CN113055164A - Cipher text strategy attribute encryption algorithm based on state cipher - Google Patents

Cipher text strategy attribute encryption algorithm based on state cipher

Info

Publication number
CN113055164A
Authority
CN
China
Prior art keywords
node
algorithm
access
tree
attribute
Prior art date
Legal status
Pending
Application number
CN202110264139.7A
Other languages
Chinese (zh)
Inventor
陈序
龚生智
马小峰
万强
叶蔚
Current Assignee
Suzhou Tongji Blockchain Research Institute Co ltd
Original Assignee
Suzhou Tongji Blockchain Research Institute Co ltd
Priority date
Filing date
Publication date
Application filed by Suzhou Tongji Blockchain Research Institute Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L 9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L 9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H04L 9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L 9/3066 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption

Abstract

The invention relates to a ciphertext-policy attribute-based encryption algorithm built on the national (SM) cryptographic algorithms, composed of a Setup algorithm, a KeyGen algorithm, an Encrypt algorithm and a Decrypt algorithm. The invention improves both security and practicality.

Description

Cipher text strategy attribute encryption algorithm based on state cipher
Technical Field
The invention relates to a ciphertext-policy attribute-based encryption algorithm built on the national (SM) cryptographic algorithms.
Background
In traditional public-key encryption and identity-based encryption, a single user's public key can only be used to encrypt data for that one user to read; if the data is to be shared by several users, it has to be encrypted several times. Role-based encryption lets one party encrypt for access by many, but cannot achieve fine-grained access control. Attribute-based encryption originated from fuzzy identity-based encryption and addresses the secure storage and fine-grained access control of data in cyberspace. Attribute-based encryption ensures the confidentiality of data and also provides a degree of anonymity.
Attribute-based encryption tightly combines a cryptographic algorithm with an access control policy: a flexible, fine-grained access policy can be expressed at the time the data is encrypted.
Ciphertext-policy attribute-based encryption (CP-ABE) is attribute-based encryption in which the policy is attached to the ciphertext. No direct communication between the data owner and the user is needed in CP-ABE. If a user cannot decrypt the acquired data, whether the user's attributes match the owner's access structure is determined from the attribute information attached to the ciphertext. The access structure can combine structures of various forms, so the same ciphertext can be decrypted by several users and the same private key can decrypt different ciphertexts; the traditional one-to-one encryption mode thereby becomes a many-to-many mode that meets practical application needs.
With the rise of new computing technologies such as cloud computing, the internet of things and big data, global informatization has profoundly changed the world, and the dependence of the national economy, social development and everyday life on information technology has reached an unprecedented level. A global information-sharing mechanism has been established and plays an important role in strengthening economic, scientific, educational and cultural cooperation between countries. Network information technology provides efficient information services for government departments, enterprises, public institutions and individuals; at the same time, the openness and shareability of the network bring security hazards that restrict their healthy development. Information security touches finance, medical care, electric power, social security, tourism and other sectors, and is characterised by diverse attack forms, complex threats, wide impact, serious consequences and sudden incidents. Security in information networks is a common challenge for every country; information security in the big-data environment has become a research hotspot, and its core is the management of massive, complex data resources in large network application systems. The International Organization for Standardization (ISO) defines five security services in ISO 7498-2, namely authentication, access control, data confidentiality, data integrity and non-repudiation, and identifies access control as an important component of them.
The United States Department of Defense likewise identifies access control as a core technology for ensuring data security in the Trusted Computer System Evaluation Criteria (the "Orange Book").
Access control is a method of explicitly allowing or restricting a user's access capability and scope. It is an important basis for system confidentiality, integrity, availability and legitimacy, and one of the key policies for network security and resource protection. To ensure that network resources are used in a controlled and legal manner, access control guarantees that only users with the corresponding authority can access, copy, modify or delete data in the information system, thereby preventing illegal users from accessing system resources and preventing legal users from exceeding their authority. When accessing resources, a user must act within his or her authority and cannot perform access beyond it, because access control follows the principle of least privilege: when a user applies for rights, the system administrator assigns the lowest rights needed to complete the user's task, and the user cannot obtain any right beyond the scope of that work. Colloquially, access control answers the questions of what you can do and what you have permission for.
The basic goals of access control are to prevent unauthorized users from accessing protected data resources and to allow authorized users reasonable access to them; both are necessary features of a security system. Access control is generally implemented in three steps: (1) verifying the identity of the user; (2) selecting a control policy and managing it; (3) handling unauthorized operations by illegal users or by legal users. The position of access control within the security system is shown in fig. 1.
As a core technology of complex data resource management, access control still faces many difficulties in an untrusted network environment, such as data confidentiality, access right management, fine-grained authorization and application in heterogeneous environments. Especially in new computing modes such as mobile computing, cloud computing and named data networking, the network environment is heterogeneous and diverse, and access control faces new problems:
1. Big-data, multi-user data access control problem
Because of the openness of the network and the security defects of communication protocols, data transmitted and stored on the network is easily leaked or damaged; secure access control for the data resources of a computer network system can be achieved with encryption technology. In conventional access control and role-based access control, a corresponding access key is issued and managed for each user for every piece of shared data. Under today's global information network, however, the amount of shared data and the number of users have increased sharply and access control requirements have become complex; the existing authority-based access control methods cannot meet the needs of big-data, multi-user access control, and the privacy protection of big data, large-scale user authorization management and concurrent access processing have become the current access control problems.
2. Third-party storage causes unauthorized access by privileged users and information disclosure
With the advent of new network forms and data storage models, users migrate data, including confidential and sensitive data, to third-party data servers to overcome insufficient storage resources. For example, cloud storage uses distributed file system technology, grid technology and cluster applications to make different kinds of storage devices dispersed across regions work together through application software, providing storage and data access functions to the users of the network. Because these network services make effective use of the enormous storage resources in the network, they save users a great deal of storage cost. However, the third-party data service organization is not always fully trusted: on one hand the data resources are not completely controlled by their owner, and on the other hand the cloud server can access stored data beyond its authority, so data confidentiality is not guaranteed. Users are therefore reluctant to place information related to core secrets on third-party data servers, which limits the development of such servers.
3. Multi-party and "cross-domain" communication access control problem
Under new network and data service modes such as cloud computing, the internet of things and big data, the cyberspace security requirement has changed from both communicating parties being single users to at least one party being multi-user, i.e. the traditional one-to-one communication mode is gradually giving way to one-to-many, many-to-one and many-to-many multi-party communication; at the same time, same-domain communication is becoming cross-domain communication, i.e. the data owner and the service provider may be in two different regions. In the new network forms and data service scenarios, how to satisfy access control for multi-user access and "cross-domain" communication has therefore become one of the problems to be solved in applying access control technology.
4. Fine-grained authorization management requirement problem
As computer network systems grow more complex across industries and platforms, large numbers of users have diversified and finer-grained permission requirements in order to meet varied application needs: users are no longer satisfied with a single, coarse and uniform access permission, but need different, fine-grained permissions at different times, in different states and for different requirements. Fine-grained permission management thus places new requirements on access control.
Existing approaches are as follows.
KP-ABE
Almost all attribute-based encryption schemes can be classified into key-policy attribute-based encryption (KP-ABE) and ciphertext-policy attribute-based encryption (CP-ABE).
The KP-ABE scheme was first proposed in 2006 by Goyal et al. The ciphertext is labelled by a set of attributes, and the private key is associated with an access structure that controls which ciphertexts a user may decrypt. The access structure is monotonic, supporting AND, OR and threshold operations. The key access formula in this scheme cannot contain "not" constraints, which may be a problem in scenarios with conflicting interests. Ostrovsky et al. added support for "not" in 2007; their construction supports non-monotonic access structures, has stronger expressive power, and applies to both KP-ABE and CP-ABE.
The main drawback of the schemes of Goyal et al. and Ostrovsky et al. is that the private key grows by a factor of log n (n being the maximum number of attributes); more precisely, there are O(log n) group elements per "not" attribute in the private key. In Lewko et al. there are only two group elements per "not" attribute, which in practice reduces private key storage by an order of magnitude.
All previous ABE constructions in the basic model required a small universe size or a bound on the number of attributes to be fixed at setup; the solution proposed by Lewko and Waters avoids such a limit.
In most ABE systems the ciphertext size grows linearly with the number of ciphertext attributes. Attrapadung et al. first proposed a KP-ABE scheme that allows non-monotonic access structures with constant ciphertext size; its disadvantage is that the private key size is quadratic in the number of attributes.
CP-ABE
Bethencourt et al. first proposed a CP-ABE scheme in 2007. In this scheme attributes describe the user's credentials, and the party encrypting the data decides who can decrypt by describing the required attributes or credentials. The user's private key is associated with attributes represented as strings. In other words, the party encrypting the message specifies an access structure over the attributes, and a user can decrypt the ciphertext only if the user's attributes satisfy the access structure of the ciphertext. In KP-ABE, by contrast, the encryptor has no control over who can access the data beyond specifying the attributes the data carries, and must additionally trust the key distributor.
Cheung and Newport first proposed a chosen-plaintext secure CP-ABE scheme (under the decisional bilinear Diffie-Hellman assumption) whose access structure is an AND gate over positive and negative attributes.
Goyal et al. first proposed a CP-ABE construction whose security proof rests on standard number-theoretic assumptions and which supports advanced access structures; earlier constructions either supported only very limited access structures or relied on the generic group model. The access structure supported there is expressed as a bounded-size access tree whose nodes are thresholds. The bound on the access tree (depth of the tree, number of children per non-leaf node) is fixed at system setup, and the scheme is then generalised to support non-monotonic access policies. Liang et al. improved the scheme of Goyal et al. with faster encryption/decryption algorithms and shorter ciphertexts.
The Ibraiimi et al. scheme can express any formula over AND and OR operations, and additionally introduces an operation of. It does not use a threshold scheme and uses an n-ary tree.
Bobba et al. focus on improving the flexibility of expressing user attributes in keys, proposing ciphertext-policy attribute-set-based encryption (CP-ASBE). Unlike existing CP-ABE, which expresses the user's attributes in the key as a single flat set, CP-ASBE organises user attributes into a recursive set structure, letting users show how attributes are dynamically constrained. CP-ASBE supports combined attributes and multi-valued numerical attributes.
In the previous schemes the ciphertext length depends on the number of attributes. Emura et al. propose a CP-ABE scheme whose ciphertext length is constant and whose number of bilinear pairing computations is also constant; its access structure is an AND gate over multi-valued attributes. This scheme does not support wildcards in access policies, which would cause an exponential increase in the number of access policies, and to decrypt a ciphertext the decryptor's attributes must match the access policy exactly, so this is in effect a one-to-one model. The scheme proposed by Zhou and Huang reduces the ciphertext to a fixed size with an AND-gate access structure over any given number of attributes; each ciphertext requires two elements of a bilinear group under chosen-ciphertext security, and it is proven secure under chosen-plaintext security.
In conventional CP-ABE schemes the access structure is sent explicitly with the ciphertext, so anyone who obtains the ciphertext learns the access structure associated with it. In some applications the access structure itself contains sensitive information that should be visible only to users whose private-key attributes satisfy it. Lai et al. first proposed a CP-ABE model with a partially hidden access structure; its security relies on some non-standard complexity assumptions, and finding solutions based on simple assumptions remains a direction for future work.
Layering
In identity-based cryptography, a single Private Key Generator (PKG) removes the need for online lookups, but it is undesirable in large networks because the PKG becomes a bottleneck: it carries computational overhead, must verify identities, and needs a secure channel to deliver each private key. In hierarchical identity-based encryption (HIBE), the root PKG only needs to generate private keys for the domain PKGs, which in turn generate private keys for the PKGs of the next layer, and so on until the user's private key is generated. Authentication and private key delivery can thus be done locally, and the leakage of keys at a lower PKG does not affect higher PKGs. Hierarchical attribute-based encryption (HABE) schemes are mainly built by combining HIBE with ABE.
When confidential data outsourced by an enterprise user is shared on a cloud server, the encryption system adopted must not only support fine-grained access control but also provide high performance, full delegation and scalability, so that the data can be accessed anytime and anywhere. Wang et al. propose a scheme that combines HIBE and CP-ABE to help enterprises share confidential data effectively on a cloud server. However, this scheme uses a disjunctive-normal-form policy and assumes that all attributes in a conjunctive clause are managed by the same domain, so the same attribute may be managed by multiple domains through a particular policy. ABE is often criticised for its high overhead because of the large number of bilinear pairing operations required; Li et al. improve the efficiency of ABE by using a tree hierarchy.
In previous HIBE constructions in the basic model, the maximum number of levels had to be fixed at setup; the Lewko and Waters approach avoids this limitation. Wan and Gu extended CP-ABE with a layered structure to achieve scalability. Wang et al. propose a hierarchical attribute-based encryption scheme (HABE) that combines a hierarchical identity-based encryption system (HIBE) with a KP-ABE system to provide fine-grained access control, full delegation and high performance, and then obtain a scalable user right revocation scheme by applying proxy re-encryption and lazy re-encryption to HABE.
Wan et al. propose a new scalable, secure hierarchical key update scheme; design and implement a scalable, privacy-preserving access control framework (supporting lazy revocation and access hierarchies) for existing untrusted cloud services; propose a KP-ABE-based signature scheme; and provide the first open-source cryptographic library supporting hierarchical identity-based encryption and KP-ABE schemes.
Revocation
A revocation mechanism is required for any encryption scheme involving multiple users, since attributes become invalid when they expire and users may misuse their private keys. There are two kinds of ABE revocation, direct and indirect. In direct revocation the sender specifies a revocation list at encryption time. Indirect revocation is achieved by the key authority periodically issuing key updates; only users that have not been revoked can update their keys, so the keys of revoked users implicitly become useless. The advantage of indirect revocation is that the sender does not need to know the revocation list; the advantage of direct revocation is that non-revoked users never have to interact with the key authority in a rekeying phase.
Attrapadung and Imai build ABE systems with direct revocation in the broadcast ABE setting. Direct revocation has the useful property that revocation can be accomplished without affecting other users. For KP-ABE, their system is the first fully functional directly revocable solution. For CP-ABE, their system is more efficient than the best previous revocation schemes, and in particular one of the schemes keeps key and ciphertext sizes the same as the best current (non-revocable) CP-ABE. Later, Attrapadung and Imai first proposed a hybrid ABE revocation scheme that lets the sender choose direct or indirect revocation at encryption time, combining the advantages of both.
Ibraimi et al. extend CP-ABE with instantaneous attribute revocation. In their scheme the private key is shared between a mediator and the user, and to decrypt the user must contact the mediator to obtain a decryption token. The mediator maintains an attribute revocation list and refuses decryption tokens for revoked attributes; without the token the user cannot decrypt the ciphertext, so the attribute is implicitly revoked. Liang et al. propose an efficient CP-ABE scheme provably secure in the standard model, using linear secret sharing and binary-tree techniques, with each user assigned a unique identifier; a user is easily revoked by that identifier.
Yu et al. implement a new scheme for revoking user attributes through proxy re-encryption. The scheme revokes user attributes at minimal cost and lets the organisation delegate most of the laborious work to the proxy server.
Wang et al. propose a scalable revocation scheme by applying proxy re-encryption and lazy re-encryption to HABE. Xu and Martin enable updating of system keys and removal of user access rights without distributing new keys. Sahai et al. allow the storage server to update stored ciphertexts so that revoked users can no longer access the data, while rekey broadcasts can dynamically revoke selected users. Xie et al. propose more efficient attribute revocation and user revocation schemes.
Traceability
Existing ABE schemes also suffer from the problem of key abuse. There are mainly two types of key abuse: (1) illegal key sharing among colluding users; (2) illegal key distribution by a semi-trusted attribute authority. In an attribute-based encryption access control system, the attribute private key directly implies the user's access rights to the protected resource. Key abuse is possible in current attribute-based encryption schemes because the attribute private key assigned to a user is associated only with general, shared user attributes and does not contain any user-specific information. Hinek et al. first proposed a solution to key abuse by users, but requiring a third party to take part in the user's decryption operation is impractical.
Li et al. propose CP-ABE with traceability to prevent illegal key sharing between colluding users. User traceability is achieved by embedding additional user-specific information in the attribute private key distributed to the user. Traceability of a semi-trusted attribute authority is achieved by including in the user's attribute private key a secret of the user that is unknown to the attribute authority. The key idea of these methods is to treat the user-specific information or secret as another default attribute. Although Li et al. address this issue, they address user traceability only in specific anonymous ABE applications, and the issue needs careful consideration when the system is used in a cloud computing environment. Li et al. achieve user traceability in a cloud computing environment by using traitor tracing.
Key abuse attacks in KP-ABE may prevent its widespread use, especially in copyright-sensitive systems. The KP-ABE scheme proposed by Yu et al. allows key abuse to be detected: by observing the output of a pirate device on specific inputs, the ID of an illegal key distributor can be traced. Later, Yu et al. achieved user traceability in a cloud computing environment.
Disclosure of Invention
To solve the above technical problems, the invention aims to provide a ciphertext-policy attribute-based encryption algorithm built on the national (SM) cryptographic algorithms.
To achieve this purpose, the invention adopts the following technical scheme:
a ciphertext-policy attribute-based encryption algorithm based on the national cipher, consisting of a Setup algorithm, a KeyGen algorithm, an Encrypt algorithm and a Decrypt algorithm respectively,
wherein
Setup algorithm: select cyclic groups $G_1$ and $G_2$ of prime order $p$, with $g_1$ and $g_2$ generators of $G_1$ and $G_2$ respectively, and select random $\alpha, \beta \in \mathbb{Z}_p$;
generate the public key
$PK = e(g_1, g_2)^{\alpha},\quad h = g_1^{\beta}$
and the master key
$MK = \beta,\ g_2^{\alpha}$
KeyGen algorithm: the key generation algorithm takes the attribute set S and the master key as input and outputs a key labelled by S. It first selects a random $r \in \mathbb{Z}_p$, then for each $j \in S$ a random $r_j \in \mathbb{Z}_p$, and finally computes the
private key
Figure BDA0002971284030000091
Encrypt algorithm: encrypts the message M under the access tree τ. A polynomial $q_x$ is first chosen for each node x of τ, including the leaf nodes. Starting from the root node R, the polynomials are chosen from the top down; the degree $d_x$ of the polynomial $q_x$ of node x is one less than the threshold $k_x$ of that node, i.e. $d_x = k_x - 1$;
beginning at the root node R, the algorithm selects a random $s \in \mathbb{Z}_p$ and sets $q_R(0) = s$; it then randomly selects $d_R$ further points to fully define $q_R$. For every other node x it sets $q_x(0) = q_{\mathrm{parent}(x)}(\mathrm{index}(x))$ and randomly selects $d_x$ further points to fully define $q_x$.
Let Y be the set of all leaf nodes in τ; the ciphertext under the given tree access structure τ is then computed as
Figure BDA0002971284030000092
$C = h^{s}$
Figure BDA0002971284030000093
$C'_y = H(\mathrm{att}(y))^{q_y(0)}$ for each $y \in Y$
The Decrypt algorithm firstly defines a recursion algorithm DecryptNode (PK, CT, x), and takes a node x in a private key SK associated with a ciphertext CT and an attribute set S as input;
when node x is a leaf node, let i attr (x), if i ∈ S, then
Figure BDA0002971284030000101
If it is not
Figure BDA0002971284030000102
Then DecryptNode (PK, CT, x) ═ t;
when node x is a non-leaf node, F is calculated for all children z of xzDecrypt (PK, CT, z), let SxIs kxSize satisfies FzA set of child nodes z ≠ ≠ if no such set exists, then this node is not satisfied and the function returns ≠ j;
otherwise, calculating
Figure BDA0002971284030000103
After defining the DecryptNode function, a decryption algorithm is defined, the decryption algorithm first calls DecryptNode (CT, SK, R), R is the root node of the tree, if the tree satisfies S,
order to
Figure BDA0002971284030000104
The algorithm then decrypts by computing
Figure BDA0002971284030000111
Preferably, in the ciphertext-policy attribute-based encryption algorithm based on the national cipher, e in the Setup algorithm is a map G_1 × G_2 → G_T; if e satisfies the following three properties, e is called a valid bilinear map from G_1 to G_2:
1) bilinear:
Figure BDA0002971284030000116
e(g_1^a, g_2^b) = e(g_1, g_2)^{ab}
2) non-degeneracy:
e(g_1, g_2) ≠ 1;
3) computability:
Figure BDA0002971284030000113
e(u, v) can be computed efficiently;
where e is computed using the R-ate bilinear pairing.
Let A, B, a, b ∈ Z with A = aB + b. The Miller function f_{Q,A}(P) has the following property:
Figure BDA0002971284030000114
The R-ate pairing is defined as
Figure BDA0002971284030000115
The R-ate pairing on the sm9bn256 elliptic curve can be computed as follows:
Input: P ∈ E(F_q)[r],
Figure BDA0002971284030000121
a = 6t + 2
Output: R_a(Q, P)
(1)
Figure BDA0002971284030000122
with a_{L-1} = 1;
(2) Let T = Q, f = 1;
(3) for (i = L-2; i >= 0; i--):
(3.1) f = f^2 · g_{T,T}(P), T = [2]T;
(3.2) if a_i = 1: f = f · g_{T,Q}(P), T = T + Q;
(4) Q_1 = π_q(Q),
Figure BDA0002971284030000123
(5)
Figure BDA0002971284030000124
T = T + Q_1
(6)
Figure BDA0002971284030000125
T = T - Q_2
(7)
Figure BDA0002971284030000126
(8) Output f.
By the scheme, the invention at least has the following advantages:
1. The invention adopts the R-ate bilinear pairing over an elliptic curve in place of the Weil bilinear pairing, and exploits the low computational complexity and high execution efficiency of the R-ate pairing so that the scheme needs less computation and runs faster; this is a marked advantage in environments with limited processing capacity, storage space, bandwidth and power consumption, and thus helps make ciphertext-policy attribute-based encryption practical.
2. The invention adopts SM4 symmetric encryption in place of AES symmetric encryption; SM4 and AES are both symmetric block ciphers, so the scheme uses a more advanced and secure algorithm.
3. The invention adopts the SM9bn256 elliptic curve in place of the bn256 elliptic curve and realizes ciphertext-policy attribute-based encryption based on the SM9 national commercial cipher algorithm; it can reach an encryption strength equivalent to 3072-bit RSA, for which decryption would require about 2500 billion high-performance computers computing for 10 million years, and has advantages in both security and performance.
The foregoing description is only an overview of the technical solutions of the present invention, and in order to make the technical solutions of the present invention more clearly understood and to implement them in accordance with the contents of the description, the following detailed description is given with reference to the preferred embodiments of the present invention and the accompanying drawings.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present invention and therefore should not be considered as limiting the scope, and for those skilled in the art, other related drawings can be obtained according to the drawings without inventive efforts.
FIG. 1 is a logical model of the security system of the present invention;
FIG. 2 is a schematic structural view of the present invention;
fig. 3 is a schematic diagram of the structure of the access tree of the present invention.
Detailed Description
In order to make the technical problems, technical solutions and advantageous effects to be solved by the present invention more clearly apparent, the present invention is further described in detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Examples
As shown in FIG. 2,
a ciphertext-policy attribute-based encryption algorithm based on the national cipher consists of a Setup algorithm, a KeyGen algorithm, an Encrypt algorithm and a Decrypt algorithm,
wherein
The Setup algorithm selects cyclic groups G_1, G_2 of prime order p, with g_1, g_2 the generators of G_1, G_2 respectively, selects random numbers α, β ∈ Z_p,
and generates the public key:
PK = e(g_1, g_2)^α, h = g_1^β
and a master key:
MK = (β, g_2^α)
The KeyGen algorithm takes the attribute set S and the master key as input and outputs a key labelled by S. The algorithm first selects a random number r ∈ Z_p, then, for each j ∈ S, selects a random number r_j ∈ Z_p, and finally computes the private key
Figure BDA0002971284030000141
The Encrypt algorithm encrypts the message M under the access tree τ. It first selects a polynomial q_x for each node x of τ, including the leaf nodes. Starting from the root node R of the tree, the polynomials are chosen top-down; the degree d_x of the polynomial q_x of node x is one less than the node's threshold k_x, i.e. d_x = k_x - 1;
Starting from the root node R, the algorithm selects a random number s ∈ Z_p and sets q_R(0) = s; it then randomly selects d_R other points of the polynomial q_R to fully define q_R. For every other node x it sets q_x(0) = q_parent(x)(index(x)) and randomly selects d_x other points to fully define q_x.
Let Y be the set of all leaf nodes in τ. The ciphertext under the given tree access structure τ is then computed as
Figure BDA0002971284030000142
C = h^s
Figure BDA0002971284030000143
C′_y = H(att(y))^{q_y(0)}
The Decrypt algorithm first defines a recursive algorithm DecryptNode(PK, CT, x), which takes as input the ciphertext CT, the private key SK associated with the attribute set S, and a node x of the tree;
When node x is a leaf node, let i = attr(x). If i ∈ S, then
Figure BDA0002971284030000144
If, on the other hand,
Figure BDA0002971284030000145
then DecryptNode(PK, CT, x) = ⊥;
When node x is a non-leaf node, F_z = DecryptNode(PK, CT, z) is computed for all children z of x. Let S_x be an arbitrary set of child nodes z of size k_x such that F_z ≠ ⊥; if no such set exists, the node is not satisfied and the function returns ⊥;
otherwise, compute
Figure BDA0002971284030000151
With DecryptNode defined, the decryption algorithm first calls DecryptNode(CT, SK, R), where R is the root node of the tree. If the tree is satisfied by S, set
Figure BDA0002971284030000152
The algorithm then decrypts by computing
Figure BDA0002971284030000153
The ciphertext-policy attribute-based encryption algorithm based on the national cipher in the above embodiment relies on the following mathematical background and theorems:
(I) Access tree
An access tree represents a decryption control policy. Policies based on an access tree are more expressive: not only threshold policies are supported, but also policies built from the logical operators OR and AND. To simplify the representation of the access tree, the following operations are defined for a node x in the tree:
parent (x): a parent node of node x, this operation being valid only for nodes other than the root node;
children (x): all children of node x;
num (x): the number of child nodes of node x;
index(x): the sequence number of node x among all its siblings, satisfying 1 ≤ index(x) ≤ num(parent(x));
attr(x): the attribute of node x; this operation is valid only for leaf nodes.
Each internal node of the access tree represents a threshold gate: for an internal node x, its threshold v_x satisfies 1 ≤ v_x ≤ num(x); when v_x = 1, internal node x represents an OR gate; when v_x = num(x), internal node x represents an AND gate.
Each leaf node of the access tree represents an attribute.
Assuming A, B, C, D represent four attributes, the access tree corresponding to the decryption control policy (A ∩ B) ∪ (C ∩ D), i.e. (A AND B) OR (C AND D), is shown in FIG. 3.
In CP-ABE the access structure is an access tree: the encryption key used to protect the source data is hidden under a tree-shaped structure. A leaf node carries the attribute and attribute value set by the data owner together with the secret value passed down from its parent node, encrypted under that attribute value, so that only a data visitor possessing the attribute can decrypt the node's secret value. A non-leaf node is a threshold node, and the data visitor must satisfy at least the threshold number of its child nodes to decrypt its secret value; for example, with a threshold of 3/5 the node has 5 child nodes and the data visitor must satisfy at least 3 of them to recover the secret value.
The data owner defines the CP-ABE policy as an access control tree. CP-ABE resists system threats, in particular collusion among users, and is not affected when an individual user obtains the ciphertext.
(II) Lagrange interpolation
Given n + 1 points (x_i, y_i), a polynomial f of degree n is uniquely determined, computed as follows:
Figure BDA0002971284030000161
For i ∈ Z_p and a set S of elements of Z_p, the Lagrange coefficient is defined as:
Figure BDA0002971284030000171
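The polynomial sharing over the access tree (Encrypt) and the recursive DecryptNode reconstruction with the Lagrange coefficient Δ_{i,S}(0) can be exercised on the FIG. 3 policy. The following added Python example is not code from the patent: it works in Z_p only (a stand-in prime p, with q_x(0) handled as a plain integer instead of inside e(g_1, g_2)^{r q_x(0)}), so the pairing layer and the SM9 curve are assumed away, and the node and function names are the example's own.

```python
import secrets

# Stand-in for the prime group order p; a real deployment uses the SM9 group order N.
P = (1 << 127) - 1


class Node:
    """Access-tree node: a k_x-of-num(x) threshold gate, or a leaf carrying attr(x)."""

    def __init__(self, k=None, children=(), attr=None):
        self.k = k                      # threshold k_x (internal nodes only)
        self.children = list(children)  # ordered, so index(z) = position + 1
        self.attr = attr                # attr(x), leaf nodes only
        self.q = None                   # coefficients of q_x, degree d_x = k_x - 1


def evaluate(coeffs, x):
    """q(x) for a polynomial given by its coefficient list, over Z_p."""
    return sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P


def share(node, secret):
    """Encrypt step: pick q_x top-down with q_x(0) = secret and degree k_x - 1."""
    if node.attr is not None:           # leaf: only q_x(0) = q_parent(x)(index(x)) matters
        node.q = [secret % P]
        return
    node.q = [secret % P] + [secrets.randbelow(P) for _ in range(node.k - 1)]
    for idx, child in enumerate(node.children, start=1):
        share(child, evaluate(node.q, idx))   # q_z(0) = q_x(index(z))


def lagrange_coeff(i, S, x=0):
    """Lagrange coefficient Delta_{i,S}(x) = prod_{j in S, j != i} (x - j)/(i - j) mod p."""
    num, den = 1, 1
    for j in S:
        if j != i:
            num = num * (x - j) % P
            den = den * (i - j) % P
    return num * pow(den, -1, P) % P


def decrypt_node(node, attrs):
    """DecryptNode in the exponent: q_x(0) if attrs satisfy the subtree, else None (⊥)."""
    if node.attr is not None:
        return node.q[0] if node.attr in attrs else None
    # F_z for every child z, keeping (index(z), F_z) for the children that are not ⊥
    found = []
    for idx, child in enumerate(node.children, start=1):
        f_z = decrypt_node(child, attrs)
        if f_z is not None:
            found.append((idx, f_z))
    if len(found) < node.k:
        return None                     # no k_x-sized set S_x exists: node unsatisfied
    s_x = found[:node.k]                # any k_x satisfied children will do
    idxs = [idx for idx, _ in s_x]
    # q_x(0) = sum over z in S_x of F_z * Delta_{index(z), S_x}(0)
    return sum(f_z * lagrange_coeff(idx, idxs) for idx, f_z in s_x) % P


def policy_fig3():
    """The access tree of FIG. 3: (A AND B) OR (C AND D)."""
    left = Node(k=2, children=[Node(attr="A"), Node(attr="B")])
    right = Node(k=2, children=[Node(attr="C"), Node(attr="D")])
    return Node(k=1, children=[left, right])


def demo_fig3(attrs, secret=123456789):
    """Share `secret` (the role of s = q_R(0)) over the FIG. 3 tree, then try to recover it."""
    root = policy_fig3()
    share(root, secret)
    return decrypt_node(root, set(attrs))


def demo_3of5(attrs, secret=2021):
    """The 3-of-5 threshold node from the text: any 3 of the 5 attributes suffice."""
    root = Node(k=3, children=[Node(attr=a) for a in "VWXYZ"])
    share(root, secret)
    return decrypt_node(root, set(attrs))
```

Running `demo_fig3(["A", "B"])` recovers the shared secret, while `demo_fig3(["A", "C"])` returns None because neither AND gate reaches its threshold.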
(III) bilinear mapping
G_1, G_2 are cyclic groups of prime order p, g_1, g_2 are generators of G_1, G_2 respectively, and e: G_1 × G_2 → G_T; if e satisfies the following three properties, e is called a valid bilinear map from G_1 to G_2:
bilinear:
Figure BDA0002971284030000172
e(g_1^a, g_2^b) = e(g_1, g_2)^{ab}
non-degeneracy: e(g_1, g_2) ≠ 1;
computability:
Figure BDA0002971284030000173
e(u, v) can be computed efficiently;
where e is computed using the R-ate bilinear pairing.
Let A, B, a, b ∈ Z with A = aB + b. The Miller function f_{Q,A}(P) has the following property:
Figure BDA0002971284030000174
The R-ate pairing is defined as
Figure BDA0002971284030000175
The R-ate pairing on the sm9bn256 elliptic curve can be computed as follows:
Input: P ∈ E(F_q)[r],
Figure BDA0002971284030000181
a = 6t + 2
Output: R_a(Q, P)
(1)
Figure BDA0002971284030000182
with a_{L-1} = 1;
(2) Let T = Q, f = 1;
(3) for (i = L-2; i >= 0; i--):
(3.1) f = f^2 · g_{T,T}(P), T = [2]T;
(3.2) if a_i = 1: f = f · g_{T,Q}(P), T = T + Q;
(4) Q_1 = π_q(Q),
Figure BDA0002971284030000183
(5)
Figure BDA0002971284030000184
T = T + Q_1
(6)
Figure BDA0002971284030000185
T = T - Q_2
(7)
Figure BDA0002971284030000186
(8) Output f.
(IV) Elliptic curve parameters
The invention uses the 256-bit BN curve of the SM9 algorithm.
Elliptic curve equation: y^2 = x^3 + b.
The curve parameters are as follows:
Parameter t: 600000000058F98A;
Trace tr(t) = 6t^2 + 1: D8000000 019062ED 0000B98B 0CB27659;
Base field characteristic q(t) = 36t^4 + 36t^3 + 24t^2 + 6t + 1:
B6400000 02A3A6F1 D603AB4F F58EC745 21F2934B 1A7AEEDB E56F9B27 E351457D;
Equation parameter b: 05;
Group order N(t) = 36t^4 + 36t^3 + 18t^2 + 6t + 1:
B6400000 02A3A6F1 D603AB4F F58EC744 49F2934B 18EA8BEE E56EE19C D69ECF25;
Cofactor cf: 1;
Embedding degree k: 12;
Twist curve parameter β:
Figure BDA0002971284030000191
Factors of k: d_1 = 1, d_2 = 2;
Curve identifier cid: 0x12;
Generator of group G_1:
Figure BDA0002971284030000192
Coordinate
Figure BDA0002971284030000193
93DE051D 62BF718F F5ED0704 487D01D6E1E40869 09DC3280 E8C4E481 7C66DDDD
Coordinate
Figure BDA0002971284030000194
21FE8DDA 4F21E607 63106512 5C395BBC 1C1C00CB FA602435 0C464CD7 0A3EA616
Generator of group G_2:
Figure BDA0002971284030000195
Coordinate
Figure BDA0002971284030000196
(85AEF3D0 78640C98 597B6027B441A01F F1DD2C19 0F5E93C4 54806C11 D8806141
37227552 92130B08 D2AAB97F D34EC120 EE265948D19C17AB F9B7213B AF82D65B);
Coordinate
Figure BDA0002971284030000197
(17509B09 2E845C12 66BA0D26 2CBEE6ED 0736A96F A347C8BD 856DC76B 84EBEB96
A7CF28D5 19BE3DA6 5F317015 3D278FF2 47EFBA98 A71A0811 6215BBA5 C999A7C7);
Identifier of the bilinear pairing eid: 0x04.
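The parameters listed above can be checked against each other. The following added Python example is not part of the patent: it recomputes q(t), N(t) and tr(t) from t with the polynomials given above, compares them with the listed hex values, and verifies that the G_1 generator lies on y^2 = x^3 + b and has order N; the hex constants are copied from the listing, and the affine point arithmetic is generic BN-curve code assumed here purely for the check.

```python
T = 0x600000000058F98A      # BN parameter t from the listing above
B = 5                       # curve coefficient b
Q_HEX = "B640000002A3A6F1D603AB4FF58EC74521F2934B1A7AEEDBE56F9B27E351457D"
N_HEX = "B640000002A3A6F1D603AB4FF58EC74449F2934B18EA8BEEE56EE19CD69ECF25"
TR_HEX = "D8000000019062ED0000B98B0CB27659"
# Generator P1 of G1, coordinates (x, y) as listed
P1 = (0x93DE051D62BF718FF5ED0704487D01D6E1E4086909DC3280E8C4E4817C66DDDD,
      0x21FE8DDA4F21E607631065125C395BBC1C1C00CBFA6024350C464CD70A3EA616)


def bn_params(t):
    """q(t), N(t) and tr(t) for BN parameter t, using the polynomials in the text."""
    q = 36 * t**4 + 36 * t**3 + 24 * t**2 + 6 * t + 1
    n = 36 * t**4 + 36 * t**3 + 18 * t**2 + 6 * t + 1
    tr = 6 * t**2 + 1
    return q, n, tr


def params_match_listing():
    """True if the recomputed q, N, tr equal the hex constants and #E = q + 1 - tr."""
    q, n, tr = bn_params(T)
    return (q == int(Q_HEX, 16) and n == int(N_HEX, 16)
            and tr == int(TR_HEX, 16) and q + 1 - tr == n)


def on_curve(pt, q, b=B):
    """True if pt satisfies y^2 = x^3 + b over F_q."""
    x, y = pt
    return (y * y - x**3 - b) % q == 0


def ec_add(p1, p2, q):
    """Affine point addition on y^2 = x^3 + b over F_q; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % q == 0:
            return None                 # p1 == -p2
        lam = 3 * x1 * x1 * pow(2 * y1, -1, q) % q   # doubling (a = 0)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, q) % q
    x3 = (lam * lam - x1 - x2) % q
    return x3, (lam * (x1 - x3) - y1) % q


def ec_mul(k, pt, q):
    """Double-and-add scalar multiplication [k]pt."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt, q)
        pt = ec_add(pt, pt, q)
        k >>= 1
    return acc


def generator_checks():
    """P1 lies on the curve, [N]P1 = O (cofactor 1), and q, N pass a Fermat base-2 test."""
    q, n, _ = bn_params(T)
    fermat = pow(2, q - 1, q) == 1 and pow(2, n - 1, n) == 1
    return on_curve(P1, q) and ec_mul(n, P1, q) is None and fermat
```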
Security analysis
The security of the scheme is based on the q-BDHE (q-Bilinear Diffie-Hellman Exponent) assumption.
(Decisional q-BDHE) Let G_1, G_2 be cyclic groups of prime order p, g_1, g_2 generators of G_1, G_2 respectively, and e: G_1 × G_2 → G_T a bilinear pairing. Two elements a, s are chosen at random from Z_p, i.e. a, s ∈ Z_p, and,
given the vector:
Figure BDA0002971284030000201
the advantage of any probabilistic polynomial-time (PPT) algorithm in solving the q-BDHE problem is denoted
Figure BDA0002971284030000202
The decisional q-BDHE assumption holds if, for every PPT algorithm, its advantage Adv_{q-BDHE} is negligible, i.e. no polynomial-time algorithm can distinguish with non-negligible probability between
Figure BDA0002971284030000203
and a random element of G_T.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention, it should be noted that, for those skilled in the art, many modifications and variations can be made without departing from the technical principle of the present invention, and these modifications and variations should also be regarded as the protection scope of the present invention.

Claims (5)

1. A ciphertext-policy attribute-based encryption algorithm based on a national cipher, characterized in that it comprises a Setup algorithm, a KeyGen algorithm, an Encrypt algorithm and a Decrypt algorithm,
wherein
The Setup algorithm selects cyclic groups G_1, G_2 of prime order p, with g_1, g_2 the generators of G_1, G_2 respectively, selects random numbers α, β ∈ Z_p,
and generates the public key:
PK = e(g_1, g_2)^α, h = g_1^β
and a master key:
MK = (β, g_2^α)
The KeyGen algorithm takes the attribute set S and the master key as input and outputs a key labelled by S. The algorithm first selects a random number r ∈ Z_p, then, for each j ∈ S, selects a random number r_j ∈ Z_p, and finally computes the private key
Figure FDA0002971284020000011
The Encrypt algorithm encrypts the message M under the access tree τ. It first selects a polynomial q_x for each node x of τ, including the leaf nodes. Starting from the root node R of the tree, the polynomials are chosen top-down; the degree d_x of the polynomial q_x of node x is one less than the node's threshold k_x, i.e. d_x = k_x - 1;
Starting from the root node R, the algorithm selects a random number s ∈ Z_p and sets q_R(0) = s; it then randomly selects d_R other points of the polynomial q_R to fully define q_R. For every other node x it sets q_x(0) = q_parent(x)(index(x)) and randomly selects d_x other points to fully define q_x.
Let Y be the set of all leaf nodes in τ. The ciphertext under the given tree access structure τ is then computed as
Figure FDA0002971284020000012
Figure FDA0002971284020000013
The Decrypt algorithm first defines a recursive algorithm DecryptNode(PK, CT, x), which takes as input the ciphertext CT, the private key SK associated with the attribute set S, and a node x of the tree;
When node x is a leaf node, let i = attr(x). If i ∈ S, then
Figure FDA0002971284020000021
If, on the other hand,
Figure FDA0002971284020000022
then DecryptNode(PK, CT, x) = ⊥;
When node x is a non-leaf node, F_z = DecryptNode(PK, CT, z) is computed for all children z of x. Let S_x be an arbitrary set of child nodes z of size k_x such that F_z ≠ ⊥; if no such set exists, the node is not satisfied and the function returns ⊥;
otherwise, compute
Figure FDA0002971284020000023
With DecryptNode defined, the decryption algorithm first calls DecryptNode(CT, SK, R), where R is the root node of the tree. If the tree is satisfied by S, set
Figure FDA0002971284020000024
The algorithm then decrypts by computing
Figure FDA0002971284020000025
2. The ciphertext-policy attribute-based encryption algorithm based on the national cipher according to claim 1, characterized in that e in the Setup algorithm is a map G_1 × G_2 → G_T; if e satisfies the following three properties, e is called a valid bilinear map from G_1 to G_2:
1) bilinear:
Figure FDA0002971284020000031
2) non-degeneracy:
e(g_1, g_2) ≠ 1;
3) computability:
Figure FDA0002971284020000032
the computation can be carried out efficiently;
where e is computed using the R-ate bilinear pairing,
let A, B, a, b ∈ Z with A = aB + b; the Miller function f_{Q,A}(P) has the following property:
Figure FDA0002971284020000033
The R-ate pairing is defined as
Figure FDA0002971284020000034
The R-ate pairing on the sm9bn256 elliptic curve can be computed as follows:
Input: P ∈ E(F_q)[r],
Figure FDA0002971284020000041
a = 6t + 2
Output: R_a(Q, P)
(1)
Figure FDA0002971284020000042
with a_{L-1} = 1;
(2) Let T = Q, f = 1;
(3) for (i = L-2; i >= 0; i--):
(3.1) f = f^2 · g_{T,T}(P), T = [2]T;
(3.2) if a_i = 1: f = f · g_{T,Q}(P), T = T + Q;
(4) Q_1 = π_q(Q),
Figure FDA0002971284020000043
(5)
Figure FDA0002971284020000044
T = T + Q_1
(6)
Figure FDA0002971284020000045
T = T - Q_2
(7)
Figure FDA0002971284020000046
(8) Output f.
3. The ciphertext-policy attribute-based encryption algorithm based on the national cipher according to claim 1, characterized in that the access tree defines the following operations for a node x in the tree:
parent (x): a parent node of node x, this operation being valid only for nodes other than the root node;
children (x): all children of node x;
num (x): the number of child nodes of node x;
index(x): the sequence number of node x among all its siblings, satisfying 1 ≤ index(x) ≤ num(parent(x));
attr(x): the attribute of node x; this operation is valid only for leaf nodes.
4. The ciphertext-policy attribute-based encryption algorithm based on the national cipher according to claim 1 or 3, characterized in that each internal node of the access tree represents a threshold gate: for an internal node x, its threshold v_x satisfies 1 ≤ v_x ≤ num(x); when v_x = 1, internal node x represents an OR gate; when v_x = num(x), internal node x represents an AND gate.
5. The ciphertext-policy attribute-based encryption algorithm based on the national cipher according to claim 4, characterized in that each leaf node of the access tree represents an attribute.
CN202110264139.7A 2021-03-11 2021-03-11 Cipher text strategy attribute encryption algorithm based on state cipher Pending CN113055164A (en)

Publications (1)

Publication Number Publication Date
CN113055164A true CN113055164A (en) 2021-06-29
