialization stage, the authentication center generates a prime order group, and generates a public parameter and a main private key according to the security parameter:

(1.1) the authentication center selects two groups with the same prime order p

And

and corresponding bilinear map

Order to

Randomly selecting 5-dimensional linearly independent vectors on 5 p-order finite fields

And when all i > 2, i ≠ j are required

When i is j

Randomly selecting a generator

Order to

Let G₁＝<γ₁，γ₂>Represents G₁Is a group formed by tuples consisting of the two elements, with the same pair 2 ≦ i ≦ 4, G_i＝<γ_i+1>(ii) a Finally defining a pairing operation on a new group

Outputting the newly defined groups and corresponding pairing: (G, G)₁，G₂，G₃，G₄，G_t，e)；

(1.2) setting the attribute field to

The alpha is randomly selected and the alpha is randomly selected,

g，h∈RG₁，X₃∈_RG₃，Z，X₄∈_RG₄calculating Y ═ e (g, g)^αAnd H ═ HZ;

(1.3) outputting public parameter PK ═ N, g^a，Y，H，X₄) And the main private key MK ═ (alpha, h, X)₃)；

(2) In the key generation stage, the authentication center generates a user private key associated with the user attribute set according to the public parameters, the master private key and the user attribute set:

(2.1) the authentication center confirms the set of attributes of the user who needs to distribute the key

Wherein

The name of the attribute is represented by,

representing the attribute value corresponding to the attribute name;

(2.2) random selection

And R, R', R_i∈_RG₃Wherein

Calculating K ═ g^αg^atR，K′＝gtR′，K_i＝(g^sih)^tR_i；

(2.3) outputting the private key of the user

And sending to the user;

(3) and in the encryption stage, a data publisher encrypts a plaintext according to the public parameters and the required access control strategy, and outputs a ciphertext and the access control strategy only with the attribute name set:

(3.1) data publisher determines access control structures needed for decryption

Wherein A is an l × n matrix; ρ is a mapping that maps each row A in the matrix_xMapping to an attribute name;

an attribute value representing a corresponding attribute name;

(3.2) for plaintext M ∈ G_TRandomly selecting two vectors

Wherein upsilon is (s, v)₂，…，υ_n)，υ′＝(s′，υ′₂，…，υ′_n) (ii) a Based on X₄Random selection of Z_Δ∈_RG₄And Z_Δ，x，Z_c，x，Z_d，x∈_RG₄Random selection of

(3.3) calculation of

And

and (3) outputting a ciphertext:

(4) in the decryption stage, a data acquirer verifies whether the attribute set meets an access control strategy according to a private key, a public parameter and a ciphertext related to the personal attribute set, and then obtains a plaintext through decryption:

(4.1) a verification stage: calculating I from (A, ρ)_A，ρRepresenting a minimum set of attributes satisfying the access control structure, verifying whether the set of user attributes consists of a subset

Satisfy the requirement of

And

wherein the content of the first and second substances,

is a constant set satisfies

If it is

If not, it indicates that the decryptor data set does not satisfy the access control structure, and if calculated

Entering a decryption stage; the verification stage can quickly verify whether the attribute set of the decryptor meets the access control structure, decryption can be carried out after verification is passed, and plaintext information cannot be exposed even if ciphertext is not required to be decrypted in the verification stage;

(4.2) decryption stage: and (3) calculating:

then, the plaintext is obtained through decryption:

the above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents and improvements made within the spirit and principle of the present invention are intended to be included within the scope of the present invention.

Claims (1)

1. An attribute-based encryption method based on prime order groups is characterized by comprising the following steps:

(1) in the initialization stage, the authentication center generates a prime order group, and generates a public parameter and a main private key according to the security parameter:

(1.1) the authentication center selects two groups with the same prime order p

And

and corresponding bilinear map

Order to

Randomly selecting 5-dimensional linearly independent vectors on 5 p-order finite fields

And when all i > 2, i ≠ j are required

When i is j

Randomly selecting a generator

Order to

Let G₁＝<γ₁，γ₂>Represents G₁Is a group formed by tuples consisting of the two elements, with the same pair 2 ≦ i ≦ 4, G_i＝<γ_i+1Above (S); finally defining a pairing operation on a new group

Outputting the newly defined groups and corresponding pairing: (G, G)₁，G₂，G₃，G₄，G_t，e)；

(1.2) setting the attribute field to

The alpha is randomly selected and the alpha is randomly selected,

g，h∈_RG₁，X₃∈_RG₃，Z，X₄∈_RG₄calculating Y ═ e (g, g)^αAnd H-hZ;

(1.3) outputting public parameter PK ═ N, g^a，Y，H，X₄) And the main private key MK ═ (alpha, h, X)₃)；

(2) In the key generation stage, the authentication center generates a user private key associated with the user attribute set according to the public parameters, the master private key and the user attribute set:

(2.1) the authentication center confirms the set of attributes of the user who needs to distribute the key

Wherein

The name of the attribute is represented by,

representing the attribute value corresponding to the attribute name;

(2.2) random selection

And R, R', R_i∈_RG₃Wherein

Calculating K ═ g^αg^atR，K′＝g^tR′，

(2.3) outputting the private key of the user

And sending to the user;

(3) and in the encryption stage, a data publisher encrypts a plaintext according to the public parameters and the required access control strategy, and outputs a ciphertext and the access control strategy only with the attribute name set:

(3.1) data publisher determines access control structures needed for decryption

Wherein A is an l × n matrix; ρ is a mapping that maps each row A in the matrix_xMapping to an attribute name;

an attribute value representing a corresponding attribute name;

(3.2) for plaintext M ∈ G_TTwo vectors v are randomly selected,

wherein upsilon ═ s，υ₂，…，υ_n)，υ′＝(s′，υ′₂，…，υ′_n) (ii) a Based on X₄Random selection of Z_Δ∈_RG₄And Z_Δ，x，Z_c，x，Z_d，x∈_RG₄Random selection of

(3.3) calculation of

And

and (3) outputting a ciphertext:

(4) in the decryption stage, a data acquirer verifies whether the attribute set meets an access control strategy according to a private key, a public parameter and a ciphertext related to the personal attribute set, and then obtains a plaintext through decryption:

(4.1) a verification stage: calculating I from (A, ρ)_A，ρRepresenting a minimum set of attributes satisfying the access control structure, verifying whether the set of user attributes consists of a subset

Satisfy the requirement of

And

wherein the content of the first and second substances,

is a constant set satisfies

If it is

If not, it indicates that the decryptor data set does not satisfy the access control structure, and if calculated

Entering a decryption stage;

(4.2) decryption stage: and (3) calculating:

then, the plaintext is obtained through decryption:

Images