CN113179164A - Multi-authority ciphertext policy attribute-based encryption method based on ideal lattices - Google Patents

Abstract

The invention belongs to the technical field of data encryption in information security, and particularly relates to a multi-authority ciphertext strategy attribute-based encryption method based on an ideal lattice. The lattice-based attribute encryption method is constructed based on the ideal lattice, and encryption and decryption operations are all performed by taking an integer polynomial ring as a unit, so that multi-bit plaintext is encrypted once. The invention adopts a G-lattice-based trapdoor generation and primary image sampling method, and solves the problems of larger public and private key size and low calculation efficiency of the traditional lattice-based encryption method. The invention realizes the partition and reconstruction of the key by using the threshold secret sharing technology, so that a plurality of authorization mechanisms jointly distribute and manage the user key, the workload of a central authorization mechanism is effectively reduced, the performance and safety bottleneck existing in the encryption method of a single authorization mechanism are solved, the operation efficiency of the system is improved, the flexible and fine-grained access control of encrypted data is realized, and the application requirement of a distributed cloud storage environment is better met.

Description

Multi-authority ciphertext policy attribute-based encryption method based on ideal lattices

Technical Field

The invention belongs to the technical field of data encryption in information security, and particularly relates to a multi-authority ciphertext strategy attribute-based encryption method based on an ideal lattice.

Background

The cloud computing technology can provide dynamic, expandable and strong-universality data remote storage and resource sharing services, effectively reduces the cost and burden of local data maintenance, and becomes a research hotspot in the field of information technology. However, because the openness of the internet and the cloud service provider are not completely trusted, how to ensure the security of data in the cloud and protect the data from being illegally accessed or tampered becomes an important problem which needs to be researched urgently.

An Attribute-Based Encryption (ABE) mechanism is an extension of an Identity-Based Encryption system (IBE), is proposed by Sahai and Waters in the European conference 2005, allows an encryptor to make an access control strategy according to the Attribute of a receiver in an Encryption algorithm, and can successfully decrypt only when an Attribute set of the receiver meets the access control strategy, so that the confidentiality of data can be effectively protected, and 'one-to-many' data sharing and flexible and fine-grained access control can be realized. However, most of the existing attribute-based encryption schemes are constructed based on the bilinear mapping principle, and cannot resist the attack of the quantum algorithm. In order to deal with new security threats in the post-quantum era, researchers have proposed a quantum attack resistant cryptosystem in recent years, wherein the trellis cryptosystem not only can effectively resist the quantum attack, but also achieves good balance in the aspects of security, computational efficiency and the like, and is paid attention to in the post-quantum cryptosystem.

The existing lattice-based attribute encryption scheme mainly has the following two problems, namely firstly, most of the lattice-based attribute encryption schemes are constructed based on LWE problems on standard lattices, the encryption and decryption operations of the lattice-based attribute encryption schemes mainly depend on matrix operation, and the problems of large public and private key sizes and low calculation efficiency exist; secondly, the existing lattice-based attribute encryption scheme generally adopts a single trusted authority to distribute and manage keys, and when the number of attributes in the system is large, the central authority may be overloaded and easily attacked in a centralized manner, which causes performance and security bottlenecks of the system. In addition, with the development of the distributed cloud storage technology, different attributes are authenticated and managed independently by corresponding authorization mechanisms, and the encryption mode of a single authorization mechanism cannot meet the actual application requirements.

Disclosure of Invention

The invention aims to solve the problems of trust dispersion and excessive load of a central authority in an encryption system, and provides a multi-authority ciphertext strategy attribute-based encryption method based on ideal lattices, which can effectively resist quantum attack, realize a flexible and fine-grained access control strategy, keep higher operation efficiency and be used for realizing safe data sharing in a distributed cloud environment.

The purpose of the invention is realized by the following technical scheme: the method comprises the following steps:

step 1: central authority CA runs the global initialization algorithm CASETup (1) of the system^λ) Generating a system common parameter pp ═ (q, n, k, σ)_s,f,u)；

Wherein q is a prime number, q ═ q (λ); n and k are positive integers, n ═ n (λ),

sigma and sigma_sIs a gaussian distribution parameter, σ ═ σ (λ), σ_s＝σ_s(λ); f is an irreducible polynomial and,

u∈R_q，R_qrepresenting an integer multiple ring;

step 2: inputting the system public parameter pp into each attribute authority AA_θIn each attribute authority AA_θExecuting an authorization mechanism initialization algorithm, and calculating to obtain an authorization mechanism public key APK of the authorization mechanism_θAnd an authority private key ASK_θ；

Step 2.1: calling trapdoor generation algorithm trappen generation

And

m＝k+2；

step 2.2: attribute authority AA_θProperty set for self management

Each attribute x in_iSelecting a uniform random vector pair

Wherein the content of the first and second substances,

l_θauthorizing an organization AA for an attribute_θThe number of attributes managed;

step 2.3: each authority AA_θObtaining the public key of the authority

And an authority private key

And step 3: the data owner appoints the data mu to be encrypted and makes an access control strategy

Representing an attribute authority AA_θManaging the set of attributes that an authorized user must hold within a domain,

representing an attribute authority AA_θManaging a set of attributes that an authorized user cannot hold within a domain; converting the plaintext message mu into mu₀,μ₁,…,μ_n-1}∈{0,1}ⁿExpressed as a ring polynomial μ (x) ═ μ₀+μ₁x+…+μ_n-1x^n-1，μ(x)∈R_q；

Step 3.1: encryptionThe player randomly selects s ←_UR_q，e←D_R,σCalculating

Obtained by random sampling of discrete Gauss

Computing

c₀∈R_q；

Step 3.2: to pair

Obtaining by discrete Gaussian random sampling

And (3) calculating a ciphertext:

to pair

Obtaining by discrete Gaussian random sampling

And (3) calculating a ciphertext:

to pair

Obtaining by discrete Gaussian random sampling

And (3) calculating a ciphertext:

finally, generating the ciphertext

And 4, step 4: the user gid interacts with each authorization mechanism respectively according to the attribute set held by the user gid to obtain the private key SK_gid；

And 5: the public key APK of the public parameter pp and the attribute authority is used by the user gid_θAnd a private key SK_gidAnd decrypting the ciphertext ct.

The present invention may further comprise:

in the step 4, the user gid interacts with each authorization mechanism respectively according to the attribute set held by the user gid to obtain the private key SK_gidThe method comprises the following steps:

step 4.1: the CA of the central authority authenticates the identity of the authority and randomly selects a polynomial of degree N-1

a_j←_UR_qPartition the parameter u in pp into N shared shares { u }₁,…,u_N}，u_θP (θ), and mixing u_θDistribute to corresponding authorities AA_θ；

Step 4.2: attribute authority AA_θProperty set for self management

Each attribute x in_iPerforming discrete Gaussian sampling to obtain

If x_i∈S_gid,θThen give an order

Otherwise, it orders

Wherein the content of the first and second substances,

S_gid,θrepresenting an attribute authority AA_θA set of attributes owned by the user gid;

step 4.3: AA_θCalling ring pre-image sampling algorithm

To obtain

User acquisition of a complete secret key SK_gid＝{w_gid,θ}_θ∈[N]，

Wherein the content of the first and second substances,

δ_θ∈R_q；

in said step 5, the user gid uses the public parameter pp and the public key APK of the attribute authority_θAnd a private key SK_gidThe method for decrypting the ciphertext ct specifically comprises the following steps:

step 5.1: authorizing an agency AA for each attribute_θCalculating

Step 5.2: attribute authority AA_θManaged property sets

Each attribute x in_iIf property

Calculating a_θ,i＝(c_θ,i)^T·w_θ,i(ii) a If attribute x_i∈S_gid,θCalculating

Otherwise, calculating

Step 5.3: computing

And

step 5.4: for all d e [0, n-1]If, if

Then order

Otherwise make

Obtaining a decrypted set

I.e. the original plaintext encrypted by the data owner

The invention has the beneficial effects that:

the lattice-based attribute encryption method is constructed based on the ideal lattice, and encryption and decryption operations are all performed by taking an integer polynomial ring as a unit, so that multi-bit plaintext is encrypted once. The invention adopts a G-lattice-based trapdoor generation and primary image sampling method, and solves the problems of larger public and private key size and low calculation efficiency of the traditional lattice-based encryption method. The invention realizes the partition and reconstruction of the key by using the threshold secret sharing technology, so that a plurality of authorization mechanisms jointly distribute and manage the user key, the workload of a central authorization mechanism is effectively reduced, the performance and safety bottleneck existing in the encryption method of a single authorization mechanism are solved, the operation efficiency of the system is improved, the flexible and fine-grained access control of encrypted data is realized, and the application requirement of a distributed cloud storage environment is better met.

Drawings

Fig. 1 is a framework diagram of the present invention.

Fig. 2 is a flow chart of the present invention.

Detailed Description

The invention is further described below with reference to the accompanying drawings.

The invention belongs to the technical field of data encryption in information security, and particularly relates to a multi-authority ciphertext strategy attribute-based encryption method based on an ideal lattice. The lattice-based attribute encryption method is constructed based on the ideal lattice, multi-bit plaintext can be encrypted once, quantum attack resistance can be effectively resisted, on the basis, a flexible and fine-grained access control strategy is realized, and higher operation efficiency is kept. The invention realizes the segmentation and reconstruction of the user key by using the threshold secret sharing technology, effectively reduces the workload of an authorization mechanism and further improves the system operation efficiency; the method introduces multiple authorization mechanisms, and effectively solves the problems of distributed trust in the encryption system and excessive load of a central authorization mechanism. The invention can be used for realizing safe data sharing in a distributed cloud environment.

A multi-authority ciphertext strategy attribute-based encryption method based on an ideal lattice comprises the following steps:

step 1: central authority CA runs the global initialization algorithm CASETup (1) of the system^λ) Generating a system common parameter pp ═ (q, n, k, σ)_s,f,u)；

Wherein q is a prime number, q ═ q (λ); n and k are positive integers, n ═ n (λ),

sigma and sigma_sIs a gaussian distribution parameter, σ ═ σ (λ), σ_s＝σ_s(λ); f is an irreducible polynomial and,

u∈R_q，R_qrepresenting an integer multiple ring;

step 2: inputting the system public parameter pp into each attribute authority AA_θIn each attribute authority AA_θExecuting an authorization mechanism initialization algorithm, and calculating to obtain an authorization mechanism public key APK of the authorization mechanism_θAnd an authority private key ASK_θ；

Step 2.1: calling trapdoor generation algorithm trappen generation

And

m＝k+2；

step 2.2: attribute authority AA_θProperty set for self management

Each attribute x in_iSelecting a uniform random vector pair

Wherein the content of the first and second substances,

l_θauthorizing an organization AA for an attribute_θThe number of attributes managed;

step 2.3: each authority AA_θObtaining the public key of the authority

And an authority private key

And step 3: the user gid interacts with each authorization mechanism respectively according to the attribute set held by the user gid to obtain the private key SK_gid；

Step 3.1: the CA of the central authority authenticates the identity of the authority and randomly selects a polynomial of degree N-1

a_j←_UR_qPartition the parameter u in pp into N shared shares { u }₁,…,u_N}，u_θP (θ), and mixing u_θDistribute to corresponding authorities AA_θ；

Step 3.2: attribute authority AA_θProperty set for self management

Each attribute x in_iPerforming discrete Gaussian sampling to obtain

If x_i∈S_gid,θThen give an order

Otherwise, it orders

Wherein the content of the first and second substances,

S_gid,θrepresenting an attribute authority AA_θA set of attributes owned by the user gid;

step 3.3: AA_θCalling ring pre-image sampling algorithm

To obtain

User acquisition of a complete secret key SK_gid＝{w_gid,θ}_θ∈[N]，

Wherein the content of the first and second substances,

δ_θ∈R_q；

and 4, step 4: the data owner appoints the data mu to be encrypted and makes an access control strategy

Representing an attribute authority AA_θManaging the set of attributes that an authorized user must hold within a domain,

representing an attribute authority AA_θManaging a set of attributes that an authorized user cannot hold within a domain; converting the plaintext message mu into mu₀,μ₁,…,μ_n-1}∈{0,1}ⁿExpressed as a ring polynomial μ (x) ═ μ₀+μ₁x+…+μ_n-1x^n-1，μ(x)∈R_q；

Step 4.1: the encryptor chooses s ← at random_UR_q，e←D_R,σCalculating

Obtained by random sampling of discrete Gauss

Computing

c₀∈R_q；

Step 4.2: to pair

Obtaining by discrete Gaussian random sampling

And (3) calculating a ciphertext:

to pair

Obtaining by discrete Gaussian random sampling

And (3) calculating a ciphertext:

to pair

Obtaining by discrete Gaussian random sampling

And (3) calculating a ciphertext:

finally, generating the ciphertext

And 5: the public key APK of the public parameter pp and the attribute authority is used by the user gid_θAnd a private key SK_gidThe method for decrypting the ciphertext ct specifically comprises the following steps:

step 5.1: authorizing an agency AA for each attribute_θCalculating

Step 5.2: attribute authority AA_θManaged property sets

Each attribute x in_iIf property

Calculating a_θ,i＝(c_θ,i)^T·w_θ,i(ii) a If attribute x_i∈S_gid,θCalculating

Otherwise, calculating

Step 5.3: computing

And

step 5.4: for all d e [0, n-1]If, if

Then order

Otherwise make

Obtaining a decrypted set

I.e. the original plaintext encrypted by the data owner

The invention has the beneficial effects that:

the lattice-based attribute encryption method is constructed based on the ideal lattice, and encryption and decryption operations are all performed by taking an integer polynomial ring as a unit, so that multi-bit plaintext is encrypted once. Meanwhile, the trap door generation and original image sampling method based on the G-lattice is adopted in the scheme, so that the problems that the public and private keys are large in size and low in calculation efficiency in the traditional lattice-based encryption method are solved, the method can resist quantum attack and has high operation efficiency.

The invention realizes the partition and reconstruction of the key by using the threshold secret sharing technology, so that a plurality of authorization mechanisms jointly distribute and manage the user key, the workload of a central authorization mechanism is effectively reduced, the performance and safety bottleneck existing in the encryption method of a single authorization mechanism are solved, the operation efficiency of the system is improved, the flexible and fine-grained access control of encrypted data is realized, and the application requirement of a distributed cloud storage environment is better met.

Example 1:

the invention aims to provide a multi-authority ciphertext strategy attribute-based encryption method based on an ideal lattice. The method can effectively resist quantum attack resistance, support the multi-attribute authorization mechanism, effectively solve the problems of distributed trust in the encryption system and excessive load of the central authorization mechanism, and improve the operation efficiency. The method can be used for realizing safe data sharing in a distributed cloud environment.

Fig. 1 is a framework diagram of the present invention, in which the main entities involved and their functions are as follows: the Central Authority (CA) is mainly responsible for executing system initialization operation, generating system global public parameters, authenticating identities of all users and attribute authorities in the system, receiving registration requests of the system users and the attribute authorities, and issuing globally unique user identity identifications gid and authority identifications theta for the users and the attribute authorities respectively; each Attribute Authority (AA) independently manages a part of attributes in the system and generates a corresponding key for the user, wherein each attribute is managed by only one authority; the Data Owner (DO) is responsible for making an access control strategy according to the requirement on the attribute of the receiver and encrypting the data by using an encryption algorithm to generate a ciphertext; the Cloud Server (CS) is mainly used as a third-party platform to provide storage and downloading services of encrypted data for the user; the system user (DU) holds the attribute set of the system user, ciphertext can be downloaded from the Cloud Server (CS), and if the attribute set of the system user (DU) meets the access strategy set by the Data Owner (DO), plaintext data can be obtained through successful decryption by using a decryption algorithm. The method specifically comprises the following steps:

1. the central authority CA performs system initialization operations, generates system public parameters pp, and issues identification θ and gid to the authority and the user applying for registration.

2. Each authority AA_θ(θ∈[N]) Executing the initialization operation of the authorization mechanism by using the system public parameter pp to generate the public key APK of the authorization mechanism_θAnd an authority private key ASK_θ。

3. CA uses threshold secret sharing technology to share secret parameter u in public parameter pp among authorization organizations, and each authorization organization AA_θGenerating shared shares u_θ。

4. The data owner DO makes an access strategy according to the security requirement of the data owner DO, the access strategy comprises the steps of setting an attribute set which must be held by an authorized user and an attribute set which cannot be held by the authorized user, and the public parameter pp and the public key { APK (authorization authority key) } of the public parameter are utilized_θ}_θ∈[N]And encrypting the data by the access strategy to generate a ciphertext ct, and uploading the ct to the cloud server CS.

5. The system user DU interacts with the authorization organization one by one, and submits to the organization AA_θAttribute set S held under administrative domain_gid,θAuthorization institution AA_θThe user attribute is authenticated and authorized to generate an attribute set S_gid,θThe corresponding private key is sent to a system user DU, and finally the DU obtains a complete user private key SK_gid。

6. The system user DU downloads the ciphertext ct from the cloud server CS and utilizes the user private key SK acquired by the system user DU_gidPublic parameter pp and authority public key { APK_θ}_θ∈[N]And (4) decrypting ct, and if and only if the attribute set of the user meets the access policy set by the data owner, successfully decrypting the ct to obtain the plaintext.

FIG. 2 is a flowchart of a multi-authority ciphertext policy attribute based encryption method based on an ideal lattice according to the present invention. The method comprises the following specific implementation steps:

the CASetup stage:

central authority CA runs the global initialization algorithm CASETup (1) of the system^λ) Generating a system common parameter pp ═ (q, n, k, σ)_sF, u) where q ═ q (λ) is a prime number, n ═ n (λ) and

is a positive integer, σ ═ σ (λ) and σ_s＝σ_s(lambda) is a Gaussian distribution parameter,

is an irreducible polynomial, u ∈ R_q。

AASetup phase:

the attribute authority executes the authority initialization algorithm, and inputs the system public parameter pp, the authority number theta and the authority AA_θNumber of managed attributes l_θFirstly calling trapdoor generation algorithm TrapGen generation

And

wherein m is k + 2; is provided with

Indicating authority AA_θA managed set of attributes. For collections

The ith attribute x in (1)_i，AA_θSelecting uniform and random vector pairs

Wherein

Finally returning the public key of the authority

And an authority private key

KeyGen stage:

and the user interacts with each authorization mechanism respectively according to the attribute set held by the user and requests to obtain the corresponding private key. Let l_θIndicating authority AA_θNumber of attributes managed, S_gid＝U_θ∈[N]S_gid,θThe attribute set owned by the user gid is represented, and the specific implementation process is as follows:

KeyGen stage 1:

per attribute authority AA_θApplying for registration to CA, CA certifies authority identity, and utilizes Shamir threshold secret sharing technique to make u belong to R_qSplit into N shared shares { u }₁,…,u_NN is the number of authorities. Specifically, a polynomial of degree N-1 is randomly selected

Wherein a is_i←_uR_qAnd shares the secret u_θ＝P(θ)∈R_qDistribute to corresponding authorities AA_θ。

KeyGen stage 2:

for each attribute in the administrative domain

Authorization institution AA_θFirstly, discrete Gaussian sampling is carried out to obtain

Wherein

If x_i∈S_gid，θIs provided with

Otherwise

Is provided with

Is provided with

KeyGen stage 3:

AA_θcalling ring pre-image sampling algorithm

To obtain

Finally, the user gets the complete key SK_gid＝{w_gid，θ}_θ∈[N]Wherein

Encrypt phase:

the Data Owner (DO) specifies the data mu to be encrypted and makes an access control policy

Wherein

Indicating authority AA_θManaging the set of attributes that an authorized user must hold within a domain,

represents AA_θManaging collections of attributes that an authorized user cannot hold within a domain. Converting the plaintext message mu into mu₀，μ₁，…，μ_n-1}∈{0，1}ⁿExpressed as a ring polynomial μ (x) ═ μ₀+μ₁x+…+μ_n-1x^n-1∈R_q. The encryptor chooses s ← at random_UR_q，e←D_R，σCalculating

Obtained by random sampling of discrete Gauss

And (3) calculating:

and then for each authority AA_θ(θ∈[N]) Managed attributes

The following operations are performed:

to pair

Obtaining by discrete Gaussian random sampling

And (3) calculating a ciphertext:

to pair

Obtaining by discrete Gaussian random sampling

And (3) calculating a ciphertext:

to pair

Obtaining by discrete Gaussian random sampling

And (3) calculating a ciphertext:

finally, the ciphertext is output

The Decrypt stage:

the user inputs the public parameter pp, the public key of the authority { APK_θ}_θ∈[N]Ciphertext ct and user Key SK_gid. First, toEach authority AA_θ(θ∈[N]) Calculating

Then, for the authority AA_θManaged attributes

For attribute

Calculating a_θ，i＝(c_θ，i)^T·w_θ，i(ii) a For attribute x_i∈S_gid，θCalculating

For attribute

Computing

Final calculation

And

wherein

For all i e [0, n-1]If, if

Order to

Otherwise make

Finally, the plaintext is obtained

The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (3)

1. A multi-authority ciphertext strategy attribute-based encryption method based on an ideal lattice is characterized by comprising the following steps:

step 1: central authority CA runs the global initialization algorithm CASETup (1) of the system^λ) Generating a system common parameter pp ═ (q, n, k, σ)_s,f,u)；

Wherein q is a prime number, q ═ q (λ); n and k are positive integers, n ═ n (λ), k ═ log (q) +1](ii) a Sigma and sigma_sIs a gaussian distribution parameter, σ ═ σ (λ), σ_s＝σ_s(λ); f is an irreducible polynomial and,

u∈R_q，R_qrepresenting an integer multiple ring;

step 2: inputting the system public parameter pp into each attribute authority AA_θIn each attribute authority AA_θExecuting an authorization mechanism initialization algorithm, and calculating to obtain an authorization mechanism public key APK of the authorization mechanism_θAnd an authority private key ASK_θ；

Step 2.1: calling trapdoor generation algorithm trappen generation

And

m＝k+2；

step 2.2: attribute authority AA_θProperty set for self management

Each attribute x in_iSelecting a uniform random vector pair

Wherein the content of the first and second substances,

l_θauthorizing an organization AA for an attribute_θThe number of attributes managed;

step 2.3: each authority AA_θObtaining the public key of the authority

And an authority private key

And step 3: the data owner appoints the data mu to be encrypted and makes an access control strategy

Representing an attribute authority AA_θManaging the set of attributes that an authorized user must hold within a domain,

representing an attribute authority AA_θManaging a set of attributes that an authorized user cannot hold within a domain; converting the plaintext message mu into mu₀,μ₁,…,μ_n-1}∈{0,1}ⁿExpressed as a ring polynomial μ (x) ═ μ₀+μ₁x+…+μ_n-1x^n-1，μ(x)∈R_q；

Step 3.1: the encryptor chooses s ← at random_UR_q，e←D_R,σCalculating

Obtained by random sampling of discrete Gauss

Computing

Step 3.2: to pair

Obtaining by discrete Gaussian random sampling

And (3) calculating a ciphertext:

to pair

Obtaining by discrete Gaussian random sampling

And (3) calculating a ciphertext:

to pair

Obtaining by discrete Gaussian random sampling

And (3) calculating a ciphertext:

finally, generating the ciphertext

And 4, step 4: the user gid interacts with each authorization mechanism respectively according to the attribute set held by the user gid to obtain the private key SK_gid；

And 5: the public key APK of the public parameter pp and the attribute authority is used by the user gid_θAnd a private key SK_gidAnd decrypting the ciphertext ct.

2. The idealised lattice-based multi-authority ciphertext policy attribute-based encryption method of claim 1, wherein: in the step 4, the user gid interacts with each authorization mechanism respectively according to the attribute set held by the user gid to obtain the private key SK_gidThe method comprises the following steps:

step 4.1: the CA of the central authority authenticates the identity of the authority and randomly selects a polynomial of degree N-1

a_j←_UR_qPartition the parameter u in pp into N shared shares { u }₁,…,u_N}，u_θP (θ), and mixing u_θDistribute to corresponding authorities AA_θ；

Step 4.2: attribute authority AA_θFor self-managed attribute set x_θEach attribute x in_iPerforming discrete Gaussian sampling to obtain

If x_i∈S_gid,θThen give an order

Otherwise, it orders

Wherein the content of the first and second substances,

S_gid,θrepresenting an attribute authority AA_θA set of attributes owned by the user gid;

step 4.3: AA_θCalling ring pre-image sampling algorithm

To obtain

User acquisition of a complete secret key SK_gid＝{w_gid,θ}_θ∈[N]，

Wherein the content of the first and second substances,

δ_θ∈R_q；

3. the idealised lattice-based multi-authority ciphertext policy attribute-based encryption method of claim 2, wherein: in said step 5, the user gid uses the public parameter pp and the public key APK of the attribute authority_θAnd a private key SK_gidThe method for decrypting the ciphertext ct specifically comprises the following steps:

step 5.1: authorizing an agency AA for each attribute_θCalculating

Step 5.2: attribute authority AA_θManaged attribute set χ_θEach attribute x in_iIf property

Calculating a_θ,i＝(c_θ,i)^T·w_θ,i(ii) a If attribute x_i∈S_gid,θCalculating

Otherwise, calculating

Step 5.3: computing

And

step 5.4: for all d e [0, n-1]If, if

Then order

Otherwise make

Obtaining a decrypted set

I.e. the original plaintext encrypted by the data owner

Images