CN114640458A - Fine-grained multi-user secure searchable encryption method in cloud-edge collaborative environment - Google Patents
Fine-grained multi-user secure searchable encryption method in cloud-edge collaborative environment Download PDFInfo
- Publication number
- CN114640458A CN114640458A CN202210314337.4A CN202210314337A CN114640458A CN 114640458 A CN114640458 A CN 114640458A CN 202210314337 A CN202210314337 A CN 202210314337A CN 114640458 A CN114640458 A CN 114640458A
- Authority
- CN
- China
- Prior art keywords
- data
- user
- file
- key
- cloud
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 33
- 238000010276 construction Methods 0.000 claims abstract description 10
- 238000011160 research Methods 0.000 claims abstract description 4
- 238000013475 authorization Methods 0.000 claims description 19
- 230000006870 function Effects 0.000 claims description 4
- 125000004122 cyclic group Chemical group 0.000 claims description 3
- 238000012217 deletion Methods 0.000 claims description 3
- 230000037430 deletion Effects 0.000 claims description 3
- 238000007781 pre-processing Methods 0.000 claims description 3
- 238000005516 engineering process Methods 0.000 description 3
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 238000010586 diagram Methods 0.000 description 1
- 230000035800 maturation Effects 0.000 description 1
- 238000012946 outsourcing Methods 0.000 description 1
- 238000012545 processing Methods 0.000 description 1
- 238000000926 separation method Methods 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0442—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/10—File systems; File servers
- G06F16/13—File access structures, e.g. distributed indices
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/10—File systems; File servers
- G06F16/14—Details of searching files based on file metadata
- G06F16/148—File search processing
- G06F16/152—File search processing using file content signatures, e.g. hash values
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/12—Applying verification of the received information
- H04L63/123—Applying verification of the received information received data contents, e.g. message integrity
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/06—Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
- H04L9/3006—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters
- H04L9/3033—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters details relating to pseudo-prime or prime number generation, e.g. primality test
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
- H04L9/3066—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
- H04L9/3073—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves involving pairings, e.g. identity based encryption [IBE], bilinear mappings or bilinear pairings, e.g. Weil or Tate pairing
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3236—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/72—Signcrypting, i.e. digital signing and encrypting simultaneously
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D30/00—Reducing energy consumption in communication networks
- Y02D30/50—Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Signal Processing (AREA)
- Computer Networks & Wireless Communication (AREA)
- Theoretical Computer Science (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- Data Mining & Analysis (AREA)
- Databases & Information Systems (AREA)
- Pure & Applied Mathematics (AREA)
- Mathematical Analysis (AREA)
- Mathematical Optimization (AREA)
- Algebra (AREA)
- Mathematical Physics (AREA)
- Library & Information Science (AREA)
- Storage Device Security (AREA)
Abstract
The invention discloses a fine-grained multi-user secure searchable encryption method in a cloud-edge collaborative environment, which comprises the following steps: a cloud edge collaborative platform is used as a research background to construct a multi-user system model; a system initialization stage; a safety index construction stage; a step of generating a query trapdoor; a safety retrieval stage; and (5) a ciphertext decryption stage. In the invention, under the environment of cloud-edge cooperation, a data owner adopts a temporary key to construct a security index for different files through an edge server, an authorized user generates an inquiry trapdoor under the condition of not knowing the temporary key, and a cloud server correctly realizes keyword matching under the condition of not knowing the temporary key, thereby realizing a security searchable encryption scheme of a plurality of data owners, a plurality of data users, the cloud server and the edge server; in addition, under the environment of cloud edge cooperation, the edge server is used for helping the user to encrypt data and decrypt data, and the computing cost of the user is obviously reduced.
Description
Technical Field
The invention relates to the field of data encryption, in particular to a fine-grained multi-user secure searchable encryption method in a cloud-edge collaborative environment.
Background
As a novel computing mode, the cloud computing has the characteristics of strong computing capacity, massive resources, demand allocation and the like. With the gradual maturation and rapid development of cloud computing technology, a user with limited resources can store data in a cloud end, and can enjoy efficient and rapid file storage and processing services only with low cost, so that local management overhead is greatly reduced while high-quality data services are enjoyed, but data outsourcing causes data ownership and management right separation, and how to ensure the security of the data in a cloud server becomes a key problem to be solved urgently in cloud computing. The common solution is to encrypt user data first, and then upload the encrypted ciphertext data to the cloud, and when the user needs to use a certain data, retrieve the required document from the user ciphertext, although the encryption technology can ensure the confidentiality of the data, how to perform meaningful retrieval operation in the ciphertext becomes a great challenge, and in order to realize efficient retrieval of the ciphertext data while ensuring the confidentiality of the data, the searchable encryption technology is born at present, and has become a hotspot studied by students.
The searchable encryption system is divided into a symmetrical searchable encryption system and a public key searchable encryption system, the searchable encryption scheme is firstly proposed by Song and the like, a stream cipher method is used for encryption in the scheme, specific keywords are searched through linear scanning, a keyword retrieval function is realized on a ciphertext, and a data file in the symmetrical searchable encryption system and a keyword trapdoor to be retrieved are encrypted by using the same key; a public key Encryption with key Search (PEKS) was proposed by Boneh et al for the first time, and the PEKS scheme in a single-user environment cannot support sharing of encrypted files. Researchers have subsequently proposed some new multi-user environment PEKS solutions in which a user administrator manages the search capabilities of multiple users to enable them to search each other's files, but there are typically no fully trusted administrators in a cloud environment. To address these problems, Tang et al propose a secure scalable multi-party searchable encryption scheme, however this scheme only supports authorization for user retrieval, but does not explicitly support revocation of user retrieval authorization. Sahai et al in 2005 proposed obfuscated identity-based encryption, and the concept of "attribute-based encryption (ABE)" was first developed, and the identity of a user no longer uses the traditional identity, but rather represents the identity of the user with several attributes that can be related together using a "and/or" not "relationship. The implementation of the attribute-based encryption (ABE) is usually in two policy modes, namely, one is the attribute-based encryption (CP-ABE) of a ciphertext policy, and the other is the attribute-based encryption (KP-ABE) of a key policy. Goyal et al, 2008, converted KP-ABE to CP-ABE by using the concept of "access tree", in which an access structure, i.e. access tree, was specified by using a part of the user's attributes, and then encrypted the data message in this access structure. During decryption, decryption can be completed as long as the attribute that the decryptor has satisfies the access structure.
Most of the existing searchable encryption schemes are in a single-user environment, but are often applied to multiple users in reality, in the multi-user environment, if data owners share the same index encryption key to construct a secure searchable index, authorized data users submit trapdoors to one of the data owners to query the trapdoors, but if one of the data owners carelessly leaks the index encryption key, the data security of all the data owners suffers from impact. Therefore, data owners are reluctant to share keys in real life, and another solution allows each data owner to encrypt data indexes using their own keys, in which case the data user must submit query trapdoors to all data owners multiple times to complete ciphertext retrieval, so the most important challenge is that different data owners should be able to select different keys to construct a secure searchable index, as compared to a single-user model, to ensure data flexibility and security.
Disclosure of Invention
In order to solve the technical problems, the invention provides a fine-grained multi-user secure searchable encryption method in a cloud-edge collaborative environment, which is simple in algorithm and high in security.
The technical scheme for solving the technical problems is as follows: a fine-grained multi-user secure searchable encryption method in a cloud-edge collaborative environment comprises the following steps:
the method comprises the following steps: the method comprises the steps that a cloud-edge collaborative platform is used as a research background, a multi-user system model is constructed, and the system model comprises a plurality of data owners, a plurality of data users, a cloud server and an edge server;
step two, a system initialization stage;
step three, a security index construction stage: after each data owner carries out preprocessing operation on the data files, the corresponding data file set is sent to a nearby edge server, the edge server encrypts the data files to generate ciphertext of the data files, a safe searchable index is constructed for different files by adopting a temporary key, and then the safe searchable index is outsourced to a cloud server;
step four, inquiring the trapdoor generation stage: authorized data users search for the correct data file by submitting query trapdoors to the edge server;
step five, a safety retrieval stage: after receiving the query trap door, the cloud server is responsible for carrying out searching operation on the encrypted index and returning a query result to the edge server;
step six, ciphertext decryption stage: and the edge server decrypts the ciphertext and verifies the integrity of the ciphertext under the condition of authorization of the data user, and finally, the edge server sends the decrypted data file to the data user through a secure channel.
In the above fine-grained multi-user secure searchable encryption method under the cloud-edge collaborative environment, in the second step, the specific steps in the system initialization stage are as follows:
inputting a safety parameter to the system model, outputting a public parameter of the system model, and constructing a working environment: let G1,G2Is two q factorial cyclic groups, G is G1,G2The bilinear map e: g1×G1→G2And an encrypted one-way hash function H:it hashes any string of characters intoOne element of, finally, each system user UnGenerate its public and private key pair PKn、SKnWherein PK isn=xn, The system user includes a data owner UiAnd data user Uj。
In the above fine-grained multi-user secure searchable encryption method under the cloud-edge collaborative environment, in the third step, the specific steps in the secure index construction stage are as follows:
data owner UiFor file FkGenerating two large prime numbersSo that it satisfies q ═ q1×q2Extracting file FkCorresponding keyword set wi,k={wi,k,1,wi,k,2,…},wi,k,1Representing data owner UiThe first keyword of the kth file of (1); to realize the data owner UiBy using an n-column access authority table LkTo save the data owner UiDocument FkFor data user UjAuthority value of LkEach element A in (1)i,k,jRepresenting data owner UiFile F of oneselfkAuthorization to data user UjAccess with an initial value ofIf to data user UjIf authorization is carried out, q is used2Data user UjOf (2) a public keyComputingSequentially finishing the authority access tables of all the files; data owner UiUsing its own private key xiDigitally signing the file; finally, data owner UiFile FkCorresponding digital signature, keyword set w extracted from datai,kCorresponding authority access table LkAnd corresponding parameters q1,q2Sending the data to a nearby edge server through a secure channel;
the edge server receives the data owner UiAfter request of (2), first generating an encryption keyUsing an encryption key KkEncrypted file FkObtain a ciphertext Ck(ii) a In the multiple data owner model, the most important challenge is that different data owners can choose different keys to construct a secure searchable index to ensure flexibility and security of the system, for file F, compared to the single data owner modelkFromIn the random generation of the temporary key ski,kEncrypting the corresponding set of keywords wi,kConstruction of document FkSecure searchable secure indexWherein Ii,k,yIs wi,k,yThe encrypted security index is then stored in a memory, is Ii,k,yThe edge server decrypts the ciphertext CkCorresponding digital signature, secure indexCorresponding rights access table LkAnd sending the data to a cloud server.
In the above fine-grained multi-user secure searchable encryption method under the cloud-edge collaborative environment, in the fourth step, the specific step of querying the trapdoor generation stage is as follows:
to achieve unlinkability of trapdoors, data user UjEncrypting the inquired key words by using a random key each time; data user UjRandomly generating a temporary secret r1、r2Using the temporary key and its private key xjEncrypting query key w to generate trapdoor TwThen the trap door T is putwThe information is sent to a nearby edge server, and finally the information is forwarded to a cloud server by the edge server;
wherein T is1、T2、T3Are respectively a trapdoor TwThe first, second, and third portions of (a).
In the above fine-grained multi-user secure searchable encryption method under the cloud-edge collaborative environment, in the fifth step, the specific steps in the secure retrieval stage are as follows:
user U receiving data by cloud serverjTrapdoor Tw={T1,T2,T3After the search, the ciphertext C is inquired in sequencekAccess right table LkIf, ifData user UjFor ciphertext CkNo access right to skip directly; if it isTrap door T performed by cloud serverwAnd a secure indexThe retrieval work of (2); the cloud server firstly accesses the authority value A of the table through the authorityi,k,jAnd T2、T3Generating authorized trapdoors T2′、T3′:
Defining an intermediate variable V, and enabling:
e(Ii,k,y,1,T3′)=V(Tw);
if the above equation is true, the ciphertext C is describedkIs a data user UjTo verify as follows:
finally, the cloud server matches the ciphertext CkCorresponding digital signature, authority access value Ai,k,jAnd a pseudo decryption key Ii,k,y,2To data user UjA nearby edge server.
In the fine-grained multi-user secure searchable encryption method under the cloud-edge collaborative environment, in the sixth step, the specific steps in the ciphertext decryption stage are as follows:
for the data user UjThe edge server can choose which cryptograms need to be decrypted by the edge server, and the edge server sends the pseudo decryption key Ii,k,y,2To a data user, a data user UjUsing its own private key xjGenerating a key decryption key with a pseudo decryption keyAnd sending the data to the edge server through a secure channel;
user U receiving data by edge serverjAfter decrypting the key K' with the authorization key, the access value A of the authority is usedi,k,jGenerating a ciphertext decryption keyDecipher ciphertext CkGet file FkReuse of data owner UiAnd file FkThe corresponding digital signature verifies the integrity thereof, and the last edge server verifies the integrity of the complete file FkSending to data user U through safety channelj。
The fine-grained multi-user secure searchable encryption method under the cloud edge collaborative environment further comprises an authority granting and deleting stage, wherein a data owner authorizes a data user according to each data file, and uploads authorization information to the authority access table stored in each data file in the cloud server through the edge server, so that the requirement of dynamic updating is met, and the data owner can change the access authority of the data user at any time;
permission granting operation: data owner UiUsing the parameter q2And data user UjOf (2) a public keyCalculate this file FkAuthority value of (2):repeating the process to realize authorization to a plurality of files, and finally setting the authority value set Ai,j={Ai,k,1,Ai,k,2…, uploading to the cloud server through the edge server, and adding the authority value to the authority access table of the corresponding file by the cloud server;
and (3) permission deletion operation: data owner UiUsing the parameter q2And data user UjOf (2) a public keyCalculate this file FkAuthority value of (2):repeating the process to realize the revocation of the authority of a plurality of files, and finally, setting the authority value set Ai,j={Ai,k,1,Ai,k,2… is uploaded to the cloud server through the edge server, and the cloud server is corresponding to the edge serverUser U for deleting data in authority access table of filejThe authority value of (2).
The invention has the beneficial effects that:
1. in the invention, under the environment of cloud-edge cooperation, the data owner adopts the temporary key to construct the security index for different files through the edge server, the authorized user generates the query trapdoor under the condition of not knowing the temporary key, the cloud server correctly realizes keyword matching under the condition of not knowing the temporary key, and the security searchable encryption scheme of a plurality of data owners, a plurality of data users, the cloud server and the edge server is realized.
2. According to the invention, under the environment of cloud-edge cooperation, the edge server is utilized to help the user encrypt data and decrypt data, so that the computing cost of the user is obviously reduced.
3. Under the environment of cloud edge cooperation, the invention realizes fine-grained access control without a credible user management center, the data owner autonomously controls the access authority of the data user to the file of the data user without real-time online authorization, and the dynamic authority granting and deleting of the data user by the data owner are realized.
Drawings
FIG. 1 is a flow chart of the present invention.
FIG. 2 is a block diagram of a system model constructed in accordance with the present invention.
Detailed Description
The invention is further described below with reference to the figures and examples.
As shown in fig. 1, a fine-grained multi-user secure searchable encryption method in a cloud-edge collaborative environment includes the steps of:
the method comprises the following steps: the invention takes a cloud-edge collaborative platform as a research background to construct a multi-user system model, wherein the system model comprises a plurality of data owners, a plurality of data users, a cloud server and an edge server, as shown in fig. 2, the cloud server is defined as an honest but curious semi-trusted threat entity, and the edge server is defined as a trusted entity.
And step two, a system initialization stage.
The specific steps of the system initialization stage are as follows:
inputting a safety parameter to the system model, outputting a public parameter of the system model, and constructing a working environment: let G1,G2Is two q factorial cyclic groups, G is G1,G2The bilinear map e: g1×G1→G2And an encrypted one-way hash function H:it hashes any string of characters asOne element of, finally, each system user UnGenerate its public and private key pair PKn、SKnWherein PK isn=xn, The system user includes a data owner UiAnd data user Uj。
Step three, a security index construction stage: after each data owner carries out preprocessing operation on the data files, the corresponding data file set is sent to a nearby edge server, the edge server encrypts the data files to generate ciphertext of the data files, a safe searchable index is built for different files by adopting a temporary key, and then the safe searchable index is outsourced to a cloud server.
The specific steps of the security index construction stage are as follows:
data owner UiFor file FkGenerating two large prime numbersSo that it satisfies q ═ q1×q2Extracting file FkCorresponding keyword set wi,k={wi,k,1,wi,k,2,…},wi,k,1Representing data owner UiThe first keyword of the kth file of (1); to realize the data owner UiBy using an n-column access authority table LkTo save the data owner UiDocument FkFor data user UjAuthority value of LkEach element A in (1)i,k,jRepresenting data owner UiFile F of oneselfkAuthorization to data user UjAccess with an initial value ofIf to data user UjIf authorization is to be made, then q is used2Data user UjOf (2) a public keyComputingSequentially finishing the authority access tables of all the files; data owner UiUsing its own private key xiDigitally signing the file; finally, data owner UiFile FkCorresponding digital signature, keyword set w extracted from datai,kCorresponding authority access table LkAnd corresponding parameters q1,q2Sending the data to a nearby edge server through a secure channel;
the edge server receives the data owner UiAfter request of (2), first generating an encryption keyUsing an encryption key KkEncrypted file FkObtain the ciphertext Ck(ii) a In the multiple data owner model, the most important challenge is that different data owners can choose different keys to construct a secure searchable index to ensure flexibility and security of the system, for file F, compared to the single data owner modelkFromIn the random generation of the temporary key ski,kEncrypting the corresponding set of keywords wi,kConstruction of document FkSecure searchable secure indexWherein Ii,k,yIs wi,k,yThe encrypted security index is then stored in a memory, is Ii,k,yThe edge server decrypts the ciphertext CkCorresponding digital signature, secure indexCorresponding rights access table LkAnd sending the data to a cloud server.
Step four, inquiring the trapdoor generation stage: authorized data users search for the correct data file by submitting query trapdoors to the edge server.
The specific steps of the inquiry trapdoor generation stage are as follows:
to achieve unlinkability of trapdoors, data user UjEncrypting the inquired key words by using a random key each time; data user UjRandomly generating a temporary secret r1、r2Using the temporary key and its private key xjEncrypting query key w to generate trapdoor TwThen the trap door T is putwThe information is sent to a nearby edge server, and finally the information is forwarded to a cloud server by the edge server;
wherein T is1、T2、T3Are respectively a trapdoor TwTo (1) aA first, a second and a third part.
Step five, a safety retrieval stage: and after receiving the query trap, the cloud server is responsible for carrying out searching operation on the encrypted index and returning the query result to the edge server.
The specific steps of the safety retrieval stage are as follows:
user U receiving data by cloud serverjTrapdoor Tw={T1,T2,T3After the search, the ciphertext C is inquired in sequencekAccess right table LkIf, ifData user UjFor ciphertext CkNo access right to skip directly; if it isTrap door T performed by cloud serverwAnd a secure indexThe retrieval work of (2); the cloud server firstly accesses the authority value A of the table through the authorityi,k,jAnd T2、T3Generating authorized trapdoors T2’、T3’:
Defining an intermediate variable V, and enabling:
e(Ii,k,y,1,T3’)=V(Tw);
if the above equation is true, the ciphertext C is describedkIs a data user UjThe following is verified for a correct search result:
finally, the cloud server matches the ciphertext CkCorresponding digital signature, authority access value Ai,k,jAnd a pseudo decryption key Ii,k,y,2To data user UjA nearby edge server.
Step six, ciphertext decryption stage: the edge server decrypts the ciphertext and verifies the integrity of the ciphertext under the condition that the data user is authorized, and finally the edge server sends the decrypted data file to the data user through a secure channel.
The cryptograph decryption stage comprises the following specific steps:
for the data user UjThe edge server can select which cipher texts need to be decrypted by the edge server, and the edge server transmits the pseudo decryption key Ii,k,y,2To data users, data users UjUsing its own private key xjGenerating a key decryption key with a pseudo decryption keyAnd sending the data to the edge server through a secure channel;
edge serverUpon receipt of data user UjAfter decrypting the key K' with the authorization key, the access value A of the authority is usedi,k,jGenerating a ciphertext decryption keyDecipher ciphertext CkGet file FkReuse of data owner UiAnd file FkThe corresponding digital signature verifies the integrity thereof, and the last edge server verifies the integrity of the complete file FkSending to data user U through safety channelj。
The fine-grained multi-user secure searchable encryption method under the cloud edge collaborative environment further comprises an authority granting and deleting stage, a data owner authorizes a data user according to each data file, and uploads authorization information to an authority access table stored in each data file in a cloud server through an edge server, so that the requirement of dynamic updating is met, and the data owner can change the access authority of the data user at any time;
permission granting operation: data owner UiUsing the parameter q2And data user UjOf (2) a public keyCalculate this file FkAuthority value of (2):repeating the process to realize authorization to a plurality of files, and finally setting the authority value set Ai,j={Ai,k,1,Ai,k,2…, uploading to the cloud server through the edge server, and adding the authority value to the authority access table of the corresponding file by the cloud server;
and (3) permission deletion operation: data owner UiUsing the parameter q2And data user UjOf (2) a public keyCalculate this file FkAuthority value of (2):repeating the process to realize the revocation of the authority of a plurality of files, and finally, setting the authority value set Ai,j={Ai,k,1,Ai,k,2…, uploading to the cloud server through the edge server, and deleting the data user U in the authority access table of the corresponding file by the cloud serverjThe authority value of (2).
Claims (7)
1. A fine-grained multi-user secure searchable encryption method in a cloud-edge collaborative environment is characterized by comprising the following steps:
the method comprises the following steps: the method comprises the steps that a cloud-edge collaborative platform is used as a research background, a multi-user system model is constructed, and the system model comprises a plurality of data owners, a plurality of data users, a cloud server and an edge server;
step two, a system initialization stage;
step three, a security index construction stage: after each data owner carries out preprocessing operation on the data files, the corresponding data file set is sent to a nearby edge server, the edge server encrypts the data files to generate ciphertext of the data files, a safe searchable index is constructed for different files by adopting a temporary key, and then the safe searchable index is outsourced to a cloud server;
step four, inquiring the trapdoor generation stage: authorized data users search for the correct data file by submitting query trapdoors to the edge server;
step five, a safety retrieval stage: after receiving the query trap door, the cloud server is responsible for carrying out searching operation on the encrypted index and returning a query result to the edge server;
step six, ciphertext decryption stage: the edge server decrypts the ciphertext and verifies the integrity of the ciphertext under the condition that the data user is authorized, and finally the edge server sends the decrypted data file to the data user through a secure channel.
2. The fine-grained multi-user secure searchable encryption method according to claim 1, in the second step, the specific steps of the system initialization stage are as follows:
inputting a safety parameter to the system model, outputting a public parameter of the system model, and constructing a working environment: let G1,G2Is two q factorial cyclic groups, G is G1,G2The bilinear map e: g1×G1→G2And an encrypted one-way hash function H:it hashes any string of characters asOne element of, finally, each system user UnGenerate its public and private key pair PKn、SKnWherein PK isn=xn, The system user includes a data owner UiAnd data user Uj。
3. The fine-grained multi-user secure searchable encryption method according to claim 2 in the cloud-edge collaborative environment, wherein in the third step, the specific steps in the secure index construction stage are as follows:
data owner UiFor file FkGenerating two large prime numbers q1,So that it satisfies q ═ q1×q2Extracting file FkCorresponding keyword set wi,k={wi,k,1,wi,k,2,…},wi,k,1Representing data owner UiFirst key of kth fileA word; to realize the data owner UiBy using an n-column access authority table LkTo save the data owner UiDocument FkFor data user UjAuthority value of LkEach element A in (1)i,k,jRepresenting data owner UiFile F of oneselfkAuthorization to data user UjAccess with an initial value ofIf to data user UjIf authorization is to be made, then q is used2Data user UjOf (2) a public keyComputingSequentially finishing the authority access tables of all the files; data owner UiUsing its own private key xiDigitally signing the file; finally, data owner UiFile FkCorresponding digital signature, keyword set w extracted from datai,kCorresponding authority access table LkAnd corresponding parameters q1,q2Sending the data to a nearby edge server through a secure channel;
the edge server receives the data owner UiAfter request of (2), first generating an encryption keyUsing an encryption key KkEncrypted File FkObtain the ciphertext Ck(ii) a In the multiple data owner model, the most important challenge is that different data owners can choose different keys to construct a secure searchable index to ensure flexibility and security of the system, for file F, compared to the single data owner modelkFromIn the random generation of the temporary key ski,kEncrypting the corresponding set of keywords wi,kConstruction of document FkSecure searchable secure indexWherein Ii,k,yIs wi,k,yThe encrypted security index is then stored in a memory, is Ii,k,yThe edge server decrypts the ciphertext CkCorresponding digital signature, secure indexCorresponding rights access table LkAnd sending the data to a cloud server.
4. The fine-grained multi-user secure searchable encryption method according to claim 3, wherein in the fourth step, the specific steps of querying the trapdoor generation stage are as follows:
to achieve unlinkability of trapdoors, data user UjEncrypting the inquired key words by using a random key each time; data user UjRandomly generating a temporary secret r1、r2Using the temporary key and its private key xjEncrypting query key w to generate trapdoor TwThen the trapdoor T is openedwThe cloud server is sent to a nearby edge server, and finally the edge server forwards the cloud server;
wherein T is1、T2、T3Are respectively provided withIs a trapdoor TwThe first, second, and third portions of (a).
5. The fine-grained multi-user secure searchable encryption method according to claim 4, wherein in the fifth step, the specific steps in the secure retrieval phase are as follows:
user U receiving data by cloud serverjTrapdoor Tw={T1,T2,T3After the search, the ciphertext C is inquired in sequencekAccess right table LkIf at allData user UjFor ciphertext CkNo access right to skip directly; if it isTrap door T performed by cloud serverwAnd a secure indexThe retrieval work of (2); the cloud server firstly accesses the authority value A of the table through the authorityi,k,jAnd T2、T3Generating authorized trapdoors T2’、T3’:
Defining an intermediate variable V, and enabling:
e(Ii,k,y,1,T3’)=V(Tw);
if the above equation is true, the ciphertext C is describedkIs a data user UjTo verify as follows:
finally, the cloud server matches the ciphertext CkCorresponding digital signature, authority access value Ai,k,jAnd a pseudo decryption key Ii,k,y,2To data user UjA nearby edge server.
6. The fine-grained multi-user secure searchable encryption method according to claim 5, in the sixth step, the ciphertext decryption stage includes the specific steps of:
for the data user UjThe edge server can select which cipher texts need to be decrypted by the edge server, and the edge server transmits the pseudo decryption key Ii,k,y,2To a data user, a data user UjUsing its own private key xjGenerating a key decryption key with a pseudo decryption keyAnd sending the data to the edge server through a secure channel;
user U receiving data by edge serverjAfter the authorization key of (2) decrypts the key K', the authority is usedAccessing the value Ai,k,jGenerating a ciphertext decryption keyDecipher ciphertext CkGet file FkReuse of data owner UiAnd file FkThe corresponding digital signature verifies the integrity thereof, and finally the edge server verifies the complete file FkSending to data user U through safety channelj。
7. The fine-grained multi-user secure searchable encryption method in the cloud-edge collaborative environment according to claim 6, further comprising an authority granting and deleting stage, wherein a data owner authorizes a data user according to each data file, uploads authorization information to an authority access table stored in each data file in a cloud server through an edge server, meets the requirement of dynamic update, and can change the access authority of the data user at any time;
permission granting operation: data owner UiUsing the parameter q2And data user UjOf (2) a public keyCalculate this file FkAuthority value of (2):repeating the process to realize authorization to a plurality of files, and finally setting the authority value set Ai,j={Ai,k,1,Ai,k,2…, uploading to the cloud server through the edge server, and adding the authority value to the authority access table of the corresponding file by the cloud server;
and (3) permission deletion operation: data owner UiUsing the parameter q2And data user UjOf (2) a public keyCalculate this file FkAuthority value of (2):repeating the process to realize the revocation of the authority of a plurality of files, and finally, setting the authority value set Ai,j={Ai,k,1,Ai,k,2…, uploading to the cloud server through the edge server, and deleting the data user U in the authority access table of the corresponding file by the cloud serverjThe authority value of (2).
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210314337.4A CN114640458B (en) | 2022-03-28 | 2022-03-28 | Fine granularity multi-user security searchable encryption method in cloud-edge cooperative environment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210314337.4A CN114640458B (en) | 2022-03-28 | 2022-03-28 | Fine granularity multi-user security searchable encryption method in cloud-edge cooperative environment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114640458A true CN114640458A (en) | 2022-06-17 |
CN114640458B CN114640458B (en) | 2024-04-19 |
Family
ID=81950988
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210314337.4A Active CN114640458B (en) | 2022-03-28 | 2022-03-28 | Fine granularity multi-user security searchable encryption method in cloud-edge cooperative environment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114640458B (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115484095A (en) * | 2022-09-14 | 2022-12-16 | 湖南科技大学 | Block chain-based fine-grained access control method in cloud edge collaborative environment |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109450935A (en) * | 2018-12-19 | 2019-03-08 | 河南科技大学 | The multi-key word searching method for the Semantic Security that can verify that in cloud storage |
CN114048448A (en) * | 2021-11-24 | 2022-02-15 | 中央财经大学 | Block chain based dynamic searchable encryption method and device |
-
2022
- 2022-03-28 CN CN202210314337.4A patent/CN114640458B/en active Active
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109450935A (en) * | 2018-12-19 | 2019-03-08 | 河南科技大学 | The multi-key word searching method for the Semantic Security that can verify that in cloud storage |
CN114048448A (en) * | 2021-11-24 | 2022-02-15 | 中央财经大学 | Block chain based dynamic searchable encryption method and device |
Non-Patent Citations (2)
Title |
---|
王缵等: "移动边缘计算中基于位置信息的安全skyline查询处理方法", 《中国科学》, 14 October 2021 (2021-10-14) * |
郎晓丽;曹素珍;刘祥震;张玉磊;王斐;: "具有高效授权的无证书公钥认证可搜索加密方案", 计算机工程与科学, no. 03, 15 March 2020 (2020-03-15) * |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115484095A (en) * | 2022-09-14 | 2022-12-16 | 湖南科技大学 | Block chain-based fine-grained access control method in cloud edge collaborative environment |
CN115484095B (en) * | 2022-09-14 | 2024-05-07 | 湖南科技大学 | Fine granularity access control method based on blockchain in cloud-edge cooperative environment |
Also Published As
Publication number | Publication date |
---|---|
CN114640458B (en) | 2024-04-19 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN111835500B (en) | Searchable encryption data secure sharing method based on homomorphic encryption and block chain | |
CN112019591B (en) | Cloud data sharing method based on block chain | |
CN108494768B (en) | Ciphertext searching method and system supporting access control | |
CN109614818B (en) | Authorized identity-based keyword search encryption method | |
Kaaniche et al. | A secure client side deduplication scheme in cloud storage environments | |
CN108768951B (en) | Data encryption and retrieval method for protecting file privacy in cloud environment | |
CN104363215B (en) | A kind of encryption method and system based on attribute | |
Liu et al. | Multi-user searchable encryption with coarser-grained access control in hybrid cloud | |
CN103731432A (en) | Multi-user supported searchable encryption system and method | |
KR100839220B1 (en) | Method for searching encrypted database and System thereof | |
CN112989375B (en) | Hierarchical optimization encryption lossless privacy protection method | |
CN104780161A (en) | Searchable encryption method supporting multiple users in cloud storage | |
CN111930881B (en) | Connection keyword authentication searchable encryption method based on state cryptographic algorithm | |
WO2023044963A1 (en) | Method and system for re-encrypting threshold proxy based on attribute condition | |
US20160112413A1 (en) | Method for controlling security of cloud storage | |
CN112365945A (en) | Block chain-based electronic medical record fine-grained access control and ciphertext searchable method | |
CN106559422A (en) | Multidimensional ciphertext interval query method based on key agreement | |
CN107294701B (en) | Multidimensional ciphertext interval query device and method with efficient key management | |
WO2022025822A1 (en) | Cloud data sharing systems and methods for sharing data using the systems | |
CN114640458B (en) | Fine granularity multi-user security searchable encryption method in cloud-edge cooperative environment | |
CN108920968B (en) | File searchable encryption method based on connection keywords | |
Yan et al. | Secure and efficient big data deduplication in fog computing | |
CN109672525B (en) | Searchable public key encryption method and system with forward index | |
CN114793176B (en) | Pairing-free searchable encryption method supporting revocation and authentication | |
CN116663046A (en) | Private data sharing and retrieving method, system and equipment based on blockchain |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |