CN114357477A - Boolean keyword searchable encryption method supporting large-scale user group - Google Patents

Publication number: CN114357477A
Authority: CN (China)
Prior art keywords: node, keyword, calculation, equal, attribute
Legal status: Granted (Active)
Application number: CN202111561029.3A
Other languages: Chinese (zh)
Other versions: CN114357477B (en)
Inventors: 徐玲玲, 林宇
Current Assignee: South China University of Technology SCUT
Original Assignee: South China University of Technology SCUT
Application filed by South China University of Technology SCUT
Priority to CN202111561029.3A
Publication of CN114357477A
Application granted; publication of CN114357477B

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00: Reducing energy consumption in communication networks
    • Y02D30/50: Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a Boolean keyword searchable encryption method supporting large-scale user groups. Based on a recursive attribute set structure, an access tree structure and a recursive keyword set structure, it achieves flexible access policy matching and fine-grained access control for large-scale user populations. First, the invention supports a more flexible organization of data user attributes and more flexible access policy matching, achieving more efficient access control: it uses an access tree to express the access policy and organizes data user attributes in a recursive set structure, which makes access policy matching more efficient. In addition, the invention supports a more flexible organization of keywords and Boolean keyword search: keywords are organized into a recursive set and matched with a Boolean matching operation.

Description

Boolean keyword searchable encryption method supporting large-scale user group
Technical Field
The invention relates to the technical field of cryptography, in particular to a boolean keyword searchable encryption method supporting large-scale user groups.
Background
In order to provide users with the capability of performing keyword search on ciphertext data, a Searchable Encryption (SE) technology has been proposed as a solution. According to different Encryption methods, the existing Searchable Encryption schemes can be divided into two types, namely Symmetric Searchable Encryption (SSE) and Public-key Encryption with Keyword Search (PEKS). In a public key searchable encryption scheme, data is encrypted using a public key of a given user before the data owner uploads the data to the cloud server, after which the users can search and decrypt the data using their private keys.
However, the basic PEKS scheme has limitations in some practical application scenarios. For example, in a healthcare system, the personal health information of a patient can only be retrieved by authorized physicians of a given identity. Under such circumstances, in order to achieve both keyword search and fine-grained access control on encrypted data, researchers have proposed a searchable encryption method based on attributes, and many of the existing works have made corresponding studies on this method.
Although existing work provides solutions for attribute-based keyword search, at present no solution simultaneously supports flexible access policy matching, flexible expression of user attributes and flexible keyword search for large-scale user populations. Therefore, with the rapid development of big data and cloud computing, how to design a complete keyword search method that covers these three aspects and supports large-scale users has become a problem to be solved urgently.
Disclosure of Invention
The invention aims to remedy the above defects in the prior art and provides a Boolean keyword searchable encryption method supporting large-scale user groups. In the context of cloud computing, the invention is based on a recursive attribute set structure, an access tree structure and a recursive keyword set structure, and achieves flexible access policy matching and fine-grained access control for large-scale user populations. By using Boolean search to support multi-keyword search, the data a user is interested in can be located effectively and flexibly, while flexible access policy matching, flexible expression of user attributes and flexible keyword search are all satisfied.
The purpose of the invention can be achieved by adopting the following technical scheme:
A Boolean keyword searchable encryption method supporting a large-scale user population, the encryption method comprising the steps of:
S1, system initialization: the trusted authority TA generates a public key pk and a master key mk according to the security parameter K, and publishes the public key pk to the cloud server;
S2, private key generation: the data user organizes their attributes into a recursive attribute set
Figure BDA0003412378930000021
and sends it to the trusted authority TA, which uses the master key mk and the recursive attribute set
Figure BDA0003412378930000022
to generate a private key sk and sends sk to the data user, wherein the attribute set
Figure BDA0003412378930000023
is parsed as $\{A_0, A_1, \ldots, A_n\}$, and $A_i$ denotes, within
Figure BDA0003412378930000024
the $i$-th sub-attribute set; let sub-attribute set $A_i$ contain $m_i$ attributes,
Figure BDA0003412378930000025
where $a_{i,j}$ denotes the $j$-th attribute of sub-attribute set $A_i$;
S3, encryption: the data owner uses the system public key pk, the recursive keyword set
Figure BDA0003412378930000026
Figure BDA0003412378930000027
and the access tree
Figure BDA0003412378930000028
to generate a ciphertext C for the document and uploads C to the cloud server; an element of the recursive keyword set $W_V$,
Figure BDA0003412378930000029
denotes the $i'$-th subset of the recursive keyword set and is parsed as
Figure BDA00034123789300000210
The recursive keyword name set
Figure BDA00034123789300000211
has the same structure as the recursive keyword set $W_V$; an element of that set,
Figure BDA0003412378930000031
denotes the $i'$-th subset of the recursive keyword name set and is parsed as $(\rho(i',1), \rho(i',2), \ldots, \rho(i',m'_{i'}))$, where $m'_{i'}$ is the number of keywords in the $i'$-th keyword subset, $\rho(i',j')$ is the name of the $j'$-th keyword in the $i'$-th keyword subset, and $w_{\rho(i',j')}$ is the value of the $j'$-th keyword in the $i'$-th keyword subset;
S4, search token generation: the data user uses the private key obtained in step S2, combined with the data user's local Boolean keyword value expression $B_V$, to generate a retrieval token TK, where $B_V$ has an access tree structure and $B_N$ denotes the Boolean keyword name expression, which has the same access tree structure as $B_V$; for a leaf node of $B_V$,
Figure BDA00034123789300000314
the keyword value is denoted
Figure BDA0003412378930000032
where
Figure BDA0003412378930000033
denotes the corresponding keyword name;
S5, ciphertext search: the data user sends the retrieval token TK generated in step S4 to the cloud server; on receiving TK, the cloud server checks it against the ciphertexts C it stores to determine whether each ciphertext matches, and sends the ciphertexts C that satisfy the matching condition to the data user.
Further, the step S1 process is as follows:
S1a, the trusted authority TA uses the group generator
Figure BDA0003412378930000034
to execute
Figure BDA0003412378930000035
and obtain $(p, G, G_T, e)$, where $p$ is a prime, $G$ and $G_T$ are cyclic groups of order $p$, $g$ is a generator of $G$, and $e: G \times G \to G_T$ is a bilinear map;
S1b, the trusted authority TA selects two collision-resistant hash functions $H_0(\cdot)$ and $H_1(\cdot)$, where the hash function $H_0(\cdot)$ satisfies the following mapping:
Figure BDA0003412378930000036
where
Figure BDA0003412378930000037
is the set of all numbers coprime to the prime $p$, and the hash function $H_1(\cdot)$ satisfies the following mapping: $\{0,1\}^* \to G$;
S1c, the trusted authority TA randomly selects the first, second, third and fourth parameters used for private key generation, document encryption and retrieval token generation
Figure BDA0003412378930000038
and calculates
Figure BDA0003412378930000039
S1d, from the above variables, the trusted authority TA obtains the system public key
Figure BDA00034123789300000310
Figure BDA00034123789300000311
and the master key $mk = \langle \beta_1, \beta_2, \alpha \rangle$.
Further, the step S2 process is as follows:
S2a, for the recursive attribute set
Figure BDA00034123789300000312
the trusted authority TA randomly selects
Figure BDA00034123789300000313
and, for the recursive attribute set
Figure BDA0003412378930000041
selects $r_i$ for each of its subsets $A_i$, where $r$ is the parameter of the attribute set A used for subsequent match verification against the access tree, and $r_i$ is, for the attribute set
Figure BDA0003412378930000042
the parameter of its subset $A_i$ used for subsequent match verification against the access tree; assuming the recursive attribute set
Figure BDA0003412378930000043
has $n+1$ subsets, the parameters $r_i$ of the 2nd to $(n+1)$-th subsets satisfy
Figure BDA0003412378930000044
Let the parameter of the 1st subset $A_0$ be
Figure BDA0003412378930000045
is the set of all numbers coprime to the prime $p$;
S2b, for the recursive attribute set
Figure BDA0003412378930000046
the trusted authority TA also selects, for each attribute $a_{i,j}$ in it, a parameter $r_{i,j}$ for subsequent matching calculations, where
Figure BDA0003412378930000047
S2c, the trusted authority TA calculates
Figure BDA0003412378930000048
for subsequently generating
Figure BDA0003412378930000049
and calculates
Figure BDA00034123789300000410
Figure BDA00034123789300000411
for subsequently generating
Figure BDA00034123789300000412
and
Figure BDA00034123789300000413
where $0 \le i \le n$ and $1 \le j \le m_i$;
S2d, the trusted authority TA calculates
Figure BDA00034123789300000414
for subsequently generating
Figure BDA00034123789300000415
where $1 \le i \le n$;
S2e, from the above variables, the trusted authority TA obtains the data user's private key
Figure BDA00034123789300000416
and sends it to the data user.
Further, the step S3 process is as follows:
S3a, for the recursive keyword set $W_V$, the data owner randomly selects a parameter for match verification
Figure BDA00034123789300000417
is the set of all numbers coprime to the prime $p$, and calculates the parameter used for ciphertext and keyword match verification
Figure BDA00034123789300000418
and the parameters used for conversion calculation at conversion nodes
Figure BDA00034123789300000419
Figure BDA00034123789300000420
S3b, the data owner generates a set containing $n'$ random parameters
Figure BDA00034123789300000421
where $s_{i'}$ is, for the recursive keyword set $W_V$, the parameter that its subset
Figure BDA00034123789300000422
uses for match verification; let $s_0$ be the parameter that the subset
Figure BDA00034123789300000423
uses for match verification;
S3c, the data owner generates a set of random parameters for subsequent matching calculation
Figure BDA00034123789300000424
where $s_{i',j'}$ corresponds to the keyword
Figure BDA00034123789300000425
S3d, the data owner calculates the parameters used by the keyword matching algorithm DecryptNodeII
Figure BDA0003412378930000051
and
Figure BDA0003412378930000052
where $0 \le i' \le n'$ and $1 \le j' \le m'_{i'}$; the keyword matching algorithm DecryptNodeII performs the keyword matching calculation between the ciphertext and the search token; the data owner then calculates, for the subset of the recursive keyword set
Figure BDA0003412378930000053
the parameter that converts its $s_{i'}$ to the $s_0$ of the subset
Figure BDA0003412378930000054
which is
Figure BDA0003412378930000055
where $1 \le i' \le n'$;
S3e, the data owner uses the secret sharing algorithm
Figure BDA0003412378930000056
Figure BDA0003412378930000057
to calculate the secret shares of $s$, where $q_v(0)$ denotes the constant term of the secret sharing polynomial of node $v$,
Figure BDA0003412378930000058
denotes, for the access tree
Figure BDA0003412378930000059
its leaf nodes, and
Figure BDA00034123789300000510
denotes, on $s$ and the access tree
Figure BDA00034123789300000511
a run of the secret sharing algorithm;
S3f, for the access tree
Figure BDA00034123789300000512
the data owner calculates, for each of its leaf nodes $v$, the parameters used by the attribute matching algorithm DecryptNodeI
Figure BDA00034123789300000513
and
Figure BDA00034123789300000514
where the attribute matching algorithm DecryptNodeI performs the matching calculation between the user attribute set and the access tree;
S3g, the access tree
Figure BDA00034123789300000515
is represented as
Figure BDA00034123789300000516
for each node $x \in$
Figure BDA00034123789300000517
the data owner calculates
Figure BDA00034123789300000518
wherein
Figure BDA00034123789300000519
supports the mutual conversion of sets at a conversion node $x$;
S3h, from the variables obtained in the above steps, the data owner obtains the ciphertext
Figure BDA00034123789300000520
Further, the step S4 process is as follows:
S4a, the data user randomly selects a value
Figure BDA00034123789300000521
for subsequent parameter generation, and calculates the parameter used for conversion calculation at conversion nodes
Figure BDA00034123789300000522
S4b, the data user uses the secret sharing algorithm
Figure BDA00034123789300000523
to calculate the secret shares of $t$; for each leaf node
Figure BDA00034123789300000524
the data user calculates the parameters used by the subsequent keyword matching algorithm DecryptNodeII
Figure BDA00034123789300000525
Figure BDA00034123789300000526
and for each conversion node
Figure BDA00034123789300000527
the data user calculates the parameter used for conversion calculation at that conversion node
Figure BDA0003412378930000061
S4c, the data user parses the private key sk as
Figure BDA0003412378930000062
Figure BDA0003412378930000063
and calculates the parameters used for ciphertext and keyword match verification
Figure BDA0003412378930000064
Figure BDA0003412378930000065
the parameters used by the attribute matching algorithm DecryptNodeI
Figure BDA0003412378930000066
where $0 \le i \le n$ and $1 \le j \le m_i$; and the parameter that converts the $r_i$ of subset $A_i$ to the $r_0$ of subset $A_0$
Figure BDA0003412378930000067
where $1 \le i \le n$;
S4d, from the variables obtained in the above steps, the data user obtains the retrieval token
Figure BDA00034123789300000624
Figure BDA0003412378930000068
Further, the step S5 process is as follows:
S5a, the cloud server parses the ciphertext C as
Figure BDA0003412378930000069
Figure BDA00034123789300000610
Figure BDA00034123789300000611
and parses the retrieval token TK as
Figure BDA00034123789300000612
S5b, according to the access tree
Figure BDA00034123789300000613
and the attribute set
Figure BDA00034123789300000614
for the access tree
Figure BDA00034123789300000615
the cloud server returns, for each of its nodes $\tau$, a set $S_\tau$, where $S_\tau$ holds the labels of node $\tau$; each label $u$ corresponds to a set $A_u$, and each set $A_u$ satisfies the sub access tree
Figure BDA00034123789300000623
For the root node R, there is then
Figure BDA00034123789300000616
Figure BDA00034123789300000617
and the corresponding set is $S_R$;
S5c, if the attribute set
Figure BDA00034123789300000618
satisfies the access tree
Figure BDA00034123789300000619
then for each node $\tau$ a label, denoted $u$, is randomly selected from the set $S_\tau$ and the attribute matching algorithm DecryptNodeI(C, TK, τ, u) is run; it takes as input the ciphertext C, the retrieval token TK, the node $\tau$ and the label $u$, calculates
Figure BDA00034123789300000620
and outputs the calculation result $F_\tau$ of node $\tau$, where $C_\tau$ and $C'_\tau$ are the parameters in the ciphertext C corresponding to node $\tau$, and
Figure BDA00034123789300000621
is the parameter in the retrieval token TK of the attribute corresponding to node $\tau$ in subset $A_u$; if, for the access tree
Figure BDA00034123789300000622
there is no satisfying attribute set
Figure BDA0003412378930000071
then "0" is returned;
S5d, for a given recursive keyword name set $W_N$ and Boolean keyword name expression $B_N$, for each node of $B_N$
Figure BDA0003412378930000072
the cloud server computes a set of labels
Figure BDA0003412378930000073
where each label $h$ corresponds to a subset of $W_N$
Figure BDA0003412378930000074
and each subset
Figure BDA0003412378930000075
satisfies the subtree of $B_N$
Figure BDA0003412378930000076
For the root node
Figure BDA0003412378930000077
there is then
Figure BDA0003412378930000078
and the corresponding set is
Figure BDA0003412378930000079
S5e, if the recursive keyword name structure $W_N$ satisfies the Boolean keyword name expression $B_N$, then for each node
Figure BDA00034123789300000710
from the set
Figure BDA00034123789300000711
a label is randomly selected and denoted $h$, and the keyword matching algorithm
Figure BDA00034123789300000712
is run; the algorithm takes as input the ciphertext C, the retrieval token TK, the node
Figure BDA00034123789300000713
and the label $h$, calculates
Figure BDA00034123789300000714
and outputs, for node
Figure BDA00034123789300000715
the calculation result
Figure BDA00034123789300000716
wherein
Figure BDA00034123789300000717
and
Figure BDA00034123789300000723
are the parameters in the retrieval token TK corresponding to node
Figure BDA00034123789300000718
and $C_{\rho(h,j')}$ and $C'_{\rho(h,j')}$ are the parameters in the ciphertext C for node
Figure BDA00034123789300000719
in subset
Figure BDA00034123789300000724
of the corresponding keyword name; if no recursive keyword name structure $W_N$ satisfying the Boolean keyword name expression $B_N$ exists, "0" is returned;
S5f, the cloud server calculates the parameter used for the verification matching calculation
Figure BDA00034123789300000720
and judges whether
Figure BDA00034123789300000721
holds, where
Figure BDA00034123789300000722
is the result of the matching calculation between the ciphertext keywords and the user's search keywords, and F is the result of the matching calculation between the access tree and the user attributes; if it holds, "0" is output; if not, "1" is output. Here $e(G, G)$ denotes the mapping of two elements of the cyclic group $G$ into the multiplicative cyclic group $G_T$.
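The label-set bookkeeping of steps S5b to S5e can be followed without any cryptography. The Python sketch below is an added example, not code from the patent: it models a recursive set as a map from label to subset, computes for every tree node the labels whose subset satisfies the subtree, and applies the same routine to the attribute side (access tree against user attributes) and the keyword side (Boolean expression against document keywords). The names `Node`, `label_set` and `search_matches`, the sample data, the `name:value` item strings and the rule that a conversion-node child may count under any label are all assumptions made for illustration; the pairing computations of DecryptNodeI and DecryptNodeII are not modelled.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

RecSet = Dict[int, Set[str]]  # label -> subset; label 0 plays the role of A_0 / W_0


@dataclass
class Node:
    """A leaf (item is set) or a k-of-n threshold gate (children are set)."""
    item: Optional[str] = None
    k: int = 0
    children: List["Node"] = field(default_factory=list)
    conversion: bool = False  # assumption: flag set by whoever builds the tree


def leaf(item: str, conversion: bool = False) -> Node:
    return Node(item=item, conversion=conversion)


def AND(*children: Node, conversion: bool = False) -> Node:
    return Node(k=len(children), children=list(children), conversion=conversion)


def OR(*children: Node, conversion: bool = False) -> Node:
    return Node(k=1, children=list(children), conversion=conversion)


def label_set(node: Node, rec_set: RecSet) -> Set[int]:
    """Return the labels u whose subset satisfies the subtree rooted at node.

    Assumed rule: a child normally counts toward label u only if u is in the
    child's own label set; a child marked as a conversion node counts as soon
    as it is satisfied under any label, which lets subsets be combined.
    """
    if node.item is not None:
        return {u for u, subset in rec_set.items() if node.item in subset}
    child_sets = [(c, label_set(c, rec_set)) for c in node.children]
    labels: Set[int] = set()
    for u in rec_set:
        hits = sum(1 for c, s in child_sets if u in s or (c.conversion and s))
        if hits >= node.k:
            labels.add(u)
    return labels


def search_matches(access_tree: Node, user_attrs: RecSet,
                   bool_expr: Node, doc_keywords: RecSet) -> bool:
    """Plaintext view of S5: both root label sets must be non-empty."""
    return bool(label_set(access_tree, user_attrs)) and \
        bool(label_set(bool_expr, doc_keywords))


# Constructed sample data (not from the patent).
USER_ATTRS: RecSet = {
    0: {"org:hospital-X"},
    1: {"univ:A", "role:researcher"},
    2: {"dept:chemistry", "role:professor"},
}
# Without conversion nodes, both attributes must come from one subset.
STRICT_POLICY = AND(leaf("univ:A"), leaf("role:professor"))
# With conversion nodes, attributes from different subsets may be combined.
CONVERTING_POLICY = AND(leaf("univ:A", conversion=True),
                        leaf("role:professor", conversion=True))

DOC_KEYWORDS: RecSet = {
    0: {"type:report"},
    1: {"disease:flu", "year:2021"},
    2: {"disease:covid", "year:2020"},
}
QUERY_SAME_SUBSET = AND(leaf("disease:flu"), leaf("year:2021"))
QUERY_CROSS_SUBSET = AND(leaf("disease:flu"), leaf("year:2020"))
QUERY_NESTED = OR(AND(leaf("disease:covid"), leaf("year:2021")),
                  leaf("type:report"))

if __name__ == "__main__":
    print("strict policy labels:    ", label_set(STRICT_POLICY, USER_ATTRS))
    print("converting policy labels:", label_set(CONVERTING_POLICY, USER_ATTRS))
    print("same-subset query labels:", label_set(QUERY_SAME_SUBSET, DOC_KEYWORDS))
    print("cross-subset query match:",
          search_matches(CONVERTING_POLICY, USER_ATTRS,
                         QUERY_CROSS_SUBSET, DOC_KEYWORDS))
```

The strict policy fails for this user because "univ:A" and "role:professor" sit in different subsets, which is the separation the recursive set structure is meant to enforce unless the tree's author marks conversion nodes.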
Compared with the prior art, the invention has the following advantages and effects:
1. Flexible access policy expression. The invention allows the data owner to enforce an access policy on the data, where the access policy is represented as an access tree with conversion nodes. This not only supports Boolean expressions nested with logic words such as AND and OR, but also selectively allows the data user to combine attributes in the attribute set to satisfy the access policy, helping the data owner to control and authorize access to the data flexibly.
2. Flexible keyword and data user attribute organization. The invention organizes the keywords and the data user attributes in recursive sets, which handles compound keywords and data users with compound attributes.
3. Boolean keyword search is supported. The invention also supports Boolean keyword search in which keywords are organized into an access tree, which gives data users greater flexibility when searching encrypted data and supports search policies with nested logic words such as AND, OR and NOT. This helps the user find the required data accurately while reducing transmission and computation cost.
4. Practicality and security. The invention is constructed from a composite order group, a bilinear mapping, an access tree and a recursive attribute set; it has the properties of policy hiding and leakage resistance and therefore stronger security, and it provides flexible access policy expression, efficient access policy matching and flexible expression of keyword searches, giving it better practicality.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention without limiting the invention. In the drawings:
FIG. 1 is a flowchart of a searchable encryption method disclosed in the present invention that supports fine-grained access tree structure-based access control and Boolean keyword search;
FIG. 2 is a schematic diagram of an application environment of the searchable encryption method supporting fine-grained Boolean access control and Boolean keyword retrieval disclosed in the present invention;
FIG. 3 is a block diagram of a searchable encryption system supporting fine-grained Boolean access control and Boolean keyword retrieval as disclosed in the present invention;
FIG. 4 is a diagram of an access policy set by the data owner;
FIG. 5 is another access policy diagram set by the data owner.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Example 1
Flexible access policy matching helps data owners manage data flexibly; most existing work expresses access policies with access trees or Linear Secret Sharing Schemes (LSSS for short). The way user attributes are expressed can support finer-grained access control; most existing work combines user attributes as character strings, or combines the attributes into a single attribute set or a recursive attribute set structure. Flexible keyword search gives data users flexible choices when searching; existing schemes mainly support one of the following three search modes: matching search, conjunctive keyword search and Boolean keyword search, of which matching search is the least flexible and Boolean keyword search the most flexible.
In practical application scenarios, the attributes of a data user can be quite complex: data user A, for example, may be both a researcher at university A and a professor in the chemical and principal departments of a certain pharmaceutical department. Therefore, in a scenario with large-scale user populations, reasonable organization of user attributes and flexible access control matching become key to implementing a scheme. Given that, flexible keyword organization and an efficient keyword search method are likewise key to improving overall performance.
On the premise of large-scale users, the embodiment of the invention simultaneously supports the flexible access strategy matching, the flexible expression of user attributes and the flexible keyword search.
Before introducing the technical solution, the mathematical basis and definition related to the present invention are explained as follows:
Bilinear pairings
Suppose $G$ and $G_T$ are two cyclic groups of order $p$, and $g$ is a generator of $G$. A bilinear map $e: G \times G \to G_T$ satisfies the following properties:
(1) Bilinearity: for any $g, h \in G$ and $a, b \in Z_p$, $e(g^a, h^b) = e(g, h)^{ab}$.
(2) Non-degeneracy: $e(g, g) \neq 1$.
Here $e(G, G)$ denotes the mapping of two elements of the cyclic group $G$ into the multiplicative cyclic group $G_T$ without losing its isomorphism.
The technical scheme provided by this embodiment is a Boolean searchable encryption scheme supporting fine-grained Boolean access control and flexible attribute set and keyword structures, and comprises the following steps:
S1, system initialization: the trusted authority TA generates a public key pk and a master key mk according to the security parameter K, and publishes the public key pk to the cloud server.
The trusted authority TA is a fully trusted third-party security authority. It is responsible for generating the system public key pk and master key mk pair, and for generating a corresponding private key sk from the attribute set of a data user; the system public key pk, the master key mk and the private key sk are binary codes of a certain length.
After generating the public key pk and the master key mk, the trusted authority TA publishes the public key pk on the cloud storage server or broadcasts it to all users in the system, and all users in the system are permitted to access the public key pk; the master key mk is kept securely inside the trusted authority TA, and only the trusted authority TA is permitted to access it.
The specific process of this step is as follows:
S1a, the trusted authority TA uses the group generator
Figure BDA0003412378930000101
to execute
Figure BDA0003412378930000102
and obtain $(p, G, G_T, e)$, where $p$ is a prime, $G$ and $G_T$ are cyclic groups of order $p$, $g$ is a generator of $G$, and $e: G \times G \to G_T$ is a bilinear map;
S1b, the trusted authority TA selects two collision-resistant hash functions $H_0(\cdot)$ and $H_1(\cdot)$, where the hash function $H_0(\cdot)$ satisfies the following mapping:
Figure BDA0003412378930000103
where
Figure BDA0003412378930000104
is the set of all numbers coprime to the prime $p$, and the hash function $H_1(\cdot)$ satisfies the following mapping: $\{0,1\}^* \to G$;
S1c, the trusted authority TA randomly selects the first, second, third and fourth parameters used for private key generation, document encryption and retrieval token generation
Figure BDA0003412378930000105
and calculates
Figure BDA0003412378930000106
S1d, from the above variables, the trusted authority TA obtains the system public key
Figure BDA0003412378930000107
Figure BDA0003412378930000111
and the master key $mk = \langle \beta_1, \beta_2, \alpha \rangle$.
S2, private key generation: the data user organizes their attributes into a recursive attribute set
Figure BDA0003412378930000112
and sends it to the trusted authority TA, which uses the master key mk and the recursive attribute set
Figure BDA0003412378930000113
to generate a private key sk and sends sk to the data user, wherein the attribute set
Figure BDA0003412378930000114
is parsed as $\{A_0, A_1, \ldots, A_n\}$, and $A_i$ denotes, within
Figure BDA0003412378930000115
the $i$-th sub-attribute set; let sub-attribute set $A_i$ contain $m_i$ attributes, so that it can be expressed as
Figure BDA00034123789300001124
where $a_{i,j}$ denotes the $j$-th attribute of sub-attribute set $A_i$.
The specific process of this step is as follows:
S2a, for the recursive attribute set
Figure BDA0003412378930000116
the trusted authority TA randomly selects
Figure BDA0003412378930000117
and, for the recursive attribute set
Figure BDA0003412378930000118
selects $r_i$ for each of its subsets $A_i$, where $r$ is, for the attribute set
Figure BDA0003412378930000119
the parameter used for subsequent match verification against the access tree, and $r_i$ is, for the attribute set
Figure BDA00034123789300001110
the parameter of its subset $A_i$ used for subsequent match verification against the access tree; assuming the recursive attribute set
Figure BDA00034123789300001111
has $n+1$ subsets, the parameters $r_i$ of the 2nd to $(n+1)$-th subsets satisfy
Figure BDA00034123789300001112
and the parameter of the 1st subset $A_0$ is set to $r_0 = r$;
S2b, for the recursive attribute set
Figure BDA00034123789300001113
the trusted authority TA also selects, for each attribute $a_{i,j}$ in it, a parameter $r_{i,j}$ for subsequent matching calculations, where
Figure BDA00034123789300001114
S2c, the trusted authority TA calculates
Figure BDA00034123789300001115
for subsequently generating
Figure BDA00034123789300001116
and calculates
Figure BDA00034123789300001117
Figure BDA00034123789300001118
for subsequently generating
Figure BDA00034123789300001119
where $0 \le i \le n$ and $1 \le j \le m_i$;
S2d, the trusted authority TA calculates
Figure BDA00034123789300001120
for subsequently generating
Figure BDA00034123789300001121
where $1 \le i \le n$;
S2e, from the above variables, the trusted authority TA obtains the data user's private key
Figure BDA00034123789300001122
and sends it to the data user.
S3, encryption: data owner uses system public key pk, recursive key set
Figure BDA00034123789300001123
Figure BDA0003412378930000121
And access tree
Figure BDA0003412378930000122
Generating a ciphertext C for the document, uploading the ciphertext C to a cloud server, and recursively collecting the keywords WVElement (1) of
Figure BDA0003412378930000123
Representing the i' th subset of the set of recursive keywords, which is resolved to
Figure BDA0003412378930000124
Recursive keyword name set
Figure BDA0003412378930000125
And a set of recursive keywords WVHaving the same structure, elements of the set
Figure BDA0003412378930000126
Denoted is the ith ' subset of the set of recursive keyword names, resolved as (ρ (i ', 1), ρ (i ', 2).. ρ (i ', m 'i′) Wherein, m'i′Indicating the number of keywords in the ith 'keyword subset, ρ (i', j ') indicating the name of the jth keyword in the ith' keyword subset, and wρ(i′,j′)A value representing a jth keyword in the ith' keyword subset;
The specific process of this step is as follows:
S3a, the data owner randomly selects, for the recursive keyword set W_V, the parameter for matching verification
Figure BDA0003412378930000127
and calculates the parameters for the ciphertext and keyword matching verification calculation
Figure BDA0003412378930000128
and the parameters for the conversion calculation at conversion nodes
Figure BDA0003412378930000129
S3b, the data owner generates a set containing n′ random parameters
Figure BDA00034123789300001210
where s_{i′} is the parameter with which the subset
Figure BDA00034123789300001211
of the recursive keyword set W_V performs matching verification, and s_0 is the parameter with which the subset
Figure BDA00034123789300001212
performs matching verification;
S3c, the data owner generates a random parameter set for subsequent matching calculation
Figure BDA00034123789300001213
wherein s_{i′,j′} corresponds to the keyword w_{ρ(i′,j′)};
S3d, the data owner calculates the parameters used in the keyword matching algorithm DecryptNodeII
Figure BDA00034123789300001214
wherein 0 ≤ i′ ≤ n′ and 1 ≤ j′ ≤ m′_{i′}; the keyword matching algorithm DecryptNodeII is the algorithm that matches the keywords of the ciphertext against those of the retrieval token; the data owner then calculates, for the subset of the recursive keyword set
Figure BDA00034123789300001215
the parameter that enables its s_{i′} to be converted to the s_0 of the subset
Figure BDA00034123789300001218
namely
Figure BDA00034123789300001216
wherein 1 ≤ i′ ≤ n;
S3e, the data owner uses the secret sharing algorithm
Figure BDA00034123789300001217
Figure BDA0003412378930000131
to calculate the secret shares of s, where q_v(0) denotes the constant term of the secret sharing polynomial of node v,
Figure BDA0003412378930000132
denotes the leaf nodes of the access tree
Figure BDA0003412378930000133
and
Figure BDA0003412378930000134
means that, given s and the access tree
Figure BDA0003412378930000135
the secret sharing algorithm is run;
S3f, for each leaf node of the access tree
Figure BDA0003412378930000136
the data owner calculates the parameters used in the attribute matching algorithm DecryptNodeI
Figure BDA0003412378930000137
where the attribute matching algorithm DecryptNodeI is the algorithm that matches a user attribute set against an access tree;
S3g, the access tree
Figure BDA0003412378930000138
is represented as
Figure BDA0003412378930000139
for each node
Figure BDA00034123789300001310
Figure BDA00034123789300001311
the data owner computes
Figure BDA00034123789300001312
wherein
Figure BDA00034123789300001313
supports mutual conversion between sets at a conversion node x;
S3h, the data owner obtains the ciphertext from the variables obtained in the above steps
Figure BDA00034123789300001314
S4, search token generation: the data user uses the private key obtained in step S2, in combination with the Boolean keyword value expression B_V local to the data user, to generate a retrieval token TK, wherein B_V is an access tree structure and B_N denotes the Boolean keyword name expression, which has the same access tree structure as B_V; for a leaf node of B_V
Figure BDA00034123789300001315
the keyword value is denoted
Figure BDA00034123789300001316
wherein
Figure BDA00034123789300001317
denotes the corresponding keyword name; the specific process of this step is as follows:
S4a, the data user randomly selects a value
Figure BDA00034123789300001318
for subsequent parameter generation, and calculates the parameter for the conversion calculation at conversion nodes
Figure BDA00034123789300001319
S4b, the data user uses the secret sharing algorithm
Figure BDA00034123789300001320
to calculate the secret shares of t; for each leaf node
Figure BDA00034123789300001321
the data user calculates the parameters used subsequently in the keyword matching algorithm DecryptNodeII
Figure BDA00034123789300001322
Figure BDA00034123789300001323
and for each conversion node
Figure BDA00034123789300001324
the data user calculates the parameter for the conversion calculation at the conversion node
Figure BDA0003412378930000141
S4c, the data user parses the private key sk into
Figure BDA0003412378930000142
Figure BDA0003412378930000143
and calculates the parameters for the ciphertext and keyword matching verification calculation
Figure BDA0003412378930000144
Figure BDA0003412378930000145
the parameters used in the attribute matching algorithm DecryptNodeI
Figure BDA0003412378930000146
wherein 0 ≤ i ≤ n, 1 ≤ j ≤ m_i; and the parameter that enables r_i of subset A_i to be converted to r_0 of subset A_0
Figure BDA0003412378930000147
wherein 1 ≤ i ≤ n;
S4d, the data user obtains the retrieval token from the variables obtained in the above steps
Figure BDA0003412378930000148
Figure BDA0003412378930000149
S5, ciphertext search: the data user sends the retrieval token TK generated in step S4 to the cloud server; after receiving the retrieval token TK, the cloud server checks it against the ciphertexts C stored on the cloud server to determine whether they match, and sends the ciphertexts C that meet the matching condition to the data user.
The specific process of the step is as follows:
S5a, the cloud server parses the ciphertext C into
Figure BDA00034123789300001410
Figure BDA00034123789300001411
Figure BDA00034123789300001412
and parses the retrieval token TK into
Figure BDA00034123789300001413
S5b, according to the access tree
Figure BDA00034123789300001414
and the attribute set
Figure BDA00034123789300001415
for each node τ of the access tree
Figure BDA00034123789300001416
the cloud server returns a set S_τ, where S_τ is the label set of node τ, each label u corresponds to a set A_u, and each set A_u satisfies the sub access tree
Figure BDA00034123789300001419
for the root node R, there is
Figure BDA00034123789300001421
Figure BDA00034123789300001420
and the corresponding set is S_R;
S5c, if the attribute set
Figure BDA00034123789300001417
satisfies the access tree
Figure BDA00034123789300001418
then for each node τ, one label is randomly selected from the set S_τ and denoted u, and the attribute matching algorithm DecryptNodeI(C, TK, τ, u) is run, which takes as input the ciphertext C, the retrieval token TK, the node τ and the label u, and by calculating
Figure BDA0003412378930000151
outputs the calculation result F_τ of node τ, wherein C_τ and C′_τ are the parameters corresponding to node τ in the ciphertext C, and
Figure BDA0003412378930000152
and
Figure BDA0003412378930000153
are the parameters in the retrieval token TK of the attribute corresponding to node τ in the subset A_u; if the access tree
Figure BDA0003412378930000154
is not satisfied by any attribute set
Figure BDA00034123789300001516
then "0" is returned.
Depending on the type of node τ, the attribute matching algorithm DecryptNodeI(C, TK, τ, u) has the following two different calculation modes:
When node τ is a leaf node, if the attribute att(τ) corresponding to node τ satisfies att(τ) ∈ A_i, the attribute matching algorithm DecryptNodeI(C, TK, τ, u) is run and outputs
Figure BDA0003412378930000155
otherwise, the algorithm returns ⊥;
When node τ is a non-leaf node, the cloud server first computes a set E_τ containing k_τ child nodes of node τ; each node z in E_τ must satisfy either that the label u belongs to the label set S_z of z, i.e. u ∈ S_z, or that z is a conversion node and there exists at least one label u′ ∈ S_z; then the attribute matching algorithm DecryptNodeI(C, TK, z, u′) is run and outputs
Figure BDA0003412378930000156
then, according to the value of the label u, F′_z is converted using a conversion formula: when u = 0, it calculates
Figure BDA0003412378930000157
and outputs the calculation result
Figure BDA0003412378930000158
wherein
Figure BDA0003412378930000159
is the parameter corresponding to the label u′ in the retrieval token TK, and
Figure BDA00034123789300001510
is the parameter corresponding to the node z in the ciphertext C; when u ≠ 0, it calculates
Figure BDA00034123789300001511
and outputs the calculation result
Figure BDA00034123789300001512
wherein
Figure BDA00034123789300001513
is the parameter corresponding to the label u in the retrieval token TK;
After every node in E_τ has been calculated, F_τ is calculated using the following equation
Figure BDA00034123789300001514
wherein
Figure BDA00034123789300001515
k = index(z), U_z = {index(z) : z ∈ E_τ}, and the function index(·) obtains the label of a node;
Then the attribute matching algorithm DecryptNodeI(C, TK, R, u) is run on the root node R; when the label u of R is 0, it outputs the calculation result F_R = e(g,g)^{trs}; when u ≠ 0, it outputs the calculation result
Figure BDA0003412378930000161
Finally, F is calculated according to the label u: when u = 0, let F = F_R; when u ≠ 0, calculate
Figure BDA0003412378930000162
and output the calculation result F = e(g,g)^{trs};
S5d, for a given recursive keyword name set W_N and Boolean keyword name expression B_N, for each node of B_N
Figure BDA0003412378930000163
the cloud server computes a label set
Figure BDA0003412378930000164
where each label h corresponds to a subset of W_N
Figure BDA0003412378930000165
and each subset
Figure BDA0003412378930000166
satisfies the subtree of B_N
Figure BDA0003412378930000167
for the root node
Figure BDA0003412378930000168
there is
Figure BDA0003412378930000169
and the corresponding set is
Figure BDA00034123789300001610
S5e, if the recursive keyword name structure W_N satisfies the Boolean keyword name expression B_N, then for each node
Figure BDA00034123789300001611
one label is randomly selected from the set
Figure BDA00034123789300001631
and denoted h, and the keyword matching algorithm
Figure BDA00034123789300001612
is run; the algorithm takes as input the ciphertext C, the retrieval token TK, the node
Figure BDA00034123789300001613
and the label h, and by calculating
Figure BDA00034123789300001614
outputs, for the node
Figure BDA00034123789300001632
the calculation result
Figure BDA00034123789300001615
wherein
Figure BDA00034123789300001616
and
Figure BDA00034123789300001617
are the parameters corresponding to the node
Figure BDA00034123789300001618
in the retrieval token TK, and C_{ρ(h,j′)} and C′_{ρ(h,j′)} are the parameters in the ciphertext C of the keyword name corresponding to the node
Figure BDA00034123789300001619
in the subset
Figure BDA00034123789300001620
if no recursive keyword name structure W_N satisfies the Boolean keyword name expression B_N, 0 is returned. Depending on the type of the node
Figure BDA00034123789300001633
the keyword matching algorithm
Figure BDA00034123789300001621
has two different calculation modes:
When the node
Figure BDA00034123789300001622
is a leaf node, if
Figure BDA00034123789300001623
the keyword matching algorithm
Figure BDA00034123789300001624
returns ⊥; otherwise, assume that
Figure BDA00034123789300001625
then
Figure BDA00034123789300001626
and the keyword matching algorithm
Figure BDA00034123789300001627
is run, outputting the result
Figure BDA00034123789300001628
wherein s_h denotes the matching verification random number corresponding to the subset
Figure BDA00034123789300001629
and
Figure BDA00034123789300001630
denotes the constant term of the secret sharing polynomial of node τ; when the node
Figure BDA0003412378930000171
is a non-leaf node, the cloud server first computes, for the node
Figure BDA0003412378930000172
a set of
Figure BDA0003412378930000173
child nodes
Figure BDA0003412378930000174
in which each node
Figure BDA00034123789300001734
must satisfy that the label h belongs to the label set of
Figure BDA0003412378930000175
Figure BDA0003412378930000176
Figure BDA0003412378930000177
is a conversion node and there exists at least one label
Figure BDA0003412378930000178
then the keyword matching algorithm
Figure BDA0003412378930000179
is run, outputting
Figure BDA00034123789300001710
then, according to the value of the label h,
Figure BDA00034123789300001711
is converted using a conversion formula: when h = 0, it calculates
Figure BDA00034123789300001712
and outputs the calculation result
Figure BDA00034123789300001713
wherein
Figure BDA00034123789300001714
is the parameter corresponding to the node
Figure BDA00034123789300001715
in the retrieval token TK, and K_{h′} is the parameter corresponding to the label h′ in the ciphertext C; when h ≠ 0, it calculates
Figure BDA00034123789300001716
Figure BDA00034123789300001717
and outputs the calculation result
Figure BDA00034123789300001718
wherein K_h is the parameter corresponding to the label h in the ciphertext C.
After every node in
Figure BDA00034123789300001719
has been calculated, the following equation is used to calculate
Figure BDA00034123789300001720
Figure BDA00034123789300001721
wherein
Figure BDA00034123789300001722
Next, the keyword matching algorithm DecryptNodeII(C, TK,
Figure BDA00034123789300001733
h) is run on the root node
Figure BDA00034123789300001723
when the label h of
Figure BDA00034123789300001724
is 0, it outputs the calculation result
Figure BDA00034123789300001725
when h ≠ 0, it outputs the calculation result
Figure BDA00034123789300001726
Finally, according to the label h, calculate
Figure BDA00034123789300001727
when h = 0, let
Figure BDA00034123789300001728
when h ≠ 0, calculate
Figure BDA00034123789300001729
and output the calculation result
Figure BDA00034123789300001735
S5f, the cloud server calculates the parameter for the verification matching calculation
Figure BDA00034123789300001730
and judges whether
Figure BDA00034123789300001731
holds, wherein
Figure BDA00034123789300001732
denotes the result of the matching calculation between the ciphertext keywords and the user search keywords, and F denotes the result of the matching calculation between the access tree and the user attributes; if the result is obtained, 0 is output; if not, "1" is output.
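The secret sharing of S3e and S4b and the recombination over child indices in S5c can be tried out on plain numbers. The following is an added sketch, not the patent's code: it assumes the usual threshold-tree Shamir sharing (q_v(0) handed down the tree, Lagrange coefficients over index(z)), works in Z_p directly rather than in the exponent of a pairing, and the prime P, the Node class and the leaf names are assumptions.

```python
import secrets

# Assumed stand-in for the group order p: the Mersenne prime 2^127 - 1.
P = 2**127 - 1

class Node:
    """Access-tree node: a leaf carries `attr`; a gate carries threshold k."""
    def __init__(self, k=1, children=(), attr=None):
        self.k, self.children, self.attr = k, list(children), attr

def share(node, secret, out):
    """Top-down sharing: q_node(0) = secret, child with index i gets q_node(i)."""
    if node.attr is not None:
        out[node.attr] = secret          # leaf share q_v(0)
        return out
    # Random polynomial of degree k-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(node.k - 1)]
    for idx, child in enumerate(node.children, start=1):
        y = sum(c * pow(idx, e, P) for e, c in enumerate(coeffs)) % P
        share(child, y, out)
    return out

def lagrange0(k, U):
    """Lagrange coefficient at 0: product over j in U, j != k, of (0-j)/(k-j)."""
    num = den = 1
    for j in U:
        if j != k:
            num = num * (-j) % P
            den = den * (k - j) % P
    return num * pow(den, -1, P) % P

def recover(node, have):
    """Bottom-up recombination; returns q_node(0), or None for the ⊥ case."""
    if node.attr is not None:
        return have.get(node.attr)
    got = {}                              # child index -> recovered q_child(0)
    for idx, child in enumerate(node.children, start=1):
        v = recover(child, have)
        if v is not None and len(got) < node.k:
            got[idx] = v
    if len(got) < node.k:
        return None                       # fewer than k children satisfied
    U = list(got)
    return sum(v * lagrange0(k, U) for k, v in got.items()) % P

def leaf(name):
    return Node(attr=name)

# Constructed tree: (a OR b) AND (2 of {c, d, e}).
TREE = Node(2, [Node(1, [leaf("a"), leaf("b")]),
                Node(2, [leaf("c"), leaf("d"), leaf("e")])])

def demo(secret=123456789):
    shares = share(TREE, secret, {})
    pick = lambda *names: {n: shares[n] for n in names}
    return (recover(TREE, pick("a", "c", "e")),   # satisfying leaf set
            recover(TREE, pick("b", "d", "e")),   # another satisfying set
            recover(TREE, pick("a", "c")))        # threshold gate not met

if __name__ == "__main__":
    print(demo())
```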
Example 2
As shown in fig. 3, this embodiment further provides a Boolean keyword ciphertext retrieval system for large-scale users, which comprises the following four parts: a cloud storage subsystem running on the cloud server; an encryption subsystem running at the data owner side; a user retrieval token generation and decryption subsystem running at the data user side; and an initialization and private key generation subsystem running in the trusted authority TA.
The initialization and private key generation subsystem running in the trusted authority TA comprises the following modules: an initialization module, a master key storage module and a private key generation module. The initialization module is used for generating the system public key and the master key, publishing the system public key to the cloud server, and storing the master key in the master key storage module; the master key storage module is used for storing the master key and allows access only by the trusted authority TA; the private key generation module is used for receiving the attribute set of the data user
Figure BDA0003412378930000181
generating a user private key sk using the master key, and sending the user private key sk to the data user.
The cloud storage subsystem running on the cloud server comprises the following modules: a system public key publication module, a storage module and a retrieval module. The system public key publication module publishes the system public key pk generated by the trusted authority TA; the storage module stores the data ciphertexts encrypted by the data owner; the retrieval module matches the retrieval token against the data ciphertexts one by one and, after obtaining the data ciphertexts that meet the matching condition from the storage module, sends them to the data user.
The encryption subsystem running at the data owner side comprises a data encryption module; the data encryption module acquires the system public key from the cloud server, encrypts a file using that key and the access policy defined by the data owner to obtain a data ciphertext, and sends the data ciphertext to the cloud server.
The user retrieval token generation and decryption subsystem running at the data user side comprises the following modules: a retrieval token generation module, a user retrieval module and a data decryption module. The retrieval token generation module is responsible for generating a retrieval token from the private key of the data user and the user's query keyword predicate; the user retrieval module is responsible for sending the retrieval token to the cloud server to complete the retrieval operation; and the data decryption module decrypts the data ciphertexts obtained by the retrieval using the user private key to recover the plaintext content.
To further illustrate this scheme, a searchable encryption method supporting flexible access policy matching, flexible user attribute organization, and Boolean keyword retrieval, applied to a healthcare scenario in accordance with an embodiment of the present invention, is described below in conjunction with fig. 2.
In this embodiment, the keyword set structure height of the document is 2; the access policy access tree height of the data owner is 2; the attribute set architecture height for data users is 2. The specific flow in this example is as follows:
T1, the trusted authority TA runs the initialization module, generates the system public key pk and the master key mk according to the security parameter K, and publishes the system public key pk to the cloud server; meanwhile, the data user sends to the trusted authority TA its attribute set
Figure BDA0003412378930000191
The attribute set of data user 1 is represented as: { organization: university A, position: researcher, { department: pharmacy, position: principal }, { department: chemistry, position: professor } }; the trusted authority TA, according to the master key mk and the data user attribute set
Figure BDA0003412378930000192
generates the private key sk of the data user and sends the private key sk to the data user. The master key mk is stored in the master key storage module.
T2, data owner 1 owns three documents 1, 2, 3, where:
the recursive keyword set for document 1 is represented as: { name: Li Xiaoming, disease: heart disease, medication: Lipitor, { name: Li Xiaoming, disease: hypertension, medication: amiloride }, { name: Li Xiaoming, disease: heart disease, medication: nitroglycerin } }, and the structure of the access tree of the access policy applied is shown in fig. 4;
the recursive keyword set for document 2 is represented as: { name: Wanxiaomai, disease: coronary heart disease, medication: aspirin, { name: Wanxiaomai, disease: hypertension, medication: amiloride }, { name: Wanxiaomai, disease: heart disease, medication: nitroglycerin } }, and the structure of the access tree of the access policy applied is shown in fig. 5;
the recursive keyword set for document 3 is represented as: { name: Zhang Xiaogang, disease: chronic urticaria, medication: loratadine, { name: Zhang Xiaogang, disease: diabetes mellitus, medication: baida Yang }, { name: Zhang Xiaogang, disease: heart disease, medication: nitroglycerin } }, and the structure of the access tree of the access policy applied is shown in fig. 4;
To encrypt the above documents, data owner 1 first runs the encryption subsystem and obtains the system public key pk from the cloud storage subsystem on the cloud server. The subsystem then uses the system public key pk to encrypt the three documents in sequence, generating the ciphertexts {C_i}_{i=1,2,3}, and uploads them to the cloud server.
T3, after receiving the ciphertext set of data owner 1, the cloud server stores it in the storage module of the cloud storage subsystem. For simplicity of explanation, it is assumed here that the storage module currently stores only the above three ciphertexts {C_i}_{i=1,2,3} of data owner 1.
T4, if the user wants to query the documents in which the disease is heart disease and the medication used is Lipitor or nitroglycerin, the retrieval token generation module of the user retrieval token generation and decryption subsystem is run, which uses the user private key sk and the query keyword predicate
Figure BDA0003412378930000201
(disease = "heart disease") AND ((medication = "Lipitor") OR (medication = "nitroglycerin")) to generate a retrieval token TK, and passes the retrieval token TK to the user retrieval module. The user retrieval module sends the retrieval token TK to the cloud server for the subsequent retrieval operation.
T5, after receiving the query request of data user 1, the cloud server runs the retrieval module, which matches the retrieval token TK against the ciphertexts C_1, C_2, C_3 in the storage module in sequence. After the matching operation is completed, the cloud server returns the matching ciphertexts C_1 and C_3 to data user 1.
T6, after receiving the returned data ciphertexts C_1 and C_3, data user 1 runs the decryption module of the user retrieval token generation and decryption subsystem, which decrypts the ciphertexts C_1 and C_3 using the private key sk to obtain the plaintext contents of document 1 and document 3.
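The matching outcome of T4 and T5 can be reproduced in the clear with the label-set rule of S5b to S5e. The following is an added example, not code from the patent: it evaluates a Boolean tree against a recursive set and ignores all cryptography; the two access policies stand in for figs. 4 and 5, which are not reproduced on this page, and together with the class and function names they are assumptions. Keyword values are compared directly, a simplification of the scheme's name-level label sets followed by an encrypted value check.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Leaf:
    name: str
    value: str
    convert: bool = False      # True marks a conversion node

@dataclass(frozen=True)
class Gate:
    k: int                     # threshold: len(children) for AND, 1 for OR
    children: tuple
    convert: bool = False

def AND(*children, convert=False):
    return Gate(len(children), children, convert)

def OR(*children, convert=False):
    return Gate(1, children, convert)

def label_set(node, subsets):
    """Labels u whose subset satisfies the subtree at `node` (S_tau in S5b).

    subsets[0] is the outer subset (label 0); the rest are the inner subsets."""
    if isinstance(node, Leaf):
        return {u for u, s in enumerate(subsets) if s.get(node.name) == node.value}
    child_sets = [(c, label_set(c, subsets)) for c in node.children]
    result = set()
    for u in range(len(subsets)):
        # A child counts for label u if u is in its label set, or if it is a
        # conversion node that is satisfied under any label at all.
        usable = sum(1 for c, s_c in child_sets if u in s_c or (c.convert and s_c))
        if usable >= node.k:
            result.add(u)
    return result

def satisfies(tree, subsets):
    return bool(label_set(tree, subsets))

def flat_satisfies(node, subsets):
    """Same tree evaluated against one pooled set, for comparison only."""
    if isinstance(node, Leaf):
        return any(s.get(node.name) == node.value for s in subsets)
    return sum(flat_satisfies(c, subsets) for c in node.children) >= node.k

# Attribute set of data user 1, transcribed from T1.
USER = [
    {"organization": "university A", "position": "researcher"},
    {"department": "pharmacy", "position": "principal"},
    {"department": "chemistry", "position": "professor"},
]

def kw(name, *pairs):
    return [{"name": name, "disease": d, "medication": m} for d, m in pairs]

# Keyword sets of documents 1 to 3, transcribed from T2 (drug spelled as in T4).
DOCS = {
    1: kw("Li Xiaoming", ("heart disease", "Lipitor"),
          ("hypertension", "amiloride"), ("heart disease", "nitroglycerin")),
    2: kw("Wanxiaomai", ("coronary heart disease", "aspirin"),
          ("hypertension", "amiloride"), ("heart disease", "nitroglycerin")),
    3: kw("Zhang Xiaogang", ("chronic urticaria", "loratadine"),
          ("diabetes mellitus", "baida Yang"), ("heart disease", "nitroglycerin")),
}

# Query predicate from T4.
QUERY = AND(Leaf("disease", "heart disease"),
            OR(Leaf("medication", "Lipitor"), Leaf("medication", "nitroglycerin")))

# Constructed policies (assumptions): P for documents 1 and 3, Q for document 2.
POLICY_P = AND(Leaf("department", "pharmacy"), Leaf("position", "principal"))
POLICY_Q = AND(Leaf("department", "chemistry"), Leaf("position", "principal"))
POLICIES = {1: POLICY_P, 2: POLICY_Q, 3: POLICY_P}

def search(query, user):
    """Document ids for which both the access policy and the query match."""
    return sorted(i for i, keywords in DOCS.items()
                  if satisfies(POLICIES[i], user) and satisfies(query, keywords))

if __name__ == "__main__":
    print(search(QUERY, USER))
```

All three documents satisfy the keyword predicate through their third subset, so in this model it is the access policy, evaluated per subset rather than over a pooled attribute set, that separates document 2 from documents 1 and 3.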
In summary, the Boolean keyword searchable encryption method supporting a large-scale user group disclosed in this embodiment supports a more flexible organization of data user attributes and more flexible access policy matching, and achieves more efficient access control. Most of the prior art improves or extends either an ABE (attribute-based encryption) scheme or a PEKS (public-key encryption with keyword search) scheme. Although both kinds of scheme can achieve fine-grained access control, the attributes of a data user are still merged into a single attribute set, which does not match actual usage scenarios. The invention expresses the access policy as an access tree and organizes the data user attributes in a recursive set structure, thereby achieving more efficient access policy matching. In addition, the encryption method supports a more flexible keyword organization and Boolean keyword retrieval. In the prior art, some techniques only allow the data owner to encrypt data under a single keyword and the data user to retrieve data with a single keyword, and do not support Boolean keyword search with nested logical connectives such as AND and OR; moreover, the prior art organizes keywords in a single set, so efficient keyword matching cannot be achieved in some practical scenarios. In the invention, organizing the keywords as a recursive set and using a Boolean matching operation achieves flexible keyword organization and Boolean keyword search.
The above embodiments are preferred embodiments of the present invention, but the present invention is not limited to the above embodiments, and any other changes, modifications, substitutions, combinations, and simplifications which do not depart from the spirit and principle of the present invention should be construed as equivalents thereof, and all such changes, modifications, substitutions, combinations, and simplifications are intended to be included in the scope of the present invention.

Claims (8)

1. A Boolean keyword searchable encryption method supporting a large-scale user group is characterized by comprising the following steps:
S1, system initialization: the trusted authority TA generates a public key pk and a master key mk according to the security parameter K, and publishes the public key pk to the cloud server;
S2, private key generation: the data user organizes its attributes into a recursive attribute set
Figure FDA0003412378920000011
and sends it to the trusted authority TA; the trusted authority TA uses the master key mk and the recursive attribute set
Figure FDA0003412378920000012
to generate a private key sk and sends the private key sk to the data user, wherein the attribute set
Figure FDA0003412378920000013
is parsed as {A_0, A_1, ..., A_n}, A_i denotes the i-th sub-attribute set in
Figure FDA0003412378920000014
and, letting the sub-attribute set A_i contain m_i attributes,
Figure FDA0003412378920000015
wherein a_{i,j} denotes the j-th attribute of the sub-attribute set A_i;
S3, encryption: the data owner uses the system public key pk, the recursive keyword set
Figure FDA0003412378920000016
Figure FDA0003412378920000017
and the access tree
Figure FDA0003412378920000018
to generate a ciphertext C for the document and uploads the ciphertext C to the cloud server, wherein an element of the recursive keyword set W_V
Figure FDA0003412378920000019
represents the i′-th subset of the recursive keyword set and is parsed as
Figure FDA00034123789200000110
the recursive keyword name set
Figure FDA00034123789200000111
has the same structure as the recursive keyword set W_V, and an element of that set
Figure FDA00034123789200000112
represents the i′-th subset of the recursive keyword name set and is parsed as (ρ(i′,1), ρ(i′,2), ..., ρ(i′,m′_{i′})), wherein m′_{i′} denotes the number of keywords in the i′-th keyword subset, ρ(i′,j′) denotes the name of the j′-th keyword in the i′-th keyword subset, and w_{ρ(i′,j′)} denotes the value of the j′-th keyword in the i′-th keyword subset;
S4, search token generation: the data user uses the private key obtained in step S2, in combination with the Boolean keyword value expression B_V local to the data user, to generate a retrieval token TK, wherein B_V is an access tree structure and B_N denotes the Boolean keyword name expression, which has the same access tree structure as B_V; for a leaf node of B_V
Figure FDA0003412378920000021
the keyword value is denoted
Figure FDA0003412378920000022
wherein
Figure FDA0003412378920000023
denotes the corresponding keyword name;
S5, ciphertext search: the data user sends the retrieval token TK generated in step S4 to the cloud server; after receiving the retrieval token TK, the cloud server checks it against the ciphertexts C stored on the cloud server to determine whether they match, and sends the ciphertexts C that meet the matching condition to the data user.
2. The boolean keyword searchable encryption method according to claim 1, wherein said step S1 is performed by:
S1a, the trusted authority TA uses the group generator
Figure FDA0003412378920000024
and executes
Figure FDA0003412378920000025
to obtain (p, G, G_T, e), where p is a prime number, G and G_T are cyclic groups of order p, g is a generator of G, and e: G × G → G_T is a bilinear map;
S1b, the trusted authority TA selects two collision-resistant hash functions H_0(·) and H_1(·), wherein the hash function H_0(·) satisfies the following mapping:
Figure FDA0003412378920000026
wherein
Figure FDA0003412378920000027
is the set of all numbers coprime to the prime p, and the hash function H_1(·) satisfies the following mapping: {0,1}* → G;
S1c, the trusted authority TA randomly selects the first, second, third and fourth parameters β_1, β_2, α,
Figure FDA0003412378920000028
for private key generation, document encryption and retrieval token generation, and calculates
Figure FDA0003412378920000029
g^α, g^{αγ}, g^{1/γ};
S1d, the trusted authority TA obtains from the above variables the system public key
Figure FDA00034123789200000210
Figure FDA00034123789200000211
and the master key mk = <β_1, β_2, α>.
3. The boolean keyword searchable encryption method according to claim 1, wherein said step S2 is performed by:
S2a, for the recursive attribute set
Figure FDA00034123789200000212
the trusted authority TA randomly selects
Figure FDA00034123789200000213
and for the recursive attribute set
Figure FDA00034123789200000214
selects r_i for each of its subsets A_i, where r is the parameter with which the attribute set
Figure FDA00034123789200000215
is subsequently matched and verified against the access tree, and r_i is, for the attribute set
Figure FDA00034123789200000216
the parameter with which its subset A_i is subsequently matched and verified against the access tree; assuming the recursive attribute set
Figure FDA0003412378920000031
has n + 1 subsets, the parameters r_i of the 2nd to (n+1)-th subsets satisfy
Figure FDA0003412378920000032
and the parameter of the 1st subset A_0 is r_0 = r;
Figure FDA0003412378920000033
is the set of all numbers coprime to the prime p;
S2b, the trusted authority TA also needs to select, for the recursive attribute set
Figure FDA0003412378920000034
a parameter r_{i,j} for each attribute a_{i,j} in it, for subsequent matching calculations, wherein
Figure FDA0003412378920000035
S2c, the trusted authority TA calculates
Figure FDA0003412378920000036
for subsequent generation of
Figure FDA0003412378920000037
and calculates
Figure FDA0003412378920000038
Figure FDA0003412378920000039
and
Figure FDA00034123789200000310
for subsequent generation of
Figure FDA00034123789200000311
and
Figure FDA00034123789200000312
wherein 0 ≤ i ≤ n, 1 ≤ j ≤ m_i;
S2d, the trusted authority TA calculates
Figure FDA00034123789200000313
for subsequent generation of
Figure FDA00034123789200000314
wherein 1 ≤ i ≤ n;
S2e, the trusted authority TA obtains from the above variables the private key of the data user
Figure FDA00034123789200000315
and sends it to the data user.
4. The boolean keyword searchable encryption method according to claim 1, wherein said step S3 is performed by:
S3a, the data owner randomly selects, for the recursive keyword set W_V, the parameter for matching verification
Figure FDA00034123789200000316
Figure FDA00034123789200000317
is the set of all numbers coprime to the prime p; and the data owner calculates the parameters for the ciphertext and keyword matching verification calculation
Figure FDA00034123789200000318
and the parameters for the conversion calculation at conversion nodes
Figure FDA00034123789200000319
Figure FDA00034123789200000320
S3b, the data owner generates a set containing n′ random parameters
Figure FDA00034123789200000321
wherein s_{i′} is the parameter with which the subset
Figure FDA00034123789200000322
of the recursive keyword set W_V performs matching verification, and s_0 is the parameter with which the subset
Figure FDA00034123789200000323
performs matching verification;
S3c, the data owner generates a random parameter set for subsequent matching calculation
Figure FDA0003412378920000041
wherein s_{i′,j′} corresponds to the keyword w_{ρ(i′,j′)};
S3d, the data owner calculates the parameters used in the keyword matching algorithm DecryptNodeII
Figure FDA0003412378920000042
and
Figure FDA0003412378920000043
wherein 0 ≤ i′ ≤ n′ and 1 ≤ j′ ≤ m′_{i′}; the keyword matching algorithm DecryptNodeII is used for matching the keywords of the ciphertext against those of the retrieval token; the data owner then calculates, for the subset of the recursive keyword set
Figure FDA0003412378920000044
the parameter that enables its s_{i′} to be converted to the s_0 of the subset
Figure FDA0003412378920000045
namely
Figure FDA0003412378920000046
wherein 1 ≤ i′ ≤ n′;
s3e, using secret sharing algorithm by data owner
Figure FDA0003412378920000047
Figure FDA0003412378920000048
Secret sharing of s is calculated, where qv(0) The value of the constant in the secret sharing polynomial representing node v,
Figure FDA0003412378920000049
denotes, for the access tree
Figure FDA00034123789200000410
its leaf nodes, and
Figure FDA00034123789200000411
denotes running, on s and the access tree
Figure FDA00034123789200000412
the secret sharing algorithm;
S3f, for the access tree
Figure FDA00034123789200000413
the data owner calculates, for each leaf node v, the parameters used by the attribute matching algorithm DecryptNodeI
Figure FDA00034123789200000414
and
Figure FDA00034123789200000415
where the attribute matching algorithm DecryptNodeI is used for the matching calculation between the user attribute set and the access tree;
S3g, the access tree
Figure FDA00034123789200000416
is represented as
Figure FDA00034123789200000417
and for each node
Figure FDA00034123789200000418
Figure FDA00034123789200000419
the data owner computes
Figure FDA00034123789200000420
where
Figure FDA00034123789200000421
supports mutual conversion between sets at a conversion node x;
S3h, the data owner obtains the ciphertext from the variables obtained in the above steps
Figure FDA00034123789200000422
5. The boolean keyword searchable encryption method according to claim 4, wherein said step S4 is performed by:
S4a, the data user randomly selects a value
Figure FDA00034123789200000423
for subsequent parameter generation, and calculates the parameter used for the conversion calculation at conversion nodes
Figure FDA00034123789200000424
S4b, the data user uses the secret sharing algorithm
Figure FDA0003412378920000051
to calculate the secret shares of t; for each leaf node
Figure FDA0003412378920000052
the data user calculates the parameters used by the keyword matching algorithm DecryptNodeII
Figure FDA0003412378920000053
and
Figure FDA0003412378920000054
Figure FDA0003412378920000055
for each conversion node
Figure FDA0003412378920000056
the data user calculates the parameter used for the conversion calculation at the conversion node
Figure FDA0003412378920000057
S4c, the data user parses the private key sk as
Figure FDA0003412378920000058
Figure FDA0003412378920000059
and calculates the parameters used for the matching verification calculation between ciphertext and keywords
Figure FDA00034123789200000510
the parameters used by the attribute matching algorithm DecryptNodeI
Figure FDA00034123789200000511
and
Figure FDA00034123789200000512
where 0 ≤ i ≤ n and 1 ≤ j ≤ m_i; and the parameter that allows the r_i of subset A_i to be converted into the r_0 of subset A_0, namely
Figure FDA00034123789200000513
where 1 ≤ i ≤ n;
S4d, the data user obtains the retrieval token from the variables obtained in the above steps
Figure FDA00034123789200000514
Figure FDA00034123789200000515
Figure FDA00034123789200000516
6. The boolean keyword searchable encryption method according to claim 5, wherein said step S5 is performed by:
S5a, the cloud server parses the ciphertext C as
Figure FDA00034123789200000517
Figure FDA00034123789200000518
Figure FDA00034123789200000519
and parses the retrieval token TK as
Figure FDA00034123789200000520
S5b, according to the access tree
Figure FDA00034123789200000521
and the attribute set
Figure FDA00034123789200000522
for each node τ in the access tree
Figure FDA00034123789200000523
the cloud server returns a set S_τ, where S_τ is the label set of node τ, each label u corresponds to a set A_u, and each set A_u satisfies the sub access tree
Figure FDA00034123789200000524
for the root node R, there is
Figure FDA00034123789200000525
Figure FDA0003412378920000061
and the corresponding set is S_R;
S5c, if the attribute set
Figure FDA0003412378920000062
satisfies the access tree
Figure FDA0003412378920000063
then, for each node τ, a label is randomly selected from the set S_τ and denoted u, and the attribute matching algorithm DecryptNodeI(C, TK, τ, u) is run, which takes as input the ciphertext C, the retrieval token TK, the node τ and the label u and calculates
Figure FDA0003412378920000064
and outputs the calculation result F_τ of node τ, where C_τ and C′_τ are the parameters corresponding to node τ in the ciphertext C,
Figure FDA0003412378920000065
and
Figure FDA0003412378920000066
are the parameters, in the retrieval token TK, of the attributes corresponding to node τ in the subset A_u; if, for the access tree
Figure FDA00034123789200000630
there is no satisfying attribute set
Figure FDA0003412378920000067
then "0" is returned;
S5d, for a given recursive keyword name set W_N and Boolean keyword name expression B_N, for each node of B_N
Figure FDA0003412378920000068
the cloud server calculates a set of labels
Figure FDA0003412378920000069
where each label h corresponds to a subset of W_N
Figure FDA00034123789200000610
and each subset
Figure FDA00034123789200000611
satisfies the subtree of B_N
Figure FDA00034123789200000612
for the root node
Figure FDA00034123789200000613
there is
Figure FDA00034123789200000614
and the corresponding set is
Figure FDA00034123789200000615
S5e, if the recursive keyword name structure W_N satisfies the Boolean keyword name expression B_N, then for each node
Figure FDA00034123789200000616
a label is randomly selected from the set
Figure FDA00034123789200000617
and denoted h, and the keyword matching algorithm
Figure FDA00034123789200000618
is run; the algorithm takes as input the ciphertext C, the retrieval token TK, the node
Figure FDA00034123789200000619
and the label h, calculates
Figure FDA00034123789200000620
and outputs, for node
Figure FDA00034123789200000621
the calculation result
Figure FDA00034123789200000622
where
Figure FDA00034123789200000623
and
Figure FDA00034123789200000624
are the parameters in the retrieval token TK corresponding to node
Figure FDA00034123789200000625
and C_ρ(h,j′) and C′_ρ(h,j′) are the parameters in the ciphertext C that correspond, for node
Figure FDA00034123789200000631
in the subset
Figure FDA00034123789200000626
to the corresponding keyword names; if there is no recursive keyword name structure W_N satisfying the Boolean keyword name expression B_N, then "0" is returned;
S5f, the cloud server calculates the parameter used for the verification matching calculation
Figure FDA00034123789200000627
and judges whether
Figure FDA00034123789200000628
holds, where
Figure FDA00034123789200000629
denotes the result of the matching calculation between the ciphertext keywords and the user search keywords, and F denotes the result of the matching calculation between the access tree and the user attributes; if it holds, "0" is output; if not, "1" is output; where e(G, G) denotes the mapping of two elements of the cyclic group G to the multiplicative cyclic group G_T.
7. The Boolean keyword searchable encryption method according to claim 6, characterized in that in step S5c, the attribute matching algorithm DecryptNodeI(C, TK, τ, u) has the following two different calculation methods according to the node type of the node τ:
when node τ is a leaf node, if the attribute att(τ) corresponding to node τ satisfies att(τ) ∈ A_i, the attribute matching algorithm DecryptNodeI(C, TK, τ, u) is run and outputs
Figure FDA0003412378920000071
otherwise, the algorithm returns ⊥;
when node τ is a non-leaf node, the cloud server first calculates a set E_τ containing k_τ child nodes of node τ; each node z in E_τ must satisfy either that the label u belongs to the label set S_z of z, that is u ∈ S_z, or that z is a conversion node and there is at least one label u′ ∈ S_z; then the attribute matching algorithm DecryptNodeI(C, TK, z, u′) is run and outputs
Figure FDA0003412378920000072
then, according to the value of the label u, F′_z is converted using a conversion formula: when u = 0, calculate
Figure FDA0003412378920000073
and output the calculation result
Figure FDA0003412378920000074
where
Figure FDA0003412378920000075
is the parameter corresponding to label u′ in the retrieval token TK, and
Figure FDA0003412378920000076
is the parameter corresponding to node z in the ciphertext C; when u ≠ 0, calculate
Figure FDA0003412378920000077
and output the calculation result
Figure FDA0003412378920000078
where
Figure FDA0003412378920000079
is the parameter corresponding to label u in the retrieval token TK;
after every node in E_τ has been calculated, F_τ is calculated using the following equation
Figure FDA00034123789200000710
where
Figure FDA00034123789200000711
k = index(z), U_z = {index(z) : z ∈ E_τ}, and the function index(·) obtains the index number of a node;
then, the attribute matching algorithm DecryptNodeI(C, TK, R, u) is run to calculate the root node R; when the label u of R is 0, the calculation result F_R = e(g, g)^(trs) is output; when u ≠ 0, the calculation result is output as
Figure FDA00034123789200000712
finally, F is calculated according to the label u: when u = 0, F = F_R; when u ≠ 0, calculate
Figure FDA00034123789200000713
and output the calculation result F = e(g, g)^(trs).
8. The Boolean keyword searchable encryption method according to claim 6, wherein in step S5d, depending on the node type of node
Figure FDA0003412378920000081
the keyword matching algorithm
Figure FDA0003412378920000082
has two different calculation methods:
when node
Figure FDA0003412378920000083
is a leaf node, if
Figure FDA0003412378920000084
then the keyword matching algorithm
Figure FDA0003412378920000085
returns ⊥; otherwise, assume that
Figure FDA0003412378920000086
Figure FDA0003412378920000087
then
Figure FDA0003412378920000088
and the keyword matching algorithm
Figure FDA0003412378920000089
is run and outputs the result
Figure FDA00034123789200000810
where s_h denotes, for the subset
Figure FDA00034123789200000811
the corresponding matching verification random number, and
Figure FDA00034123789200000812
denotes, for node
Figure FDA00034123789200000813
the constant term of its secret sharing polynomial;
when node
Figure FDA00034123789200000814
is a non-leaf node, the cloud server first calculates, for node
Figure FDA00034123789200000815
a set of
Figure FDA00034123789200000816
child nodes
Figure FDA00034123789200000817
Figure FDA00034123789200000818
in which each node
Figure FDA00034123789200000819
must satisfy either that the label h belongs to the label set of
Figure FDA00034123789200000820
denoted
Figure FDA00034123789200000821
Figure FDA00034123789200000822
or that
Figure FDA00034123789200000823
is a conversion node and there is at least one label
Figure FDA00034123789200000824
then the keyword matching algorithm
Figure FDA00034123789200000825
is run and outputs
Figure FDA00034123789200000826
then, according to the value of the label h,
Figure FDA00034123789200000827
is converted using a conversion formula: when h = 0, calculate
Figure FDA00034123789200000828
and output the calculation result
Figure FDA00034123789200000829
where
Figure FDA00034123789200000830
is the parameter corresponding to node
Figure FDA00034123789200000831
in the retrieval token TK, and K_h′ is the parameter corresponding to label h′ in the ciphertext C; when h ≠ 0, calculate
Figure FDA00034123789200000832
Figure FDA00034123789200000833
and output the calculation result
Figure FDA00034123789200000834
where K_h is the parameter corresponding to label h in the ciphertext C;
after every node in
Figure FDA00034123789200000835
has been calculated, the following equation is used to calculate
Figure FDA00034123789200000836
Figure FDA00034123789200000837
where
Figure FDA00034123789200000838
next, the keyword matching algorithm
Figure FDA00034123789200000839
is run on the root node
Figure FDA00034123789200000840
to perform the calculation; when the label h of
Figure FDA00034123789200000841
is equal to 0, the calculation result is output as
Figure FDA00034123789200000842
when h ≠ 0, the calculation result is output as
Figure FDA0003412378920000091
finally, according to the label h, calculate
Figure FDA0003412378920000092
when the label h = 0, let
Figure FDA0003412378920000093
when h ≠ 0, calculate
Figure FDA0003412378920000094
and output the calculation result
Figure FDA0003412378920000095
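Step S3e shares s over the access tree so that q_v(0) is the constant term at each node, and claims 7 and 8 recombine child results over a set of child nodes using index(z). The following Python example is added here and is not code from the patent, whose formulas are not reproduced on this page; it assumes plain arithmetic modulo a constructed prime P instead of exponents of e(g, g), threshold gates only, and it leaves out the scheme's labels and conversion nodes. All names in it are hypothetical.

```python
import secrets

P = 2**127 - 1  # constructed prime modulus, standing in for the group order p

# Constructed access tree: ("leaf", attribute) or ("gate", threshold, children)
TREE = ("gate", 2, [("leaf", "doctor"),
                    ("leaf", "cardiology"),
                    ("gate", 1, [("leaf", "admin"), ("leaf", "auditor")])])


def share(node, value, out=None, path="R"):
    """Top-down sharing: q_v(0) = value, child number k receives q_v(k)."""
    out = {} if out is None else out
    if node[0] == "leaf":
        out[path] = value                      # leaf share q_v(0)
        return out
    _, threshold, children = node
    # Random polynomial of degree threshold-1 with constant term `value`.
    coeffs = [value] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    for k, child in enumerate(children, start=1):
        q_k = sum(c * pow(k, e, P) for e, c in enumerate(coeffs)) % P
        share(child, q_k, out, f"{path}.{k}")
    return out


def lagrange_at_zero(k, indices):
    """Coefficient of share k when interpolating at x = 0 over `indices`."""
    num = den = 1
    for j in indices:
        if j != k:
            num = num * (-j) % P
            den = den * (k - j) % P
    return num * pow(den, -1, P) % P


def recover(node, shares, attrs, path="R"):
    """Bottom-up recombination; None plays the role of a failed node."""
    if node[0] == "leaf":
        return shares[path] if node[1] in attrs else None
    _, threshold, children = node
    usable = {}                                # child index -> q_child(0)
    for k, child in enumerate(children, start=1):
        val = recover(child, shares, attrs, f"{path}.{k}")
        if val is not None and len(usable) < threshold:
            usable[k] = val
    if len(usable) < threshold:
        return None                            # gate not satisfied
    return sum(v * lagrange_at_zero(k, usable) for k, v in usable.items()) % P


if __name__ == "__main__":
    s = secrets.randbelow(P)
    leaf_shares = share(TREE, s)
    print(recover(TREE, leaf_shares, {"doctor", "auditor"}) == s)  # satisfied
    print(recover(TREE, leaf_shares, {"cardiology"}))              # not satisfied
```

In the scheme itself the same Lagrange coefficients are applied as exponents to the pairing values output for the child nodes, so the cloud server never sees s or the shares in the clear.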
CN202111561029.3A 2021-12-15 2021-12-15 Boolean keyword searchable encryption method supporting large-scale user group Active CN114357477B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111561029.3A CN114357477B (en) 2021-12-15 2021-12-15 Boolean keyword searchable encryption method supporting large-scale user group

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111561029.3A CN114357477B (en) 2021-12-15 2021-12-15 Boolean keyword searchable encryption method supporting large-scale user group

Publications (2)

Publication Number Publication Date
CN114357477A true CN114357477A (en) 2022-04-15
CN114357477B CN114357477B (en) 2023-07-18

Family

ID=81101833

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111561029.3A Active CN114357477B (en) 2021-12-15 2021-12-15 Boolean keyword searchable encryption method supporting large-scale user group

Country Status (1)

Country Link
CN (1) CN114357477B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116910788A (en) * 2023-08-15 2023-10-20 广州粤建三和软件股份有限公司 Searchable encryption management method and device for service data and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2709306A1 (en) * 2012-09-14 2014-03-19 Alcatel Lucent Method and system to perform secure boolean search over encrypted documents
CN107491497A (en) * 2017-07-25 2017-12-19 福州大学 Multi-user's multi-key word sequence of any language inquiry is supported to can search for encryption system
CN111913981A (en) * 2020-06-09 2020-11-10 华南理工大学 Online and offline attribute-based boolean keyword searchable encryption method and system
CN111966802A (en) * 2020-07-31 2020-11-20 河海大学 Attribute-based encryption method and system supporting keyword Boolean search
CN112100649A (en) * 2020-08-06 2020-12-18 华南理工大学 Multi-keyword searchable encryption method and system supporting Boolean access control strategy

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
YU ZHANG et al.: "Searchable Public Key Encryption Supporting Simple Boolean Keywords Search", pages 114 - 123 *
孟祥宇: "Multi-keyword Boolean search authentication method for ciphertext data", pages 138 - 525 *

Also Published As

Publication number Publication date
CN114357477B (en) 2023-07-18

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant