CN113965320A - Ciphertext strategy attribute encryption method supporting quick revocation - Google Patents

Abstract

The invention discloses a ciphertext strategy attribute encryption method supporting quick revocation, which comprises the steps of initializing an algorithm, outputting a public key and a main key by a key center, and sending the public key and the main key to an encryptor and a storage center; after receiving a private key request of a decryptor, executing a key generation algorithm to generate a private key; the encryptor encrypts a data plaintext through an encryption algorithm to generate a primary generation ciphertext, and the primary generation ciphertext is transferred to a storage center; the storage center executes revocation algorithm encryption on the received primary ciphertext to generate a secondary ciphertext; the revocation algorithm updates the iteration ciphertext according to the request times; after receiving a decryption request of a decryptor, acquiring a time stamp of a moment when the decryptor requests to send, and executing a decryption algorithm; the attribute set of the decryptor meets the access policy, and the decryptor carries the timestamp which is consistent with the acquired timestamp for verification, so that the data plaintext can be acquired. The invention does not need the user to keep updating the private key on line through the quick revocation algorithm, reduces the calculation times during decryption, realizes instant revocation and reduces the decryption calculation amount.

Description

Ciphertext strategy attribute encryption method supporting quick revocation

Technical Field

The invention belongs to the technical field of information security, and particularly relates to a ciphertext policy attribute encryption method supporting quick revocation.

Background

Personal Health Record (PHR) sharing systems gradually exert advantages in Health management, but an encryption mechanism of an existing PHR sharing system needs to frequently update a private key online, so that a period of decryption operation is slow, and an existing attribute-based encryption system (ABE) is high in time complexity and space complexity, so that revocation often involves huge calculation amount, and even final decryption calculation is not complicated, so that many schemes cannot be directly applied to the PHR system, and usability of the PHR system is greatly reduced.

Disclosure of Invention

The purpose of the invention is as follows: the ciphertext strategy attribute encryption method supporting quick revocation is provided, and the problems that revocation work in the existing encryption mechanism is large in calculation amount, decryption speed is low, and revocation of a PHR system is not flexible enough are solved.

The technical scheme is as follows: a ciphertext strategy attribute encryption method supporting quick revocation comprises the following steps:

initializing an algorithm after the system is started, outputting a public key and a master key by a key center, and sending the public key and the master key to an encryptor and a storage center;

after receiving the private key request of the decryptor, the key center executes a key generation algorithm to generate a private key;

an encryptor encrypts a data plaintext by using a public key and an access strategy through an encryption algorithm to generate a first generation ciphertext, and the first generation ciphertext is transferred to a storage center;

the storage center executes revocation algorithm encryption on the received primary ciphertext to generate a secondary ciphertext;

after receiving the revocation request of a decryptor, the storage center executes the revocation algorithm again on the second-generation ciphertext to generate a third-generation ciphertext, and if the request times are more than one, the revocation algorithm updates the iteration ciphertext according to the request times;

after receiving the decryption request of the decryptor, the storage center acquires a time stamp of the moment when the decryptor requests to send, and executes a decryption algorithm;

and after the attribute set of the decryptor meets the access policy and the decryptor carries the timestamp which is verified to be consistent with the timestamp acquired in the storage center, the decryptor can acquire the data plaintext, otherwise, the decryption fails.

In a further embodiment, in the initialization algorithm, the public and master key generation process is as follows:

let global attribute space be

Initial clustering of attributes

Inputting a safety parameter 1^λThe algorithm generates a prime number p of length lambda bits and two cyclic groups of order p

And

let g be

Generating a bilinear pairwise map e by an algorithm:

a set of and attribute spaces

Corresponding random number h₁,h₂,…,h_nAnd two collision-resistant hash functions

And H₁:{0,1}^*→Z_p；

Finally outputting the public key

And master key MSK ═ g^α,β}。

In a further embodiment, the private key generation algorithm inputs the set of attributes S, the public key PK, and the master key MSK and then outputs the set of private keys SK and the session public key PK corresponding to the set attributes_session,kThe specific process is as follows:

selecting a random number tau epsilon Z_pAnd calculates a first private key D₁＝g^α+βτAnd a second private key D₂＝g^τ；

For any attribute att in attribute set S_xCalculating the x private key

For any user u_kThe user himself selects a secret character sigma_k∈{0,1}^*Then generates a session private key SK_session,k＝H(ID_k,σ_k) And a session public key

Wherein the ID_kAn identity unique to the user; finally, outputting a private key related to the attribute set S:

in a further embodiment, the specific steps of the first generation ciphertext are as follows:

for an access policy

Note that it contains a total number of attributes of l

Generating corresponding LSSS access structures

Wherein

The method comprises the following steps that a matrix with l rows and m columns is adopted, and rho is a mapping function and is responsible for mapping any row of the matrix into a certain attribute in an access strategy;

secondly, a secret number s is generated to belong to Z_pAnd one random vector v ═ s, v₁,v₂,…,v_m) Wherein v is₁,v₂,…,v_mAre all Z_pA random number of (c);

computing a first ciphertext C₁＝M·e(g,g)^αsAnd a second ciphertext C₂＝g^s(ii) a Att for any one attribute_ρ(i)Computing initial ciphertext of Attribute i

Wherein

Representing a secret shared key share;

and outputting an initial ciphertext:

in a further embodiment of the method of the invention,

the first generation ciphertext executes a revocation (FIR) algorithm for the first time to generate FIR message header headers and FIR ciphertext CT, and the steps are as follows:

clustering by attributes

Generate a corresponding set of attribute group keys

Selecting a secret random number gamma E Z_pAnd generates a session public key PK_session＝g^γAnd a session private key SK_sessionγ; and then calculate the user u with respect to any_kFactor of (2)

Setting any one attribute group

The number of users involved is d, and for this property group, the FIR algorithm generates a polynomial

A set of elements P is then generated₀＝K_x+a₀,P₁＝a₁,…,P_d＝a_dIn turn, with respect to the FIR message header of the attribute group: head device_x＝{P₀＝K_x+a₀,P₁＝a₁,…,P_d＝a_d}；

From this, the global FIR header is:

the final FIR ciphertext is:

in a further embodiment, attribute att is revoked when a decryptor revokes it_yThe method comprises the following specific steps:

the attribute cluster is updated to:

wherein G'_yThe attribute group of the user is removed;

the attribute group key set is updated as:

wherein K'_yIs an updated attribute group key;

then G'_yAll users in the system generate their own randomThe number of machines;

let user u_kThe new random number generated is σ'_kAnd calculates a new public key for the session

The storage center calculates X 'according to the new conversation private key'_k＝(PK′_session,k)^γSubsequently, a new polynomial is generated

To generate a new FIR header:

header′_y＝{P₀＝K′_y+a′₀,P₁＝a′₀,…,P_d′_＝a′_d′}；

the global FIR header will then be updated as:

attribute att is contained in all access strategies_yThe FIR ciphertext of (a) will be updated as:

in a further embodiment, the decryption algorithm steps are as follows:

after the decryption session is established, the timestamp t at this time is recorded, and then the global FIR message header is updated to be:

then, the updated global FIR message header and the FIR ciphertext are sent to the user;

the user firstly calculates the user factor by the time stamp t of the user

Att for arbitrary attributes_xE to S, the decryption algorithm executes the following calculation to obtain a corresponding attribute group key:

wherein the content of the first and second substances,

represents the ith user factor;

after obtaining the attribute group key, the decryption algorithm performs the following calculations:

where ρ (i) ∈ S denotes a row specifying attribute,

D_ρ(i)each represents a private key encryption key pair, and K rho (i) · 1K rho (i) represents the ith row attribute key;

represented as a hash-value algorithm, is,

g^τare all represented as the generator of the group G,_ωi、_βτλiωiare all represented as Z_pA random number of the set.

In a further embodiment, it can be seen from the LSSS property that if the set of attributes does not satisfy the rights of the access policy, the secret s will not be recovered within the polynomial time and the decryption will fail; otherwise, the secret s can be recovered within the polynomial time, so that the decryption calculation formula is established:

the parameter obtained at this time is denoted as a, and then the following bilinear operation is continuously performed:

and recording the obtained parameter as B, and finally executing the following operation to obtain the correct message plaintext M:

has the advantages that: compared with the prior art, the invention has the following advantages:

a Fast and Immediate Revocation (FIR) algorithm is adopted, a user is not required to keep online to update a private key, and multiplication operation required for obtaining an attribute group key during decryption is reduced to only 1 time, so that decryption overhead is reduced while immediate revocation is ensured; improved revocation work calculation efficiency and flexibility and usability of the PHR system are achieved.

Drawings

Fig. 1 is a topological structure diagram of the ciphertext policy supporting quick revocation according to the present invention.

Fig. 2 is a graph comparing average encryption times in embodiment 2 of the present invention.

Fig. 3 is a graph comparing the average decryption time in embodiment 2 of the present invention.

Detailed Description

In order to more fully understand the technical content of the present invention, the technical solution of the present invention will be further described and illustrated with reference to the following specific embodiments, but not limited thereto.

Fig. 1 to fig. 3 are further used to explain an encryption method for supporting fast revocation ciphertext policy attribute, which includes the following steps:

initializing an algorithm after the system is started, outputting a public key and a master key by a key center, and sending the public key and the master key to an encryptor and a storage center;

after receiving the private key request of the decryptor, the key center executes a key generation algorithm to generate a private key;

an encryptor encrypts a data plaintext by using a public key and an access strategy through an encryption algorithm to generate a first generation ciphertext, and the first generation ciphertext is transferred to a storage center;

the storage center executes revocation algorithm encryption on the received primary ciphertext to generate a secondary ciphertext;

after receiving the revocation request of a decryptor, the storage center executes the revocation algorithm again on the second-generation ciphertext to generate a third-generation ciphertext, and if the request times are more than one, the revocation algorithm updates the iteration ciphertext according to the request times;

after receiving the decryption request of the decryptor, the storage center acquires a time stamp of the moment when the decryptor requests to send, and executes a decryption algorithm;

and after the attribute set of the decryptor meets the access policy and the decryptor carries the timestamp which is verified to be consistent with the timestamp acquired in the storage center, the decryptor can acquire the data plaintext, otherwise, the output indicates that the decryption fails.

In a further embodiment, in the initialization algorithm, the public and master key generation process is as follows:

let global attribute space be

Initial clustering of attributes

Inputting a safety parameter 1^λThe algorithm generates a prime number p of length lambda bits and two cyclic groups of order p

And

let g be

Generating a bilinear pairwise map e by an algorithm:

a set of and attribute spaces

Corresponding random number h₁,h₂,…,h_nAnd two collision-resistant hash functions

And H₁:{0,1}^*→Z_p；

Finally outputting the public key

And master key MSK ═ g^α,β}。

In a further embodiment, the private key generation algorithm inputs the set of attributes S, the public key PK, and the master key MSK and then outputs the set of private keys SK and the session public key PK corresponding to the set attributes_session,kThe specific process is as follows:

selecting a random number tau epsilon Z_pAnd calculates a first private key D₁＝g^α+βτAnd a second private key D₂＝g^τ；

For any attribute att in attribute set S_xCalculating the x private key

For any user u_kThe user himself selects a secret character sigma_k∈{0,1}^*Then generates a session private key SK_session,k＝H(ID_k,σ_k) And a session public key

Wherein the ID_kAn identity unique to the user; finally, outputting a private key related to the attribute set S:

in a further embodiment, the specific steps of the first generation ciphertext are as follows:

for an access policy

Note that it contains a total number of attributes of l

Generating corresponding LSSS access structures

Wherein

The method comprises the following steps that a matrix with l rows and m columns is adopted, and rho is a mapping function and is responsible for mapping any row of the matrix into a certain attribute in an access strategy;

secondly, a secret number s is generated to belong to Z_pAnd one random vector v ═ s, v₁,v₂,…,v_m) Wherein v is₁,v₂,…,v_mAre all Z_pA random number of (c);

computing a first ciphertext C₁＝M·e(g,g)^αsAnd a second ciphertext C₂＝g^s(ii) a Att for any one attribute_ρ(i)Computing initial ciphertext of Attribute i

Wherein

Representing a secret shared key share;

and outputting an initial ciphertext:

in a further embodiment of the method of the invention,

the first generation ciphertext executes a revocation (FIR) algorithm for the first time to generate FIR message header headers and FIR ciphertext CT, and the steps are as follows:

clustering by attributes

Generate a corresponding set of attribute group keys

Selecting a secret random number gamma E Z_pAnd generates a session public key PK_session＝g^γAnd a session private key SK_sessionγ; and then calculate the user u with respect to any_kFactor of (2)

Setting any one attribute group

The number of users involved is d, and for this property group, the FIR algorithm generates a polynomial

A set of elements P is then generated₀＝K_x+a₀,P₁＝a₁,…,P_d＝a_dIn turn, with respect to the FIR message header of the attribute group: head device_x＝{P₀＝K_x+a₀,P₁＝a₁,…,P_d＝a_d}；

From this, the global FIR header is:

the final FIR ciphertext is:

in a further embodiment, attribute att is revoked when a decryptor revokes it_yThe method comprises the following specific steps:

the attribute cluster is updated to:

wherein G'_yThe attribute group of the user is removed;

the attribute group key set is updated as:

wherein K'_yIs an updated attribute group key;

then G'_yAll users in the system respectively generate random numbers of the users;

let user u_kThe new random number generated is σ'_kAnd calculates a new public key for the session

The storage center calculates X 'according to the new conversation private key'_k＝(PK′_session,k)^γSubsequently, a new polynomial is generated

To generate a new FIR header:

header′_y＝{P₀＝K′_y+a′₀,P₁＝a′₀,…,P_d′＝a′_d′}；

the global FIR header will then be updated as:

attribute att is contained in all access strategies_yThe FIR ciphertext of (a) will be updated as:

in a further embodiment, the decryption algorithm steps are as follows:

after the decryption session is established, the timestamp t at this time is recorded, and then the global FIR message header is updated to be:

then, the updated global FIR message header and the FIR ciphertext are sent to the user;

the user firstly calculates the user factor by the time stamp t of the user

Att for arbitrary attributes_xE to S, the decryption algorithm executes the following calculation to obtain a corresponding attribute group key:

wherein the content of the first and second substances,

represents the ith user factor;

after obtaining the attribute group key, the decryption algorithm performs the following calculations:

where ρ (i) ∈ S denotes a row specifying attribute,

D_ρ(i)all represent a private key cryptographic key pair, K_ρ(i)·1/K_ρ(i)Representing the ith row attribute key;

represented as a hash-value algorithm, is,

g^τare all represented as the generator of the group G,_ωi、_βτλiωiare all represented as Z_pA random number of the set. A

In a further embodiment, it can be seen from the LSSS property that if the set of attributes does not satisfy the rights of the access policy, the secret s will not be recovered within the polynomial time and the decryption will fail; otherwise, the secret s can be recovered within the polynomial time, so that the decryption calculation formula is established:

the parameter obtained at this time is denoted as a, and then the following bilinear operation is continuously performed:

and recording the obtained parameter as B, and finally executing the following operation to obtain the correct message plaintext M:

from the above ciphertext composition, it can be seen that att is the attribute which is revoked_yEven if it calculates the attribute group key K using the previously acquired message header_yDecryption to obtain the correct message plaintext cannot be completed either because the ciphertext has been updated at this time. Thus, the forward security of the scheme can be guaranteed.

For attribute att still contained in attribute set_yOr just possess attribute att_yWhen the user initiates decryption, the user can only obtain the re-encrypted message header and the re-encrypted ciphertext of the current time stamp, even if the user obtains the message header at a certain past momentThe user cannot know the specific session time, and therefore cannot extract the past attribute group key. Cannot be decrypted correctly even if it has downloaded past ciphertext; therefore, the backward safety of the scheme can be ensured.

The method is verified by the game employing the encryption mechanism in example 1, and the confidentiality of the CP-ABE-FR scheme is stipulated to the difficulty of the DBDH problem by the game. The game is played by the enemy

Simulator

And challenger

The joint participation is completed, and the process is as follows:

(1) an initialization stage: first enemy

Direction simulator

Sending a challenge access policy

Second challenger

Generating a cyclic group

Selecting a generator g of the group and three secrets a, b, c ∈ Z_pAnd g, A ═ g^a、B＝g^b、C＝g^cAnd Z is sent to the simulator

Then simulator

Selecting a cyclic group

And a two-line pair map e:

set of secret random numbers [ beta, r ]₁,r₂,…,r_nAn attribute cluster

And two random prediction machines

And H₁:{0,1}^*→Z_p. Final simulator

To the enemy

The following public key is sent:

(2) an inquiry stage: enemy

Direction simulator

The following two queries are sent a limited number of times:

a. private key challenge: first simulator

A List is maintained. Second enemy

Clustering on attributes

In which one user u is arbitrarily selected_k(memory user u)_kIs represented as ID_kAttribute set is S) parallel simulator

A private key request is issued for the set of attributes S. Then simulator

Generating a random number R₁,R₂,R₃∈Z_pThen, the private key:

final simulator

Add information about user u in List List_kTuple of (2)

b. Encrypting the challenge: first enemy

Selecting a PHR data plaintext M and an access policy

Parallel simulator

Sending a message about M and

the encryption request of (2). Second simulator

Firstly, generating a corresponding attribute group key set according to the attribute group set

And generating and accessing policies

Corresponding LSSS access structure matrix

Simultaneously selecting a secret number s ∈ Z_pAnd one random vector v ═ s, v₁,v₂,…,v_m) Calculating

Then simulator

Generate the following cipher text to

Extracting user's public key PK from List at the same time_session,kAnd constructing a global re-encryption message header according to a real re-encryption algorithm. For users not in List, the simulator

A private key generator is invoked to generate a tuple corresponding to the user and add to the List. Final simulator

Sending the ciphertext and the global re-encrypted message header corresponding to the timestamp at that time to the adversary

(3) A challenge stage: first enemy

Direction simulator

Submitting two PHR data plaintext M with same length₁And M₂. Second simulator

Generating and

corresponding LSSS access structure

And one random vector v ═ s, v₁,v₂,…,v_m). And then for arbitrary attributes

Computing

Wherein

Final simulator

Selects a random bit value delta epsilon {0,1} and returns the following challenge ciphertext to

(4) An inquiry stage: as with step 2, the adversary

Continue to simulator

A limited number of private key challenges and encrypted challenges are sent. It is to be noted that all queries must satisfy the following constraints:

a. in the private key inquiry process, all attribute sets S cannot meet the challenge access policy

b. Access policy

Or is M₁And M₂May not be used to make encrypted queries.

(5) Guessing: enemy

Output δ' ∈ {0,1} as a guess for δ. If delta is delta', enemy

Win challenge game while simulating

Output 1 indicates its guess Z ═ e (g, g)^abc. If δ ≠ δ' then adversary challenge fails while the simulator is in progress

Output 0 represents guess Z ═ e (g, g)^z。

When Z is equal to e (g, g)^abcEncryption process of time, challenge phase andthe encryption process of the real CP-ABE-FR algorithm is the same. Suppose an adversary

The advantage of breaking the CP-ABE-FR algorithm is epsilon', then the simulator

The probability of outputting 1 is:

when Z is equal to e (g, g)^zTime, enemy

The challenge cryptogram obtained is a completely random cryptogram, so that the adversary

The guess of (a) is completely random. In such a case, the simulator

The probability of outputting 1 is:

thus, the simulator

The advantages of solving the DBDH problem are satisfied:

it can be concluded from this that if there is no polynomial time algorithm that can solve the DBDH problem with a non-negligible dominance epsilon, then there must be no polynomial time adversary

And breaking the CP-ABE-FR algorithm. The algorithm can well ensure confidentiality.

In the invention, various network attacks of private key stealing can be faced in the actual use process, the collusion attack is a typical network attack means, and the collusion attack means that a plurality of decryptors illegally generate a brand-new private key through respective private keys, and the brand-new private key can correctly realize correct decryption. If the attribute sets of these multiple decryptors do not conform to the access policy of the ciphertext, but can produce a legal private key through collusion, the security of the ciphertext will be greatly threatened.

In the method of the invention, each time a private key is generated, the algorithm generates a different random number τ and embeds this random number into the private key component, i.e. each private key has a different D ═ g α + β τ. Even if multiple message visitors attempt to collude, a legitimate private key cannot be obtained because different random numbers τ are embedded within the private key components from different message visitors. In summary, CP-ABE-FR is well resistant to collusion attack.

The comparison analysis of the LHS method and the Hur method in the embodiment 2 and the FIR algorithm in the invention is as follows:

definition of T_mulAnd T_expThe time required to perform a single multiplication or exponentiation in generating the header and extracting the attribute group key, respectively

The comparison results are shown in Table 1, LHS method [19 ]]And Hur method [21]Generating a group of attributes G_xThe message header of (1) needs to perform multiplication and exponent operation for 2d times, and the message header of (d) needs to perform multiplication and exponent operation for d (d +3)/2 times when extracting the attribute group key, where d is the attribute group G_xThe number of users involved.

TABLE 1 revocation efficiency comparison

The FIR algorithm proposed herein is generating a group G of attributes_xThe message header of (1) is needed to perform only 1 multiplication, and 2d exponential operations are reduced compared with the LHS method and the Hur method. Meanwhile, the FIR algorithm needs to execute d times of multiplication and d (d +1)/2 times of exponential operation when extracting the corresponding attribute group key, and d times of exponential operation are reduced compared with the two schemes. The FIR algorithm thus improves the computational efficiency of attribute revocation.

The experimental procedure in the codebase for the following examples is as follows:

the experiment is based on a 512-bit elliptic curve, the order of which is a large prime number of 120 bit. The PHR system access control model is established in experiments based on an LHS method, a Hur method and the scheme provided by the text, and the average encryption and decryption calculation time under the condition of different attribute quantities is recorded;

as shown in fig. 2, several system models have average encryption time under different attribute numbers, and both the LHS method and the Hur method support fine-grained instant revocation based on an attribute group, so that ciphertext needs to be encrypted again in the encryption process; while the encryption time of the Hur method is slightly shorter than that of the LHS method, the CP-ABE-FR-based PHR system access control model adds the FIR algorithm, but the FIR algorithm does not generate too much computational load to the encryption work of the system.

As shown in fig. 3, the average decryption time is calculated by using the distributed private key for decryption, but the decryption time is slightly longer in the LHS method. And CP-ABE-FR reduces PHR decryption time by about 9.3%; therefore, in general, the decryption computation efficiency of the PHR system access control model proposed by the present invention is considerable.

Through the rapid instant revocation (FIR) algorithm, a user is not required to keep online to update a private key, and the multiplication operation required for obtaining an attribute group key during decryption is reduced to only 1 time, so that instant revocation is ensured, and decryption overhead is reduced; improved revocation work calculation efficiency and flexibility and usability of the PHR system are achieved.

The present invention has been described above by way of illustration in the drawings, and it will be understood by those skilled in the art that the present disclosure is not limited to the embodiments described above, and various changes, modifications and substitutions may be made without departing from the scope of the present invention.

Claims (8)

1. A ciphertext strategy attribute encryption method supporting quick revocation is characterized by comprising the following steps:

initializing an algorithm after the system is started, outputting a public key and a master key by a key center, and sending the public key and the master key to an encryptor and a storage center;

after receiving the private key request of the decryptor, the key center executes a key generation algorithm to generate a private key;

an encryptor encrypts a data plaintext by using a public key and an access strategy through an encryption algorithm to generate a first generation ciphertext, and the first generation ciphertext is transferred to a storage center;

the storage center executes revocation algorithm encryption on the received primary ciphertext to generate a secondary ciphertext;

after receiving the revocation request of a decryptor, the storage center executes the revocation algorithm again on the second-generation ciphertext to generate a third-generation ciphertext, and if the request times are more than one, the revocation algorithm updates the iteration ciphertext according to the request times;

after receiving the decryption request of the decryptor, the storage center acquires a time stamp of the moment when the decryptor requests to send, and executes a decryption algorithm;

the attribute set of the decryptor meets the access policy, and the decryptor can acquire the data plaintext only after carrying the timestamp which is acquired from the storage center and verifying the consistency.

2. The method for encrypting the ciphertext policy attribute supporting the quick revocation according to claim 1, wherein in an initialization algorithm, the process of generating the public key and the master key is as follows:

let global attribute space be

Initial clustering of attributes

Inputting a safety parameter 1^λThe algorithm generates a prime number p of length lambda bits and two cyclic groups of order p

And

let g be

A generator for generating a bilinear pairwise map by an algorithm

A set of and attribute spaces

Corresponding random number h₁,h₂,…,h_nAnd two collision-resistant hash functions

And H₁:{0,1}^*→Z_p；

Finally outputting the public key

And master key MSK ═ g^α,β}。

3. The method as claimed in claim 1, wherein the secret key generation algorithm inputs the attribute set S, the public key PK, and the master key MSK and then outputs the private key set SK and the session public key PK corresponding to the set attributes_session,kThe specific process is as follows:

selecting a random number tau epsilon Z_pAnd calculates a first private key

And a second private key D₂＝g^τ；

For any attribute att in attribute set S_xCalculating the x private key

For any user u_kThe user himself selects a secret character sigma_k∈{0,1}^*Then generates a session private key SK_session,k＝H(ID_k,σ_k) And a session public key

Wherein the ID_kAn identity unique to the user; finally, outputting a private key related to the attribute set S:

4. the ciphertext policy attribute encryption method supporting quick revocation as claimed in claim 1, wherein the specific steps of the primary ciphertext are as follows:

for an access policy

Note that it contains a total number of attributes of l

Generating corresponding LSSS access structures

Wherein

The method comprises the following steps that a matrix with l rows and m columns is adopted, and rho is a mapping function and is responsible for mapping any row of the matrix into a certain attribute in an access strategy;

secondly, a secret number s is generated to belong to Z_pAnd one random vector v ═ s, v₁,v₂,…,v_m) Wherein v is₁,v₂,…,v_mAre all Z_pA random number of (c);

computing a first ciphertext C₁＝M·e(g,g)^αsAnd a second ciphertext C₂＝g^s(ii) a Att for any one attribute_ρ(i)Computing initial ciphertext of Attribute i

Wherein

Representing a secret shared key share;

and outputting an initial ciphertext:

5. the encryption method for supporting fast revocation of ciphertext policy attributes according to claim 1,

the first generation ciphertext executes a revocation (FIR) algorithm for the first time to generate FIR message header headers and FIR ciphertext CT, and the steps are as follows:

clustering by attributes

Generate a corresponding set of attribute group keys

Selecting a secret random number gamma E Z_pAnd generates a session public key PK_session＝g^γAnd dialoguePrivate key SK_sessionγ; and then calculate the user u with respect to any_kFactor of (2)

Setting any one attribute group

The number of users involved is d, and for this property group, the FIR algorithm generates a polynomial

A set of elements P is then generated₀＝K_x+a₀,P₁＝a₁,…,P_d＝a_dIn turn, with respect to the FIR message header of the attribute group: head device_x＝{P₀＝K_x+a₀,P₁＝a₁,…,P_d＝a_d}；

From this, the global FIR header is:

the final FIR ciphertext is:

6. the method as claimed in claim 1, wherein when attribute att is revoked by a decryptor, the ciphertext policy attribute encryption method supports fast revocation_yThe method comprises the following specific steps:

the attribute cluster is updated to:

wherein G'_yThe attribute group of the user is removed;

the attribute group key set is updated as:

wherein K'_yIs an updated attribute group key;

then G'_yAll users in the system respectively generate random numbers of the users;

let user u_kThe new random number generated is σ'_kAnd calculates a new public key for the session

The storage center calculates X 'according to the new conversation private key'_k＝(PK′_session,k)^γSubsequently, a new polynomial is generated

To generate a new FIR header:

header′_y＝{P₀＝K′_y+a′₀,P₁＝a′₀,…,P_d′＝a′_d′}；

the global FIR header will then be updated as:

attribute att is contained in all access strategies_yThe FIR ciphertext of (a) will be updated as:

7. the method for encrypting the ciphertext policy attribute supporting the quick revocation according to claim 1, wherein a decryption algorithm comprises the following steps:

after the decryption session is established, the timestamp t at this time is recorded, and then the global FIR message header is updated to be:

then, the updated global FIR message header and the FIR ciphertext are sent to the user;

the user firstly calculates the user factor by the time stamp t of the user

Att for arbitrary attributes_xE to S, the decryption algorithm executes the following calculation to obtain a corresponding attribute group key:

wherein the content of the first and second substances,

represents the ith user factor;

after obtaining the attribute group key, the decryption algorithm performs the following calculations:

where ρ (i) ∈ S denotes a row specifying attribute,

D_ρ(i)all represent a private key cryptographic key pair, K_ρ(i)·1/K_ρ(i)Representing the ith row attribute key;

represented as a hash-value algorithm, is,

g^τare all represented as generator, ω, of group G_i、

Are all represented as Z_pA random number of the set.

8. The encryption method for supporting fast revocation of ciphertext policy attributes according to claim 7,

according to the LSSS property, if the attribute set does not meet the authority of the access strategy, the secret s cannot be recovered within the polynomial time, and the decryption fails; otherwise, the secret s can be recovered within the polynomial time, so that the decryption calculation formula is satisfied:

the parameter obtained at this time is denoted as a, and then the following bilinear calculation is continuously performed:

and recording the obtained parameter as B, and finally executing the following operation to obtain the correct message plaintext M:

Images