CN114357477B - Boolean Keyword Searchable Encryption Method Supporting Large-Scale User Groups - Google Patents

Abstract

The invention discloses a Boolean keyword searchable encryption method supporting a large-scale user group, which is based on a recursive attribute set structure, an access tree structure and a recursive keyword set structure, and realizes flexible access policy matching and fine-grained access control on the premise of facing the large-scale user. Firstly, the invention supports a more flexible data user attribute organization mode and more flexible access strategy matching, thereby realizing more efficient access control. The invention uses the access tree to represent the access strategy and organizes the data user attributes in a recursive set structure, thereby realizing more efficient access strategy matching. In addition, the invention also supports a more flexible keyword organization mode and Boolean keyword retrieval. In the invention, the flexible keyword organization and Boolean keyword search are realized by adopting a method of organizing keywords into a recursive set and performing Boolean matching operation.

Description

Boolean keyword searchable encryption method supporting large user groups

Technical Field

The present invention relates to the technical field of cryptography, and in particular to a Boolean keyword searchable encryption method supporting a large-scale user group.

Background Art

In order to provide users with the ability to perform keyword searches on ciphertext data, searchable encryption (SE) technology has been proposed as a solution. According to different encryption methods, existing searchable encryption schemes can be divided into two types: symmetric searchable encryption (SSE) and public-key encryption with keyword search (PEKS). In the public-key searchable encryption scheme, the data owner encrypts the data using the public key of the specified user before uploading it to the cloud server, and then these users can use their private keys to search and decrypt the data.

However, the basic PEKS scheme has limitations in some practical application scenarios. For example, in the healthcare system, the patient's personal health information can only be retrieved by some authorized doctors with specified identities. In this case, in order to achieve keyword query and fine-grained access control on encrypted data at the same time, researchers proposed attribute-based searchable encryption methods, and many existing works have also conducted corresponding research on this.

Although existing work provides solutions for attribute-based keyword search, there is currently no solution that can simultaneously support flexible access policy matching, flexible expression of user attributes, and flexible keyword search for large-scale users. Therefore, how to design a complete attribute-based keyword search method that can support large-scale users in the context of the rapid development of big data and cloud computing has become an urgent problem to be solved.

Summary of the invention

The purpose of the present invention is to solve the above-mentioned defects in the prior art and provide a Boolean keyword searchable encryption method that supports a large-scale user group. In the context of cloud computing, the present invention is based on a recursive attribute set structure, an access tree structure, and a recursive keyword set structure, and realizes flexible access policy matching and fine-grained access control on the premise of facing a large number of users. By using Boolean search to support multi-keyword search, it can effectively and flexibly locate the data of interest to the user, while satisfying the three aspects of flexible access policy matching, flexible expression of user attributes, and flexible keyword search.

The purpose of the present invention can be achieved by adopting the following technical solutions:

A Boolean keyword searchable encryption method supporting a large user group, the encryption method comprising the following steps:

S1. System initialization: The trusted authority TA generates a public key pk and a master key mk based on the security parameter K, and publishes the public key pk to the cloud server;

S2. Generate private key: Data users organize their attributes into recursive attribute sets It is then sent to the trusted authority TA, which uses the master key mk and the recursive attribute set Generate a private key sk and send it to the data user, where the attribute set is parsed as {A ₀ , A ₁ , ..., _An }, where A _i represents The i-th sub-attribute set in , assuming that the sub-attribute set _Ai contains _mi attributes, Where a _i,j represents the jth attribute in the sub-attribute set A _i ;

S3, encryption: the data owner uses the system public key pk and recursive keyword set and visit tree Generate ciphertext C for the document and upload it to the cloud server. Recursively search for elements in the keyword set W _V represents the i′th subset of the recursive keyword set, which is parsed as (w _{ρ(i′, 1)} , w _{ρ(i′, 2)} , ..., ), a set of recursive keyword names The recursive keyword set W _V has the same structure, and the elements in the set represents the i′th subset in the recursive keyword name set, which is parsed as (ρ(i′, 1), ρ(i′, 2), ... ρ(i′, m′ _i′ )), where m′ _i′ represents the number of keywords in the i′th keyword subset, ρ(i′, j′) represents the name of the j′th keyword in the i′th keyword subset, and w _{ρ(i′, j′)} represents the value of the j′th keyword in the i′th keyword subset;

S4. Retrieval token generation: The data user uses the private key obtained in step S2 and the data user's local Boolean keyword value expression B _V to generate a retrieval token TK, where B _V is an access tree structure, and B _N represents a Boolean keyword name expression with the same access tree structure as B _V. For the leaf nodes in B _V , Keyword values are represented as in Indicates the corresponding keyword name;

S5. Ciphertext search: The data user sends the retrieval token TK generated in step S4 to the cloud server. After receiving it, the cloud server uses the retrieval token TK and the ciphertext C stored on the cloud server to verify whether the ciphertext C matches, and sends the ciphertext C that meets the matching conditions to the data user.

Furthermore, the process of step S1 is as follows:

S1a, Trusted authority TA uses group generator implement Generate (p, g, G, _GT , e), where p is a prime number, G and _GT are cyclic groups of order p, g is a generator of G, and e: G×G→ _GT is a bilinear map;

S1b. The trusted authority TA selects two collision-resistant hash functions H ₀ (·) and H ₁ (·), where the hash function H ₀ (·) satisfies the following mapping: in, is the set of all numbers that are coprime with the prime number p, and the hash function H ₁ (·) satisfies the following mapping: {0, 1} ^* →G;

S1c, the trusted authority TA randomly selects the first, second, third, and fourth parameters β ₁ , β ₂ , α, which are subsequently used to generate private keys, encrypt documents, and generate retrieval tokens. And by calculating

S1d, the trusted authority TA obtains the system public key based on the above variables Master key mk=<β ₁ , β ₂ , α>.

Furthermore, the process of step S2 is as follows:

S2a, the trusted authority TA is a recursive attribute set Random Selection is a recursive attribute set Each subset A _i of selects r _i , where r is the attribute set Parameters used for subsequent and access tree matching verification, _ri is the attribute set The subset Ai _of is used for subsequent and access tree matching verification parameters, assuming the recursive attribute set There are n+1 subsets in total. For the 2nd to n+1th subsets, their parameters _ri satisfy Let the parameter of the first subset A ₀ be r ₀ = r, is the set of all numbers that are coprime with the prime number p;

S2b, the trusted authority TA also needs to be a recursive attribute set Each attribute a _i,j in selects a parameter _ri,j for subsequent matching calculations, where

S2c, trusted authority TA calculation For subsequent generation calculate and For subsequent generation and Where 0≤i≤n, 1≤j≤m _i ;

S2d, trusted authority TA calculation For subsequent generation Where 1≤i≤n;

S2e, the trusted authority TA obtains the data user's private key based on the above variables and send it to the data user.

Furthermore, the process of step S3 is as follows:

S3a, the data owner randomly selects the recursive keyword set W _V for matching verification parameters is the set of all numbers that are coprime with the prime number p, and calculates the parameters used for the ciphertext and keyword matching verification calculation and parameters used for transformation calculations at transformation nodes

S3b, the data owner generates a set of n′ random parameters Where si _′ is a subset of the recursive keyword set W _V Parameters used for matching verification, let s0 = s, is a subset Parameters used for matching verification;

S3c, the data owner generates a random parameter set for subsequent matching calculations Among them, s _{i′, j′} corresponds to the keyword w _{ρ(i′, j′)} ;

S3d, the data owner calculates the parameters used for the keyword matching algorithm DecryptNodeII calculation and Where 0≤i′≤n′, 1≤j′≤m′ _i′ , the keyword matching algorithm DecryptNodeII is used to calculate the ciphertext and retrieval token keyword matching, and then calculate the subset that can make the recursive keyword set s _i′ is converted into a subset The parameters of s ₀ Where 1≤i′≤n′;

S3e, data owner uses secret sharing algorithm Compute the secret sharing of s, where q _v (0) represents the value of the constant in the secret sharing polynomial of node v, Represents a visit tree The leaf nodes of Indicates that according to s and access tree Run the secret sharing algorithm;

S3f, data owner for access tree Each leaf node v calculates the parameters used for the attribute matching algorithm DecryptNodeI calculation and The attribute matching algorithm DecryptNodeI is used for matching calculation between user attribute set and access tree;

S3g, will visit the tree The set of transition nodes is represented as For each node Data Owner Computing in, Supports mutual conversion of sets at conversion node x;

S3h, the data owner obtains the ciphertext according to the variables obtained in the above steps

Furthermore, the process of step S4 is as follows:

S4a, data user randomly selects a value Used for subsequent parameter generation and calculation of parameters used for conversion calculations at conversion nodes

S4b, data users use secret sharing algorithm Calculate the secret share of t, for each leaf node Data users calculate the parameters used for subsequent keyword matching algorithm DecryptNodeII calculation and For each transition node Data User Compute Parameters used for transformation calculations at transformation nodes

S4c, the data user parses the private key sk into And calculate the parameters used for ciphertext and keyword matching verification calculation Parameters used for calculation of attribute matching algorithm DecryptNodeI and where 0≤i≤n, 1≤j≤m _i ; and the parameter that can transform the _ri of subset A _i into the r ₀ of subset A ₀ Where 1≤i≤n;

S4d, the data user obtains the retrieval token based on the variables obtained in the above steps

Furthermore, the process of step S5 is as follows:

S5a, the cloud server parses the ciphertext C into Parse the retrieval token TK into

S5b, according to the access tree and attribute sets For access tree For each node τ in the cloud server, the cloud server returns a set S _τ , where the elements of S _τ are the labels of the nodes τ , and each label u corresponds to a set _Au , and each set _Au can satisfy the sub-access tree For the root node R, there exists The corresponding set is S _R ;

S5c, if the attribute set Satisfy access tree Then for each node τ, a label is randomly selected from the set S _τ , marked as u, and the attribute matching algorithm DecryptNodeI(C, TK, τ, u) is run. The algorithm inputs the ciphertext C, retrieves the token TK, the node τ and the label u, and calculates Output the calculation result F _τ of node τ, where C _τ and C′ _τ are the parameters corresponding to node τ in the ciphertext C. and It is the parameter for retrieving the corresponding attribute of the token TK node τ in the subset _Au ; if there is no node that satisfies the access tree The property set Then it returns "0";

S5d, for a given recursive keyword name set W _N and a Boolean keyword name expression B _N , for each node of B N The cloud server calculates a tag set Each label h corresponds to a subset of WN Each sub-collection All subtrees that satisfy BN For the root node then exists The corresponding set is

S5e. If the recursive keyword name structure W _N satisfies the Boolean keyword name expression B _N , then for each node Random from the set Select a tag, label it as h, and run the keyword matching algorithm The algorithm inputs the ciphertext C, retrieves the token TK, and the node and label h, by calculating Output Node The calculation results in, and It is the node in the retrieval token TK The corresponding parameters, C _{ρ(h, j′)} and C′ _{ρ(h, j′)} are the nodes in the ciphertext C In the subset The parameter corresponding to the keyword name in; if there is no recursive keyword name structure W _N that satisfies the Boolean keyword name expression B _N , then "0" is returned;

S5f, cloud server calculation is used to verify the parameters of the matching calculation And judge Is it established, among which, is the result of the matching calculation between the ciphertext keyword and the user search keyword, F is the result of the matching calculation between the access tree and the user attribute, if it is established, output "0"; if it is not established, output "1"; where e(g, g) represents mapping two elements in the cyclic group G to elements in the multiplication cyclic group _GT .

Compared with the prior art, the present invention has the following advantages and effects:

1. Flexible access policy expression. The present invention allows data owners to implement access policies on their data, where the access policies are expressed in the form of an access tree with conversion nodes. It not only supports Boolean expressions with nested logical terms such as AND and OR, but also selectively allows data users to combine attributes in the attribute set to meet the access policy, which can help data owners flexibly control and authorize data.

2. Flexible organization of keywords and data user attributes. The present invention organizes keywords and data user attributes in the form of recursive sets, which can solve the problem of compound keywords and data users having compound attributes.

3. Support Boolean keyword search. The present invention also supports Boolean keyword search by organizing keywords into an access tree, which brings greater flexibility to data users in searching encrypted data and supports search strategies with nested logical words such as AND, OR, and NOT. It helps users find the required data accurately while reducing transmission and computation costs.

4. Practicality and security. The present invention is constructed using composite order groups, bilinear mappings, access trees, and recursive attribute sets. It has the characteristics of strategy hiding and anti-leakage, has strong security, and provides flexible access strategy expression, efficient access strategy matching, and flexible expression of keyword search, and has good practicality.

BRIEF DESCRIPTION OF THE DRAWINGS

The drawings described herein are used to provide a further understanding of the present invention and constitute a part of this application. The exemplary embodiments of the present invention and their descriptions are used to explain the present invention and do not constitute an improper limitation of the present invention. In the drawings:

FIG1 is a flow chart of a searchable encryption method supporting fine-grained access control based on an access tree structure and Boolean keyword search disclosed in the present invention;

2 is a schematic diagram of an application environment of the searchable encryption method supporting fine-grained Boolean access control and Boolean keyword retrieval disclosed in the present invention;

FIG3 is a structural block diagram of a searchable encryption system supporting fine-grained Boolean access control and Boolean keyword retrieval disclosed in the present invention;

FIG4 is an access strategy diagram set by a data owner;

FIG. 5 is another access policy diagram set by the data owner.

DETAILED DESCRIPTION

In order to make the purpose, technical solution and advantages of the embodiments of the present invention clearer, the technical solution in the embodiments of the present invention will be clearly and completely described below in conjunction with the drawings in the embodiments of the present invention. Obviously, the described embodiments are part of the embodiments of the present invention, not all of the embodiments. Based on the embodiments of the present invention, all other embodiments obtained by ordinary technicians in this field without creative work are within the scope of protection of the present invention.

Example 1

Flexible access policy matching can help data owners manage data flexibly. Most of the existing work uses access policies represented by access trees (Access Tree) or linear secret sharing schemes (LSSS). The expression of user attributes can support more fine-grained access control. Most of the existing work combines user attributes in the form of strings, or combines attributes into single attribute sets or recursive attribute set structures. Flexible keyword search can provide flexible choices for data users' searches. Existing solutions mainly support one of the following three search methods: matching search, connection keyword search and Boolean keyword search, among which matching search has the worst flexibility and Boolean keyword search has the best flexibility.

In actual application scenarios, the attributes of data users are very complex. For example, data user A can be a researcher at University A, the director of a pharmaceutical department, and a professor at a chemistry department. Therefore, in scenarios facing large-scale users, the reasonable organization of user attributes and flexible access control matching have also become the key to implementing the solution. Under this premise, flexible keyword organization and efficient keyword search methods have also become the key to improving overall performance.

Under the premise of being oriented to large-scale users, this embodiment simultaneously supports a Boolean keyword searchable encryption method for three aspects: flexible access policy matching, flexible expression of user attributes, and flexible keyword search.

Before introducing the technical solution, the mathematical basis and definitions involved in the present invention are first explained as follows:

Bilinear pairing

Assume that G and _GT are two p-order cyclic groups, and g is a generator of G. A bilinear map e:G×G→ _GT satisfies the following properties:

(1) Bilinear: For any g, h∈G, a, b∈Z _p , e( ^ga , ^hb )＝e(g, h) ^ab .

(2) Non-degeneracy: e(g, g)≠1.

Here, e(g, g) means mapping two elements in the cyclic group G to elements in the multiplicative cyclic group _GT without losing their isomorphism.

The technical solution provided in this embodiment is a Boolean searchable encryption solution that supports fine-grained Boolean access control, flexible attribute set structure and keyword structure, including the following steps:

S 1. System initialization: The trusted authority TA generates a public key pk and a master key mk based on the security parameter K, and publishes the public key pk to the cloud server.

The above-mentioned trusted authority TA is a fully trusted third-party security organization, responsible for generating a pair of system public keys pk and master keys mk, and generating the corresponding private key sk according to the attribute set of the data user, where the system public key pk, master key mk and private key sk are all binary codes of a certain length.

After the trusted authority TA generates the public key pk and the master key mk, the public key pk is published publicly on the cloud storage server or broadcast to all users in the system. All users in the system have the right to access the public key pk; the master key mk is properly stored in the trusted authority TA, and only the trusted authority TA has the right to access the master key mk.

The specific process of this step is as follows:

S1a, Trusted authority TA uses group generator implement Generate (p, g, G, _GT , e), where p is a prime number, G and _GT are cyclic groups of order p, g is a generator of G, and e: G×G→ _GT is a bilinear map;

S1b. The trusted authority TA selects two collision-resistant hash functions H ₀ (·) and H ₁ (·), where the hash function H ₀ (·) satisfies the following mapping: in, is the set of all numbers that are coprime with the prime number p, and the hash function H ₁ (·) satisfies the following mapping: {0, 1} ^* →G;

S1c, the trusted authority TA randomly selects the first, second, third, and fourth parameters β ₁ , β ₂ , α, which are subsequently used to generate private keys, encrypt documents, and generate retrieval tokens. And by calculating

S1d, the trusted authority TA obtains the system public key based on the above variables Master key mk=<β ₁ , β ₂ , α>.

S2. Generate private key: Data users organize their attributes into recursive attribute sets It is then sent to the trusted authority TA, which uses the master key mk and the recursive attribute set Generate a private key sk and send it to the data user, where the attribute set is parsed as {A ₀ , A ₁ , ..., _An }, where A _i represents The i-th sub-attribute set in , assuming that the sub-attribute set _Ai contains _mi attributes, can be expressed as Where a _i,j represents the j-th attribute in the sub-attribute set A _i .

The specific process of this step is as follows:

S2a, the trusted authority TA is a recursive attribute set Random Selection is a recursive attribute set Each subset A _i of selects r _i , where r is the attribute set Parameters used for subsequent and access tree matching verification, _ri is the attribute set The subset Ai _of is used for subsequent and access tree matching verification parameters, assuming the recursive attribute set There are n+1 subsets in total. For the 2nd to n+1th subsets, their parameters _ri satisfy Let the parameter of the first subset A ₀ be r ₀ = r;

S2b, the trusted authority TA also needs to be a recursive attribute set Each attribute a _i,j in selects a parameter ri _,j for subsequent matching calculations, where

S2c, trusted authority TA calculation For subsequent generation calculate and For subsequent generation and Where 0≤i≤n, 1≤j≤m _i ;

S2d, trusted authority TA calculation For subsequent generation Where 1≤i≤n;

S2e, the trusted authority TA obtains the data user's private key based on the above variables and send it to the data user.

S3, encryption: the data owner uses the system public key pk and recursive keyword set and visit tree Generate ciphertext C for the document and upload it to the cloud server. Recursively search for elements in the keyword set W _V represents the i′th subset of the recursive keyword set, which is parsed as Recursive keyword name set The recursive keyword set W _V has the same structure, and the elements in the set represents the i′th subset in the recursive keyword name set, which is parsed as (ρ(i′, 1), ρ(i′, 2), ... ρ(i′, m′ _i′ )), where m′ _i′ represents the number of keywords in the i′th keyword subset, ρ(i′, j′) represents the name of the j′th keyword in the i′th keyword subset, and w _{ρ(i′, j′)} represents the value of the j′th keyword in the i′th keyword subset;

The specific process of this step is as follows:

S3a, the data owner randomly selects the recursive keyword set W _V for matching verification parameters And calculate the parameters used for ciphertext and keyword matching verification calculation and parameters used for transformation calculations at transformation nodes

S3b, the data owner generates a set of n′ random parameters s _i′ is a subset of the recursive keyword set W _V Parameters used for matching verification, let s ₀ = s, is a subset Parameters used for matching verification;

S3c, the data owner generates a random parameter set for subsequent matching calculations Among them, s _{i′, j′} corresponds to the keyword w _{ρ(i′, j′)} ;

S3d, the data owner calculates the parameters used for the keyword matching algorithm DecryptNodeII calculation Where 0≤i′≤n′, 1≤j′≤m′ _i′ , the keyword matching algorithm DecryptNodeII is an algorithm used to calculate the matching of ciphertext and retrieval token keywords, and then calculate the subset that can make the recursive keyword set s _i′ is converted into a subset The parameters of s0 Where 1≤i′≤n;

S3e, data owner uses secret sharing algorithm Compute the secret sharing of s, where q _v (0) represents the value of the constant in the secret sharing polynomial of node v, Represents a visit tree The leaf nodes of Indicates that according to s and access tree Run the secret sharing algorithm;

S3f, data owner for access tree Each leaf node of the calculation is used to calculate the parameters and and The attribute matching algorithm DecryptNodeI is an algorithm used for matching calculation between user attribute set and access tree;

S3g, will visit the tree The set of transition nodes is represented as For each node Data Owner Computing in, Supports mutual conversion of sets at conversion node x;

S3h, the data owner obtains the ciphertext according to the variables obtained in the above steps

S4. Retrieval token generation: The data user uses the private key obtained in step S2 and the data user's local Boolean keyword value expression B _V to generate a retrieval token TK, where B _V is an access tree structure, and B _N represents a Boolean keyword name expression with the same access tree structure as B _V. For the leaf nodes in B _V , Keyword values are represented as in Indicates the corresponding keyword name; the specific process of this step is as follows:

S4a, data user randomly selects a value Used for subsequent parameter generation and calculation of parameters used for conversion calculations at conversion nodes

S4b, data users use secret sharing algorithm Calculate the secret share of t, for each leaf node Data users calculate the parameters used for subsequent keyword matching algorithm DecryptNodeII calculation and For each transition node Data User Compute Parameters used for transformation calculations at transformation nodes

S4c, the data user parses the private key sk into And calculate the parameters used for ciphertext and keyword matching verification calculation Parameters used for calculation of attribute matching algorithm DecryptNodeI and where 0≤i≤n, 1≤j≤m _i ; and the parameter that can transform the _ri of subset A _i into the r ₀ of subset A ₀ Where 1≤i≤n;

S4d, the data user obtains the retrieval token based on the variables obtained in the above steps

S5. Ciphertext search: The data user sends the retrieval token TK generated in step S4 to the cloud server. After receiving it, the cloud server uses the retrieval token TK and the ciphertext C stored on the cloud server to verify whether the ciphertext C matches, and sends the ciphertext C that meets the matching conditions to the data user.

The specific process of this step is as follows:

S5a, the cloud server parses the ciphertext C into Parse the retrieval token TK into

S5b, according to the access tree and attribute sets For access tree For each node τ in the cloud server, the cloud server returns a set S _τ , where the elements of S _τ are the labels of the nodes τ , and each label u corresponds to a set _Au , and each set _Au can satisfy the sub-access tree For the root node R, there exists The corresponding set is S _R ;

S5c, if the attribute set Satisfy access tree Then for each node τ, a label is randomly selected from the set S _τ , marked as u, and the attribute matching algorithm DecryptNodeI(C, TK, τ, u) is run. The algorithm inputs the ciphertext C, retrieves the token TK, the node τ and the label u, and calculates The calculation result of the output node τ returns F _τ , where C _τ and C′ _τ are the parameters corresponding to the node τ in the ciphertext C. and is the parameter for retrieving the corresponding attribute of the token TK node τ in the subset _Au ; if there is no node that satisfies the access tree The property set It returns "0".

According to the node type of τ, u in the attribute matching algorithm DecryptNodeI(C, TK, τ, u) has the following two different calculation methods:

When node τ is a leaf node, if the attribute att(τ)∈A _i corresponding to node τ is, then the attribute matching algorithm DecryptNodeI(C, TK, τ, u) is run, and the output is Otherwise, the algorithm returns “⊥”;

When node τ is a non-leaf node, the cloud server first calculates a set E _τ of k _τ child nodes of node τ. Each node z in E _τ must satisfy that label u belongs to z's label set S _z , u∈S _z or z is a transition node and there is at least one label u′∈S _z ; then runs the attribute matching algorithm DecryptNodeI(C, TK, z, u′) and outputs Next, according to the value of label u, F′ _z is converted using the conversion formula. When u = 0, calculate Output calculation results in is the parameter corresponding to the tag u′ in the retrieval token TK, is the parameter corresponding to node z in the ciphertext C; when u≠0, calculate Output calculation results in is the parameter corresponding to the tag u in the retrieval token TK;

After calculating each node in E _τ , use the following formula to calculate F _τ :

in, k＝index(z), U _z ＝{index(z):z∈E _τ }, the index(·) function is used to obtain the label of the node;

Next, run the attribute matching algorithm DecryptNodeI(C, TK, R, u) to calculate the root node R. When the label u of R is 0, output the calculation result F _R = e(g, g) ^trs ; when u≠0, output the calculation result Finally, F is calculated based on the label u. When the label u＝0, let F＝ _FR ; when u≠0, calculate The calculation result F=e(g, g) ^trs is output.

S5d, for a given recursive keyword name set W _N and a Boolean keyword name expression B _N , for each node of B N The cloud server calculates a tag set Each label h corresponds to a subset of WN Each sub-collection All subtrees that satisfy BN For the root node then exists The corresponding set is

S5e. If the recursive keyword name structure W _N satisfies the Boolean keyword name expression B _N , then for each node Random from the set Select a tag, label it as h, and run the keyword matching algorithm The algorithm inputs the ciphertext C, retrieves the token TK, and the node and label h, by calculating Output Node The calculation results in, and It is the node in the retrieval token TK The corresponding parameters, C _{ρ(h, j′)} and C′ _{ρ(h, j′)} are the nodes in the ciphertext C In the subset The parameter corresponding to the keyword name in ; if there is no recursive keyword name structure WN that satisfies the Boolean keyword name expression B _N , then "0" is returned. Node type, keyword matching algorithm There are two different calculation methods:

When the node If it is a leaf node, Keyword matching algorithm Returns "⊥"; otherwise, assume but And run the keyword matching algorithm Output Where _sh represents the subset The corresponding matching verification random number, represents the constant in the secret sharing polynomial of node τ; when node When it is a non-leaf node, the cloud server first calculates a node containing of The set of child nodes Each node in The label h must belong to Collection of tags or is a transition node with at least one label Then run the keyword matching algorithm Output Next, according to the value of label h Use the conversion formula to convert. When h = 0, calculate Output calculation results in It is a node The corresponding parameter in the retrieval token TK, K _h′ is the parameter corresponding to the tag h′ in the ciphertext C; when h≠0, calculate Output calculation results Where K _h is the parameter corresponding to the label h in the ciphertext C.

Calculation completed After each node is found, use the following formula to calculate

in, Next, run the keyword matching algorithm For the root node Calculate when When the label h＝0, output the calculation result When h≠0, output the calculation result Finally, according to the label h, When label h = 0, let When h≠0, calculate Output calculation results

S5f, cloud server calculation is used to verify the parameters of the matching calculation And judge Is it established, among which, is the result of the matching calculation between the ciphertext keyword and the user search keyword, and F is the result of the matching calculation between the access tree and the user attribute. If it is true, output "0"; if it is not true, output "1".

Example 2

As shown in Figure 3, this embodiment continues to provide a Boolean keyword ciphertext retrieval system for large-scale users, including the following four parts: a cloud storage subsystem running on a cloud server; an encryption subsystem running on the data owner's side; a user retrieval token generation and decryption subsystem running on the data user's side; and an initialization and private key generation subsystem running on a trusted authority TA.

The initialization and private key generation subsystem running on the trusted authority TA includes the following modules: initialization module, master key storage module and private key generation module. The initialization module is used to generate the system public key and master key, and publish the system public key to the cloud server, save the master key to the master key storage module, and the master key storage module is used to store the master key, which is only accessible to the trusted authority TA; the private key generation module is used to receive the attribute set of the data user. The master key is used to generate the user private key sk, and the user private key sk is sent to the data user.

The cloud storage subsystem running on the cloud server includes the following modules: system public key disclosure module, storage module and retrieval module. The system public key module publicly releases the system public key pk generated by the trusted authority TA; the storage module is used to store the data ciphertext encrypted by the data owner; the retrieval module performs a one-to-one matching operation between the retrieval token and the data ciphertext, obtains the data ciphertext that meets the matching conditions from the storage module, and sends it to the data user.

The encryption subsystem running on the data owner's side includes a data encryption module, which obtains the system public key from the cloud server, encrypts the file using the key and the access policy defined by the data owner, obtains the data ciphertext, and sends the data ciphertext to the cloud server.

The user retrieval token generation and decryption subsystem running on the data user side includes the following modules: retrieval token generation module, user retrieval module and data decryption module. Among them, the retrieval token generation module is responsible for using the data user's private key and the user's query keyword predicate to generate a retrieval token; the user retrieval module is responsible for sending the retrieval token to the cloud server to complete the retrieval operation; the data decryption module uses the user's private key to decrypt the retrieved data ciphertext and restore the plaintext content.

To further illustrate the solution, the following describes a searchable encryption method supporting flexible access policy matching, flexible user attribute organization, and Boolean keyword retrieval applied to a healthcare scenario according to an embodiment of the present invention in conjunction with FIG. 2 .

In this embodiment, the height of the keyword set structure of the file is 2; the height of the access policy access tree of the data owner is 2; and the height of the attribute set structure of the data user is 2. The specific process of this example is as follows:

T1. The trusted authority TA runs the initialization module, generates the system public key pk and the master key mk according to the security parameter K, and publishes the system public key pk to the cloud server; at the same time, the data user sends his attribute set to the trusted authority TA. The attribute set of data user 1 is represented as: {Institution: University A, Position: Researcher, {Department: Pharmaceutical, Position: Director}, {Department: Chemistry, Position: Professor}}; the trusted authority TA uses the master key mk and the data user attribute set to Generate the data user's private key sk and send it to the data user. The master key mk is saved in the master key storage module.

T2. Data owner 1 owns three documents 1, 2, and 3, among which:

The recursive keyword set of document 1 is represented as: {name: Li Xiaoming, disease: heart disease, medication: Lipitor, {name: Li Xiaoming, disease: hypertension, medication: amiloride}, {name: Li Xiaoming, disease: heart disease, medication: nitroglycerin}}, and the access tree structure of the implemented access strategy is shown in Figure 4;

The recursive keyword set of document 2 is represented as: {name: Wang Xiaomei, disease: coronary heart disease, medication: aspirin, {name: Wang Xiaomei, disease: hypertension, medication: amiloride}, {name: Wang Xiaomei, disease: heart disease, medication: nitroglycerin}}, and the access tree structure of the implemented access strategy is shown in Figure 5;

The recursive keyword set of document 3 is represented as: {name: Zhang Xiaogang, disease: chronic urticaria, medication: loratadine, {name: Zhang Xiaogang, disease: diabetes, medication: Baidayan}, {name: Zhang Xiaogang, disease: heart disease, medication: nitroglycerin}}, and the access tree structure of the implemented access strategy is shown in Figure 4;

To encrypt the above documents, data owner 1 first runs the encryption subsystem to obtain the system public key pk from the cloud storage subsystem on the cloud server. Then the subsystem uses the system public key pk to encrypt the three documents in turn, generating ciphertext {C _i } _i=1,2,3 and uploading it to the cloud server.

T3. After receiving the ciphertext set of data owner 1, the cloud server stores it in the storage module of the cloud storage subsystem. To simplify the description, it is assumed here that the current storage module only stores the above three ciphertexts {C _i } _i=1,2,3 of data owner 1.

T4. If the data user wants to search for documents related to heart disease and the drugs used are Lipitor or nitroglycerin, the retrieval token generation module of the user retrieval token generation and decryption subsystem is run. This module uses the user private key sk and the query keyword predicate AND((medication = "Lipitor") OR(medication = "nitroglycerin)) is used to generate a search token TK, and the search token TK is sent to the user search module. The user search module sends the search token TK to the cloud server for the next search operation.

T5. After receiving the query request from data user 1, the cloud server runs the retrieval module, which matches the retrieval token TK with the ciphertexts C ₁ , C ₂ , and C ₃ in the storage module in sequence. After the matching operation is completed, the cloud server returns the qualified ciphertexts C ₁ and C ₃ to data user 1.

T6 After receiving the returned data ciphertexts C ₁ and C ₃ , data user 1 runs the decryption module of the user retrieval and decryption subsystem, which uses the private key sk to decrypt the ciphertexts C ₁ and C ₃ to obtain the plaintext contents of document 1 and document 3.

In summary, the Boolean keyword searchable encryption method supporting a large user group disclosed in this embodiment supports a more flexible data user attribute organization method and a more flexible access policy matching, thereby achieving more efficient access control. In the prior art, most technologies are based on the ABE (attribute-based encryption) scheme or the PEKS (public-key encryption with keyword search) scheme for improvement or expansion. Although the two schemes can currently achieve fine-grained access control, the attributes of data users are still integrated into a separate attribute set, which does not conform to the actual usage scenario. The present invention uses an access tree to represent the access policy, and organizes the data user attributes in a recursive set structure to achieve more efficient access policy matching. In addition, the encryption method also supports a more flexible keyword organization method and Boolean keyword retrieval. In the prior art, some technologies only support data owners to encrypt data for a single keyword, and data users use a single keyword for retrieval, but do not support Boolean keyword searches with nested logical words such as AND and OR; at the same time, the keywords in the prior art are organized in a set, and efficient keyword matching cannot be achieved in some actual usage scenarios. In the present invention, by organizing keywords into a recursive set and using a Boolean matching operation method, flexible keyword organization and Boolean keyword search are achieved.

The above embodiments are preferred implementation modes of the present invention, but the implementation modes of the present invention are not limited to the above embodiments. Any other changes, modifications, substitutions, combinations, and simplifications that do not deviate from the spirit and principles of the present invention should be equivalent replacement methods and are included in the protection scope of the present invention.

Claims (4)

1. A Boolean keyword searchable encryption method supporting a large user group, characterized in that the encryption method comprises the following steps: S1. System initialization: The trusted authority TA generates a public key pk and a master key mk based on the security parameter K, and publishes the public key pk to the cloud server; S2. Generate private key: Data users organize their attributes into recursive attribute sets It is then sent to the trusted authority TA, which uses the master key mk and the recursive attribute set Generate a private key sk and send it to the data user, where the attribute set is parsed as {A ₀ , A ₁ , ..., _An }, where A _i represents The i-th sub-attribute set in , assuming that the sub-attribute set _Ai contains _mi attributes, Where a _i,j represents the jth attribute in the sub-attribute set A _i ; S3, encryption: the data owner uses the system public key pk and recursive keyword set and visit tree Generate ciphertext C for the document and upload it to the cloud server. Recursively search for elements in the keyword set W _V represents the i′th subset of the recursive keyword set, which is parsed as Recursive keyword name set The recursive keyword set W _V has the same structure, and the elements in the set represents the i′th subset in the recursive keyword name set, which is parsed as (ρ(i′, 1), ρ(i′, 2), ... ρ(i′, m′ _i′ )), where m′ _i′ represents the number of keywords in the i′th keyword subset, ρ(i′, j′) represents the name of the j′th keyword in the i′th keyword subset, and w _{ρ(i′, j′)} represents the value of the j′th keyword in the i′th keyword subset; S4. Retrieval token generation: The data user uses the private key obtained in step S2 and the data user's local Boolean keyword value expression B _V to generate a retrieval token TK, where B _V is an access tree structure, and B _N represents a Boolean keyword name expression with the same access tree structure as B _V. For the leaf nodes in B _V , Keyword values are represented as in Indicates the corresponding keyword name; The process of step S4 is as follows: S4a, data user randomly selects a value Used for subsequent parameter generation and calculation of parameters used for conversion calculations at conversion nodes g is the generator of G, α and γ are the third and fourth parameters used to implement private key generation, document encryption and generation of retrieval tokens; S4b, data users use secret sharing algorithm Calculate the secret share of t, for each leaf node Data users calculate the parameters used for the keyword matching algorithm DecryptNodeII calculation and For each transition node Data User Compute Parameters used for transformation calculations at transformation nodes β ₂ is a second parameter used to implement private key generation, document encryption, and generation of retrieval tokens. The hash function H ₀ (·) satisfies the following mapping: in, is the set of all numbers that are coprime with the prime number p, Represents each transition node The constant in the secret sharing polynomial of ; S4c, the data user parses the private key sk into 1≤j≤m _i }, {E _i |1≤i≤n}>, and calculate the parameters used for ciphertext and keyword matching verification calculation Parameters used for calculation of attribute matching algorithm DecryptNodeI and where 0≤i≤n, 1≤j≤m _i ; and the parameter that can transform the _ri of subset A _i into the r ₀ of subset A ₀ Among them, the trusted authority TA calculates For subsequent generation Is a property set The subset Ai _of is used for subsequent and access tree matching verification parameters, assuming the recursive attribute set There are n+1 subsets in total. For the 2nd to n+1th subsets, their parameters _ri satisfy Let the parameter of the first subset A ₀ be r ₀ = r; S4d, the data user obtains the retrieval token based on the variables obtained in the above steps Among them, the trusted authority TA calculates For subsequent generation S5, ciphertext search: the data user sends the search token TK generated in step S4 to the cloud server. After receiving the ciphertext C stored on the cloud server, the cloud server uses the search token TK to verify whether the ciphertext C matches, and sends the ciphertext C that meets the matching condition to the data user. The process of step S5 is as follows: S5a, the cloud server parses the ciphertext C into It is a parameter used for ciphertext and keyword matching verification calculation. is the parameter used for the conversion calculation at the conversion node, n′ is the number of random parameters si _′ , and Ki _′ is the subset of the recursive keyword set s _i′ is converted into a subset The parameter of s ₀ , and These are all parameters used for calculating the attribute matching algorithm DecryptNodeI. Is the access tree The set of transition nodes that parses the retrieval token TK into S5b, according to the access tree and attribute sets For access tree For each node τ in the cloud server, the cloud server returns a set S _τ , where the elements of S _τ are the labels of the nodes τ , and each label u corresponds to a set _Au , and each set _Au can satisfy the sub-access tree For the root node R, there exists The corresponding set is S _R ; S5c, if the attribute set Satisfy access tree Then for each node τ, a label is randomly selected from the set S _τ , marked as u, and the attribute matching algorithm DecryptNodeI(C, TK, τ, u) is run. The algorithm inputs the ciphertext C, retrieves the token TK, the node τ and the label u, and calculates Output the calculation result F _τ of node τ, where C _τ and C′ _τ are the parameters corresponding to node τ in the ciphertext C. and is the parameter for retrieving the corresponding attribute of the token TK node τ in the subset _Au ; if there is no node that satisfies the access tree The property set Then it returns "0"; In step S5c, according to the node type of the node τ, the attribute matching algorithm DecryptNodeI(C, TK, τ, u) has the following two different calculation methods: When node τ is a leaf node, if the attribute att(τ)∈A _i corresponding to node τ is, then the attribute matching algorithm DecryptNodeI(C, TK, τ, u) is run, and the output is e: G×G→ _GT is a bilinear mapping; otherwise, the algorithm returns “⊥”; When node τ is a non-leaf node, the cloud server first calculates a set E _τ of k _τ child nodes of node τ. Each node z in E _τ must satisfy that label u belongs to z's label set S _z , u∈S _z or z is a transition node and there is at least one label u′∈S _z ; then runs the attribute matching algorithm DecryptNodeI(C, TK, z, u,) and outputs Next, according to the value of label u, F′ _z is converted using the conversion formula. When u = 0, calculate Output calculation results in is the parameter corresponding to the tag u′ in the retrieval token TK, is the parameter corresponding to the node z in the ciphertext C; when u≠0, calculate Output calculation results in is the parameter corresponding to the tag u in the retrieval token TK; After calculating each node in E _τ , use the following formula to calculate F _τ : in, k＝index(z), U _z ＝{index(z):z∈E _τ }, the index(·) function is used to obtain the label of the node; Next, run the attribute matching algorithm DecryptNodeI(C, TK, R, u) to calculate the root node R. When the label u of R is 0, output the calculation result F _R = e(g, g) ^trs ; when u≠0, output the calculation result Finally, F is calculated based on the label u. When the label u＝0, let F＝ _FR ; when u≠0, calculate Output calculation result F=e(g, g) ^trs ; S5d, for a given recursive keyword name set W _N and a Boolean keyword name expression B _N , for each node of B _N The cloud server calculates a tag set Each label h corresponds to a subset of W _N Each sub-collection All subtrees that satisfy B _N For the root node then exists The corresponding set is In step S5d, according to the node Node type, keyword matching algorithm There are two different calculation methods: When the node If it is a leaf node, Keyword matching algorithm Returns "⊥"; otherwise, assume but And run the keyword matching algorithm Output Where _sh represents the subset The corresponding matching verification random number, Represents a node The constant in the secret sharing polynomial of ; When the node When it is a non-leaf node, the cloud server first calculates a node containing of The set of child nodes Each node in The label h must belong to Collection of tags or is a transition node with at least one label Then run the keyword matching algorithm Output Next, according to the value of label h Use the conversion formula to convert. When h = 0, calculate Output calculation results in It is a node The corresponding parameter in the retrieval token TK, K _h′ is the parameter corresponding to the tag h′ in the ciphertext C; when h≠0, calculate Output calculation results Where K _h is the parameter corresponding to label h in ciphertext C; Calculation completed After each node is found, use the following formula to calculate in, Next, run the keyword matching algorithm For the root node Calculate when When the label h＝0, output the calculation result When h≠0, output the calculation result Finally, according to the label h, When label h = 0, let When h≠0, calculate Output calculation results S5e. If the recursive keyword name structure W _N satisfies the Boolean keyword name expression B _N , then for each node Random from the set Select a tag, label it as h, and run the keyword matching algorithm The algorithm inputs the ciphertext C, retrieves the token TK, and the node and label h, by calculating Output Node The calculation results in, and It is the node in the retrieval token TK The corresponding parameters, C _{ρ(h, j′)} and C′ _{ρ(h, j′)} are the nodes in the ciphertext C In the subset The parameter corresponding to the keyword name in; if there is no recursive keyword name structure W _N that satisfies the Boolean keyword name expression B _N , then "0" is returned; S5f, cloud server calculation is used to verify the parameters of the matching calculation And judge Is it true, where s ₀ is a subset Parameters used for matching verification, is the result of the matching calculation between the ciphertext keyword and the user search keyword, F is the result of the matching calculation between the access tree and the user attribute, if it is established, output "0"; if it is not established, output "1"; where e(g, g) represents mapping two elements in the cyclic group G to elements in the multiplication cyclic group _GT . 2. The Boolean keyword searchable encryption method supporting large-scale user groups according to claim 1, characterized in that the process of step S1 is as follows: S1a, Trusted authority TA uses group generator implement Generate (p, g, G, _GT , e), where p is a prime number, G and _GT are cyclic groups of order p, g is a generator of G, and e: G×G→ _GT is a bilinear map; S1b. The trusted authority TA selects two collision-resistant hash functions H ₀ (·) and H ₁ (·), where the hash function H ₀ (·) satisfies the following mapping: in, is the set of all numbers that are coprime with the prime number p, and the hash function H ₁ (·) satisfies the following mapping: {0, 1} ^* →G; S1c, the trusted authority TA randomly selects the first, second, third, and fourth parameters β ₁ , β ₂ , α, which are subsequently used to generate private keys, encrypt documents, and generate retrieval tokens. And by calculating g ^α , g ^αγ , g ^1/γ ; S1d, the trusted authority TA obtains the system public key based on the above variables Master key mk=<β ₁ , β ₂ , α>. 3. The Boolean keyword searchable encryption method supporting large-scale user groups according to claim 1, characterized in that the process of step S2 is as follows: S2a, the trusted authority TA is a recursive attribute set Random Selection is a recursive attribute set Each subset A _i of selects r _i , where r is the attribute set Parameters used for subsequent and access tree matching verification, _ri is the attribute set The subset Ai _of is used for subsequent and access tree matching verification parameters, assuming the recursive attribute set There are n+1 subsets in total. For the 2nd to n+1th subsets, their parameters _ri satisfy Let the parameter of the first subset A ₀ be r ₀ = r, is the set of all numbers that are coprime with the prime number p; S2b, the trusted authority TA also needs to be a recursive attribute set Each attribute a _i,j in selects a parameter ri _,j for subsequent matching calculations, where S2c, trusted authority TA calculation For subsequent generation calculate and For subsequent generation and Where 0≤i≤n, 1≤j≤m _i ; S2d, trusted authority TA calculation For subsequent generation Where 1≤i≤n; S2e, the trusted authority TA obtains the data user's private key based on the above variables and send it to the data user. 4. The Boolean keyword searchable encryption method supporting large-scale user groups according to claim 1, characterized in that the process of step S3 is as follows: S3a, the data owner randomly selects the recursive keyword set W _V for matching verification parameters is the set of all numbers that are coprime with the prime number p, and calculates the parameters used for the ciphertext and keyword matching verification calculation and parameters used for transformation calculations at transformation nodes S3b, the data owner generates a set of n′ random parameters Where si _′ is a subset of the recursive keyword set W _V Parameters used for matching verification, let s ₀ = s, is a subset Parameters used for matching verification; S3c, the data owner generates a random parameter set for subsequent matching calculations Among them, s _{i′, j′} corresponds to the keyword w _{ρ(i′, j′)} ; S3d, the data owner calculates the parameters used for the keyword matching algorithm DecryptNodeII calculation and Where 0≤i′≤n′, 1≤j′≤m′ _i′ , the keyword matching algorithm DecryptNodeII is used to calculate the ciphertext and retrieval token keyword matching, and then calculate the subset that can make the recursive keyword set s _i′ is converted into a subset The parameters of s ₀ Where 1≤i′≤n′; S3e, data owner uses secret sharing algorithm Compute the secret sharing of s, where q _v (0) represents the value of the constant in the secret sharing polynomial of node v, Represents a visit tree The leaf nodes of Indicates that according to s and access tree Run the secret sharing algorithm; S3f, data owner for access tree Each leaf node v calculates the parameters used for the attribute matching algorithm DecryptNodeI calculation and The attribute matching algorithm DecryptNodeI is used for matching calculation between user attribute set and access tree; S3g, will visit the tree The set of transition nodes is represented as For each node Data Owner Computing in, Supports mutual conversion of sets at conversion node x; S3h, the data owner obtains the ciphertext according to the variables obtained in the above steps