CN114201773B - SkNN query method and system supporting access time limitation and verifiable result - Google Patents

SkNN query method and system supporting access time limitation and verifiable result Download PDF

Info

Publication number
CN114201773B
CN114201773B CN202111522678.2A CN202111522678A CN114201773B CN 114201773 B CN114201773 B CN 114201773B CN 202111522678 A CN202111522678 A CN 202111522678A CN 114201773 B CN114201773 B CN 114201773B
Authority
CN
China
Prior art keywords
data
evidence
hvs
cloud storage
query
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202111522678.2A
Other languages
Chinese (zh)
Other versions
CN114201773A (en
Inventor
李萌
高剑博
祝烈煌
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hefei University of Technology
Original Assignee
Hefei University of Technology
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hefei University of Technology filed Critical Hefei University of Technology
Priority to CN202111522678.2A priority Critical patent/CN114201773B/en
Publication of CN114201773A publication Critical patent/CN114201773A/en
Application granted granted Critical
Publication of CN114201773B publication Critical patent/CN114201773B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6227Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database where protection concerns the structure of data, e.g. records, types, queries
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/604Tools and structures for managing or administering access control systems
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245Protecting personal data, e.g. for financial or medical purposes
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/64Protecting data integrity, e.g. using checksums, certificates or signatures
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2137Time limited access, e.g. to a computer or data
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141Access rights, e.g. capability lists, access control lists, access tables, access matrices

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Medical Informatics (AREA)
  • Automation & Control Theory (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a SkNN query method and a SkNN query system supporting access time limitation and verifiable results, which are applied to an environment formed by a plurality of data uploading modules, a plurality of data request modules and a data cloud storage module; the data uploading module calculates a data security index with limited access time, uploads the data security index to the data cloud storage module together with encrypted data and shares a secret key with some data request modules; the data request module generates a query token according to the access time, submits the token to the data cloud storage module, decrypts the matched data after waiting for the data to be sent back, verifies the authenticity, and otherwise waits for effective data all the time; the data cloud storage module receives the security index and the encrypted data from the data uploading module, receives the token from the data requesting module, searches the security index by using the token and returns nearest k query results and evidence. The method and the system can protect the privacy of the data requesting party from being damaged by the unreliable data cloud storage party, and are also applicable to the vehicle networking service based on the position.

Description

SkNN query method and system supporting access time limitation and verifiable result
Technical Field
The invention relates to a SkNN query method and a SkNN query system supporting access time limitation and verifiable results, and belongs to the technical fields of privacy protection, cloud service and encrypted data query.
Background
Most location-based services (lbs) allow users to upload their current location and their location to be queried to a cloud server, which returns a query result (such as the most recent ten-premium cafes) to the user. However, in such services, security is a major issue because location is closely related to user privacy, and cloud servers are not completely trusted. In particular, data stored on the cloud may be analyzed or compromised by the cloud server. Meanwhile, commercial cloud servers may be hacked, and public cloud storage services are not completely trusted, making privacy a critical issue. In particular, similar problems exist in location-based internet of vehicles services such as navigation, network taxi taking, intelligent parking, and the like.
In addition, data owners want to have specific access time restrictions on their data items uploaded to the cloud server, while data requesters also have specific access time requirements on data items on the cloud server (e.g., cafes open from 8 to 12). There is a need to focus on the data requirement issues of privacy preserving data owners and data requesters, which include spatial attributes of data items, temporal attributes of data items, category attributes of data items, and query requests of data items. Therefore, it is important to improve query efficiency and increase data verification measures while ensuring the privacy of the data owners and data requesters.
In order to address privacy protection issues, location-based services using secure K nearest neighbor query processing methods have emerged in recent years. Three parties are typically involved in these methods: data uploading party, data requesting party and data cloud storage party. Wherein the data uploader stores the encrypted data and the security index on the data cloud storage. The data request submits a safe K nearest neighbor query to the data cloud storage party, the data cloud storage party returns a corresponding result after searching the database, and the data cloud storage party is not completely trusted. But these approaches do not address the specific data attribute requirement issue, i.e., how SkNN query processing is implemented with secure, time-limited access. This also brings three new requirements:
(1) Access time limit: only matching specific items within the data attribute query time range are returned;
(2) The results can verify that: preventing a data cloud storage party from maliciously excluding or falsifying specific items in the query;
(3) Efficient query: on the premise of ensuring safety, the data query matching is performed efficiently.
Disclosure of Invention
The invention aims to solve the defects of the prior art, and provides a SkNN query method and a SkNN query system which support limited access time and verifiable results, so that the security threat of an untrusted data cloud storage party can be resisted in the process of inquiring cloud-oriented data, the problem of specific data attribute requirements is solved, the privacy problem of a data uploading party and a data requesting party is further protected, and the life and property security of the data uploading party and the data requesting party is guaranteed.
The invention adopts the following technical scheme to achieve the aim of the invention:
the SkNN query system supporting limited access time and verifiable results is characterized by comprising the following components: a plurality of data uploading modules, a plurality of data requesting modules and a data cloud storage module;
the data uploading module comprises: an index generation unit, a shared key transmission unit;
the data request module includes: the device comprises a shared key receiving unit, a token generating unit and a evidence verifying unit;
the data cloud storage module comprises: an index receiving unit, a data searching unit;
the shared key sending unit of any ith data uploading module sends the generated shared key to the index generating unit of the shared key sending unit and the shared key receiving unit of the jth data requesting module respectively;
the index generating unit of the ith data uploading module extracts access time attribute, space attribute and category attribute of the data item to be uploaded, calculates security index and verification information, encrypts the data item to be uploaded by using the shared key to obtain encrypted data, and sends the encrypted data and the security index and the verification information to the index receiving unit for storage;
the index receiving unit receives the encryption information, the security index and the verification information, stores the encryption information, the security index and the verification information and forwards the encryption information, the security index and the verification information to the data searching unit;
the shared key receiving unit of the jth data request module receives the shared key and then forwards the shared key to the token generating unit and the evidence verifying unit of the jth data request module;
the token generating unit of the j-th data request module uses the shared secret key, generates a query token according to the access time attribute, the space attribute and the category attribute of the data item required to be requested by the user and sends the query token to the data searching unit;
the data searching unit searches the security index by using the query token, if the search is successful, the data searching unit sends corresponding encrypted data and verification information to the evidence verification unit of the jth data request module, and if the search is failed, the data searching unit sends an empty string to the evidence verification unit of the jth data request module;
and if the evidence verification unit of the j-th data request module receives the encrypted data, decrypting the encrypted data by using the shared key, and generating a verification result by using the evidence information, thereby judging whether to accept the decrypted data according to the verification result.
The SkNN query method supporting limited access time and verifiable results is characterized by being applied to a network environment formed by a plurality of data uploaders, a plurality of data requesters and a data cloud storage party, and comprises the following steps of:
step one, constructing an index:
step 1.1 any ith data uploader first gives the shared key and updates the data { D 1 ,D 2 ,…,D n Each data item D in } i Calculate its encrypted data E i Each data item D is extracted again i Category attribute Type i Generating a subtree by using data items with the same category attribute, and then respectively generating the different category attributes as root nodes of the subtree and as new leaf nodes so as to generate a whole tree TiveTree;
step 1.2 ith data uploader for each data item D in a leaf node on the subtree i First, access Time Time is extracted i And position L i Position L is coded spatially i Conversion into a position area G #i) And then using the prefix coding method to access the Time Time i Conversion to access period i Finally according to the position area G (i) and the access period i Position area complement LCS (liquid Crystal display) is calculated by utilizing complement coding method i And access time complement TCS i
Step 1.3 given t pseudorandom key hash message authentication code functions h 1 ,h 2 ,...,h t A random predictor H and m+1 keys K 1 ,K 2 ,...,K m ,K m+1 The ith data uploading party initializes an empty indistinguishable bloom filter B i And is provided withThereby respectively dividing the location area G (i) or the access period i The kth prefix pr of (a) k And a random number r n Embedded in an indistinguishable bloom filter B i In (a) and (b); location area complement LCS i And access time complement TCS i Prefix element w in (a) s Calculating evidence bits i =QueLoc(B i ,w s ) And evidence bit hash value->Recalculating the evidence node hash value HV i =hash(E i ) The method comprises the steps of carrying out a first treatment on the surface of the Wherein h is q Indicating the use of the q-th key K q Is a pseudo-random key hash message authentication code function, is a function of>Indicating the use of the (m+1) th key K m+1 A message authentication code function is hashed by the pseudo-random key of (a); />Represents an exclusive OR operation, k ε [1, |S n |],q∈[1,m];|S n The i indicates the location area G (i) or the access period i Is a length of (2); queLoc (B) i ,w s ) For calculating prefix element w s Embedded into notDistinguishable bloom filter B i Is a position in the middle; s epsilon [1, |CS ] n |];|CS n I represents location area complement LCS i And access time complement TCS i Is a length of (2);
step 1.4, the ith data uploading party converts the category attribute in the root node of the subtree into category attribute type by using a prefix coding method i And according to the category attribute type i Calculating category complement YCS by complement coding method i Then according to the process of step 1.3, the category attribute type is selected i And the random number r n Embedded in an indistinguishable bloom filter B i In (a) and (b); at the same time supplement YCS for category i Prefix element w in (a) y Calculating the evidence bit of the whole tree i ′=QueLoc(B i ,w y ) And whole tree evidence bit hash valueThen according to the left subtree left and the right subtree right of the root node; calculating a hash value HV of a whole tree evidence node i ′=hash(HV left ,HV right );HV left Representing the hash value of the whole tree evidence node of the left subtree, HV right Representing right subtree whole tree evidence node hash values
Step 1.5, the ith data uploading party calculates a hash value HV of the evidence root node for the root node of the whole tree TiveTree, the left subtree left and the right subtree right of the root node root =hash(HV left ,HV right );HV left Representing left subtree evidence root node hash value, HV right Representing right subtree evidence root node hash value
Step 1.6 the ith data uploading party uploads the entire tree TiveTree and the random number r n Combining the encrypted data { E }, as a security index 1 ,…E i ,…E n ' and authentication information { bits i ,Hvs i ,HVs i ,HV root Submitting to the data cloud storage; sharing the shared key to any data requesting party; wherein bits i Representing evidence bit sets, and bits i ={bit i ,bit i ′},Hvs i Representing a set of evidence bit hash values, and Hvs i ={Hv i ,Hv i ′},HVs i Represents a set of evidence node hash values, and HVs i ={HV i ,HV i ′};
Step two, token generation:
step 2.1 any jth data requestor uses the prefix encoding method and the space encoding method to Type the category attribute of the required request data item j Access Time j And position L j Respectively converted into corresponding prefix sets
Step 2.2 jth data requestor based on three prefix setsGenerating query tokens respectively->Submitting the data to a data cloud storage party; wherein pr (pr) k ' represents three prefix sets ++>Is an element of |S n 'I' means three prefix sets +.>The length of any one prefix set;
step 2.3 the jth data requestor will query the tokenSending the data to the data cloud storage party;
step three, query processing:
step 3.1, the data cloud storage side receives corresponding security from a plurality of data uploading sides respectivelyIndex and receive a query token from the jth data requestor
Step 3.2, the data cloud storage party starts to use from top to bottom from the root node of the whole tree TiveTreeChecking the query token->If can be matched with any security index, if can be matched, then inquiring the child node until inquiring the root node of the subtree, otherwise, returning the empty character string and verification information { bits } i ,Hvs i ,HVs i ,HV root ' random number r n
Step 3.3 the data cloud storage is utilized from top to bottom from the root node of the subtreeChecking two query tokens->If the two indexes can be matched with any one of the safety indexes, if the two indexes can be matched with each other, the child nodes are continuously inquired until the leaf nodes of the subtrees are inquired, and corresponding encrypted data E is returned i Verification information { bits i ,Hvs i ,HVs i ,HV root ' random number r n Further decrypting the data to the j-th data requesting party, otherwise, returning the empty character string and verification information { bits } i ,Hvs i ,HVs i ,HV root ' random number r n Giving the j-th data request party;
step four, verifying the result:
step 4.1 the jth data requestor receives encrypted data E from the data cloud storage i Or empty character string, from the ith data uploading partyReceiving a shared key and decrypting the encrypted data E using the shared key i To verify encrypted data E i Accuracy of (3);
step 4.2 the jth data requestor receives authentication information { bits from the data cloud storage i ,Hvs i ,HVs i ,HV root ' random number r n And hashes the value set HVs according to the evidence node i The element in the aggregate calculates the verification node hash value HV ver =hash(HVs i,x ,HVs i,y ) Comparison of HV root And HV (high voltage) ver Whether or not to be identical to verify the encrypted data E i If the integrity of the two is the same, executing the step 4.3; otherwise, represent encrypted data E i Incomplete and ending the flow; where x, y=1, 2, …, | HVs i |,|HVs i The i represents the collection HVs i Is a length of (2);
step 4.3 the jth data requestor initializes an empty non-resolvable bloom filter B j Will query the tokenEach element of (a) is embedded in an indistinguishable bloom filter B j Simultaneously calculating corresponding verification bit set bits ver And verifying the set of bit hash values Hv ver Comparing the verification bit sets bits ver And verifying the set of bit hash values Hv ver Respectively with evidence bit sets bits i And evidence bit hash value set Hvs i Whether or not to be identical to verify the encrypted data E i If the integrity of (C) is the same, then represents the encrypted data E i Complete; otherwise, represent encrypted data E i Incomplete.
Compared with the prior art, the invention has the beneficial effects that:
1. the data uploading party extracts the time attribute, the space attribute and the category attribute of the data item, calculates the security index and the verification information, encrypts the data, submits the encrypted data and the index and the verification information to the data cloud storage party, and shares the secret key with the data requesting party. The data requesting party generates a query token and submits the query token to the data cloud storage party to obtain required data and verification information, and the query result is verified. The data cloud storage searches the security index using the token and returns corresponding data and authentication information. The method solves the problem of specific data attribute requirements, achieves the aim of supporting efficient secret state data query with limited access time and verifiable results, and effectively protects the privacy of a data uploading party and a data requesting party;
2. according to the invention, the data uploading party generates the security index and the verification information by using the indistinguishable bloom filter method, the spatial coding method, the prefix coding method and the complement coding method, so that a malicious data cloud storage party cannot acquire the information such as the spatial position of the data uploading party, and the strong index security is achieved;
3. the invention uses the prefix coding method, the complement coding method and the pseudo-random hash function method to enable the data requesting party to generate the query token, solves the problem of specific data attribute requirement, enables the malicious data cloud storage party to be unable to acquire the spatial position information of the data requesting party and the related information of the access time range, and achieves strong token privacy;
4. the invention realizes the low-cost computing operation on each party in the data uploading party, the data requesting party and the data cloud storage party, realizes the lower-cost communication of each party, effectively reduces the query response time, avoids the complex interactive operation taking local execution as the main part, and does not reduce the accuracy of the safe K nearest neighbor query processing.
Drawings
FIG. 1 is a diagram of a prior art security K nearest neighbor query model;
FIG. 2 is a model diagram of a SkNN query system that supports access time limitation and result verifiability in accordance with the present invention;
fig. 3 is an overview of the SkNN query method of the present invention that supports access time limitation and result verifiability.
Detailed Description
In this embodiment, a typical security K nearest neighbor query process is shown in fig. 1, where a data uploading module encrypts data and calculates a security index to upload the data to a data cloud storage module, and a data requesting module sends a security K nearest neighbor query to the data cloud storage module and obtains a return result;
in this embodiment, as shown in fig. 2, a SkNN query system supporting access time limitation and verifiable results includes a plurality of data uploading modules, a plurality of data requesting modules, and a data cloud storage module;
taking cloud-top secret data query processing in one-time restaurant reservation service as an example, the data uploading module is a restaurant providing dining service, the data requesting module is a guest needing to use the restaurant reservation service, and the data cloud storage module is a third party platform. The guest submits the position and the preset time to a third party platform, and the third party platform matches a proper restaurant to conduct reservation;
the data uploading module comprises: an index generation unit, a shared key transmission unit;
the data request module comprises: the device comprises a shared key receiving unit, a token generating unit and a evidence verifying unit;
the data cloud storage module comprises: an index receiving unit, a data searching unit;
the shared key sending unit of any ith data uploading module sends the generated shared key to the index generating unit of the shared key sending unit and the shared key receiving unit of the jth data requesting module respectively;
the index generating unit of the ith data uploading module extracts access time attribute, space attribute and category attribute of the data item to be uploaded, calculates security index and verification information, encrypts the data item to be uploaded by using the shared key to obtain encrypted data, and sends the encrypted data to the index receiving unit together with the security index and the verification information for storage;
the index receiving unit receives the encryption information, the security index and the verification information, and then stores and forwards the encryption information, the security index and the verification information to the data searching unit;
the shared key receiving unit of the jth data request module receives the shared key and then forwards the shared key to the token generating unit and the evidence verifying unit of the jth data request module;
the token generating unit of the jth data request module uses the shared secret key, generates a query token according to the access time attribute, the space attribute and the category attribute of the data item required to be requested by the token generating unit and sends the query token to the data searching unit;
the data searching unit searches the security index by using the query token, if the search is successful, the corresponding encrypted data and verification information are sent to the evidence verification unit of the jth data request module, and if the search is failed, the empty character string is sent to the evidence verification unit of the jth data request module;
and if the evidence verification unit of the j-th data request module receives the encrypted data, decrypting the encrypted data by using the shared secret key, and generating a verification result by using the evidence information, thereby judging whether to accept the decrypted data according to the verification result.
As shown in fig. 3, the SkNN query method supporting access time limitation and verifiable results uses spatial encoding to convert K nearest neighbor questions into equality check questions, prefix encoding to convert equality check questions and range query questions into neighboring keyword query questions, respectively, and finally uses an indistinguishable bloom filter to construct security index and verification information, and utilizes member check in the bloom filter to realize secure and effective query processing and evidence generation.
In this embodiment, a SkNN query method supporting access time limitation and verifiable results is applied to a network environment formed by a plurality of data uploaders, a plurality of data requesters and a data cloud storage, and is performed according to the following steps:
step one, constructing an index:
step 1.1 any ith data uploader first gives the shared key and updates the data { D 1 ,D 2 ,…,D n Each data item D in } i ,D i For the useful information related to the location L, such as the current business hours information uploaded by the restaurant in the reservation restaurant service, the restaurant address information, etc., the encryption data E thereof is calculated i The encryption algorithm here is the AES encryption algorithm, and each data item D is extracted again i Category attribute Type i Generating a subtree by the data items with the same category attribute, and thenRespectively generating different category attributes into root nodes of subtrees and using the root nodes as new leaf nodes so as to generate a whole tree TiveTree;
step 1.2 ith data uploader pair each data item D in a leaf node on a subtree i First, access Time Time is extracted i And position L i Position L is coded spatially i Converting into a position area G (i), and then using a prefix coding method to access Time i Conversion to access period i Finally according to the location area G (i) and the access period i Position area complement LCS (liquid Crystal display) is calculated by utilizing complement coding method i And access time complement TCS i
Step 1.3 given t pseudorandom key hash message authentication code functions h 1 ,h 2 ,...,h t A random predictor H and m+1 keys K 1 ,K 2 ,...,K m ,K m+1 The ith data uploader initializes an empty indistinguishable bloom filter B i And is provided withThereby respectively dividing the location area G (i) or the access period i The kth prefix pr of (a) k And a random number r n Embedded in an indistinguishable bloom filter B i In (a) and (b); location area complement LCS i And access time complement TCS i Prefix element w in (a) s Calculating evidence bits i =QueLoc(B i ,w s ) And evidence bit hash value->Recalculating the evidence node hash value HV i =hash(E i ) The method comprises the steps of carrying out a first treatment on the surface of the Wherein h is q Indicating the use of the q-th key K q The pseudo-random key hash message authentication code function of the system comprises a key hash message authentication code which refers to a hash value obtained by adding a key into data and then carrying out hash operation; />Indicating the use of the (m+1) th key K m+1 A message authentication code function is hashed by the pseudo-random key of (a); />Represents an exclusive OR operation, k ε [1, |S n |],q∈[1,m];|S n The i indicates the location area G (i) or the access period i Is a length of (2); queLoc (B) i ,w s ) For calculating prefix element w s Embedded in an indistinguishable bloom filter B i Is a position in the middle; s epsilon [1, |CS ] n |];|CS n I represents location area complement LCS i And access time complement TCS i Is a length of (2);
step 1.4 ith data uploader converts category attributes in root nodes of subtrees into category attribute types by prefix coding method i And according to the category attribute type i Calculating category complement YCS by complement coding method i Then according to the process of step 1.3, the category attribute type is selected i Prefix and random number r in (a) n Embedded in an indistinguishable bloom filter B i In (a) and (b); at the same time supplement YCS for category i Prefix element w in (a) y Calculating the evidence bit 'of the whole tree' i =QueLoc(B i ,w y ) And whole tree evidence bit hash valueThen according to the left subtree left and the right subtree right of the root node; calculating a hash value HV of a whole tree evidence node i ′=hash(HV′ left ,HV′ right );HV′ left Representing the hash value of the whole tree evidence node of the left subtree, HV' right Representing right subtree whole tree evidence node hash values
Step 1.5 ith data upload Fang Duizheng root node of TiveTree, left subtree left and right subtree right of root node, calculate evidence root node hash value HV root =hash(HV left ,HV right );HV left Representing left subtree evidence root node hash value, HV right Representing right subtree evidence root node hash value
Step 1.6 ith data uploading method includes the steps of combining the whole tree TiveTree and the random number r n Combining the encrypted data { E }, as a security index 1 ,…E i ,…E n ' and authentication information { bits i ,Hvs i ,HVs i ,HV root Submitting to a data cloud storage; sharing the shared key to any data requesting party; wherein bits i Representing evidence bit sets, and bits i ={bit i ,bit′ i },Hvs i Representing a set of evidence bit hash values, and Hvs i ={Hv i ,Hv′ i },HVs i Represents a set of evidence node hash values, and HVs i ={HV i ,HV′ i };
Step two, token generation:
step 2.1 any jth data requestor uses the prefix encoding method and the space encoding method to Type the category attribute of the required request data item j Access Time j And position L j Respectively converted into corresponding prefix setsFor example, in a reservation restaurant service, restaurant business hours information, current address information, etc. queried by guests;
step 2.2 jth data requestor based on three prefix setsGenerating query tokens respectively->Submitting the data to a data cloud storage party; wherein pr (pr) k ' represents three prefix sets ++>Is an element of |S n 'I' means three prefix sets +.>Any of (3)The length of one prefix set;
step 2.3 jth data requestor will query the tokenTransmitting the data to a data cloud storage party;
step three, query processing:
step 3.1 the data cloud storage receives the respective security indexes from the plurality of data uploaders, respectively, and receives the query token from the jth data requestor
Step 3.2, the data cloud storage party starts to use from top to bottom from the root node of the whole tree TiveTreeCheck query token->If can be matched with any security index, if can be matched, then inquiring the child node until inquiring the root node of the subtree, otherwise, returning the empty character string and verification information { bits } i ,Hvs i ,HVs i ,HV root ' random number r n
Step 3.3 data cloud storage side starts from root node of subtree and uses from top to bottomChecking two query tokens->If the two indexes can be matched with any one of the safety indexes, if the two indexes can be matched with each other, the child nodes are continuously inquired until the leaf nodes of the subtrees are inquired, and corresponding encrypted data E is returned i Verification information { bits i ,Hvs i ,HVs i ,HV root ' random number r n To the jth data requesting partyStep decrypting the data, otherwise, returning the empty character string and verification information { bits } i ,Hvs i ,HVs i ,HV root ' random number r n To the jth data requestor;
step four, verifying the result:
step 4.1 jth data requestor receives encrypted data E from the data cloud storage i Or an empty string, receives the shared key from the ith data uploading party and decrypts the encrypted data E using the shared key i To verify encrypted data E i Accuracy of (3);
step 4.2 jth data requestor receives authentication information { bits from data cloud storage i ,Hvs i ,HVs i ,HV root ' random number r n And hashes the value set HVs according to the evidence node i The element in the aggregate calculates the verification node hash value HV ver =hash(HVs i,x ,HVs i,y ) Comparison of HV root And HV (high voltage) ver Whether or not to be identical to verify the encrypted data E i If the integrity of the two is the same, executing the step 4.3; otherwise, represent encrypted data E i Incomplete and ending the flow; where x, y=1, 2, …, | HVs i |,|HVs i The i represents the collection HVs i Is a length of (2);
step 4.3 jth data requestor initializing an empty indistinguishable bloom filter B j Will query the tokenEach element of (a) is embedded in an indistinguishable bloom filter B j Simultaneously calculating corresponding verification bit set bits ver And verifying the set of bit hash values Hv ver Comparing the verification bit sets bits ver And verifying the set of bit hash values Hv ver And evidence bit set bits i And evidence bit hash value set Hvs i Whether or not to be identical to verify the encrypted data E i If the integrity of (C) is the same, then represents the encrypted data E i Complete and finish the flow; otherwise, represent encrypted data E i Incomplete and the process ends.
In summary, the invention improves the security K nearest neighbor algorithm, solves the problem of specific attribute requirements, realizes the SkNN query method and the SkNN query system supporting limited access time and verifiable result, and can effectively resist the security threat of an untrusted data cloud storage party, thereby protecting the privacy security, personal safety and property security of a data request party.

Claims (2)

1. A SkNN challenge system supporting access time limitation and result verifiable, comprising: a plurality of data uploading modules, a plurality of data requesting modules and a data cloud storage module;
the data uploading module comprises: an index generation unit, a shared key transmission unit;
the data request module includes: the device comprises a shared key receiving unit, a token generating unit and a evidence verifying unit;
the data cloud storage module comprises: an index receiving unit, a data searching unit;
the shared key sending unit of any ith data uploading module sends the generated shared key to the index generating unit of the shared key sending unit and the shared key receiving unit of the jth data requesting module respectively;
the index generating unit of the ith data uploading module extracts access time attribute, space attribute and category attribute of the data item to be uploaded, calculates security index and verification information, encrypts the data item to be uploaded by using the shared key to obtain encrypted data, and sends the encrypted data and the security index and the verification information to the index receiving unit for storage;
the index receiving unit receives the encryption information, the security index and the verification information, stores the encryption information, the security index and the verification information and forwards the encryption information, the security index and the verification information to the data searching unit;
the shared key receiving unit of the jth data request module receives the shared key and then forwards the shared key to the token generating unit and the evidence verifying unit of the jth data request module;
the token generating unit of the j-th data request module uses the shared secret key, generates a query token according to the access time attribute, the space attribute and the category attribute of the data item required to be requested by the user and sends the query token to the data searching unit;
the data searching unit searches the security index by using the query token, if the search is successful, the data searching unit sends corresponding encrypted data and verification information to the evidence verification unit of the jth data request module, and if the search is failed, the data searching unit sends an empty string to the evidence verification unit of the jth data request module;
and if the evidence verification unit of the j-th data request module receives the encrypted data, decrypting the encrypted data by using the shared key, and generating a verification result by using the evidence information, thereby judging whether to accept the decrypted data according to the verification result.
2. The SkNN query method supporting limited access time and verifiable results is characterized by being applied to a network environment formed by a plurality of data uploaders, a plurality of data requesters and a data cloud storage party, and comprises the following steps of:
step one, constructing an index:
step 1.1 any ith data uploader first gives the shared key and updates the data { D 1 ,D 2 ,…,D n Each data item D in } i Calculate its encrypted data E i Each data item D is extracted again i Category attribute Type i Generating a subtree by using data items with the same category attribute, and then respectively generating the different category attributes as root nodes of the subtree and as new leaf nodes so as to generate a whole tree TiveTree;
step 1.2 ith data uploader for each data item D in a leaf node on the subtree i First, access Time Time is extracted i And position L i Position L is coded spatially i Converting into a position area G (i), and then using a prefix coding method to access Time i Conversion to access period i Finally according to the position area G (i) and the access period i Position area complement LCS (liquid Crystal display) is calculated by utilizing complement coding method i And access time complement TCS i
Step 1.3 given t pseudorandom key hash message authentication code functions h 1 ,h 2 ,...,h t A random predictor H and m+1 keys K 1 ,K 2 ,...,K m ,K m+1 The ith data uploading party initializes an empty indistinguishable bloom filter B i And is provided withThereby respectively dividing the location area G (i) or the access period i The kth prefix pr of (a) k And a random number r n Embedded in an indistinguishable bloom filter B i In (a) and (b); location area complement LCS i And access time complement TCS i Prefix element w in (a) s Calculating evidence bits i =QueLoc(B i ,w s ) And evidence bit hash value->Recalculating the evidence node hash value HV i =hash(E i ) The method comprises the steps of carrying out a first treatment on the surface of the Wherein h is q Indicating the use of the q-th key K q Is a pseudo-random key hash message authentication code function, is a function of>Indicating the use of the (m+1) th key K m+1 A message authentication code function is hashed by the pseudo-random key of (a); />Represents an exclusive OR operation, k ε [1, |S n |],q∈[1,m];|S n The i indicates the location area G (i) or the access period i Is a length of (2); queLoc (B) i ,w s ) For calculating prefix element w s Embedded in an indistinguishable bloom filter B i In (a) and (b)A location; s epsilon [1, |CS ] n |];|CS n I represents location area complement LCS i And access time complement TCS i Is a length of (2);
step 1.4, the ith data uploading party converts the category attribute in the root node of the subtree into category attribute type by using a prefix coding method i And according to the category attribute type i Calculating category complement YCS by complement coding method i Then according to the process of step 1.3, the category attribute type is selected i And the random number r n Embedded in an indistinguishable bloom filter B i In (a) and (b); at the same time supplement YCS for category i Prefix element w in (a) y Calculating the evidence bit 'of the whole tree' i =QueLoc(B i ,w y ) And whole tree evidence bit hash valueThen according to the left subtree left and the right subtree right of the root node; calculating a hash value HV of a whole tree evidence node i ′=hash(HV′ left ,HV′ right );HV′ left Representing the hash value of the whole tree evidence node of the left subtree, HV' right Representing right subtree whole tree evidence node hash values
Step 1.5, the ith data uploading party calculates a hash value HV of the evidence root node for the root node of the whole tree TiveTree, the left subtree left and the right subtree right of the root node root =hash(HV left ,HV right );HV left Representing left subtree evidence root node hash value, HV right Representing right subtree evidence root node hash value
Step 1.6 the ith data uploading party uploads the entire tree TiveTree and the random number r n Combining the encrypted data { E }, as a security index 1 ,…E i ,…E n ' and authentication information { bits i ,Hvs i ,HVs i ,HV root Submitting to the data cloud storage; sharing the shared key to any data requesting party; wherein bits i Representing evidence bit sets, and bits i ={bit i ,bit′ i },Hvs i Representing a set of evidence bit hash values, and Hvs i ={Hv i ,Hv′ i },HVs i Represents a set of evidence node hash values, and HVs i ={HV i ,HV i ′};
Step two, token generation:
step 2.1 any jth data requestor uses the prefix encoding method and the space encoding method to Type the category attribute of the required request data item j Access Time j And position L j Respectively converted into corresponding prefix sets
Step 2.2 jth data requestor based on three prefix setsGenerating query tokens, respectivelySubmitting the data to a data cloud storage party; wherein pr' k Representing three prefix sets->Is an element of |S |' n I represents three prefix setsThe length of any one prefix set;
step 2.3 the jth data requestor will query the tokenSending the data to the data cloud storage party;
step three, query processing:
step 3.1, the data cloud storage side receives corresponding security indexes from a plurality of data uploading sides respectively, and the data cloud storage side receives corresponding security indexes from the j th numberUpon receipt of the query token by the requestor
Step 3.2, the data cloud storage party starts to use from top to bottom from the root node of the whole tree TiveTreeChecking the query token->If can be matched with any security index, if can be matched, then inquiring the child node until inquiring the root node of the subtree, otherwise, returning the empty character string and verification information { bits } i ,Hvs i ,HVs i ,HV root ' random number r n
Step 3.3 the data cloud storage is utilized from top to bottom from the root node of the subtreeChecking two query tokens->If the two indexes can be matched with any one of the safety indexes, if the two indexes can be matched with each other, the child nodes are continuously inquired until the leaf nodes of the subtrees are inquired, and corresponding encrypted data E is returned i Verification information { bits i ,Hvs i ,HVs i ,HV root ' random number r n Further decrypting the data to the j-th data requesting party, otherwise, returning the empty character string and verification information { bits } i ,Hvs i ,HVs i ,HV root ' random number r n Giving the j-th data request party;
step four, verifying the result:
step 4.1 the jth data requestor receives encrypted data E from the data cloud storage i Or empty wordsA string of characters, receiving a shared key from the ith data uploading party and decrypting the encrypted data E using the shared key i To verify encrypted data E i Accuracy of (3);
step 4.2 the jth data requestor receives authentication information { bits from the data cloud storage i ,Hvs i ,HVs i ,HV root ' random number r n And hashes the value set HVs according to the evidence node i The element in the aggregate calculates the verification node hash value HV ver =hash(HVs i,x ,HVs i,y ) Comparison of HV root And HV (high voltage) ver Whether or not to be identical to verify the encrypted data E i If the integrity of the two is the same, executing the step 4.3; otherwise, represent encrypted data E i Incomplete and ending the flow; where x, y=1, 2, …, | HVs i |,|HVs i The i represents the collection HVs i Is a length of (2);
step 4.3 the jth data requestor initializes an empty non-resolvable bloom filter B j Will query the tokenEach element of (a) is embedded in an indistinguishable bloom filter B j Simultaneously calculating corresponding verification bit set bits ver And verifying the set of bit hash values Hv ver Comparing the verification bit sets bits ver And verifying the set of bit hash values Hv ver Respectively with evidence bit sets bits i And evidence bit hash value set Hvs i Whether or not to be identical to verify the encrypted data E i If the integrity of (C) is the same, then represents the encrypted data E i Complete; otherwise, represent encrypted data E i Incomplete.
CN202111522678.2A 2021-12-13 2021-12-13 SkNN query method and system supporting access time limitation and verifiable result Active CN114201773B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111522678.2A CN114201773B (en) 2021-12-13 2021-12-13 SkNN query method and system supporting access time limitation and verifiable result

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111522678.2A CN114201773B (en) 2021-12-13 2021-12-13 SkNN query method and system supporting access time limitation and verifiable result

Publications (2)

Publication Number Publication Date
CN114201773A CN114201773A (en) 2022-03-18
CN114201773B true CN114201773B (en) 2024-02-13

Family

ID=80653255

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111522678.2A Active CN114201773B (en) 2021-12-13 2021-12-13 SkNN query method and system supporting access time limitation and verifiable result

Country Status (1)

Country Link
CN (1) CN114201773B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CA2936106A1 (en) * 2016-07-14 2018-01-14 Mirza Kamaludeen Encrypted data - data integrity verification and auditing system
WO2018019815A1 (en) * 2016-07-25 2018-02-01 Robert Bosch Gmbh Method and system for dynamic searchable symmetric encryption with forward privacy and delegated verifiability
CN110334526A (en) * 2019-05-30 2019-10-15 西安电子科技大学 It is a kind of that the forward secrecy verified is supported to can search for encryption storage system and method
CN110602099A (en) * 2019-09-16 2019-12-20 广西师范大学 Privacy protection method based on verifiable symmetric searchable encryption
CN111935141A (en) * 2020-08-10 2020-11-13 合肥工业大学 Single-time inadvertent anti-link query system and method for secret data
CN112804050A (en) * 2021-04-14 2021-05-14 湖南大学 Multi-source data query system and method

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CA2936106A1 (en) * 2016-07-14 2018-01-14 Mirza Kamaludeen Encrypted data - data integrity verification and auditing system
WO2018019815A1 (en) * 2016-07-25 2018-02-01 Robert Bosch Gmbh Method and system for dynamic searchable symmetric encryption with forward privacy and delegated verifiability
EP3488554A1 (en) * 2016-07-25 2019-05-29 Robert Bosch GmbH Method and system for dynamic searchable symmetric encryption with forward privacy and delegated verifiability
CN110334526A (en) * 2019-05-30 2019-10-15 西安电子科技大学 It is a kind of that the forward secrecy verified is supported to can search for encryption storage system and method
CN110602099A (en) * 2019-09-16 2019-12-20 广西师范大学 Privacy protection method based on verifiable symmetric searchable encryption
CN111935141A (en) * 2020-08-10 2020-11-13 合肥工业大学 Single-time inadvertent anti-link query system and method for secret data
CN112804050A (en) * 2021-04-14 2021-05-14 湖南大学 Multi-source data query system and method

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
一种面向移动云存储的可验证访问控制方案;王谦;熊书明;;计算机工程;20160515(05);全文 *
排序可验证的语义模糊可搜索加密方案;杨书略 等;工程科学与技术;20170720(04);全文 *

Also Published As

Publication number Publication date
CN114201773A (en) 2022-03-18

Similar Documents

Publication Publication Date Title
CN107256248B (en) Wildcard-based searchable encryption method in cloud storage security
CN101593196B (en) Method, device and system for rapidly searching ciphertext
EP2731041B1 (en) Computer system for storing and retrieval of encrypted data items, client computer, computer program product and computer-implemented method
CN106330865B (en) Attribute-based keyword searching method supporting efficient revocation in cloud environment and cloud computing application system
Yiu et al. Enabling search services on outsourced private spatial data
CN106803784A (en) The multi-user based on lattice is fuzzy in secure multimedia cloud storage can search for encryption method
CN102187618B (en) Method and apparatus for pseudonym generation and authentication
CN105007161B (en) A kind of fuzzy keyword public key search encryption method of trapdoor None- identified
CN112511599B (en) Civil air defense data sharing system and method based on block chain
CN111935141B (en) Single-time inadvertent anti-link query system and method for secret data
CN108021677A (en) The control method of cloud computing distributed search engine
CN108092766A (en) A kind of cipher text searching method for verifying authority and its system
RuWei et al. Study of privacy-preserving framework for cloud storage
CN114567465B (en) Block chain-based classified medical data searchable encryption method
CN116469501A (en) Electronic medical record sharing method, system, equipment and storage medium based on blockchain
Li et al. Secure deduplication storage systems with keyword search
CN112215626B (en) Online taxi booking system and method supporting annular order verifiable
CN116663046A (en) Private data sharing and retrieving method, system and equipment based on blockchain
CN114201773B (en) SkNN query method and system supporting access time limitation and verifiable result
CN108055256A (en) The platform efficient deployment method of cloud computing SaaS
CN115664801A (en) Block chain-based distributed digital identity management authentication method and system
Wang et al. An effective verifiable symmetric searchable encryption scheme in cloud computing
CN114595472B (en) Method and system for repeated, careless and anti-link query of secret state data
CN107995298A (en) The data reusing method of parallel cloud computing
Sharaf Non-repudiation and privacy-preserving sharing of electronic health records

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant