CN113965320A - Ciphertext strategy attribute encryption method supporting quick revocation - Google Patents
- Publication number: CN113965320A (application CN202111157036.7A)
- Authority: CN (China)
- Prior art keywords: ciphertext, attribute, key, algorithm, revocation
- Prior art date
- Legal status: Pending (status as listed by Google Patents; not a legal conclusion)
Classifications
- H: ELECTRICITY
- H04: ELECTRIC COMMUNICATION TECHNIQUE
- H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0891: Revocation or update of secret information, e.g. encryption key update or rekeying
- H04L9/0816: Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819: Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/0822: Key transport or distribution using a key encryption key
- H04L9/0861: Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0866: Generation of secret information involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
- H04L9/0869: Generation of secret information involving random numbers or seeds
- H04L9/32: Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3297: Means for verifying identity, authority or message authenticity involving time stamps, e.g. generation of time stamps
- H04L63/00: Network architectures or network communication protocols for network security
- H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Storage Device Security (AREA)
Abstract
The invention discloses a ciphertext-policy attribute-based encryption method supporting quick revocation. A key center runs an initialization algorithm that outputs a public key and a master key and sends them to the encryptor and to a storage center; on receiving a private key request from a decryptor, it runs a key generation algorithm to produce the private key. The encryptor encrypts the data plaintext with an encryption algorithm to produce a first-generation ciphertext, which is transferred to the storage center. The storage center runs the revocation algorithm on the received first-generation ciphertext to produce a second-generation ciphertext, and the revocation algorithm re-encrypts the ciphertext iteratively, once per revocation request. On receiving a decryption request from a decryptor, the storage center records the timestamp of the moment the request was sent and runs the decryption algorithm; the decryptor recovers the data plaintext only if its attribute set satisfies the access policy and the timestamp it carries verifies as consistent with the recorded one. Thanks to the quick revocation algorithm, users need not stay online to update their private keys, fewer operations are needed at decryption time, revocation is immediate, and the decryption cost is reduced.
Description
Technical Field
The invention belongs to the technical field of information security and, in particular, relates to a ciphertext-policy attribute-based encryption (CP-ABE) method supporting quick revocation.
Background
Personal Health Record (PHR) sharing systems are increasingly valuable in health management, but the encryption mechanism of existing PHR sharing systems requires private keys to be updated online frequently, which makes decryption slow for a period of time. Existing attribute-based encryption (ABE) schemes also have high time and space complexity: revocation typically involves a large amount of computation, and even the final decryption is computationally heavy. As a result, many schemes cannot be applied directly to a PHR system, and the usability of the PHR system suffers greatly.
Disclosure of Invention
Purpose of the invention: to provide a ciphertext-policy attribute-based encryption method supporting quick revocation, solving the problems that revocation in existing encryption mechanisms is computationally expensive, decryption is slow, and revocation in a PHR system is not flexible enough.
Technical scheme: a ciphertext-policy attribute-based encryption method supporting quick revocation comprises the following steps:
after the system starts, an initialization algorithm is run; the key center outputs a public key and a master key and sends them to the encryptor and to the storage center;
on receiving a private key request from a decryptor, the key center runs the key generation algorithm to produce the private key;
the encryptor encrypts the data plaintext under the public key and an access policy using the encryption algorithm, producing a first-generation ciphertext that is transferred to the storage center;
the storage center runs the revocation algorithm on the received first-generation ciphertext, producing a second-generation ciphertext;
on receiving a revocation request concerning a decryptor, the storage center runs the revocation algorithm again on the second-generation ciphertext to produce a third-generation ciphertext; if there is more than one request, the revocation algorithm updates the ciphertext iteratively, once per request;
on receiving a decryption request from a decryptor, the storage center records the timestamp of the moment the request was sent and runs the decryption algorithm;
if the decryptor's attribute set satisfies the access policy and the timestamp carried by the decryptor verifies as consistent with the timestamp recorded at the storage center, the decryptor obtains the data plaintext; otherwise decryption fails.
In a further embodiment, the public key and master key are generated in the initialization algorithm as follows:
on input a security parameter $1^{\lambda}$, the algorithm generates a prime $p$ of $\lambda$ bits and two cyclic groups of order $p$ (the pairing's source group $G$ and its target group);
let $g$ be a generator of $G$; the algorithm generates a bilinear pairing $e$, random numbers $h_1, h_2, \ldots, h_n$, one for each attribute in the attribute space, and two collision-resistant hash functions $H$ and $H_1 : \{0,1\}^{*} \to \mathbb{Z}_p$;
In a further embodiment, the private key generation algorithm takes the attribute set $S$, the public key $PK$ and the master key $MSK$ and outputs the private key $SK$ for $S$ together with the session public key $PK_{session,k}$, as follows:
select a random $\tau \in \mathbb{Z}_p$ and compute the first private key component $D_1 = g^{\alpha + \beta\tau}$ and the second private key component $D_2 = g^{\tau}$;
for every attribute $att_x$ in the attribute set $S$, compute the private key component for attribute $x$; for any user $u_k$, the user chooses a secret string $\sigma_k \in \{0,1\}^{*}$ and derives the session private key $SK_{session,k} = H(ID_k, \sigma_k)$ and the corresponding session public key, where $ID_k$ is the user's unique identity; finally, output the private key for the attribute set $S$:
In a further embodiment, the first-generation ciphertext is produced as follows:
first, generate the LSSS access structure corresponding to the access policy, consisting of an access matrix with $l$ rows and $m$ columns and a mapping function $\rho$ that maps each row of the matrix to an attribute of the access policy;
second, choose a secret $s \in \mathbb{Z}_p$ and a random vector $\vec{v} = (s, v_1, v_2, \ldots, v_m)$, where $v_1, v_2, \ldots, v_m$ are random elements of $\mathbb{Z}_p$;
compute the first ciphertext component $C_1 = M \cdot e(g,g)^{\alpha s}$ and the second ciphertext component $C_2 = g^{s}$; for every attribute $att_{\rho(i)}$, compute the initial ciphertext component of attribute $i$ from $\lambda_i$, the LSSS share of the secret $s$ assigned to row $i$;
output the initial ciphertext:
In a further embodiment, the first-generation ciphertext is passed once through the Fast and Immediate Revocation (FIR) algorithm, which produces the FIR message header and the FIR ciphertext $CT$ as follows:
select a secret random $\gamma \in \mathbb{Z}_p$ and set the session public key $PK_{session} = g^{\gamma}$ and the session private key $SK_{session} = \gamma$; then compute the factor for each user $u_k$;
for any attribute group $G_x$ with $d$ members, the FIR algorithm generates a polynomial and from it the elements $P_0 = K_x + a_0, P_1 = a_1, \ldots, P_d = a_d$, which form the FIR message header of that attribute group: $header_x = \{P_0 = K_x + a_0, P_1 = a_1, \ldots, P_d = a_d\}$;
from these, the global FIR header is:
the final FIR ciphertext is:
In a further embodiment, when attribute $att_y$ is revoked from a decryptor, the steps are as follows:
all users remaining in the attribute group $G'_y$ generate new random numbers of their own;
from the new session keys, the storage center computes $X'_k = (PK'_{session,k})^{\gamma}$, then generates a new polynomial and from it a new FIR header:
$header'_y = \{P_0 = K'_y + a'_0, P_1 = a'_1, \ldots, P_{d'} = a'_{d'}\}$;
the global FIR header is then updated to:
and the FIR ciphertext of every access policy containing attribute $att_y$ is updated to:
In a further embodiment, the decryption algorithm proceeds as follows:
once the decryption session is established, the current timestamp $t$ is recorded and the global FIR message header is updated to:
the updated global FIR message header and the FIR ciphertext are then sent to the user;
the user first computes the user factor from its timestamp $t$; then, for every attribute $att_x \in S$, the decryption algorithm computes the corresponding attribute group key:
with the attribute group keys in hand, the decryption algorithm performs the following computation:
where $\rho(i) \in S$ denotes the attribute assigned to row $i$, $D_{\rho(i)}$ denotes the private key component for that attribute, $K_{\rho(i)}$ and $1/K_{\rho(i)}$ denote the attribute group key of row $i$ and its inverse, $H$ denotes the hash function, $g$ and $g^{\tau}$ are generators of the group $G$, and $\omega_i$, $\beta\tau$ and $\lambda_i\omega_i$ are elements of $\mathbb{Z}_p$.
In a further embodiment, by the LSSS property, if the attribute set does not satisfy the access policy the secret $s$ cannot be recovered in polynomial time and decryption fails; otherwise $s$ can be recovered in polynomial time, so that the decryption formula holds:
the value obtained at this point is denoted $A$, and the following bilinear operation is then carried out:
the result is denoted $B$, and the following operation finally yields the correct message plaintext $M$:
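The LSSS sharing used in the encryption algorithm and the recovery of $s$ at decryption, as an added worked example that is not part of the patent: the script below converts an AND/OR access policy into an access matrix and row-to-attribute map $\rho$ (using the Lewko-Waters conversion of a monotone formula, an assumption, since the page does not say how its $l \times m$ matrix is built), computes the shares $\lambda_i$ as the product of row $i$ with $\vec{v}$, and recovers $s = \sum_i \omega_i \lambda_i$ only when the attribute set satisfies the policy. The toy prime `P`, the function names, the sample policy and the attribute names are my own constructions; the pairing and group operations of the scheme are not modeled.

```python
"""LSSS access structures for CP-ABE: policy -> (matrix, rho), sharing, reconstruction.

Added example, not the patent's own code. The policy-to-matrix step uses the
Lewko-Waters conversion of a monotone AND/OR formula (assumption: the page does
not say how its matrix is built). Arithmetic is over Z_p with a toy prime
(assumption); the scheme's pairing and group elements are not modeled.
"""
import random

P = 2**61 - 1  # toy prime standing in for the pairing group order (assumption)


def policy_to_lsss(policy):
    """Convert a nested AND/OR policy into (rows, rho).

    policy is an attribute name (str) or ("AND", left, right) / ("OR", left, right).
    rows[i] is row i of the access matrix over Z_p; rho[i] is the attribute it maps to.
    Lewko-Waters: the root is labelled (1); an OR node copies its label to both
    children; an AND node labels one child (label | 1), the other (0,...,0 | -1),
    and grows the vector length by one.
    """
    rows, rho = [], []
    width = [1]  # current vector length, shared with the recursive helper

    def label(node, vec):
        if isinstance(node, str):
            rows.append(vec)
            rho.append(node)
            return
        op, left, right = node
        if op == "OR":
            label(left, list(vec))
            label(right, list(vec))
        elif op == "AND":
            c = width[0]
            width[0] += 1
            label(left, vec + [0] * (c - len(vec)) + [1])
            label(right, [0] * c + [P - 1])
        else:
            raise ValueError("unknown gate: %r" % (op,))

    label(policy, [1])
    m = width[0]
    return [r + [0] * (m - len(r)) for r in rows], rho


def share(rows, s, rng):
    """lambda_i = M_i . v with v = (s, v_1, ..., v_{m-1}): one entry per matrix column."""
    m = len(rows[0])
    v = [s % P] + [rng.randrange(P) for _ in range(m - 1)]
    return [sum(a * b for a, b in zip(row, v)) % P for row in rows]


def solve_mod_p(a, b):
    """Solve a x = b over Z_p by Gauss-Jordan elimination; None if inconsistent."""
    n, k = len(a), len(a[0])
    mat = [list(row) + [rhs] for row, rhs in zip(a, b)]
    pivots, r = [], 0
    for c in range(k):
        piv = next((i for i in range(r, n) if mat[i][c] % P), None)
        if piv is None:
            continue
        mat[r], mat[piv] = mat[piv], mat[r]
        inv = pow(mat[r][c], P - 2, P)
        mat[r] = [x * inv % P for x in mat[r]]
        for i in range(n):
            if i != r and mat[i][c]:
                f = mat[i][c]
                mat[i] = [(x - f * y) % P for x, y in zip(mat[i], mat[r])]
        pivots.append(c)
        r += 1
        if r == n:
            break
    if any(mat[i][k] % P for i in range(r, n)):  # a zero row with nonzero rhs
        return None
    x = [0] * k
    for i, c in enumerate(pivots):
        x[c] = mat[i][k]
    return x


def reconstruct(rows, rho, shares, attrs):
    """Recover s from the shares of rows whose attribute is in attrs, or None.

    Finds omega with sum_i omega_i * M_i = (1, 0, ..., 0) over the selected rows;
    by the LSSS property such omega exist iff attrs satisfies the policy, and then
    sum_i omega_i * lambda_i = s.
    """
    idx = [i for i, att in enumerate(rho) if att in attrs]
    if not idx:
        return None
    m = len(rows[0])
    a = [[rows[i][c] for i in idx] for c in range(m)]  # m equations, |idx| unknowns
    omega = solve_mod_p(a, [1] + [0] * (m - 1))
    if omega is None:
        return None
    return sum(w * shares[i] for w, i in zip(omega, idx)) % P


def run_demo(seed=7):
    """Constructed PHR-style policy: doctor AND (cardiology OR emergency)."""
    rng = random.Random(seed)
    rows, rho = policy_to_lsss(("AND", "doctor", ("OR", "cardiology", "emergency")))
    s = rng.randrange(1, P)
    shares = share(rows, s, rng)
    return {
        "secret": s,
        "authorized": reconstruct(rows, rho, shares, {"doctor", "emergency"}),
        "insufficient": reconstruct(rows, rho, shares, {"doctor"}),
        "unauthorized": reconstruct(rows, rho, shares, {"cardiology", "emergency"}),
    }


if __name__ == "__main__":
    out = run_demo()
    print("recovered" if out["authorized"] == out["secret"] else "FAILED",
          "| insufficient ->", out["insufficient"], "| unauthorized ->", out["unauthorized"])
```

The reconstruction step deliberately solves for $\omega$ from the matrix alone, never from the shares, which is what makes an unsatisfying set fail: for {cardiology, emergency} the selected rows span only the second coordinate and no combination reaches $(1, 0)$, so no $\omega$ exists and the secret stays hidden regardless of how many shares the colluding rows hold.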
Advantages: compared with the prior art, the invention has the following advantages:
it adopts a Fast and Immediate Revocation (FIR) algorithm, so users need not stay online to update their private keys, and the number of multiplications needed to obtain an attribute group key at decryption time drops to one; decryption overhead is therefore reduced while revocation remains immediate. The computational efficiency of revocation improves, as do the flexibility and usability of the PHR system.
Drawings
Fig. 1 is a topology diagram of the ciphertext-policy scheme supporting quick revocation according to the invention.
Fig. 2 is a graph comparing average encryption times in embodiment 2 of the present invention.
Fig. 3 is a graph comparing the average decryption time in embodiment 2 of the present invention.
Detailed Description
To make the technical content of the invention fully understood, its technical solution is further described and illustrated with reference to the following specific embodiments, without being limited to them.
Fig. 1 to Fig. 3 further illustrate the ciphertext-policy attribute-based encryption method supporting quick revocation; its steps and its initialization, key generation, encryption, FIR, revocation and decryption algorithms are those set out above under Disclosure of the Invention.
From the ciphertext composition above it can be seen that a user whose attribute $att_y$ has been revoked cannot decrypt to the correct plaintext even if it computes the attribute group key $K_y$ from a previously obtained message header, because the ciphertext has been updated by then. The forward security of the scheme is thus guaranteed.
A user whose attribute set still contains $att_y$, or who has only just been granted $att_y$, receives only the re-encrypted message header and re-encrypted ciphertext for the current timestamp when it initiates decryption. Even if such a user obtained a message header from some past moment, it does not know the corresponding session time and so cannot extract the past attribute group key; it cannot decrypt correctly even if it has downloaded past ciphertexts. The backward security of the scheme is thus ensured.
The method is verified by the game using the encryption mechanism of Example 1, which reduces the confidentiality of the CP-ABE-FR scheme to the hardness of the DBDH problem. The game is played jointly by an adversary, a simulator and a challenger, as follows:
(1) Initialization: first the adversary sends a challenge access policy to the simulator. Then the challenger generates a cyclic group, selects a generator $g$ of the group and three secrets $a, b, c \in \mathbb{Z}_p$, and sends $g$, $A = g^{a}$, $B = g^{b}$, $C = g^{c}$ and $Z$ to the simulator. The simulator then selects a cyclic target group and a bilinear map $e$, a set of secret random numbers $\{\beta, r_1, r_2, \ldots, r_n\}$, an attribute cluster, and two random oracles $H$ and $H_1 : \{0,1\}^{*} \to \mathbb{Z}_p$. Finally the simulator sends the following public key to the adversary:
(2) Query phase: the adversary sends the following two kinds of queries to the simulator a bounded number of times:
a. Private key query: the simulator maintains a List. The adversary arbitrarily selects a user $u_k$ from the attribute cluster (the user's identity is $ID_k$ and its attribute set is $S$) and issues a private key request for $S$ to the simulator. The simulator generates random numbers $R_1, R_2, R_3 \in \mathbb{Z}_p$ and then the private key:
b. Encryption query: the adversary selects a PHR data plaintext $M$ and an access policy and sends the simulator an encryption request for them. The simulator first generates the attribute group key set corresponding to the attribute group set, generates the LSSS access structure matrix corresponding to the access policy, selects a secret $s \in \mathbb{Z}_p$ and a random vector $\vec{v} = (s, v_1, v_2, \ldots, v_m)$, and computes the shares; it then generates the following ciphertext:
At the same time the simulator extracts the user's public key $PK_{session,k}$ from the List and builds the global re-encryption message header with the real re-encryption algorithm. For a user not in the List, the simulator invokes the private key generator to produce the tuple for that user and adds it to the List. Finally the simulator sends the ciphertext and the global re-encryption message header for the current timestamp to the adversary.
(3) Challenge phase: the adversary submits two PHR data plaintexts $M_1$ and $M_2$ of equal length to the simulator. The simulator generates the LSSS access structure corresponding to the challenge access policy and a random vector $\vec{v} = (s, v_1, v_2, \ldots, v_m)$, computes the per-attribute components, selects a random bit $\delta \in \{0,1\}$ and returns the following challenge ciphertext to the adversary:
(4) Query phase: as in step (2), the adversary continues to send a bounded number of private key queries and encryption queries to the simulator, subject to the following constraints:
(5) Guess: the adversary outputs $\delta' \in \{0,1\}$ as its guess of $\delta$. If $\delta = \delta'$ the adversary wins the game and the simulator outputs 1, meaning it guesses $Z = e(g,g)^{abc}$; if $\delta \neq \delta'$ the adversary loses and the simulator outputs 0, meaning it guesses $Z = e(g,g)^{z}$.
When $Z = e(g,g)^{abc}$, the encryption in the challenge phase is identical to that of the real CP-ABE-FR algorithm. If the adversary's advantage in breaking CP-ABE-FR is $\varepsilon'$, the probability that the simulator outputs 1 is:
When $Z = e(g,g)^{z}$, the challenge ciphertext the adversary obtains is completely random, so the adversary's guess is completely random. In that case the probability that the simulator outputs 1 is:
It follows that if no polynomial-time algorithm solves the DBDH problem with non-negligible advantage $\varepsilon$, then no polynomial-time adversary breaks the CP-ABE-FR algorithm, which thus guarantees confidentiality.
In practice the invention may face various network attacks aimed at stealing private keys; the collusion attack is a typical one. In a collusion attack, several decryptors illegally combine their respective private keys into a brand-new private key that decrypts correctly. If the attribute sets of these decryptors do not individually satisfy the access policy of the ciphertext, yet colluding yields a valid private key, the security of the ciphertext is seriously threatened.
In the method of the invention, every private key generation draws a fresh random $\tau$ and embeds it in the private key components, so each private key has a different $D_1 = g^{\alpha + \beta\tau}$. Even if several message visitors attempt to collude, they cannot obtain a valid private key, because the components from different visitors embed different random $\tau$ values. In summary, CP-ABE-FR resists collusion attacks well.
A comparison of the LHS method and the Hur method of Example 2 with the FIR algorithm of the invention is as follows:
let $T_{mul}$ and $T_{exp}$ denote the time of a single multiplication and of a single exponentiation, respectively, during header generation and attribute group key extraction.
The comparison results are shown in Table 1. To generate the message header of an attribute group $G_x$, the LHS method [19] and the Hur method [21] need $2d$ multiplications and exponentiations, and to extract the attribute group key from the header they need $d(d+3)/2$ multiplications and exponentiations, where $d$ is the number of users in the attribute group $G_x$.
TABLE 1 Revocation efficiency comparison
The FIR algorithm proposed here needs only one multiplication to generate the message header of an attribute group $G_x$, saving $2d$ exponentiations compared with the LHS and Hur methods. To extract the corresponding attribute group key, the FIR algorithm needs $d$ multiplications and $d(d+1)/2$ exponentiations, $d$ exponentiations fewer than the other two schemes. The FIR algorithm therefore improves the computational efficiency of attribute revocation.
The experimental procedure for the following examples is as follows:
the experiments use a 512-bit elliptic curve whose order is a 120-bit large prime. PHR system access control models are built from the LHS method, the Hur method and the scheme proposed here, and the average encryption and decryption times are recorded for different numbers of attributes;
as shown in Fig. 2, which plots the average encryption time of the system models against the number of attributes, both the LHS method and the Hur method support fine-grained immediate revocation based on attribute groups, so the ciphertext must be re-encrypted during encryption; the encryption time of the Hur method is slightly shorter than that of the LHS method, and although the CP-ABE-FR-based PHR access control model adds the FIR algorithm, the FIR algorithm does not add much computational load to the system's encryption work.
As shown in Fig. 3, the average decryption time is measured by decrypting with the distributed private keys; decryption takes slightly longer in the LHS method, while CP-ABE-FR reduces PHR decryption time by about 9.3%. Overall, the decryption efficiency of the PHR access control model proposed by the invention is considerable.
Through the Fast and Immediate Revocation (FIR) algorithm, users need not stay online to update their private keys, and the number of multiplications needed to obtain an attribute group key at decryption time drops to one, so revocation is immediate while decryption overhead is reduced; the computational efficiency of revocation and the flexibility and usability of the PHR system are improved.
The present invention has been described above by way of illustration in the drawings, and it will be understood by those skilled in the art that the present disclosure is not limited to the embodiments described above, and various changes, modifications and substitutions may be made without departing from the scope of the present invention.
Claims (8)
1. A ciphertext strategy attribute encryption method supporting quick revocation is characterized by comprising the following steps:
after the system is started, the key center runs an initialization algorithm, outputs a public key and a master key, and sends the public key and the master key to the encryptor and the storage center;
after receiving the private key request of the decryptor, the key center executes a key generation algorithm to generate a private key;
the encryptor encrypts a data plaintext with the public key and an access policy through an encryption algorithm to generate a first-generation ciphertext, and the first-generation ciphertext is transferred to the storage center;
the storage center executes the revocation algorithm on the received first-generation ciphertext to generate a second-generation ciphertext;
after receiving a revocation request of a decryptor, the storage center executes the revocation algorithm again on the second-generation ciphertext to generate a third-generation ciphertext, and if there is more than one request, the revocation algorithm iteratively updates the ciphertext according to the number of requests;
after receiving the decryption request of the decryptor, the storage center acquires a timestamp of the moment at which the decryptor sent the request, and executes a decryption algorithm;
the attribute set of the decryptor must satisfy the access policy, and the decryptor can obtain the data plaintext only after carrying the timestamp acquired from the storage center and verifying its consistency.
2. The method for encrypting the ciphertext policy attribute supporting the quick revocation according to claim 1, wherein in an initialization algorithm, the process of generating the public key and the master key is as follows:
Inputting a security parameter 1^λ, the algorithm generates a prime number p of length λ bits and two cyclic groups of order p, and
lets g be a generator; the algorithm generates a bilinear pairing map e, a set of random numbers h_1, h_2, …, h_n corresponding to the attribute space, and two collision-resistant hash functions H and H_1: {0,1}* → Z_p;
3. The method as claimed in claim 1, wherein the secret key generation algorithm takes as input the attribute set S, the public key PK and the master key MSK, and outputs the private key set SK and the session public key PK_session,k corresponding to the set of attributes; the specific process is as follows:
selecting a random number τ ∈ Z_p, and calculating a first private key and a second private key D_2 = g^τ;
for any user u_k, the user selects a secret string σ_k ∈ {0,1}*, then generates a session private key SK_session,k = H(ID_k, σ_k) and a session public key, where ID_k is the identity unique to the user; finally, the private key related to the attribute set S is output:
4. The ciphertext policy attribute encryption method supporting quick revocation as claimed in claim 1, wherein the specific steps of generating the first-generation ciphertext are as follows:
generating the corresponding LSSS access structure, where the access matrix has l rows and m columns, and ρ is a mapping function responsible for mapping any row of the matrix to an attribute in the access policy;
secondly, a secret number s ∈ Z_p is generated together with a random vector v = (s, v_1, v_2, …, v_m), where v_1, v_2, …, v_m are all random numbers in Z_p;
computing a first ciphertext C_1 = M·e(g,g)^{αs} and a second ciphertext C_2 = g^s; for any attribute att_ρ(i), computing the initial ciphertext of attribute i, where the corresponding term represents a share of the secret s;
and outputting an initial ciphertext:
5. The ciphertext policy attribute encryption method supporting fast revocation according to claim 1, wherein
the first-generation ciphertext is passed through the fast instant revocation (FIR) algorithm for the first time to generate the FIR message header and the FIR ciphertext CT, with the following steps:
selecting a secret random number γ ∈ Z_p, generating a session public key PK_session = g^γ and a session private key SK_session = γ, and then calculating the factor X_k for any user u_k;
let the number of users contained in any attribute group G_x be d; for this attribute group the FIR algorithm generates a polynomial, then generates a set of elements P_0 = K_x + a_0, P_1 = a_1, …, P_d = a_d, which in turn form the FIR message header of the attribute group: header_x = {P_0 = K_x + a_0, P_1 = a_1, …, P_d = a_d};
From this, the global FIR header is:
the final FIR ciphertext is:
6. The ciphertext policy attribute encryption method supporting fast revocation as claimed in claim 1, wherein when a decryptor revokes attribute att_y, the specific steps are as follows:
then all users in G'_y respectively generate their own random numbers;
the storage center calculates X'_k = (PK'_session,k)^γ according to the new session private key, then generates a new polynomial to produce a new FIR header:
header'_y = {P_0 = K'_y + a'_0, P_1 = a'_1, …, P_d' = a'_d'};
the global FIR header will then be updated as:
the FIR ciphertexts of all access policies that contain attribute att_y will be updated as:
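As an added illustration of the FIR header of claims 5 and 6 (example code written here, not text from the patent), the following Python models header_x as a polynomial whose constant term is blinded by the group key. Since the page does not show the polynomial, it assumes f(x) = ∏_k (x − X_k) over Z_p with the current members' factors X_k as roots; the prime P, the key and the factors are constructed toy values.

```python
# Added example, not from the patent: FIR attribute-group header (claims 5 and 6).
# ASSUMPTION: the polynomial omitted on the page is f(x) = prod_k (x - X_k) mod p,
# whose roots are the factors X_k of the d users currently in attribute group G_x.

P = 2**127 - 1  # constructed toy prime standing in for the group order p


def poly_from_roots(roots, p=P):
    """Coefficients a_0, ..., a_d of f(x) = prod (x - r) mod p, lowest degree first."""
    coeffs = [1]
    for r in roots:
        new = [0] * (len(coeffs) + 1)
        for i, c in enumerate(coeffs):
            new[i] = (new[i] - r * c) % p      # contribution of the (-r) term
            new[i + 1] = (new[i + 1] + c) % p  # contribution of the x term
        coeffs = new
    return coeffs


def make_header(group_key, user_factors, p=P):
    """header_x = {P_0 = K_x + a_0, P_1 = a_1, ..., P_d = a_d} as in claim 5.
    Only a_0 is blinded with K_x; the other coefficients are published as they are."""
    a = poly_from_roots(user_factors, p)
    return [(group_key + a[0]) % p] + a[1:]


def extract_group_key(header, user_factor, p=P):
    """A user evaluates sum_i P_i * X^i at its own factor X (claim 7 step).
    The sum equals K_x + f(X): exactly K_x when X is a root (a current member),
    and a useless value K_x + f(X) for anyone whose factor is not a root."""
    acc, power = 0, 1
    for coeff in header:
        acc = (acc + coeff * power) % p
        power = power * user_factor % p
    return acc


def revoke(new_group_key, remaining_factors, p=P):
    """Claim 6: remaining users refresh their factors X'_k and the storage center
    publishes header'_y built from a new polynomial and a new key K'_y."""
    return make_header(new_group_key, remaining_factors, p)


if __name__ == "__main__":
    K_x, members = 123456789, [11, 22, 33]          # constructed sample values
    hdr = make_header(K_x, members)
    print([extract_group_key(hdr, x) == K_x for x in members])  # [True, True, True]
    print(extract_group_key(hdr, 44) == K_x)                     # False: not a member
```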
7. the method for encrypting the ciphertext policy attribute supporting the quick revocation according to claim 1, wherein a decryption algorithm comprises the following steps:
after the decryption session is established, the timestamp t at this time is recorded, and then the global FIR message header is updated to be:
then, the updated global FIR message header and the FIR ciphertext are sent to the user;
the user first calculates the user factor from the user's timestamp t; for any attribute att_x ∈ S, the decryption algorithm executes the following calculation to obtain the corresponding attribute group key:
after obtaining the attribute group key, the decryption algorithm performs the following calculations:
where ρ(i) ∈ S denotes the attribute specified by row i, the terms D_ρ(i) together represent a private key pair, K_ρ(i)·1/K_ρ(i) represents the attribute key of row i; the hash term is a hash-value computation; g and g^τ are both generators of group G; ω_i and the remaining exponents are random numbers of the set Z_p.
8. The encryption method for supporting fast revocation of ciphertext policy attributes according to claim 7,
according to the LSSS property, if the attribute set does not satisfy the access policy, the secret s cannot be recovered in polynomial time and decryption fails; otherwise the secret s can be recovered in polynomial time, so that the following decryption formula holds:
the parameter obtained at this point is denoted A, and the following bilinear calculation is then performed:
and recording the obtained parameter as B, and finally executing the following operation to obtain the correct message plaintext M:
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111157036.7A CN113965320A (en) | 2021-09-30 | 2021-09-30 | Ciphertext strategy attribute encryption method supporting quick revocation |
Publications (1)
Publication Number | Publication Date |
---|---|
CN113965320A true CN113965320A (en) | 2022-01-21 |
Family
ID=79462737
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113965320A (en) |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108737391A (en) | 2018-05-03 | 2018-11-02 | Xidian University | Information service entity identity management system and identity quick revocation method |
US20190020480A1 (en) * | 2017-07-14 | 2019-01-17 | International Business Machines Corporation | Establishing trust in an attribute authentication system |
Non-Patent Citations (2)
Title |
---|
Yan Xincheng; Chen Yue; Ba Yang; Jia Hongyong; Wang Zhonghui: "Updatable attribute-based encryption scheme supporting dynamic changes of user permissions", Journal of Computer Research and Development (计算机研究与发展) |
Li Weiyong et al.: "Research on an ABE algorithm supporting fast revocation in personal health record clouds", Electronic Devices (电子器件) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115277139A (en) | 2022-07-18 | 2022-11-01 | Nanjing LES Information Technology Co., Ltd. | Flight plan data security sharing method based on lightweight attribute-based encryption |
CN115277139B (en) | 2022-07-18 | 2023-07-21 | Nanjing LES Information Technology Co., Ltd. | Lightweight attribute-based encryption-based flight plan data secure sharing method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||