CN114339743A - Internet of things client privacy protection authentication method based on edge calculation - Google Patents

Abstract

The invention relates to an Internet of things client privacy protection authentication method based on edge computing, which comprises the following steps: s1: the central base station establishes the public parameters of the system and completes the registration of all the clients and n edge servers, simultaneously constructs a binary tree according to the upper limit of the number of the clients, each edge server generates a group of public and private key pairs, wherein the public keys are safely shared to any entity in the system, and the central base station generates the public key of the system according to the public keys of the edge servers; s2: issuing an attribute key for a client; s3: the cloud server calculates a cloud server token according to the attribute key, and the client generates a signature message according to the cloud server token; s4: judging whether the signature message is legal or not by any other client according to the predicate strategy, if so, outputting 1, and otherwise, outputting 0; s5: and the revocation of the client is realized by utilizing a binary tree structure.

Description

Internet of things client privacy protection authentication method based on edge calculation

Technical Field

The invention relates to the technical field of information security, in particular to an internet of things client privacy protection authentication method based on edge computing.

Background

In the message transmission process, the Internet of things equipment ensures the integrity of the transmitted message by introducing various signature mechanisms. However, in conventional digital signature mechanisms, verification is performed for a particular public key, which exposes the associated identity information to any verifying entity in its entirety. In other words, such a signature mechanism does not provide any privacy or anonymity requirements. To balance message integrity verification and identity privacy protection, various schemes have been proposed to address both security issues. In particular, the pseudonymization technology is widely used in terms of realizing privacy protection for anonymous communication. Pseudonymization mechanisms based on symmetric cryptography are computationally efficient but are generally not suitable for sensitive end-to-end communication, since an internet of things terminal must contact a base station to decrypt or verify information received from another terminal. Pseudonym mechanisms based on public key certificates incur a significant storage and communication overhead because the public key certificate must be sent with the message to facilitate message authentication by the recipient. While identity-based pseudonym mechanisms remove the need for public key certificates, they require a trusted center to issue pseudonyms. The scheme based on the group signature can indeed meet the requirement that the terminal of the internet of things generates the signature on the premise of not revealing identity information, but the terminal of the internet of things is responsible for aggregating all nodes to one group on the assumption that a trusted group manager exists.

The pseudonym mechanism based on the symmetric password, the asymmetric password and the identity password is static in nature and cannot meet the requirements of the internet of things system with dynamic change or frequent update, and the development of the attribute encryption technology provides a new direction for solving the problem. In the attribute signature system, a signer constructs a legal signature according to a promised predicate policy, and after a verifier successfully verifies the signature, the signed message can be obtained without being tampered, the signer really has an attribute set meeting the predicate policy, and specific identity information of more signers can not be obtained.

However, in the conventional attribute signature mechanism, a single authorization center can forge the signature of any client by generating a client key, or when the authorization center is attacked, the whole system is threatened. Although multiple-grant attribute signature schemes have been constructed, they do not alter the fact that a central authority decides on the system master key, and therefore do not fundamentally address the key escrow issue. Meanwhile, along with the movement and position change of the client, the problem of revocation of the client is a great challenge, and the unique and trusted authorization center may issue a private key for an illegal client for reputation benefit or cannot update the private key for the revoked client in time, which all affect the security of the system; finally, a large number of power operations and bilinear operations with high computational complexity in the signature generation process cannot be borne by mobile equipment with limited computing power and storage resources.

Disclosure of Invention

The invention aims to provide an Internet of things client privacy protection authentication method based on edge computing, so as to solve the problem of key escrow and relieve the management burden of mobile equipment.

The internet of things client privacy protection authentication method based on edge calculation meets the following requirements: firstly, a plurality of edge servers are set as edge servers to manage and verify the attributes of users, and issue private key components associated with the attributes, each edge server can manage the attributes of the whole system, so that the application of a user key cannot be influenced by the downtime of one edge server; secondly, by applying a gate trap secret sharing technology, each edge server interactively shares a main key of the edge server, the central base station reconstructs to obtain a complete system main key, but any edge server and any central base station cannot forge a signature through an attribute key, and the central base station cannot issue a private key for a malicious user at will and even cannot forge a signature of a legal client; thirdly, the client is managed by applying the existing binary tree structure, and the revocation of the user is quickly realized; and meanwhile, outsourcing computing power of the cloud server is applied, and power operation and bilinear mapping operation with high computing complexity are outsourced to cloud computing processing.

The invention provides an Internet of things client privacy protection authentication method based on edge computing, which comprises the following steps:

s1: the central base station establishes the public parameters of the system and completes the registration of all the clients and n edge servers, simultaneously constructs a binary tree according to the upper limit of the number of the clients, each edge server generates a group of public and private key pairs, wherein the public keys are safely shared to any entity in the system, and the central base station generates the public key of the system according to the public keys of the edge servers;

s2: issuing an attribute key for a client;

s3: the cloud server calculates according to the attribute key to obtain a cloud server token, and the client generates a signature message according to the cloud server token;

s4: judging whether the signature message is legal or not by any other entity according to the predicate strategy, if so, outputting 1, and otherwise, outputting 0;

s5: and the revocation of the client is realized by utilizing a binary tree structure.

Further, step S1 includes:

s11: the central base station takes a security parameter lambda as input, firstly selects a hash function which can resist collusion attack

Wherein n is_MRepresenting a binary upper bound on the size of the signature message, followed by the selection of two multiplicative cyclic groups G and G of order prime p_TAnd defining a bilinear map e on the group G → G_T(ii) a Let G be the generator of G and randomly select

Thereby defining a function

And

selecting

D different elements phi ═ phi₁,φ₂,…,φ_dAs a system default attribute set; then setting the parameter l to 2d +1, and the central base station continues to select

And is calculated to obtain

The central base station additionally distributes a digital signature algorithm omega_SignAnd a set of corresponding public and private key pairs (pk)_BS；sk_BS) Wherein pk_BSDisclosure to any entity of the system, sk_BSMastered only by the central base station, through sk_BSRealizing the registration of a client and an edge server; the central base station constructs a binary tree according to the upper limit of the number of the clients and uses the binary tree

This binary number is marked, N denotes the maximum number of client nodes, RL denotes the client's revocation list and is initialized to the empty set, st the state of the binary tree of the current time node and is initialized to the state of the empty set

For each node θ ∈ N of the binary tree, a random number r is selected and stored_θ∈Z_pAt the nodeAt least one of (1) and (b);

the registration process of the client comprises the following steps: when any client is added into the system, the central base station firstly carries out the validity verification of the client, the validity verification of the client comprises the verification of whether the client has carried out registration application before to resist replay attack and denial of service attack, and when the client is verified to be legal, the central base station randomly selects

One element is used as a global identity uid of the client to be issued to the client, and a corresponding digital certificate Cert.uid is constructed according to a signature algorithm and a signature private key; for each legitimate client registered to the system, the central base station is in a binary tree

Selecting an unallocated node from all leaf nodes of the client end uid to send to the current client end uid, and marking the uid on the leaf node;

the registration process of each edge server includes: central base station random selection Z_pOne element as global identity aid of edge server_iIssuing to an edge server, and constructing a corresponding digital certificate Cert_iAnd simultaneously, the binary tree of the current state is safely shared to each edge server, and the binary tree comprises leaf nodes marked with the clients and random number factors of each node, so that the edge server can generate effective attribute key components to be adjusted for each client.

Further, step S1 further includes:

s12: each edge server ES_i(i ═ 1,2, …, n) a random number α is selected_i∈Z_pAs a subkey, the system master key is now represented as

Then each ES_i(i-1, 2, …, n) each generates a polynomial f of degree k-1_i(x) Satisfies alpha_i＝f_i(0) (ii) a According to the selectionEach ES of_i(i-1, 2, …, n) is another ES_j(i ═ 1,2, …, i-1, i +1, …, n) is calculated to give the corresponding sub-shares s_ij＝f_i(aid_j) And through ES_jSecret delivery of certificates to the ES_i(ii) a Simultaneous ES_iCalculate s for oneself_ii＝f_i(aid_i) When receiving the data from other n-1 ESs_j(j ═ 1,2, …, i-1, i +1, …, n) of the subgroup s_ji(j-1, 2, …, i-1, i +1, …, n) and then ES_iCalculating to obtain a master key

And according to the master key sk_iCalculate to obtain the corresponding public key as

After initialization of the edge server, each ES_iObtaining a group of public and private key pairs (pk)_i,sk_i) Wherein pk_iTo any entity including the central base station.

Further, step S1 further includes:

s13: the central base station arbitrarily selects n ESs_iK public keys are subjected to reconstruction calculation to obtain the public key of the system:

wherein the content of the first and second substances,

the published parameters of the final system are:

where G is the generator of the multiplication cycle group G, n is the number of edge servers, e (G, G)^αIs the public key of the system, λ is the security parameter, G_TFor multiplicative cyclic groups, Φ is the default set of attributes for the system, F₁(t),F₂(M) is a mapping function defined during the initialization of the central base station,

for the vector parameters defined during initialization, H₀Is a hash function.

Further, step S2 includes:

step S21: random selection of client with identity uid

Global private key beta as its own global private key, i.e. client_uidAnd calculating from the generator G of the multiplication cycle group G in the public parameters of the system

As the global public key pk of the client_uidThen sends the global public key pk of the client_uidAnd a zero knowledge proof

Applying attribute keys to the edge server together;

step S22: the edge server issues corresponding attribute key components to be adjusted for the users according to the binary tree state and the node factors shared by the central base station, the central base station constructs key updating parameters according to the revocation list of the current time period, and only the users which are not revoked operate the attribute key components to be adjusted according to the key updating parameters to obtain the attribute key components of the associated time parameters.

Step S23: the client collects the ES from n different edge servers_iThe k attribute key components, and reconstruct the complete attribute key.

Further, the step S22 includes:

step S221: using the ith edge server ES_iAccording to the private key sk of the edge server_iAnd a set of random parameters

Respectively for rolesConstructing data to be adjusted of the ith key component of the attribute key of the client by using the attribute set omega and the default attribute set phi;

step S222: and according to the current time node revocation list and the state of the binary tree, judging whether the user is revoked at the current time node, and according to the judgment result, the central base station constructs a time parameter according to a revocation algorithm to adjust the data to be adjusted of the ith key component of the attribute key of the client so as to update and obtain the final attribute key component.

Further, in the step S222, only the user whose node is not revoked at the current time can correctly update the attribute key component;

aiming at the role attribute set omega, the self part SK of the generated complete attribute key_ωComprises the following steps:

wherein the content of the first and second substances,

for the default attribute set Φ, ithEdge server ES of_iSelecting random numbers

Default part SK of generated complete attribute key_φ(D_t,φ,0,D_φ,1,D_φ,2,K_φ,i) Comprises the following steps:

further, step S3 further includes:

1) when it is a message

Selecting predicate strategy gamma ═ (m, S), wherein S is an attribute set with the size of S ═ S ≦ d, and m ∈ {1, …, S }, and grouping attribute keys by a client side as follows ({ SK_ω}_ω∈Ω,{SK_φ}_φ∈φ) The data is transmitted to a cloud server, and the cloud server firstly selects a subset phi of the front d-m elements of the set phi according to the dictionary sequence_d-mSimultaneously selecting arbitrary subsets

Satisfy | S_mI | ═ m; a vector can be defined according to the following polynomial

Since d-m + s + 1. ltoreq.2 d +1 ═ l, the coefficient y_d-m+s+2,…,y_lIs determined to be 0;

for each attribute ω ∈ S_mThe cloud server according to the attribute key SK_ω＝{D_ω,0,D_ω,1,K_ω,iThe parameter is obtained by calculating | i ═ 1,2, …, l-1}

For each attribute φ ∈ φ_d-mThe client end is according to the attribute key SK_φ＝{D_φ,0,D_φ,1,K_φ,iThe parameter is obtained by calculating | i ═ 1,2, …, l-1}

According to

And

the cloud server calculates three elements D contained in the cloud server token₀、D₁And D₂：

Wherein the content of the first and second substances,

and

is composed of a set S_mAnd phi_d-mCo-determined Lagrange coefficients, for a certain ω ∈ S_m，

For a certain phi e phi_d-m，

2) Client first calculates

And selecting u, v, w epsilon to Z_pThen calculating to obtain the signature sigma ═ (sigma)₀,σ₁,σ₂,σ₃,σ^*)：

σ₁＝D₁g^u,σ₂＝D₂g^v,σ₃＝g^w,

Further, step S4 further includes:

other arbitrary entities firstly resolve the predicate strategy gamma into (m, S), and calculate

Then, according to the parameter m, a subset of Φ is defined which contains the d-m elements

Using a polynomial P_S(Z) definition rule definition vector

If equation

If true, the acceptance signature ∑ (σ) is set₀,σ₁,σ₂,σ₃,σ^*) A 1 is legally signed and output, otherwise the output is 0.

Further, step S5 further includes:

and (x; T) is added to all nodes x associated with the identity uid by taking the identity uid, the time period T, the revocation list rl and the state st as input, and the updated revocation list rl is output.

According to the privacy protection and authentication method for the client side of the Internet of things based on the edge calculation, the attribute set of the system is managed by a plurality of edge servers together, so that the real distributed management requirement of the client side of the Internet of things is realized, a single trusted center or a center base station is not required to be on line at any time, and the key application and management of the client side are ensured; each edge server can realize authenticity verification and attribute key issuing of a client attribute set, and the downtime of a specific edge server cannot influence the key application of the client; by applying a gate trap secret sharing mechanism, the central base station obtains the master key of the whole system by reconstructing the master key of each edge server, so that the problem of single-point failure of the central base station in a centralized system is fundamentally solved, and the central base station and any edge server cannot forge client-side signatures in a mode of independently generating private keys; in the initialization process, a binary tree structure is introduced into the central base station, all leaf nodes are used for managing a registered user set, and when a user is revoked, the private key of the user is quickly updated according to a KUNODE algorithm without influencing other users who are not revoked; and finally, a cloud server outsourcing computing technology is introduced into a generation algorithm of the attribute signature, power operation and bilinear mapping operation with high computational complexity are outsourced to the cloud server for computation processing, and the client of the Internet of things can complete the signature structure only by executing simple operation, so that the efficiency of the client in processing the power operation and the bilinear mapping operation with high complexity is greatly improved.

Drawings

Fig. 1 is a flowchart of an internet of things client privacy protection authentication method based on edge computing according to an embodiment of the present invention.

Detailed Description

The preferred embodiments of the present invention will be described in detail below with reference to the accompanying drawings.

The entity related to the embodiment of the invention comprises:

central Base Station (BS): as a global trusted certificate center of the system, the method carries out initialization creation of the system and receives registration of a legal client and an edge server;

edge Server (ES): the method comprises the following steps that a plurality of edge servers manage the same system attribute set and issue attribute key components for each Internet of things client;

the client side of the Internet of things: the client having the legal attribute key can construct a signature meeting the corresponding predicate policy, and any client entity can complete signature verification under the condition that no additional information is needed for signature verification.

As shown in fig. 1, an embodiment of the present invention provides an internet of things client privacy protection authentication method based on edge computing, including the following steps:

s1: the central base station establishes the public parameters of the system and completes the registration of all the clients and n edge servers, simultaneously constructs a binary tree according to the upper limit of the number of the clients, each edge server generates a group of public and private key pairs, the public keys of the edge servers are safely shared to any entity in the system, and the central base station generates the public parameters of the system according to the public keys of the edge servers;

s2: issuing an attribute key for a client;

s3: the cloud server calculates a cloud server token according to the attribute key, and the client generates a signature message according to the cloud server token;

s4: judging whether the signature message is legal or not by any other client entity according to the predicate strategy, if so, outputting 1, and otherwise, outputting 0;

s5: and the revocation of the client is realized by utilizing a binary tree structure.

Step S1 is a system initialization, which includes three steps: BSetup1, BSetup, and BSetup 2. The BSetup1 is mainly responsible for establishing system parameters and registering all clients and edge servers; the edge servers interact in an ESetup stage to share the sub-keys; and finally, the central base station reconstructs the complete system public parameters in the stage of BSetup 2. The method comprises the following specific steps:

S11：BSetup1

the central base station runs an initialization operation with the security parameter λ as input. Firstly, a hash function which can resist collusion attack is selected

Wherein n is_MRepresenting a binary upper bound on the size of the signature message, the base station then selects two multiplicative cyclic groups G and G of order prime p_TAnd defining a bilinear map e on the group G → G_TLet G be the generator of the multiplication cycle group G and randomly select

Thereby defining a function

And

wherein F₁(t) and F₂(M) mapping the time parameter and the signature message onto the corresponding cyclic group G, respectively; meanwhile, in order to simplify the description of a trapdoor predicate strategy, an integer group with the order of prime number is selected

D different elements phi ═ phi₁,φ₂,…,φ_dD is used as a default attribute set phi of the system, wherein d determines the maximum value of a trapdoor (trapdoor) predicate strategy in the final signature structure, and the specific parameters of d cannot influence the structure of the attribute signature; then the central base station continuously selects a group of random numbers to construct vector parameters

I.e. each element of the vector is taken from the group of integers

And calculating therefrom the vector parameters

In addition, the central base station additionally allocates a traditional digital signature algorithm omega_SignAnd a set of corresponding public and private key pairs (pk)_BS；sk_BS) For signing and verifying of subsequent certificates. Wherein the public key pk_BSIs any master entity disclosed to the system and the private key sk_BSRegistration for subsequent clients and edge servers is only handled by the central base station. Simultaneously, the center base considers the withdrawal requirementThe station constructs a binary tree according to the upper limit of the number of clients and uses the binary tree

This binary number is marked, N denotes the maximum number of client nodes, RL denotes the client node whose client revocation list is revoked for real-time updates, and the initialization is set to the empty set

st represents the state of the binary tree of the node at the current time and is initially set to

For each node theta of the binary tree, a random number is selected and stored

At the node theta.

When any client is added into the system, the central base station firstly verifies the validity of the client, and mainly verifies whether the client has previously performed registration application to resist replay attack and denial of service attack. When the client is verified to be legitimate, the central base station will randomly select

One element is issued to the client as its global identity uid, along with a digital certificate cert. More importantly, to implement client revocation management, all registered clients are assigned

And marking the uid at the leaf node.

Each edge server also needs to register with the central base station during the system initialization phase. Likewise, the central base station randomly selects

One element as global identity aid of edge server_iIssued to it and constructing a corresponding digital certificate cert_iThe method is used for guaranteeing the safety of interactive communication among the following edge servers. And simultaneously, safely sharing the binary tree of the current state to each edge server, wherein the binary tree comprises leaf nodes marked with the positions of the clients and random number factors of each node, so that the edge server can generate effective attribute key components to be adjusted for each client subsequently.

S12：ESetup

This process is run cooperatively by all edge servers. All n edge server interaction invoke the (k, n) threshold secret sharing mechanism as follows:

assume ES_iDenotes the ith edge server, each ES_i(i ═ 1,2, …, n) a random number α is selected_i∈Z_pAs its subkey, the system master key may now be obscured as shown

Then each ES_i(i-1, 2, …, n) each generates a polynomial f of degree k-1_i(x) Satisfies alpha_i＝f_i(0). According to a selected polynomial, each ES_i(i-1, 2, …, n) is another ES_j(i ═ 1,2, …, i-1, i +1, …, n) is calculated to give the corresponding sub-shares s_ij＝f_i(a_id_j) And through ES_jTo which it is passed in secret, wherein aid_jIs the global identity of the jth edge server. Simultaneous ES_iCalculate s for oneself_ij＝f_i(aid_i). When receiving the data from other n-1 ESs_j(j ═ 1,2, …, i-1, i +1, …, n) of the subgroup s_ji(j＝1,2,…,i-1,i+1,…,n),ES_iCalculating to obtain the own private key (namely the private key of the ith edge server)

Then ES_iCalculates to obtain its public key as

After initialization of the edge server, each ES_iObtaining a group of public and private key pairs (pk)_i,sk_i) Here pk_iTo any entity including the central base station.

S13：BSetup2

In order to calculate the public key of the system, the central base station arbitrarily selects n ESs_iK public keys are subjected to reconstruction calculation to obtain:

as an important parameter for signature verification is no longer determined by a single entity, we can show it in a cryptic way

Wherein the content of the first and second substances,

e is a defined bilinear map, G is a generator of a public multiplication cyclic group G; sk_iThe private key of the ith edge server; pk_iIs the public key of the ith edge server, k is a parameter of the threshold secret sharing mechanism (k, n), and P (i) represents the set of identities (aid) by the edge server₁,aid₂,…aid_k) The determined lagrangian coefficients are chosen according to the dictionary order for the sake of simplicity of description, but in practice, the id sets of any k edge servers from n are all implemented.

After the final initialization is completed, the published parameters of the whole system are as follows:

where G is the generator of the multiplication cycle group G, n is the number of edge servers, e (G, G)^αIs the public key of the system, λ is the security parameter, G_TFor multiplicative cyclic groups, Φ is the default set of attributes for the system, F₁(t),F₂(M) is a mapping function defined during the initialization of the central base station,

for the vector parameters defined during initialization, H₀Is a hash function.

Step S2 issues an attribute key to the client, including:

step S21: random selection of client with identity uid

As its own global private key, i.e. the global private key sk of the client_uid＝β_uidHere, the

Adding groups for prime numbers

All non-zero elements in (1), and calculating

As its own global public key, i.e. the global public key of the client, and then sends the global public key pk_uidAnd a zero knowledge proof

And sending the attribute key application to the edge server together. Zero knowledge proof means that sk cannot be obtained at the edge server (i.e., verifier)_uid＝β_uidIn case of (2), according to the evidence

It follows that the client (i.e., prover) does have sk_uid＝β_uid。

Step S221: ith edge server ES_iAnd issuing the attribute key component to be adjusted for the client. Firstly, the edge server verifies the validity of the client, namely the accuracy of the zero-knowledge proof, then issues a role attribute set omega according to the specific identity role of the client, such as the professional attribute, the gender attribute and the like of the client, and carries out customized description according to different system environments. And defining a path node parameter Path (uid) according to the binary tree state shared by the central base station, wherein the path node parameter Path (uid) represents all the node sets from the leaf node marked with the uid to the root node in the binary tree, so that all the nodes covering the client uid in the binary tree are associated to the attribute key component to be adjusted. Then according to the private key sk of the edge server_iAnd a set of random parameters

Defining an implicit polynomial

And constructing data to be adjusted of the attribute key component of the client according to the role attribute set omega and the default attribute set phi respectively. In particular, we describe in detail according to the role attribute set as an example. For a specific attribute omega, ES in the role attribute set omega_iSelecting a random number

The data to be adjusted of the respective key component consists of three elements, which can be represented as

For each theta e Path (uid)

For j ═ 1,2, …, l-1

Step S222: the central base station firstly obtains a node set KUNOde (BT, RL, t, st) according to the current time parameter and a revocation list, wherein the KUNOde represents the abbreviation of a binary tree revocation algorithm (namely the revocation algorithm), the BT binary tree and the RL revocation list are used as input, t is the current time parameter, st is the state of the binary tree, and the output result is that the current time node t can be covered as the minimum binary tree node set of the clients which are not revoked. The node factor r stored at node θ is then retrieved_θ(ii) a Selecting a random number

And calculating to obtain:

wherein

And updates all the keys to the parameter UK_t＝(θ,UK_t,θ) I theta epsilon KUNOde (BT, RL, t, st) is disclosed in the system, which includes all updated key parameters UK belonging to nodes theta epsilon KUNOde (BT, RL, t, st) of the binary tree_t,θA set of compositions.

Step S223: assuming that I is a node set Path (uid) and J is a node set KUNOde (BT, RL, t, st) obtained according to a revocation algorithm, if a node is legal at a certain time by a clientNon-revoked clients, then there is a unique intersection between sets I and J. This unique intersection is the only node in the binary tree node, which can then be based on this node factor r_θConstructed to-be-adjusted attribute key component

And updating the Key parameter UK_t,θ＝(UK_θ,0,UK_θ,1) And finally obtaining the accurate attribute key component of the current time period containing the time parameter. At this time, the client first selects a random number

The attribute key belonging to ω is adjusted to include four elements

The detailed parameters are calculated as follows:

for j ═ 1,2, …, l-1

Step S23, for the role attribute ω, when adjusted data of the attribute key components from k different edge servers are collected, i.e. from each edge server ES_iResulting attribute key components

Complete SK (Key) belonging to omega attribute key and obtained by client reconstruction_ω＝(D_ω,0,D_ω,1,D_ω,2,D_ω,iI ═ 1,2, …, l-1) is still made up of four elements, including in particular the following:

wherein P (j) is from the set I_kDetermined Lagrange coefficient

Which are two random parameters determined by specific attributes.

It is worth noting that:

likewise, for the default attribute set Φ, each of which is represented as Φ ∈ Φ, the ith ES is processed through the above-described steps S22-S23_iSelecting random numbers

Default part SK of generated complete attribute key_φ(D_t,φ,0，D_φ,1，D_φ,2，K_φ,i) Comprises the following steps:

the private key of the final client comprises a global private key beta of the client_uidAnd an attribute key of the client. The client's attribute key includes (SK)_ω＝{D_t,ω,0,D_ω,1,D_ω,2,K_ω,i1,2, …, l-1 for each attribute ω ∈ Ω }, SK_φ＝{D_t,φ,0,D_φ,1,D_φ,2,K_φ,iI ═ 1,2, …, l-1 for each attribute Φ ∈ Φ }).

Step S3 is to sign the client message, and the generation of the signature includes cloud server token generation and signature generation, which are as follows:

1) cloud server token generation

When it is a message

The predicate policy chosen is Γ ═ (m, S), where S is a set of attributes of size S ═ S ≦ d, and m ∈ {1, …, S }, and the client groups the attribute keys as follows ({ SK, …, S }, with the client grouping the attribute keys as follows ({ SK ≦ S ≦ d }_ω}_ω∈Ω,{SK_φ}_φ∈Φ) The data is transmitted to a cloud server, and the cloud server firstly selects a subset phi of the front d-m elements of the set phi according to the dictionary sequence_d-mSimultaneously selecting arbitrary subsets

Satisfy | S_mAnd m. According to the following polynomial P_S(Z) may define a vector

Since d-m + s +1 is less than or equal to l, the coefficient y_d-m+s+2,…,y_lIt is certainly determined to be 0.

For each attribute ω ∈ S_mThe cloud server according to the attribute key SK_ω＝{D_ω,0,D_ω,1,K_ω,i1,2, …, l-1, calculating to obtain a binary group

As important parameters for signature generation:

for each attribute φ ∈ φ_d-mLikewise, the cloud server user can select the SK according to the attribute key_φ＝{D_φ,0,D_φ,1,K_φ,iI ═ 1,2, …, l-1} calculated as:

according to

And

three elements (D) contained in the cloud server token₀,D₁,D₂) It can be calculated that:

here we mark

And

is composed of a set S_mAnd phi_d-mCo-determined Lagrange coefficient, for a certain

For a certain phi e phi_d-m，

2) Signature generation: the client first computes as a signer

And select

The final signature contains five elements ∑ (σ)₀,σ₁,σ₂,σ₃,σ^*) Can be calculated as follows:

σ₁＝D₁g^u,σ₂＝D₂g^v,σ₃＝g^w,

step S4 is a client message authentication, further comprising:

an arbitrary entity (such as an edge server or a central base station) serving as a verifier firstly resolves the predicate strategy gamma into (m, S), and calculates

Then, according to the parameter m, a subset of Φ is defined which contains the d-m elements

Using the same polynomial P_S(Z) definition rule definition vector

If the following equation holds true, the signature ∑ will be accepted (σ)₀,σ₁,σ₂,σ₃,σ^*) Legal signature and output 1, otherwise, output 0:

step S5 is a client revocation, further comprising:

and (x; T) is added to all nodes x associated with the identity uid by taking the identity uid, the current time point T, the revocation list RL and the state st as input, and the updated revocation list RL is output. In step S222, according to the kunon algorithm, only the clients that are not revoked within the legal period can successfully update the attribute key component.

According to the method for protecting and authenticating the privacy of the Internet of things client based on the edge computing, the attribute set of a system is managed by a plurality of edge servers together, so that the real distributed management requirement of the Internet of things client is realized, a single trusted center or a center base station is not required to be on line at any time, and the key application and management of the client are ensured; each edge server can realize authenticity verification and attribute key issuing of a client attribute set, and the downtime of a specific edge server cannot influence the key application of the client; by applying a threshold secret sharing mechanism, the central base station obtains the master key of the whole system by reconstructing the master key of each edge server, so that the problem of single-point failure of the central base station in a centralized system is fundamentally solved, and the central base station and any edge server cannot forge client-side signatures in a mode of independently generating private keys; in the initialization process, a binary tree structure is introduced into the central base station, all leaf nodes are used for managing a registered user set, and when a user is revoked, the private key of the user is quickly updated according to a KUNODE algorithm without influencing other users who are not revoked; and finally, a cloud server outsourcing computing technology is introduced into a generation algorithm of the attribute signature, power operation and bilinear mapping operation with high computational complexity are outsourced to the cloud server for computation processing, and the client of the Internet of things can complete the signature structure only by executing simple operation, so that the efficiency of the client in processing the power operation and the bilinear mapping operation with high complexity is greatly improved.

The above embodiments are merely preferred embodiments of the present invention, which are not intended to limit the scope of the present invention, and various changes may be made in the above embodiments of the present invention. All simple and equivalent changes and modifications made according to the claims and the content of the specification of the present application fall within the scope of the claims of the present patent application. The invention has not been described in detail in order to avoid obscuring the invention.

Claims (10)

1. An Internet of things client privacy protection authentication method based on edge computing is characterized by comprising the following steps:

s1: the central base station establishes the public parameters of the system and completes the registration of all the clients and n edge servers, simultaneously constructs a binary tree according to the upper limit of the number of the clients, each edge server generates a group of public and private key pairs, wherein the public keys are safely shared to any entity in the system, and the central base station generates the public key of the system according to the public keys of the edge servers;

s2: issuing an attribute key for a client;

s3: the cloud server calculates according to the attribute key to obtain a cloud server token, and the client generates a signature message according to the cloud server token;

s4: judging whether the signature message is legal or not by any other entity according to the predicate strategy, if so, outputting 1, and otherwise, outputting 0;

s5: and the revocation of the client is realized by utilizing a binary tree structure.

2. The internet of things client privacy protection authentication method based on edge computing as claimed in claim 1, wherein the step S1 includes:

s11: the central base station takes a security parameter lambda as input, firstly selects a hash function H which can resist collusion attack₀：

Wherein n is_MRepresenting a binary upper bound on the size of the signature message, followed by the selection of two multiplicative cyclic groups G and G of order prime p_TAnd defines a bilinear map on the group e:G×G→G_T(ii) a Let G be the generator of G and randomly select

Thereby defining a function

And

selecting

D different elements phi ═ phi₁，φ₂，…，φ_dAs a system default attribute set; then setting the parameter l to 2d +1, and the central base station continues to select

And is calculated to obtain

The central base station additionally distributes a digital signature algorithm omega_SignAnd a set of corresponding public and private key pairs (pk)_BS；sk_BS) Wherein pk_BSDisclosure to any entity of the system, sk_BSMastered only by the central base station, through sk_BSRealizing the registration of a client and an edge server; the central base station constructs a binary tree according to the upper limit of the number of the clients and uses the binary tree

The binary number is marked, N denotes the maximum number of client nodes, RL denotes the clientRevocation list and initialization set to empty set, st State of binary Tree of node at current time and initialization set to

For each node θ ∈ N of the binary tree, a random number r is selected and stored_θ∈Z_pAt the node;

the registration process of the client comprises the following steps: when any client is added into the system, the central base station firstly carries out the validity verification of the client, the validity verification of the client comprises the verification of whether the client has carried out registration application before to resist replay attack and denial of service attack, and when the client is verified to be legal, the central base station randomly selects

One element is used as a global identity uid of the client to be issued to the client, and a corresponding digital certificate Cert.uid is constructed according to a signature algorithm and a signature private key; for each legitimate client registered to the system, the central base station is in a binary tree

Selecting an unallocated node from all leaf nodes of the client end uid to send to the current client end uid, and marking the uid on the leaf node;

the registration process of each edge server includes: central base station random selection Z_pOne element as global identity aid of edge server_iIssuing to an edge server, and constructing a corresponding digital certificate Cert_iAnd simultaneously, the binary tree of the current state is safely shared to each edge server, and the binary tree comprises leaf nodes marked with the clients and random number factors of each node, so that the edge server can generate effective attribute key components to be adjusted for each client.

3. The internet of things client privacy protection authentication method based on edge computing according to claim 2, wherein the step S1 further comprises:

s12: each edge server ES_i(i ═ 1,2, …, n) a random number α is selected_i∈Z_pAs a subkey, the system master key is now represented as

Then each ES_i(i-1, 2, …, n) each generates a polynomial f of degree k-1_i(x) Satisfies alpha_i＝f_i(0) (ii) a According to a selected polynomial, each ES_i(i-1, 2, …, n) is another ES_j(i ═ 1,2, …, i-1, i +1, …, n) is calculated to give the corresponding sub-shares s_ij＝f_i(aid_j) And through ES_jSecret delivery of certificates to the ES_i(ii) a Simultaneous ES_iCalculate s for oneself_ii＝f_i(aid_i) When receiving the data from other n-1 ESs_j(j ═ 1,2, …, i-1, i +1, …, n) of the subgroup s_ji(j-1, 2, …, i-1, i +1, …, n) and then ES_iCalculating to obtain a master key

And according to the master key sk_iCalculate to obtain the corresponding public key as

After initialization of the edge server, each ES_iObtaining a group of public and private key pairs (pk)_i，sk_i) Wherein pk_iTo any entity including the central base station.

4. The internet of things client privacy protection authentication method based on edge computing according to claim 3, wherein the step S1 further comprises:

s13: the central base station arbitrarily selects n ESs_iK public keys are subjected to reconstruction calculation to obtain the public key of the system:

wherein the content of the first and second substances,

the published parameters of the final system are:

where G is the generator of the multiplication cycle group G, n is the number of edge servers, e (G, G)^αIs the public key of the system, λ is the security parameter, G_TFor multiplicative cyclic groups, Φ is the default set of attributes for the system, F₁(t)，F₂(M) is a mapping function defined during the initialization of the central base station,

for the vector parameters defined during initialization, H₀Is a hash function.

5. The Internet of things client privacy protection authentication method based on edge computing as claimed in claim 4, wherein the step S2 includes:

step S21: random selection of client with identity uid

Global private key beta as its own global private key, i.e. client_uidAnd calculating from the generator G of the multiplication cycle group G in the public parameters of the system

As the global public key pk of the client_uidThen sends the global public key pk of the client_uidAnd a zero knowledge proof

Applying attribute keys to the edge server together;

step S22: the edge server issues corresponding attribute key components to be adjusted for the users according to the binary tree state and the node factors shared by the central base station, the central base station constructs key updating parameters according to the revocation list of the current time period, and only the users which are not revoked operate the attribute key components to be adjusted according to the key updating parameters to obtain the attribute key components of the associated time parameters.

Step S23: the client collects the ES from n different edge servers_iThe k attribute key components, and reconstruct the complete attribute key.

6. The internet of things client privacy protection authentication method based on edge computing according to claim 5, wherein the step S22 includes:

step S221: using the ith edge server ES_iAccording to the private key sk of the edge server_iAnd a set of random parameters

Respectively constructing data to be adjusted of the ith key component of the attribute key of the client aiming at the role attribute set omega and the default attribute set phi;

step S222: and according to the current time node revocation list and the state of the binary tree, judging whether the user is revoked at the current time node, according to the judgment result, the central base station constructs a time parameter according to a revocation algorithm to adjust the data to be adjusted of the ith key component of the attribute key of the client, and the client updates to obtain the final attribute key component.

7. The internet of things client privacy protection authentication method based on edge computing according to claim 6, wherein in the step S222, only the users whose nodes are not revoked at the current time can correctly update the attribute key component;

for each of the set of role attributes ΩAn attribute omega, the generated complete attribute key SK_ωComprises the following steps:

wherein the content of the first and second substances,

edge server ES for each attribute φ, ith in the default attribute set φ_iSelecting random numbers

Default part SK of generated complete attribute key_φ＝(D_t，φ，0，D_φ，1，D_φ，2，K_φ，i) Comprises the following steps:

8. the internet of things client privacy protection authentication method based on edge computing according to claim 7, wherein the step S3 further comprises:

1) when it is a message

Selecting predicate strategy gamma ═ (m, S), wherein S is an attribute set with the size of S ═ S ≦ d, and m ∈ {1, …, S }, and grouping attribute keys by a client side as follows ({ SK_ω}_ω∈Ω，{SK_φ}_φ∈Φ) The data is transmitted to a cloud server, and the cloud server firstly selects a subset phi of the front d-m elements of the set phi according to the dictionary sequence_d-mSimultaneously selecting arbitrary subsets

Satisfy | S_mI | ═ m; a vector can be defined according to the following polynomial

Since d-m + s + 1. ltoreq.2 d +1 ═ l, the coefficient y_d-m+s+2，…，y_lIs determined to be 0;

for each attribute ω ∈ S_mThe cloud server according to the attribute key SK_ω＝{D_ω，0，D_ω，1，K_ω，iThe parameter is obtained by calculating | i ═ 1,2, …, l-1}

For each attribute φ ∈ φ_d-mThe client end is according to the attribute key SK_φ＝{D_φ，0，D_φ，1，K_φ，iThe parameter is obtained by calculating | i ═ 1,2, …, l-1}

According to

And

the cloud server calculates three elements D contained in the cloud server token₀、D₁And D₂：

Wherein the content of the first and second substances,

and

is composed of a set S_mAnd phi_d-mCo-determined Lagrange coefficients, for a certain ω ∈ S_m，

For a certain phi e phi_d-m，

2) Client first calculates

And selecting u, v, w epsilon to Z_pThen calculating to obtain the signature sigma ═ (sigma)₀，σ₁，σ₂，σ₃，σ^*)：

9. The internet of things client privacy protection authentication method based on edge computing according to claim 8, wherein the step S4 further comprises:

other arbitrary entities firstly resolve the predicate strategy gamma into (m, S), and calculate

Then, according to the parameter m, a subset of Φ is defined which contains the d-m elements

Using a polynomial P_S(Z) definition rule definition vector

If equation

If true, the acceptance signature ∑ (σ) is set₀，σ₁，σ₂，σ₃，σ^*) A 1 is legally signed and output, otherwise the output is 0.

10. The internet of things client privacy protection authentication method based on edge computing according to claim 9, wherein the step S5 further comprises:

and (x; T) is added to all nodes x associated with the identity uid by taking the identity uid, the time period T, the revocation list rl and the state st as input, and the updated revocation list rl is output.

Images