CN113489591A - Traceable comparison attribute encryption method based on multiple authorization centers - Google Patents
- Publication number: CN113489591A (application CN202110624902.2A)
- Authority: CN (China)
- Prior art keywords: user, key, attribute, data, authorization center
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L9/3268 — Certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
- H04L63/0435 — Confidential data exchange over packet networks in which the sending and receiving entities apply symmetric encryption
- H04L63/10 — Network security for controlling access to devices or network resources
- H04L9/0836 — Key transport or distribution involving a central third party (KDC/TTP) and a conference or group key using a tree or hierarchical structure
- H04L9/0838 — Key agreement, i.e. a shared key derived by the parties as a function of information contributed by each of them
- H04L9/0861 — Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0869 — Key generation involving random numbers or seeds
- H04L9/0877 — Key generation using an additional device, e.g. TPM, smartcard, USB or HSM
- H04L9/3247 — Means for verifying identity or authority or for message authentication involving digital signatures
Abstract
The invention discloses a traceable comparison attribute encryption method based on multiple authorization centers, which overcomes the cost that grows with the amount of data and the single-point performance bottleneck of a single central authorization center in the prior art. The method comprises the following steps: S1, initializing the system; S2, encrypting the data; S3, user verification and final data generation; S4, decrypting the data; and S5, tracking. The invention provides an efficient 0-code and 1-code method that allows comparable attributes to be compared arbitrarily and is suitable for an ABE system; it reduces the expanded storage cost by half on average and greatly reduces the computation cost of encryption and decryption; it adopts a central authorization center together with attribute authorization centers, which reduces the burden of the central authorization center, accelerates user identity verification and key generation, and avoids a single-point performance bottleneck; and it adds a tracking mechanism to supervise the attribute authorization centers.
Description
Technical Field
The invention relates to the technical field of cryptography, in particular to a traceable comparison attribute encryption method based on multiple authorization centers.
Background
Attribute-based encryption (ABE) has been a popular research topic in cryptography in recent years. It provides a flexible way to perform fine-grained access control and can flexibly manage the association between ciphertexts and users' secret keys. ABE is therefore applicable in many settings such as cloud computing, cloud medical services, and social networking.
There are two different implementations of ABE: key-policy attribute-based encryption (KP-ABE) and ciphertext-policy attribute-based encryption (CP-ABE). The main difference between the two is where the access policy is embedded. In KP-ABE, the access policy is embedded in the user's secret key and the ciphertext is associated with a set of attributes. In contrast, in CP-ABE the access policy is embedded in the ciphertext and the user key is associated with attributes. Both follow the same rule: decryption succeeds if and only if the attributes of one element satisfy the access policy of the other.
In current ABE systems, the comparison of the attributes of the secret key and the ciphertext is not flexible enough for practical applications. An access policy often contains attributes that are represented as a range of values, such as {age > 18}. Such range-valued attributes cannot be compared with a boolean function, since a boolean comparison between {age = 20} and {age > 18} does not yield a match. One simple way to handle comparable attributes in current ABE schemes is to enumerate all allowed attribute values to represent the range, i.e. to turn the range into a disjunction such as {age = 19} ∨ {age = 20} ∨ .... However, the overhead of this approach grows linearly with the size of the range.
Bethencourt et al made preliminary attempts to solve the above-mentioned problems. Their solution is to divide these numerical attributes into several sub-attributes in bits to solve this problem. However, the mechanism for designing the numerical comparison strategy is too complex, and the most fundamental problem is that the overhead is still relatively high.
Furthermore, most existing ABE systems are designed around a central authority, in which case a central authority needs to perform time-consuming user authentication and key distribution. This also results in a single central authority becoming a single point performance bottleneck, e.g., inefficiency, etc., for a large-scale distributed cloud system. Cloud services will also be affected if this central authority is broken or offline.
Disclosure of Invention
The invention aims to overcome the problem in the prior art of cost that grows with the amount of data. It provides a traceable comparable attribute encryption method based on multiple authorization centers, with a hierarchical authorization center structure comprising a central authorization center and a plurality of independent attribute authorization centers. This solves the high computation cost caused by the performance bottleneck of a traditional single authorization center in an attribute-based ciphertext retrieval scheme, namely certificate authentication of authorized users and distribution of keys by the authorization center.
A second object of the present invention is to solve the problem of single-point performance bottleneck of a single central authority, allowing not only an arbitrary attribute authority to perform a part of key generation operations, but also the central authority to perform final key generation, and allowing the central authority to track a malicious attribute authority.
In order to achieve the purpose, the invention adopts the following technical scheme:
a traceable comparison attribute encryption method based on multiple authorization centers comprises the following steps:
s1, initializing the system;
s2, encrypting the data;
s3, user verification and final data generation;
s4, decrypting the data;
and S5, tracking.
The data owner encrypts the data and establishes an access policy; for the comparable attributes in the access policy, a 0 code and a 1 code are used to expand the attribute set, and then an access decision tree is built. The data owner uploads the encrypted data and the access decision tree to the cloud server, and each user obtains a unique identifier Uid from the central authorization center. To generate a final key for each user, the central authorization center cooperates with the attribute authorization center selected by the user: an authorized user first obtains a certificate from the central authorization center and submits it to the selected attribute authorization center; the attribute authorization center verifies the legality of the user certificate and generates an intermediate key for the user according to the user's attribute set; finally, the central authorization center generates the final key for the user from the intermediate key produced by the attribute authorization center. A user can download ciphertext data of interest from the cloud server and can decrypt it only when the attributes in the user's key match the access decision tree.
In the system model of the scheme, five entities are involved: a Central Authority (CA), an Attribute Authority (AAs), a user (data user, DU), a Data Owner (DO), and a Cloud Service Provider (CSP).
CA: the CA is the key generation and management center of the system. It generates unique identifiers and certificates for AAs and DUs, and generates the final key for a DU after receiving the intermediate key from the AA that authenticated that DU. In addition, the CA can trace a malicious AA that generated the intermediate key for a suspect DU.
AA: each AA has sufficient storage and computing power to authenticate any user independently. The AA will perform its certificate validation based on the properties submitted by the DU and generate the corresponding intermediate key on behalf of the CA. It is worth mentioning that: the purpose of introducing multiple AAs is to alleviate the burdensome task of CA certificate validation and key generation, further reducing the possibility of a single point of performance bottleneck.
CSP: the CSP has a huge storage space and a strong computing power, and can provide data storage and information retrieval services for the DU and the DO, respectively.
DO: the DO formulates an access policy for its data, encrypts the file according to the defined policy, and sends the encrypted data together with the encrypted symmetric key to the CSP, so as to share its data with multiple DUs while significantly reducing its local storage and computational burden.
DU: the DU gets a unique identity from the CA and has itself a set of attributes related to the information. The DU will select any one of the AAs for authentication of the identity information, and after authentication of the AA, the CA generates a final key associated with its set of attributes. The DU can obtain the encrypted data of interest from the CSP. The user can decrypt the encrypted data if and only if the set of properties of the DU satisfies the access policy embedded in the encrypted data.
Preferably, the S1 includes the following contents:
the central authority selects two multiplicative cyclic groups $G$ and $G_p$ of the same prime order, where the parameter $g$ is a generator of $G$, and defines a bilinear map $e: G \times G \to G_p$; then the central authorization center randomly selects $a, b, \alpha, \beta \in Z_p^*$ as the master key and, for each attribute $Att_i$ ($i = 1, 2, \ldots, V$), randomly generates a public key $Q_1, Q_2, \ldots, Q_V$;
let $H: \{0,1\}^* \to G$ be a hash function mapping any binary string to a random element of $G$;
the published public key is as follows:
$PK = (G_p, G, H, g, g^{\alpha}, h = g^{\beta}, e(g,g)^{\alpha}, Q_1, Q_2, \ldots, Q_V)$
the master key is as follows:
$MSK = (a, b, \alpha, \beta, g^{\alpha})$
the master key will be hidden inside the system.
Preferably, the S1 further includes the following contents:
the central authorization center is also responsible for registering each attribute authorization center and the user;
first, the central authority generates a key pair $(sk_{CA}, vk_{CA})$ for signing and verifying, where $vk_{CA}$ is public and may be made known to every entity in the system;
during registration, each attribute authority sends a registration request to the central authority; for each legal attribute authority, the central authority assigns a unique identifier $Aid \in Z_p^*$, then randomly selects a private key $k_{Aid} \in Z_p^*$ and computes the corresponding public key $PK_{Aid} = g^{k_{Aid}}$;
the central authority then generates a certificate $Cert_{Aid}$ containing the public key $PK_{Aid}$ and sends it together with the corresponding private key $k_{Aid}$ to the attribute authorization center with identity Aid;
in addition, each user needs to obtain its own Uid, private key $k_{Uid}$ and certificate $Cert_{Uid}$ from the central authorization center.
Preferably, the S2 includes the following steps:
s21, encrypting the data;
and S22, constructing a strategy tree T.
Preferably, the S21 includes the following contents:
the data owner completes the encryption of the data by himself;
to improve system performance, the data owner selects a random number $K \in G_p$ as the symmetric key and $s \in Z_p^*$, and encrypts the plaintext data M with a symmetric encryption algorithm;
Preferably, the S22 includes the following contents:
all nodes of the policy tree T are assigned a secret number from the root R to the leaf nodes, with the following rules:
the root R is given a secret s corresponding to C generated in the previous step;
for a non-leaf node p assigned a secret $s_p$ with threshold $k_p$, the algorithm randomly generates a polynomial $q_p$ with the following three properties:
the degree of the polynomial $q_p$ must satisfy $d_p = k_p - 1$;
the value of the polynomial at zero is $q_p(0) = s_p$; this property ties the polynomial to the secret of the corresponding node x;
each child node of p with a distinct index z is assigned the value $q_p(z)$;
for a leaf node p that has been assigned a secret $s_p$ and represents an attribute $Att_i$, compute $C'_{Att_i} = g^{s_p}$,
$C''_{Att_i} = H(y)^{s_p}$, $y \in X_1$;
The ciphertext is as follows:
preferably, the S3 includes the following steps:
S31, $U_j \to AA_i$: when the user $U_j$ with unique identifier $Uid_j$ sends an application to obtain a secret key, the user selects a legal attribute authorization center with unique identifier Aid through a certain scheduling algorithm and sends the certificate $Cert_{Uid_j}$ together with some proof that can show the attribute set owned by $U_j$;
S32, $AA_i \to CA$: the user authentication process may be designed to be manual or to be an authentication protocol executed by $AA_i$;
after the user identity authentication succeeds, $AA_i$ obtains the current time point as a threshold $TS$, computes $t_1 = H_1(Uid_j \| TS \| 0)$ and $t_2 = H_1(Uid_j \| TS \| 1)$, and generates an intermediate key; the specific steps are as follows:
the generated intermediate key is sent to the central authorization center;
S33, $CA \to AA_i \to U_j$: after receiving the intermediate key from $AA_i$, the central authority uses the $Aid_i$ of $AA_i$ to obtain the corresponding stored public key $PK_{Aid_i}$;
then the central authority checks whether the transmission delay is within the allowed time interval $Tt$;
assuming the current time is $T'$, if $T' - TS > Tt$ the central authority stops executing and sends a request-denied message to $AA_i$;
if $T' - TS < Tt$, the central authority recomputes $t_1 = H_1(Uid_j \| TS \| 0)$ and $t_2 = H_1(Uid_j \| TS \| 1)$ to ensure that $t_1$ and $t_2$ are not reused by the same user;
this step can prevent collusion attack of the attribute authority; then the central authorization center generates a final secret key for the user and returns the final secret key to the user through the attribute authorization center;
the final key (FUSK) is specified as follows:
where $x \in Att$; $\mu$ and $r$ are two kinds of security parameters not known to the user, and $r_y$ denotes the different $r$-class parameters.
Preferably, the S4 includes the following steps:
s41, obtaining a secret S corresponding to the root of the access policy tree T;
the access decision tree is processed as follows:
for each attribute in the user's extended attribute set $X_2$ that matches the attribute represented by a leaf node of the access decision tree, let the matched attribute be $y$ and its secret value $s_x$; the algorithm is as follows:
for a non-leaf node p, if at least $k_p$ of its child nodes pass the decryption algorithm, the set of decrypted child nodes is denoted $S_p$ and the following algorithm continues:
in the above formula, $S_{x,z}$ denotes the set $S_p$ without the element $z$; this equation returns TRUE because the nodes lie on the same polynomial and $s_x$ is the secret value of this polynomial;
when the root node returns a true value, we obtain $S = e(g,g)^{\mu \cdot s}$ as the input parameter of the second step;
s42, decrypting the data content by using the reconstructed S;
the algorithm is as follows:
Only when the user's extended attribute set $X_2$ matches the access policy tree T can the user decrypt the data with the secret key; otherwise the user cannot decrypt the ciphertext even after downloading all ciphertexts from the cloud server.
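As an added illustration (not code from the patent), the following Python models the top-down policy-tree secret sharing of S22 and the bottom-up Lagrange reconstruction of S41 over the integers modulo a toy prime, which stands in for the exponents of the scheme's groups. The pairing-based leaf check is replaced by a plain attribute-membership test, and the policy, attribute names, root secret and prime are all constructed for the example.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed toy modulus standing in for the prime order p of G and G_p.
P = 2_147_483_647  # 2^31 - 1


@dataclass
class Node:
    """One node of the access policy tree T: a leaf carries an attribute, an
    inner node is a k_p-of-n threshold gate (k_p = 1 is OR, k_p = n is AND).
    `share` is the secret s_p assigned during encryption (S22)."""
    threshold: int = 1
    attribute: Optional[str] = None
    children: List["Node"] = field(default_factory=list)
    share: Optional[int] = None

    def is_leaf(self) -> bool:
        return self.attribute is not None


def _eval_poly(coeffs: List[int], z: int) -> int:
    """Evaluate q_p(z) = coeffs[0] + coeffs[1]*z + ... mod P (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * z + c) % P
    return acc


def distribute_secret(node: Node, s_p: int) -> None:
    """S22: assign s_p to `node`. For a non-leaf node draw a random polynomial
    q_p of degree k_p - 1 with q_p(0) = s_p and give child z the value q_p(z),
    z = 1..n. Only evaluations leave the node, never the polynomial itself."""
    node.share = s_p % P
    if node.is_leaf():
        return
    if not 1 <= node.threshold <= len(node.children):
        raise ValueError("k_p must satisfy 1 <= k_p <= number of children")
    coeffs = [node.share] + [secrets.randbelow(P) for _ in range(node.threshold - 1)]
    for z, child in enumerate(node.children, start=1):
        distribute_secret(child, _eval_poly(coeffs, z))


def _lagrange_at_zero(indices: List[int]) -> Dict[int, int]:
    """Lagrange coefficients L_z(0) = prod_{j != z} (0 - j)/(z - j) mod P, so that
    sum_z L_z(0) * q(z) = q(0) for any polynomial of degree < len(indices)."""
    coefs = {}
    for z in indices:
        num, den = 1, 1
        for j in indices:
            if j != z:
                num = (num * (-j)) % P
                den = (den * (z - j)) % P
        coefs[z] = num * pow(den, P - 2, P) % P  # division via Fermat inverse
    return coefs


def reconstruct_secret(node: Node, user_attrs: Set[str]) -> Optional[int]:
    """S41: return s_p if `user_attrs` satisfies the subtree at `node`, else None.
    In the scheme a leaf yields its share through a pairing of the user's key
    component with the leaf ciphertext; here (constructed simplification) a leaf
    is satisfied iff the user holds its attribute."""
    if node.is_leaf():
        return node.share if node.attribute in user_attrs else None
    recovered: Dict[int, int] = {}
    for z, child in enumerate(node.children, start=1):
        val = reconstruct_secret(child, user_attrs)
        if val is not None:
            recovered[z] = val
    if len(recovered) < node.threshold:
        return None  # |S_p| < k_p: this gate is not satisfied
    chosen = sorted(recovered)[: node.threshold]  # any k_p shares suffice
    lag = _lagrange_at_zero(chosen)
    return sum(recovered[z] * lag[z] for z in chosen) % P


def build_example_policy() -> Node:
    """Constructed policy: (role:doctor AND dept:cardiology) OR role:admin OR
    at least 2 of {site:A, site:B, site:C}. Attribute names are made up."""
    return Node(threshold=1, children=[
        Node(threshold=2, children=[Node(attribute="role:doctor"),
                                    Node(attribute="dept:cardiology")]),
        Node(attribute="role:admin"),
        Node(threshold=2, children=[Node(attribute="site:A"),
                                    Node(attribute="site:B"),
                                    Node(attribute="site:C")]),
    ])


def run_example(root_secret: int = 123456789) -> Dict[str, Optional[int]]:
    """Distribute `root_secret` (the s of the root R) and try several users."""
    tree = build_example_policy()
    distribute_secret(tree, root_secret)
    return {
        "doctor_cardiology": reconstruct_secret(tree, {"role:doctor", "dept:cardiology"}),
        "admin_only": reconstruct_secret(tree, {"role:admin"}),
        "two_sites": reconstruct_secret(tree, {"site:A", "site:C"}),
        "doctor_only": reconstruct_secret(tree, {"role:doctor"}),
        "one_site": reconstruct_secret(tree, {"site:B"}),
    }
```

Satisfying users recover exactly the root secret s, while users with fewer than $k_p$ decrypted children at some gate get nothing, which is the behaviour the text describes for $X_2$ not matching T.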
Preferably, the S5 includes the following contents:
after the attribute authorization center successfully verifies the identity of the user, an intermediate secret key is generated and sent to the central authorization center, and after the central authorization center receives the intermediate secret key, the identity of the user is not verified secondarily, but a final secret key is directly issued;
the system also comprises a tracking mechanism which is executed periodically so as to supervise the attribute authorization center; the tracking mechanism is specifically as follows:
when the central authority starts tracking, in order to confirm the key ownership of the user, the central authority requires the suspicious user $U_j$ to submit $L$, $K'$ and $TS$ from the final secret key; it randomly selects an attribute $x$ from the attributes of the suspicious user, computes $t_1 = H_1(Uid_j \| TS \| 0)$, $t_2 = H_1(Uid_j \| TS \| 1)$ and $K'_x = Q_x^{\alpha t_2} \cdot g^{-b(t_1 + t_2)}$, and then verifies whether the following equation holds:
$e(Q_x, L) = e(g, K' \cdot K'_x)$
if the equation is established, continuing to execute the next step; what is next to be confirmed is which AA replaces the suspect UjGenerating an intermediate key;
the CA uses the master key MSK to recover the public key corresponding to a particular AA as follows:
$PK' = (L \cdot g^{-\alpha t_2})^{1/(\beta t_1)} = g^{k_{Aid_i} \beta t_1 / (\beta t_1)} = g^{k_{Aid_i}}$
CA searches for AA using PK' as an index;
if an $AA_i$ with unique identifier $Aid_i$ has a public key equal to $PK'$, this means that $AA_i$ maliciously or erroneously verified the validity of $U_j$; the discovered malicious attribute authority should be penalized.
Since the attribute authority is an incompletely trusted authority and user validity verification is performed manually, the attribute authority may maliciously or erroneously generate intermediate keys for unverified attribute sets. Furthermore, a malicious user will attempt any possible method to obtain the key associated with a particular set of attributes to obtain data access rights. Under this assumption, the user often has some abnormal behavior. In order to prevent the above situation, it is necessary to add a tracking mechanism, which is periodically executed to supervise the attribute authority.
Therefore, the invention has the following beneficial effects:
1. an efficient method of 0 coding and 1 coding is proposed, so that comparable attributes can be used for arbitrary comparison, and the method is suitable for ABE system;
2. a lightweight and efficient CABE structure is provided; compared with other related schemes, the structure reduces the expanded storage cost by half on average and greatly reduces the computation cost of encryption and decryption;
3. in the scheme, a central authorization center and an attribute authorization center are adopted, so that the burden of the central authorization center is reduced, the authentication of a user and the generation of a secret key are accelerated, and the single-point performance bottleneck is avoided;
4. a tracking mechanism is added to supervise the attribute authority.
Drawings
Fig. 1 is a system model diagram of the present embodiment.
Fig. 2 is an access policy model of embodiment 2.
Detailed Description
The invention is further described with reference to the following detailed description and accompanying drawings.
Example 1:
This embodiment provides a traceable comparison attribute encryption method based on multiple authorization centers. As shown in Fig. 1, the following system model is adopted, which mainly involves five entities: a Central Authority (CA), Attribute Authorities (AAs), a user (data user, DU), a Data Owner (DO), and a Cloud Service Provider (CSP).
CA: the CA is the key generation and management center of the system. It generates unique identifiers and certificates for AAs and DUs, and generates the final key for a DU after receiving the intermediate key from the AA that authenticated that DU. In addition, the CA can trace a malicious AA that generated the intermediate key for a suspect DU.
AA: each AA has sufficient storage and computing power to authenticate any user independently. The AA will perform its certificate validation based on the properties submitted by the DU and generate the corresponding intermediate key on behalf of the CA. It is worth mentioning that: the purpose of introducing multiple AAs is to alleviate the burdensome task of CA certificate validation and key generation, further reducing the possibility of a single point of performance bottleneck.
CSP: the CSP has a huge storage space and a strong computing power, and can provide data storage and information retrieval services for the DU and the DO, respectively.
DO: the DO formulates an access policy for its data, encrypts the file according to the defined policy, and sends the encrypted data together with the encrypted symmetric key to the CSP, so as to share its data with multiple DUs while significantly reducing its local storage and computational burden.
DU: the DU gets a unique identity from the CA and has itself a set of attributes related to the information. The DU will select any one of the AAs for authentication of the identity information, and after authentication of the AA, the CA generates a final key associated with its set of attributes. The DU can obtain the encrypted data of interest from the CSP. The user can decrypt the encrypted data if and only if the set of properties of the DU satisfies the access policy embedded in the encrypted data.
The embodiment comprises the following steps:
s1, initializing the system;
The CA selects two multiplicative cyclic groups $G$ and $G_p$ of the same prime order (the parameter $g$ is a generator of $G$) and defines a bilinear map $e: G \times G \to G_p$. The CA then randomly selects $a, b, \alpha, \beta \in Z_p^*$ as the master key and, for each attribute $Att_i$ ($i = 1, 2, \ldots, V$), randomly generates a public key $Q_1, Q_2, \ldots, Q_V$. Then let $H: \{0,1\}^* \to G$ be a hash function that maps an arbitrary binary string to a random element of $G$. The published public key is as follows:
$PK = (G_p, G, H, g, g^{\alpha}, h = g^{\beta}, e(g,g)^{\alpha}, Q_1, Q_2, \ldots, Q_V)$
the master key is as follows:
$MSK = (a, b, \alpha, \beta, g^{\alpha})$
the master key will be hidden inside the system and not available to other entities.
The CA is also responsible for registering AAs and users. First, the CA generates a key pair $(sk_{CA}, vk_{CA})$ for signing and verifying, where $vk_{CA}$ is public and may be made known to each entity in the system. During registration, each AA sends a registration request to the CA. For each legal AA, the CA assigns a unique identifier $Aid \in Z_p^*$, then randomly selects a private key $k_{Aid} \in Z_p^*$ and computes the corresponding public key $PK_{Aid} = g^{k_{Aid}}$. The CA then generates a certificate $Cert_{Aid}$ containing the public key $PK_{Aid}$ and sends it together with the corresponding private key $k_{Aid}$ to the AA with identity Aid. In addition, each user needs to obtain its own Uid, private key $k_{Uid}$ and certificate $Cert_{Uid}$ from the CA.
S2, encrypting the data;
To share the DO's data under the access policy T, the following two steps must be performed: (1) encrypting the data; (2) constructing the policy tree T.
In the first step, the DO itself encrypts the data. To improve system performance, the DO chooses a random number $K \in G_p$ as the symmetric key and $s \in Z_p^*$, and encrypts the plaintext data M with a symmetric encryption algorithm. The encrypted data is recorded as $C = h^{s}$,
In the second step, every node of $T$ is assigned a secret number, from the root $R$ down to the leaf nodes, by the following rules:
The root $R$ is given the secret $s$ corresponding to $C$ generated in the previous step. For a non-leaf node $p$ (including $R$) that has been assigned a secret $s_p$ and has threshold $k_p$, the algorithm randomly generates a polynomial $q_p$ with the following three properties:
(1) the degree of the polynomial $q_p$ must satisfy $d_p = k_p - 1$;
(2) the value of the polynomial at zero is $q_p(0) = s_p$; this property binds the polynomial to the secret of the corresponding node;
(3) each child node of $p$ with a distinct index $z$ is assigned the value $q_p(z)$.
For a leaf node $p$ that has been assigned a secret $s_p$ and represents the attribute $Att_i$, compute $C'_{Att_i} = g^{s_p}$ and $C''_{Att_i} = H(y)^{s_p}$, $y \in X_1$.
The ciphertext is as follows:
S3, user verification and final key generation;
This process involves the designated user, the selected AA and the CA, in the following three steps:
(1) $U_j \to AA_i$: when the user $U_j$ with unique identifier $Uid_j$ applies for a key, it selects a legal AA with unique identifier $Aid$ through some scheduling algorithm and sends its certificate $Cert_{Uid_j}$ together with a proof of the attribute set that $U_j$ owns.
(2) $AA_i \to CA$: the user authentication process may be manual or an authentication protocol executed by $AA_i$. After the user's identity is authenticated, $AA_i$ takes the current time as the threshold $TS$, computes $t_1 = H_1(Uid_j \| TS \| 0)$ and $t_2 = H_1(Uid_j \| TS \| 1)$, and generates an intermediate key $IC_{Aid_i, Uid_j}$; the specific steps are as follows:
(3) $CA \to AA_i \to U_j$: after receiving the intermediate key from $AA_i$, the CA uses $Aid_i$ to look up the stored public key $PK_{Aid_i}$. The CA then checks whether the transmission delay lies within the allowed interval $Tt$. Let the current time be $T'$: if $T' - TS > Tt$, the CA stops and sends a reject message to $AA_i$; if $T' - TS < Tt$, the CA recomputes $t_1 = H_1(Uid_j \| TS \| 0)$ and $t_2 = H_1(Uid_j \| TS \| 1)$, ensuring that $t_1$ and $t_2$ are not reused by the same user. This step prevents collusion attacks by AAs. The CA then generates the final key for the user and returns it to the user through the AA. The final key (FUSK) is specified as follows:
where $L = (PK_{Aid_i})^{\beta t_1} g^{\alpha t_2} = (g^{k_{Aid_i}})^{\beta t_1} g^{\alpha t_2}$, $K' = Q_x^{k_{Aid_i} \beta t_1} \cdot g^{b(t_1 + t_2)}$, $x \in Att$; $\mu$ and $r$ are two kinds of security parameters unknown to the user, and $r_y$ denotes the different $r$-type parameters.
S4, decrypting the data;
Decryption is also divided into two steps: the first recovers the secret $s$ hidden at the root of the access policy tree $T$; the second decrypts the data content with the reconstructed $s$.
In the first step, the access policy tree is processed as follows:
For any attribute in $X_2$ that matches the attribute represented by a leaf node of the access policy tree, let the corresponding attribute be $y$ and the secret value be $s_x$. The algorithm is as follows:
For a non-leaf node $p$, if at least $k_p$ of its child nodes pass the decryption algorithm, let the set of decrypted child nodes be $S_p$ and continue with the following algorithm:
In the above formula, $S_{x,z}$ denotes the set $S_p$ without the element $z$. The equation returns TRUE because the nodes lie on the same polynomial and $s_x$ is the secret value of that polynomial.
When the root node returns TRUE, we obtain $S = e(g,g)^{\mu \cdot s}$ as the input of the second step, whose algorithm is as follows:
Only when the user's extended attribute set $X_2$ matches the access policy tree $T$ can the user decrypt the data with the secret key; otherwise the user cannot decrypt the ciphertext even after downloading all the ciphertexts from the cloud server.
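The polynomial assignment of S2 (step 2) and the threshold reconstruction of S4 (step 1) are easiest to see on the exponents themselves. The following Python block is an added illustration, not code from the patent: it builds a small threshold tree, shares a root secret down to the leaves with random polynomials of degree $k_p - 1$ satisfying $q_p(0) = s_p$, and recovers the root secret by Lagrange interpolation from any $k_p$ decrypted children. The prime `P`, the example policy and the attribute strings are constructed for the example; the scheme itself keeps $s_p$ hidden in group elements such as $g^{s_p}$ and recovers $e(g,g)^{\mu \cdot s}$ through pairings, a layer that is omitted here.

```python
"""Toy access-policy tree: polynomial secret sharing down the tree (S2, step 2)
and Lagrange reconstruction of the root secret (S4, step 1).

Added illustration, not the patent's own code. Works directly on exponents
in Z_P; the pairing layer of the real scheme is omitted.
"""
import random
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

P = 2**127 - 1  # toy prime standing in for the group order p (assumption)


@dataclass
class Node:
    """Inner node: threshold k_p over its children. Leaf: the attribute it represents."""
    threshold: int = 1
    attr: Optional[str] = None
    children: List["Node"] = field(default_factory=list)
    secret: Optional[int] = None  # s_p, filled in by share_secret


def poly_eval(coeffs: List[int], x: int) -> int:
    """Evaluate q(x) = c0 + c1*x + ... + c_{k-1} x^{k-1} mod P (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def share_secret(node: Node, s: int, rng: random.Random = random.SystemRandom()) -> None:
    """Assign s to node; for an inner node draw q_p of degree k_p - 1 with q_p(0) = s
    and hand child number z the value q_p(z)."""
    node.secret = s % P
    if node.attr is not None:          # leaf: nothing further to share
        return
    k = node.threshold
    if not 1 <= k <= len(node.children):
        raise ValueError("threshold must lie between 1 and the number of children")
    coeffs = [node.secret] + [rng.randrange(1, P) for _ in range(k - 1)]
    for z, child in enumerate(node.children, start=1):
        share_secret(child, poly_eval(coeffs, z), rng)


def lagrange_at_zero(points: List[Tuple[int, int]]) -> int:
    """Interpolate q(0) from k points (z, q(z)) of a degree-(k-1) polynomial mod P."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def reconstruct(node: Node, user_attrs: Set[str]) -> Optional[int]:
    """Recover s_p for node, or None when fewer than k_p children can be decrypted.
    A leaf yields its secret only if the user holds the matching attribute."""
    if node.attr is not None:
        return node.secret if node.attr in user_attrs else None
    shares: List[Tuple[int, int]] = []
    for z, child in enumerate(node.children, start=1):
        value = reconstruct(child, user_attrs)
        if value is not None:
            shares.append((z, value))
        if len(shares) == node.threshold:   # S_p: any k_p decrypted children suffice
            break
    if len(shares) < node.threshold:
        return None
    return lagrange_at_zero(shares)


def build_example_tree() -> Node:
    """Constructed policy: dept=security AND (role=admin OR clearance=high)."""
    or_gate = Node(threshold=1, children=[Node(attr="role=admin"), Node(attr="clearance=high")])
    return Node(threshold=2, children=[Node(attr="dept=security"), or_gate])


if __name__ == "__main__":
    root = build_example_tree()
    share_secret(root, 123456789)
    print(reconstruct(root, {"dept=security", "clearance=high"}))  # 123456789
    print(reconstruct(root, {"clearance=high", "role=admin"}))     # None
```

The `(t, n)` reading of each inner node from Example 2 maps directly onto `threshold` and `len(children)`: `threshold=1` is an OR gate, `threshold=len(children)` an AND gate.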
S5, tracking;
After an AA successfully verifies a user's identity, it generates an intermediate key and sends it to the CA. On receiving the intermediate key, the CA does not authenticate the user a second time but directly issues the final key. Since an AA is not a fully trusted authority and user verification is performed manually, an AA may maliciously or erroneously generate intermediate keys for an unverified attribute set. Furthermore, a malicious user will try every possible means to obtain the key associated with a particular attribute set in order to gain access to data, and under this assumption such a user often shows abnormal behaviour. To prevent this, a tracking mechanism is added and executed periodically to supervise the AAs. The tracking mechanism is as follows:
When the CA starts tracking, in order to confirm the user's key ownership it compels the suspicious user $U_j$ to submit $L$, $K'$ and $TS$ from its final key, and randomly selects an attribute $x \in Att$ of the suspicious user. The CA then computes $t_1 = H_1(Uid_j \| TS \| 0)$, $t_2 = H_1(Uid_j \| TS \| 1)$ and $K_x' = Q_x^{\alpha t_2} \cdot g^{-b(t_1 + t_2)}$, and verifies whether the following equation holds: $e(Q_x, L) = e(g, K' K_x')$
If the equation holds, the next step is to confirm which AA generated the intermediate key on behalf of the suspect $U_j$. The CA uses the master key $MSK$ to recover the public key of that AA as follows:
$PK' = (L \cdot g^{-\alpha t_2})^{1/(\beta t_1)} = g^{k_{Aid_i} \beta t_1 / (\beta t_1)} = g^{k_{Aid_i}}$
The CA uses $PK'$ as an index to search the AAs. If the AA $AA_i$ with unique identifier $Aid_i$ has a public key equal to $PK'$, then $AA_i$ verified the validity of $U_j$ maliciously or erroneously, and the discovered malicious AA should be punished.
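The recovery of $PK'$ above uses only group arithmetic, so it can be exercised in a toy cyclic group without a pairing library. The Python block below is an added illustration, not code from the patent: the CA forms $L = (PK_{Aid_i})^{\beta t_1} g^{\alpha t_2}$ at key issue, strips $g^{\alpha t_2}$ and takes the $(\beta t_1)$-th root with the master key, and looks the result up among the registered AA public keys, after first applying the delay-window check $T' - TS > Tt$ from S3. Assumptions: `Q = 2P + 1` is a small safe prime and `G` generates its order-`P` subgroup (standing in for the pairing group $G$), $H_1$ is SHA-256 reduced into $Z_p^*$, and the identifiers, exponents and timestamps are constructed. The pairing check $e(Q_x, L) = e(g, K' K_x')$ is not reproduced.

```python
"""Trace step S5 in a toy group: recover PK' = (L * g^{-alpha t2})^{1/(beta t1)}
and match it against the registered AA public keys.

Added illustration, not the patent's own code.
"""
import hashlib
from typing import Dict, Optional

Q = 2039   # toy safe prime, Q = 2*P + 1 (constructed for illustration)
P = 1019   # prime order of the subgroup used for exponents (Z_p^* in the scheme)
G = 4      # 4 = 2^2 is a quadratic residue mod Q, so it generates the order-P subgroup


def h1(uid: str, ts: int, tag: int) -> int:
    """t = H1(Uid || TS || tag), mapped into Z_P^* (never 0, so beta*t1 is invertible)."""
    digest = hashlib.sha256(f"{uid}|{ts}|{tag}".encode()).digest()
    return int.from_bytes(digest, "big") % (P - 1) + 1


def register_aa(k_aid: int) -> int:
    """PK_Aid = g^{k_Aid}, stored by the CA when the AA registers."""
    return pow(G, k_aid, Q)


def ca_issue_L(pk_aid: int, alpha: int, beta: int, uid: str, ts: int) -> int:
    """L = (PK_Aid)^{beta t1} * g^{alpha t2}, the traceable component of the final key."""
    t1, t2 = h1(uid, ts, 0), h1(uid, ts, 1)
    return pow(pk_aid, beta * t1, Q) * pow(G, alpha * t2, Q) % Q


def ca_recover_pk(L: int, alpha: int, beta: int, uid: str, ts: int) -> int:
    """PK' = (L * g^{-alpha t2})^{1/(beta t1)}, computed with the master-key values alpha, beta."""
    t1, t2 = h1(uid, ts, 0), h1(uid, ts, 1)
    stripped = L * pow(pow(G, alpha * t2, Q), -1, Q) % Q   # L * g^{-alpha t2}
    root_exp = pow(beta * t1 % P, -1, P)                    # 1/(beta t1) mod P
    return pow(stripped, root_exp, Q)


def trace_aa(L: int, alpha: int, beta: int, uid: str, ts: int,
             registry: Dict[str, int], now: int, tt: int) -> Optional[str]:
    """Return the Aid whose registered public key equals PK', or None.
    Submissions outside the allowed delay window (T' - TS > Tt) are rejected first."""
    if now - ts > tt:
        return None
    pk = ca_recover_pk(L, alpha, beta, uid, ts)
    for aid, pk_aid in registry.items():
        if pk_aid == pk:
            return aid
    return None


if __name__ == "__main__":
    alpha, beta = 17, 23                                   # part of MSK (constructed)
    registry = {"AA1": register_aa(101), "AA2": register_aa(357)}
    uid, ts = "Uid-42", 1_700_000_000
    L = ca_issue_L(registry["AA2"], alpha, beta, uid, ts)
    print(trace_aa(L, alpha, beta, uid, ts, registry, now=ts + 5, tt=60))    # AA2
    print(trace_aa(L, alpha, beta, uid, ts, registry, now=ts + 500, tt=60))  # None
```

Because $t_1$ and $t_2$ are recomputed from $Uid_j$ and $TS$ rather than taken from the user, a user cannot steer the recovery toward a different AA by altering those values; the lookup only succeeds for the AA whose public key was actually bound into $L$.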
Example 2:
As shown in Fig. 2, the access policy model of this embodiment is structured as an access policy tree.
In the access policies of CP-ABE/KP-ABE some attributes are always represented as ranges of values, for example "{age > 18}". Such range-valued attributes cannot be compared with a Boolean function: the results of comparing "{age = 20}" with "{age > 18}" by a Boolean function do not agree, unless the range is rewritten as a disjunction such as "{age = 19} ∨ {age = 20} ∨ ...", and the overhead of that approach grows linearly with the size of the range.
Our scheme uses 0-encoding and 1-encoding for such range-valued attributes. Assume an $n$-bit binary number $x$:
$x = x_1 x_2 \ldots x_n \in \{0,1\}^n$
0-encoding: convert $x$ into a set; if $x_i$ ($i \le n$) equals 0, change $x_i$ to 1 and take the first $i$ bits as one element:
$X^0_x = \{\, x_1 x_2 \ldots x_{i-1} 1 \mid x_i = 0,\ 1 \le i \le n \,\}$
1-encoding: convert $x$ into a set; if $x_i$ ($i \le n$) equals 1, take the first $i$ bits as one element:
$X^1_x = \{\, x_1 x_2 \ldots x_i \mid x_i = 1,\ 1 \le i \le n \,\}$
For size comparison, take two $n$-bit binary numbers $y$ and $z$: convert $y$ to $X^1_y$ by 1-encoding and $z$ to $X^0_z$ by 0-encoding. If the intersection of $X^1_y$ and $X^0_z$ is not empty, then $y > z$. Conversely, the intersection of $X^0_y$ and $X^1_z$ is then empty, and $y > z$ can be judged in the same way. The formula is as follows:
As a specific example, assume two 4-bit binary numbers $y = 11$ ($1011_2$) and $z = 6$ ($0110_2$). Their 0-encodings and 1-encodings are as follows:
$X^0_y = \{11\}$, $X^1_y = \{1, 101, 1011\}$
$X^0_z = \{1, 0111\}$, $X^1_z = \{01, 011\}$
Let the attribute set be $Att = \{Att_1, Att_2, \ldots, Att_V\}$. When $Att_i$ ($i = 1, 2, \ldots, V$) denotes a range value: if the policy requires $Att_i > e$, extend this attribute to $Set_{ie0}(Att_i, e) = \{(Att_i \| ">e" \| c) \mid c \in X^0_e\}$; if it requires $Att_i < e$, extend this attribute to $Set_{ie1}(Att_i, e) = \{(Att_i \| "<e" \| c) \mid c \in X^1_e\}$; these two kinds of sets together are called the extended set $X_1$. If $Att_i$ is a user attribute, extend it into the two sets $Set_{ie0}(Att_i, e) = \{(Att_i \| ">e" \| c) \mid c \in X^0_e\}$ and $Set_{ie1}(Att_i, e) = \{(Att_i \| "<e" \| c) \mid c \in X^1_e\}$; this is called the extended set $X_2$.
In general, the range attributes of an access policy are extended to $X_1$ and the user's attributes are extended to $X_2$. The attribute values here all refer to comparable numeric types, not character types.
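The encodings, the $y > z$ test and the extension into $X_1$ and $X_2$ can be checked on the page's own 4-bit example. The Python block below is an added illustration, not code from the patent. Two details are assumptions of the example rather than statements of the page: the tag placed between the attribute name and the code is a literal ">" or "<" (the page writes ">e" and "<e"), and the user side uses the encoding complementary to the policy side, so that a non-empty intersection of a policy leaf set with the user set is exactly the rule $X^1_y \cap X^0_z \neq \emptyset \Leftrightarrow y > z$ stated above. The attribute names and ages are constructed.

```python
"""0-encoding / 1-encoding of range attributes and the extended sets X_1 / X_2.

Added illustration, not the patent's own code.
"""
from typing import Set


def zero_encoding(x: int, n: int) -> Set[str]:
    """X^0_x = { x_1..x_{i-1} 1 | x_i = 0 }: at every 0 bit, keep the prefix and flip the bit to 1."""
    bits = format(x, f"0{n}b")
    if len(bits) != n:
        raise ValueError(f"{x} does not fit in {n} bits")
    return {bits[:i] + "1" for i in range(n) if bits[i] == "0"}


def one_encoding(x: int, n: int) -> Set[str]:
    """X^1_x = { x_1..x_i | x_i = 1 }: the prefix ending at every 1 bit."""
    bits = format(x, f"0{n}b")
    if len(bits) != n:
        raise ValueError(f"{x} does not fit in {n} bits")
    return {bits[: i + 1] for i in range(n) if bits[i] == "1"}


def greater_than(y: int, z: int, n: int) -> bool:
    """y > z  <=>  X^1_y and X^0_z share at least one element."""
    return bool(one_encoding(y, n) & zero_encoding(z, n))


def policy_leaf_set(attr: str, op: str, e: int, n: int) -> Set[str]:
    """Policy side (X_1): 'attr > e' gives Set_ie0 over X^0_e, 'attr < e' gives Set_ie1 over X^1_e.
    The bare '>' / '<' tag is an assumption of this example."""
    if op == ">":
        codes = zero_encoding(e, n)
    elif op == "<":
        codes = one_encoding(e, n)
    else:
        raise ValueError("op must be '>' or '<'")
    return {f"{attr}|{op}|{c}" for c in codes}


def user_attr_set(attr: str, value: int, n: int) -> Set[str]:
    """User side (X_2): both tags, each carrying the encoding complementary to the policy side
    (assumption), so the intersection realises value > e resp. value < e."""
    return ({f"{attr}|>|{c}" for c in one_encoding(value, n)}
            | {f"{attr}|<|{c}" for c in zero_encoding(value, n)})


def leaf_satisfied(policy_set: Set[str], user_set: Set[str]) -> bool:
    """A 0-/1-coding subtree is an OR gate over its leaves: one shared element suffices."""
    return bool(policy_set & user_set)


if __name__ == "__main__":
    # The page's example: y = 11 (1011), z = 6 (0110)
    print(sorted(zero_encoding(11, 4)), sorted(one_encoding(11, 4)))  # ['11'] ['1', '101', '1011']
    print(sorted(zero_encoding(6, 4)), sorted(one_encoding(6, 4)))    # ['0111', '1'] ['01', '011']
    print(greater_than(11, 6, 4), greater_than(6, 11, 4))              # True False
    policy = policy_leaf_set("age", ">", 18, 8)
    for age in (17, 18, 20):
        print(age, leaf_satisfied(policy, user_attr_set("age", age, 8)))  # False False True
```

Each user value contributes at most $n$ elements per tag and each policy threshold at most $n$ leaves, which is the linear-in-bit-length cost that replaces the enumeration "{age = 19} ∨ {age = 20} ∨ ..." criticised above.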
In Fig. 2, the nodes of the tree are drawn as circles: a circle marked "A" represents an attribute, and a circle marked "OR" represents an OR gate. Each triangle represents a subtree consisting of several nodes; a "threshold gate" consists of several non-leaf nodes, while the "0-coding subtree" and the "1-coding subtree" are single-layer subtrees composed of an OR gate and leaf nodes, whose leaves represent the elements of $Set_{ie0}(Att_i, e)$ or $Set_{ie1}(Att_i, e)$ respectively.
Each non-leaf node of the access policy tree $T$ represents a threshold determined by its number of child nodes and its sharing policy: for a non-leaf node $x$ with sharing policy $(t, n)$, $n$ is its number of child nodes and $t$ its threshold. If $t = 1$ the node is an "OR" gate, and if $t = n$ it is an "AND" gate.
The above embodiments are described in detail for the purpose of further illustrating the present invention and should not be construed as limiting the scope of the present invention, and the skilled engineer can make insubstantial modifications and variations of the present invention based on the above disclosure.
Claims (9)
1. A traceable comparison attribute encryption method based on multiple authorization centers, characterized by comprising the following steps:
S1, initializing the system;
S2, encrypting the data;
S3, user verification and final key generation;
S4, decrypting the data;
S5, tracking.
2. The method of claim 1, wherein said S1 comprises the following contents:
the central authorization center selects two multiplicative cyclic groups $G$ and $G_p$ of the same prime order $p$, where the parameter $g$ is a generator of $G$, and defines a bilinear map $e: G \times G \to G_p$; the central authorization center then randomly selects $a, b, \alpha, \beta \in Z_p^*$ as the master key and, for each attribute $Att_i$ ($i = 1, 2, \ldots, V$), randomly generates a public key $Q_1, Q_2, \ldots, Q_V$;
let $H: \{0,1\}^* \to G$ be a hash function mapping any binary string to a random element of $G$;
the published public key is as follows:
$PK = (G_p, G, H, g, g^{\alpha}, h = g^{\beta}, e(g,g)^{\alpha}, Q_1, Q_2, \ldots, Q_V)$
the master key is as follows:
$MSK = (a, b, \alpha, \beta, g^{\alpha})$
the master key is kept hidden inside the system.
3. The method of claim 2, wherein said S1 further comprises the following steps:
the central authorization center is also responsible for registering each attribute authorization center and each user;
first, the central authorization center generates a key pair $(sk_{CA}, vk_{CA})$ for signing and verification, where $vk_{CA}$ is public and may be made known to every entity in the system;
during registration, each attribute authorization center sends a registration request to the central authorization center, and for each legal attribute authorization center the central authorization center assigns a unique identifier $Aid \in Z_p^*$, then randomly selects a private key $k_{Aid} \in Z_p^*$ and computes the corresponding public key $PK_{Aid} = g^{k_{Aid}}$;
the central authorization center then generates a certificate $Cert_{Aid}$ containing the public key $PK_{Aid}$ and sends it together with the private key $k_{Aid}$ to the attribute authorization center with identity $Aid$;
in addition, each user obtains its own $Uid$, private key $k_{Uid}$ and certificate $Cert_{Uid}$ from the central authorization center.
4. The method of claim 1, wherein said S2 comprises the following steps:
S21, encrypting the data;
S22, constructing the policy tree $T$.
5. The method of claim 4, wherein said S21 comprises the following contents:
the data owner completes the encryption of the data by itself;
to improve system performance, the data owner selects a random number $K \in G_p$ as the symmetric key and a random $s \in Z_p^*$, and encrypts the plaintext data $M$ with a symmetric encryption algorithm;
6. The method of claim 4, wherein said S22 comprises the following contents:
every node of the policy tree $T$ is assigned a secret number, from the root $R$ down to the leaf nodes, by the following rules:
the root $R$ is given the secret $s$ corresponding to $C$ generated in the previous step;
for a non-leaf node $p$ that has been assigned a secret $s_p$ and has threshold $k_p$, the algorithm randomly generates a polynomial $q_p$ with the following three properties:
the degree of the polynomial $q_p$ must satisfy $d_p = k_p - 1$;
the value of the polynomial at zero is $q_p(0) = s_p$; this property binds the polynomial to the secret of the corresponding node;
each child node of $p$ with a distinct index $z$ is assigned the value $q_p(z)$;
for a leaf node $p$ that has been assigned a secret $s_p$ and represents the attribute $Att_i$, compute $C'_{Att_i} = g^{s_p}$ and $C''_{Att_i} = H(y)^{s_p}$, $y \in X_1$;
the ciphertext is as follows:
7. The method of claim 1, wherein said S3 comprises the following steps:
S31, $U_j \to AA_i$: when the user $U_j$ with unique identifier $Uid_j$ applies for a key, it selects a legal attribute authorization center with unique identifier $Aid$ through some scheduling algorithm and sends its certificate $Cert_{Uid_j}$ together with a proof of the attribute set that $U_j$ owns;
S32, $AA_i \to CA$: the user authentication process may be manual or an authentication protocol executed by $AA_i$;
after the user's identity is authenticated, $AA_i$ takes the current time as the threshold $TS$, computes $t_1 = H_1(Uid_j \| TS \| 0)$ and $t_2 = H_1(Uid_j \| TS \| 1)$, and generates an intermediate key $IC_{Aid_i, Uid_j}$ as follows:
the generated intermediate key is sent to the central authorization center as $\{Uid_j, Aid_i, Att, IC_{Aid_i, Uid_j}, TS\}$;
S33, $CA \to AA_i \to U_j$: after the central authorization center receives the intermediate key from $AA_i$, it uses $Aid_i$ to look up the stored public key $PK_{Aid_i}$;
then the central authorization center checks whether the transmission delay lies within the allowed time interval $Tt$;
assuming the current time is $T'$, if $T' - TS > Tt$ the central authorization center stops and sends a request-denied message to $AA_i$;
if $T' - TS < Tt$, the central authorization center recomputes $t_1 = H_1(Uid_j \| TS \| 0)$ and $t_2 = H_1(Uid_j \| TS \| 1)$, ensuring that $t_1$ and $t_2$ are not reused by the same user;
this step prevents collusion attacks by the attribute authorization center; the central authorization center then generates the final key for the user and returns it to the user through the attribute authorization center;
the final key (FUSK) is specified as follows:
where $L = (PK_{Aid_i})^{\beta t_1} g^{\alpha t_2} = (g^{k_{Aid_i}})^{\beta t_1} g^{\alpha t_2}$, $K' = Q_x^{k_{Aid_i} \beta t_1} \cdot g^{b(t_1 + t_2)}$, $x \in Att$; $\mu$ and $r$ are two kinds of security parameters unknown to the user, and $r_y$ denotes the different $r$-type parameters.
8. The method of claim 1, wherein said S4 comprises the following steps:
S41, obtaining the secret $s$ corresponding to the root of the access policy tree $T$;
the access policy tree is processed as follows:
for any attribute in $X_2$ that matches the attribute represented by a leaf node of the access policy tree, let the corresponding attribute be $y$ and the secret value be $s_x$; the algorithm is as follows:
for a non-leaf node $p$, if at least $k_p$ of its child nodes pass the decryption algorithm, let the set of decrypted child nodes be $S_p$ and continue with the following algorithm:
in the above formula, $S_{x,z}$ denotes the set $S_p$ without the element $z$; the equation returns TRUE because the nodes lie on the same polynomial and $s_x$ is the secret value of that polynomial;
when the root node returns TRUE, we obtain $S = e(g,g)^{\mu \cdot s}$ as the input of the second step;
S42, decrypting the data content with the reconstructed $s$;
the algorithm is as follows:
only when the user's extended attribute set $X_2$ matches the access policy tree $T$ can the user decrypt the data with the secret key; otherwise the user cannot decrypt the ciphertext even after downloading all the ciphertexts from the cloud server.
9. The method of claim 1, wherein said S5 comprises the following contents:
after the attribute authorization center successfully verifies the identity of a user, it generates an intermediate key and sends it to the central authorization center; after the central authorization center receives the intermediate key, it does not verify the user's identity a second time but directly issues the final key;
the system further comprises a tracking mechanism executed periodically to supervise the attribute authorization centers; the tracking mechanism is as follows:
when the central authorization center starts tracking, in order to confirm the user's key ownership it compels the suspicious user $U_j$ to submit $L$, $K'$ and $TS$ from its final key, and randomly selects an attribute $x$ of the suspicious user; the central authorization center then computes $t_1 = H_1(Uid_j \| TS \| 0)$, $t_2 = H_1(Uid_j \| TS \| 1)$ and $K_x' = Q_x^{\alpha t_2} \cdot g^{-b(t_1 + t_2)}$, and verifies whether the following equation holds:
$e(Q_x, L) = e(g, K' K_x')$
if the equation holds, the next step is executed: confirming which attribute authorization center generated the intermediate key on behalf of the suspect $U_j$;
the central authorization center uses the master key $MSK$ to recover the public key of that attribute authorization center as follows:
$PK' = (L \cdot g^{-\alpha t_2})^{1/(\beta t_1)} = g^{k_{Aid_i} \beta t_1 / (\beta t_1)} = g^{k_{Aid_i}}$
the central authorization center uses $PK'$ as an index to search the attribute authorization centers;
if the attribute authorization center $AA_i$ with unique identifier $Aid_i$ has a public key equal to $PK'$, then $AA_i$ verified the validity of $U_j$ maliciously or erroneously, and the discovered malicious attribute authorization center should be punished.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110624902.2A CN113489591B (en) | 2021-06-04 | 2021-06-04 | Traceable comparison attribute encryption method based on multiple authorization centers |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113489591A true CN113489591A (en) | 2021-10-08 |
CN113489591B CN113489591B (en) | 2023-09-12 |
Family
ID=77934717
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||