CN114640458A - Fine-grained multi-user secure searchable encryption method in cloud-edge collaborative environment - Google Patents

Fine-grained multi-user secure searchable encryption method in cloud-edge collaborative environment Download PDF

Info

Publication number
CN114640458A
CN114640458A CN202210314337.4A CN202210314337A CN114640458A CN 114640458 A CN114640458 A CN 114640458A CN 202210314337 A CN202210314337 A CN 202210314337A CN 114640458 A CN114640458 A CN 114640458A
Authority
CN
China
Prior art keywords
data
user
file
key
cloud
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202210314337.4A
Other languages
Chinese (zh)
Other versions
CN114640458B (en
Inventor
张世文
何家毅
李梦玲
晏紫微
梁伟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hunan University of Science and Technology
Original Assignee
Hunan University of Science and Technology
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hunan University of Science and Technology filed Critical Hunan University of Science and Technology
Priority to CN202210314337.4A priority Critical patent/CN114640458B/en
Publication of CN114640458A publication Critical patent/CN114640458A/en
Application granted granted Critical
Publication of CN114640458B publication Critical patent/CN114640458B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10File systems; File servers
    • G06F16/13File access structures, e.g. distributed indices
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10File systems; File servers
    • G06F16/14Details of searching files based on file metadata
    • G06F16/148File search processing
    • G06F16/152File search processing using file content signatures, e.g. hash values
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • H04L63/123Applying verification of the received information received data contents, e.g. message integrity
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/06Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3006Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters
    • H04L9/3033Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters details relating to pseudo-prime or prime number generation, e.g. primality test
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3066Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
    • H04L9/3073Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves involving pairings, e.g. identity based encryption [IBE], bilinear mappings or bilinear pairings, e.g. Weil or Tate pairing
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/72Signcrypting, i.e. digital signing and encrypting simultaneously
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02DCLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00Reducing energy consumption in communication networks
    • Y02D30/50Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Data Mining & Analysis (AREA)
  • Databases & Information Systems (AREA)
  • Pure & Applied Mathematics (AREA)
  • Mathematical Analysis (AREA)
  • Mathematical Optimization (AREA)
  • Algebra (AREA)
  • Mathematical Physics (AREA)
  • Library & Information Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a fine-grained multi-user secure searchable encryption method in a cloud-edge collaborative environment, which comprises the following steps: a cloud edge collaborative platform is used as a research background to construct a multi-user system model; a system initialization stage; a safety index construction stage; a step of generating a query trapdoor; a safety retrieval stage; and (5) a ciphertext decryption stage. In the invention, under the environment of cloud-edge cooperation, a data owner adopts a temporary key to construct a security index for different files through an edge server, an authorized user generates an inquiry trapdoor under the condition of not knowing the temporary key, and a cloud server correctly realizes keyword matching under the condition of not knowing the temporary key, thereby realizing a security searchable encryption scheme of a plurality of data owners, a plurality of data users, the cloud server and the edge server; in addition, under the environment of cloud edge cooperation, the edge server is used for helping the user to encrypt data and decrypt data, and the computing cost of the user is obviously reduced.

Description

Fine-grained multi-user secure searchable encryption method in cloud-edge collaborative environment
Technical Field
The invention relates to the field of data encryption, in particular to a fine-grained multi-user secure searchable encryption method in a cloud-edge collaborative environment.
Background
As a novel computing mode, the cloud computing has the characteristics of strong computing capacity, massive resources, demand allocation and the like. With the gradual maturation and rapid development of cloud computing technology, a user with limited resources can store data in a cloud end, and can enjoy efficient and rapid file storage and processing services only with low cost, so that local management overhead is greatly reduced while high-quality data services are enjoyed, but data outsourcing causes data ownership and management right separation, and how to ensure the security of the data in a cloud server becomes a key problem to be solved urgently in cloud computing. The common solution is to encrypt user data first, and then upload the encrypted ciphertext data to the cloud, and when the user needs to use a certain data, retrieve the required document from the user ciphertext, although the encryption technology can ensure the confidentiality of the data, how to perform meaningful retrieval operation in the ciphertext becomes a great challenge, and in order to realize efficient retrieval of the ciphertext data while ensuring the confidentiality of the data, the searchable encryption technology is born at present, and has become a hotspot studied by students.
The searchable encryption system is divided into a symmetrical searchable encryption system and a public key searchable encryption system, the searchable encryption scheme is firstly proposed by Song and the like, a stream cipher method is used for encryption in the scheme, specific keywords are searched through linear scanning, a keyword retrieval function is realized on a ciphertext, and a data file in the symmetrical searchable encryption system and a keyword trapdoor to be retrieved are encrypted by using the same key; a public key Encryption with key Search (PEKS) was proposed by Boneh et al for the first time, and the PEKS scheme in a single-user environment cannot support sharing of encrypted files. Researchers have subsequently proposed some new multi-user environment PEKS solutions in which a user administrator manages the search capabilities of multiple users to enable them to search each other's files, but there are typically no fully trusted administrators in a cloud environment. To address these problems, Tang et al propose a secure scalable multi-party searchable encryption scheme, however this scheme only supports authorization for user retrieval, but does not explicitly support revocation of user retrieval authorization. Sahai et al in 2005 proposed obfuscated identity-based encryption, and the concept of "attribute-based encryption (ABE)" was first developed, and the identity of a user no longer uses the traditional identity, but rather represents the identity of the user with several attributes that can be related together using a "and/or" not "relationship. The implementation of the attribute-based encryption (ABE) is usually in two policy modes, namely, one is the attribute-based encryption (CP-ABE) of a ciphertext policy, and the other is the attribute-based encryption (KP-ABE) of a key policy. Goyal et al, 2008, converted KP-ABE to CP-ABE by using the concept of "access tree", in which an access structure, i.e. access tree, was specified by using a part of the user's attributes, and then encrypted the data message in this access structure. During decryption, decryption can be completed as long as the attribute that the decryptor has satisfies the access structure.
Most of the existing searchable encryption schemes are in a single-user environment, but are often applied to multiple users in reality, in the multi-user environment, if data owners share the same index encryption key to construct a secure searchable index, authorized data users submit trapdoors to one of the data owners to query the trapdoors, but if one of the data owners carelessly leaks the index encryption key, the data security of all the data owners suffers from impact. Therefore, data owners are reluctant to share keys in real life, and another solution allows each data owner to encrypt data indexes using their own keys, in which case the data user must submit query trapdoors to all data owners multiple times to complete ciphertext retrieval, so the most important challenge is that different data owners should be able to select different keys to construct a secure searchable index, as compared to a single-user model, to ensure data flexibility and security.
Disclosure of Invention
In order to solve the technical problems, the invention provides a fine-grained multi-user secure searchable encryption method in a cloud-edge collaborative environment, which is simple in algorithm and high in security.
The technical scheme for solving the technical problems is as follows: a fine-grained multi-user secure searchable encryption method in a cloud-edge collaborative environment comprises the following steps:
the method comprises the following steps: the method comprises the steps that a cloud-edge collaborative platform is used as a research background, a multi-user system model is constructed, and the system model comprises a plurality of data owners, a plurality of data users, a cloud server and an edge server;
step two, a system initialization stage;
step three, a security index construction stage: after each data owner carries out preprocessing operation on the data files, the corresponding data file set is sent to a nearby edge server, the edge server encrypts the data files to generate ciphertext of the data files, a safe searchable index is constructed for different files by adopting a temporary key, and then the safe searchable index is outsourced to a cloud server;
step four, inquiring the trapdoor generation stage: authorized data users search for the correct data file by submitting query trapdoors to the edge server;
step five, a safety retrieval stage: after receiving the query trap door, the cloud server is responsible for carrying out searching operation on the encrypted index and returning a query result to the edge server;
step six, ciphertext decryption stage: and the edge server decrypts the ciphertext and verifies the integrity of the ciphertext under the condition of authorization of the data user, and finally, the edge server sends the decrypted data file to the data user through a secure channel.
In the above fine-grained multi-user secure searchable encryption method under the cloud-edge collaborative environment, in the second step, the specific steps in the system initialization stage are as follows:
inputting a safety parameter to the system model, outputting a public parameter of the system model, and constructing a working environment: let G1,G2Is two q factorial cyclic groups, G is G1,G2The bilinear map e: g1×G1→G2And an encrypted one-way hash function H:
Figure BDA0003568541880000041
it hashes any string of characters into
Figure BDA0003568541880000042
One element of, finally, each system user UnGenerate its public and private key pair PKn、SKnWherein PK isn=xn
Figure BDA0003568541880000043
Figure BDA0003568541880000044
The system user includes a data owner UiAnd data user Uj
In the above fine-grained multi-user secure searchable encryption method under the cloud-edge collaborative environment, in the third step, the specific steps in the secure index construction stage are as follows:
data owner UiFor file FkGenerating two large prime numbers
Figure BDA0003568541880000045
So that it satisfies q ═ q1×q2Extracting file FkCorresponding keyword set wi,k={wi,k,1,wi,k,2,…},wi,k,1Representing data owner UiThe first keyword of the kth file of (1); to realize the data owner UiBy using an n-column access authority table LkTo save the data owner UiDocument FkFor data user UjAuthority value of LkEach element A in (1)i,k,jRepresenting data owner UiFile F of oneselfkAuthorization to data user UjAccess with an initial value of
Figure BDA0003568541880000046
If to data user UjIf authorization is carried out, q is used2Data user UjOf (2) a public key
Figure BDA0003568541880000047
Computing
Figure BDA0003568541880000048
Sequentially finishing the authority access tables of all the files; data owner UiUsing its own private key xiDigitally signing the file; finally, data owner UiFile FkCorresponding digital signature, keyword set w extracted from datai,kCorresponding authority access table LkAnd corresponding parameters q1,q2Sending the data to a nearby edge server through a secure channel;
the edge server receives the data owner UiAfter request of (2), first generating an encryption key
Figure BDA0003568541880000049
Using an encryption key KkEncrypted file FkObtain a ciphertext Ck(ii) a In the multiple data owner model, the most important challenge is that different data owners can choose different keys to construct a secure searchable index to ensure flexibility and security of the system, for file F, compared to the single data owner modelkFrom
Figure BDA0003568541880000051
In the random generation of the temporary key ski,kEncrypting the corresponding set of keywords wi,kConstruction of document FkSecure searchable secure index
Figure BDA0003568541880000052
Wherein Ii,k,yIs wi,k,yThe encrypted security index is then stored in a memory,
Figure BDA0003568541880000053
Figure BDA0003568541880000054
is Ii,k,yThe edge server decrypts the ciphertext CkCorresponding digital signature, secure index
Figure BDA0003568541880000055
Corresponding rights access table LkAnd sending the data to a cloud server.
In the above fine-grained multi-user secure searchable encryption method under the cloud-edge collaborative environment, in the fourth step, the specific step of querying the trapdoor generation stage is as follows:
to achieve unlinkability of trapdoors, data user UjEncrypting the inquired key words by using a random key each time; data user UjRandomly generating a temporary secret r1、r2Using the temporary key and its private key xjEncrypting query key w to generate trapdoor TwThen the trap door T is putwThe information is sent to a nearby edge server, and finally the information is forwarded to a cloud server by the edge server;
Figure BDA0003568541880000056
wherein T is1、T2、T3Are respectively a trapdoor TwThe first, second, and third portions of (a).
In the above fine-grained multi-user secure searchable encryption method under the cloud-edge collaborative environment, in the fifth step, the specific steps in the secure retrieval stage are as follows:
user U receiving data by cloud serverjTrapdoor Tw={T1,T2,T3After the search, the ciphertext C is inquired in sequencekAccess right table LkIf, if
Figure BDA0003568541880000057
Data user UjFor ciphertext CkNo access right to skip directly; if it is
Figure BDA0003568541880000058
Trap door T performed by cloud serverwAnd a secure index
Figure BDA0003568541880000059
The retrieval work of (2); the cloud server firstly accesses the authority value A of the table through the authorityi,k,jAnd T2、T3Generating authorized trapdoors T2′、T3′:
Figure BDA0003568541880000061
Figure BDA0003568541880000062
Defining an intermediate variable V, and enabling:
Figure BDA0003568541880000063
if it can be safely indexed
Figure BDA0003568541880000064
Find an index I ini,k,y,1The following equation is satisfied:
e(Ii,k,y,1,T3′)=V(Tw);
if the above equation is true, the ciphertext C is describedkIs a data user UjTo verify as follows:
Figure BDA0003568541880000065
Figure BDA0003568541880000066
Figure BDA0003568541880000071
finally, the cloud server matches the ciphertext CkCorresponding digital signature, authority access value Ai,k,jAnd a pseudo decryption key Ii,k,y,2To data user UjA nearby edge server.
In the fine-grained multi-user secure searchable encryption method under the cloud-edge collaborative environment, in the sixth step, the specific steps in the ciphertext decryption stage are as follows:
for the data user UjThe edge server can choose which cryptograms need to be decrypted by the edge server, and the edge server sends the pseudo decryption key Ii,k,y,2To a data user, a data user UjUsing its own private key xjGenerating a key decryption key with a pseudo decryption key
Figure BDA0003568541880000072
And sending the data to the edge server through a secure channel;
user U receiving data by edge serverjAfter decrypting the key K' with the authorization key, the access value A of the authority is usedi,k,jGenerating a ciphertext decryption key
Figure BDA0003568541880000073
Decipher ciphertext CkGet file FkReuse of data owner UiAnd file FkThe corresponding digital signature verifies the integrity thereof, and the last edge server verifies the integrity of the complete file FkSending to data user U through safety channelj
The fine-grained multi-user secure searchable encryption method under the cloud edge collaborative environment further comprises an authority granting and deleting stage, wherein a data owner authorizes a data user according to each data file, and uploads authorization information to the authority access table stored in each data file in the cloud server through the edge server, so that the requirement of dynamic updating is met, and the data owner can change the access authority of the data user at any time;
permission granting operation: data owner UiUsing the parameter q2And data user UjOf (2) a public key
Figure BDA0003568541880000074
Calculate this file FkAuthority value of (2):
Figure BDA0003568541880000075
repeating the process to realize authorization to a plurality of files, and finally setting the authority value set Ai,j={Ai,k,1,Ai,k,2…, uploading to the cloud server through the edge server, and adding the authority value to the authority access table of the corresponding file by the cloud server;
and (3) permission deletion operation: data owner UiUsing the parameter q2And data user UjOf (2) a public key
Figure BDA0003568541880000081
Calculate this file FkAuthority value of (2):
Figure BDA0003568541880000082
repeating the process to realize the revocation of the authority of a plurality of files, and finally, setting the authority value set Ai,j={Ai,k,1,Ai,k,2… is uploaded to the cloud server through the edge server, and the cloud server is corresponding to the edge serverUser U for deleting data in authority access table of filejThe authority value of (2).
The invention has the beneficial effects that:
1. in the invention, under the environment of cloud-edge cooperation, the data owner adopts the temporary key to construct the security index for different files through the edge server, the authorized user generates the query trapdoor under the condition of not knowing the temporary key, the cloud server correctly realizes keyword matching under the condition of not knowing the temporary key, and the security searchable encryption scheme of a plurality of data owners, a plurality of data users, the cloud server and the edge server is realized.
2. According to the invention, under the environment of cloud-edge cooperation, the edge server is utilized to help the user encrypt data and decrypt data, so that the computing cost of the user is obviously reduced.
3. Under the environment of cloud edge cooperation, the invention realizes fine-grained access control without a credible user management center, the data owner autonomously controls the access authority of the data user to the file of the data user without real-time online authorization, and the dynamic authority granting and deleting of the data user by the data owner are realized.
Drawings
FIG. 1 is a flow chart of the present invention.
FIG. 2 is a block diagram of a system model constructed in accordance with the present invention.
Detailed Description
The invention is further described below with reference to the figures and examples.
As shown in fig. 1, a fine-grained multi-user secure searchable encryption method in a cloud-edge collaborative environment includes the steps of:
the method comprises the following steps: the invention takes a cloud-edge collaborative platform as a research background to construct a multi-user system model, wherein the system model comprises a plurality of data owners, a plurality of data users, a cloud server and an edge server, as shown in fig. 2, the cloud server is defined as an honest but curious semi-trusted threat entity, and the edge server is defined as a trusted entity.
And step two, a system initialization stage.
The specific steps of the system initialization stage are as follows:
inputting a safety parameter to the system model, outputting a public parameter of the system model, and constructing a working environment: let G1,G2Is two q factorial cyclic groups, G is G1,G2The bilinear map e: g1×G1→G2And an encrypted one-way hash function H:
Figure BDA0003568541880000091
it hashes any string of characters as
Figure BDA0003568541880000092
One element of, finally, each system user UnGenerate its public and private key pair PKn、SKnWherein PK isn=xn
Figure BDA0003568541880000093
Figure BDA0003568541880000094
The system user includes a data owner UiAnd data user Uj
Step three, a security index construction stage: after each data owner carries out preprocessing operation on the data files, the corresponding data file set is sent to a nearby edge server, the edge server encrypts the data files to generate ciphertext of the data files, a safe searchable index is built for different files by adopting a temporary key, and then the safe searchable index is outsourced to a cloud server.
The specific steps of the security index construction stage are as follows:
data owner UiFor file FkGenerating two large prime numbers
Figure BDA0003568541880000095
So that it satisfies q ═ q1×q2Extracting file FkCorresponding keyword set wi,k={wi,k,1,wi,k,2,…},wi,k,1Representing data owner UiThe first keyword of the kth file of (1); to realize the data owner UiBy using an n-column access authority table LkTo save the data owner UiDocument FkFor data user UjAuthority value of LkEach element A in (1)i,k,jRepresenting data owner UiFile F of oneselfkAuthorization to data user UjAccess with an initial value of
Figure BDA0003568541880000101
If to data user UjIf authorization is to be made, then q is used2Data user UjOf (2) a public key
Figure BDA0003568541880000102
Computing
Figure BDA0003568541880000103
Sequentially finishing the authority access tables of all the files; data owner UiUsing its own private key xiDigitally signing the file; finally, data owner UiFile FkCorresponding digital signature, keyword set w extracted from datai,kCorresponding authority access table LkAnd corresponding parameters q1,q2Sending the data to a nearby edge server through a secure channel;
the edge server receives the data owner UiAfter request of (2), first generating an encryption key
Figure BDA0003568541880000104
Using an encryption key KkEncrypted file FkObtain the ciphertext Ck(ii) a In the multiple data owner model, the most important challenge is that different data owners can choose different keys to construct a secure searchable index to ensure flexibility and security of the system, for file F, compared to the single data owner modelkFrom
Figure BDA0003568541880000105
In the random generation of the temporary key ski,kEncrypting the corresponding set of keywords wi,kConstruction of document FkSecure searchable secure index
Figure BDA0003568541880000106
Wherein Ii,k,yIs wi,k,yThe encrypted security index is then stored in a memory,
Figure BDA0003568541880000107
Figure BDA0003568541880000108
is Ii,k,yThe edge server decrypts the ciphertext CkCorresponding digital signature, secure index
Figure BDA0003568541880000109
Corresponding rights access table LkAnd sending the data to a cloud server.
Step four, inquiring the trapdoor generation stage: authorized data users search for the correct data file by submitting query trapdoors to the edge server.
The specific steps of the inquiry trapdoor generation stage are as follows:
to achieve unlinkability of trapdoors, data user UjEncrypting the inquired key words by using a random key each time; data user UjRandomly generating a temporary secret r1、r2Using the temporary key and its private key xjEncrypting query key w to generate trapdoor TwThen the trap door T is putwThe information is sent to a nearby edge server, and finally the information is forwarded to a cloud server by the edge server;
Figure BDA0003568541880000111
wherein T is1、T2、T3Are respectively a trapdoor TwTo (1) aA first, a second and a third part.
Step five, a safety retrieval stage: and after receiving the query trap, the cloud server is responsible for carrying out searching operation on the encrypted index and returning the query result to the edge server.
The specific steps of the safety retrieval stage are as follows:
user U receiving data by cloud serverjTrapdoor Tw={T1,T2,T3After the search, the ciphertext C is inquired in sequencekAccess right table LkIf, if
Figure BDA0003568541880000112
Data user UjFor ciphertext CkNo access right to skip directly; if it is
Figure BDA0003568541880000113
Trap door T performed by cloud serverwAnd a secure index
Figure BDA0003568541880000114
The retrieval work of (2); the cloud server firstly accesses the authority value A of the table through the authorityi,k,jAnd T2、T3Generating authorized trapdoors T2’、T3’:
Figure BDA0003568541880000115
Figure BDA0003568541880000116
Defining an intermediate variable V, and enabling:
Figure BDA0003568541880000117
if it can be safely indexed
Figure BDA0003568541880000118
To find an index Ii,k,y,1The following equation is satisfied:
e(Ii,k,y,1,T3’)=V(Tw);
if the above equation is true, the ciphertext C is describedkIs a data user UjThe following is verified for a correct search result:
Figure BDA0003568541880000119
Figure BDA0003568541880000121
Figure BDA0003568541880000122
finally, the cloud server matches the ciphertext CkCorresponding digital signature, authority access value Ai,k,jAnd a pseudo decryption key Ii,k,y,2To data user UjA nearby edge server.
Step six, ciphertext decryption stage: the edge server decrypts the ciphertext and verifies the integrity of the ciphertext under the condition that the data user is authorized, and finally the edge server sends the decrypted data file to the data user through a secure channel.
The cryptograph decryption stage comprises the following specific steps:
for the data user UjThe edge server can select which cipher texts need to be decrypted by the edge server, and the edge server transmits the pseudo decryption key Ii,k,y,2To data users, data users UjUsing its own private key xjGenerating a key decryption key with a pseudo decryption key
Figure BDA0003568541880000123
And sending the data to the edge server through a secure channel;
edge serverUpon receipt of data user UjAfter decrypting the key K' with the authorization key, the access value A of the authority is usedi,k,jGenerating a ciphertext decryption key
Figure BDA0003568541880000131
Decipher ciphertext CkGet file FkReuse of data owner UiAnd file FkThe corresponding digital signature verifies the integrity thereof, and the last edge server verifies the integrity of the complete file FkSending to data user U through safety channelj
The fine-grained multi-user secure searchable encryption method under the cloud edge collaborative environment further comprises an authority granting and deleting stage, a data owner authorizes a data user according to each data file, and uploads authorization information to an authority access table stored in each data file in a cloud server through an edge server, so that the requirement of dynamic updating is met, and the data owner can change the access authority of the data user at any time;
permission granting operation: data owner UiUsing the parameter q2And data user UjOf (2) a public key
Figure BDA0003568541880000132
Calculate this file FkAuthority value of (2):
Figure BDA0003568541880000133
repeating the process to realize authorization to a plurality of files, and finally setting the authority value set Ai,j={Ai,k,1,Ai,k,2…, uploading to the cloud server through the edge server, and adding the authority value to the authority access table of the corresponding file by the cloud server;
and (3) permission deletion operation: data owner UiUsing the parameter q2And data user UjOf (2) a public key
Figure BDA0003568541880000134
Calculate this file FkAuthority value of (2):
Figure BDA0003568541880000135
repeating the process to realize the revocation of the authority of a plurality of files, and finally, setting the authority value set Ai,j={Ai,k,1,Ai,k,2…, uploading to the cloud server through the edge server, and deleting the data user U in the authority access table of the corresponding file by the cloud serverjThe authority value of (2).

Claims (7)

1. A fine-grained multi-user secure searchable encryption method in a cloud-edge collaborative environment is characterized by comprising the following steps:
the method comprises the following steps: the method comprises the steps that a cloud-edge collaborative platform is used as a research background, a multi-user system model is constructed, and the system model comprises a plurality of data owners, a plurality of data users, a cloud server and an edge server;
step two, a system initialization stage;
step three, a security index construction stage: after each data owner carries out preprocessing operation on the data files, the corresponding data file set is sent to a nearby edge server, the edge server encrypts the data files to generate ciphertext of the data files, a safe searchable index is constructed for different files by adopting a temporary key, and then the safe searchable index is outsourced to a cloud server;
step four, inquiring the trapdoor generation stage: authorized data users search for the correct data file by submitting query trapdoors to the edge server;
step five, a safety retrieval stage: after receiving the query trap door, the cloud server is responsible for carrying out searching operation on the encrypted index and returning a query result to the edge server;
step six, ciphertext decryption stage: the edge server decrypts the ciphertext and verifies the integrity of the ciphertext under the condition that the data user is authorized, and finally the edge server sends the decrypted data file to the data user through a secure channel.
2. The fine-grained multi-user secure searchable encryption method according to claim 1, in the second step, the specific steps of the system initialization stage are as follows:
inputting a safety parameter to the system model, outputting a public parameter of the system model, and constructing a working environment: let G1,G2Is two q factorial cyclic groups, G is G1,G2The bilinear map e: g1×G1→G2And an encrypted one-way hash function H:
Figure FDA0003568541870000011
it hashes any string of characters as
Figure FDA0003568541870000012
One element of, finally, each system user UnGenerate its public and private key pair PKn、SKnWherein PK isn=xn
Figure FDA0003568541870000021
Figure FDA0003568541870000022
The system user includes a data owner UiAnd data user Uj
3. The fine-grained multi-user secure searchable encryption method according to claim 2 in the cloud-edge collaborative environment, wherein in the third step, the specific steps in the secure index construction stage are as follows:
data owner UiFor file FkGenerating two large prime numbers q1
Figure FDA0003568541870000023
So that it satisfies q ═ q1×q2Extracting file FkCorresponding keyword set wi,k={wi,k,1,wi,k,2,…},wi,k,1Representing data owner UiFirst key of kth fileA word; to realize the data owner UiBy using an n-column access authority table LkTo save the data owner UiDocument FkFor data user UjAuthority value of LkEach element A in (1)i,k,jRepresenting data owner UiFile F of oneselfkAuthorization to data user UjAccess with an initial value of
Figure FDA0003568541870000024
If to data user UjIf authorization is to be made, then q is used2Data user UjOf (2) a public key
Figure FDA0003568541870000025
Computing
Figure FDA0003568541870000026
Sequentially finishing the authority access tables of all the files; data owner UiUsing its own private key xiDigitally signing the file; finally, data owner UiFile FkCorresponding digital signature, keyword set w extracted from datai,kCorresponding authority access table LkAnd corresponding parameters q1,q2Sending the data to a nearby edge server through a secure channel;
the edge server receives the data owner UiAfter request of (2), first generating an encryption key
Figure FDA0003568541870000027
Using an encryption key KkEncrypted File FkObtain the ciphertext Ck(ii) a In the multiple data owner model, the most important challenge is that different data owners can choose different keys to construct a secure searchable index to ensure flexibility and security of the system, for file F, compared to the single data owner modelkFrom
Figure FDA0003568541870000028
In the random generation of the temporary key ski,kEncrypting the corresponding set of keywords wi,kConstruction of document FkSecure searchable secure index
Figure FDA0003568541870000029
Wherein Ii,k,yIs wi,k,yThe encrypted security index is then stored in a memory,
Figure FDA00035685418700000210
Figure FDA00035685418700000211
is Ii,k,yThe edge server decrypts the ciphertext CkCorresponding digital signature, secure index
Figure FDA00035685418700000212
Corresponding rights access table LkAnd sending the data to a cloud server.
4. The fine-grained multi-user secure searchable encryption method according to claim 3, wherein in the fourth step, the specific steps of querying the trapdoor generation stage are as follows:
to achieve unlinkability of trapdoors, data user UjEncrypting the inquired key words by using a random key each time; data user UjRandomly generating a temporary secret r1、r2Using the temporary key and its private key xjEncrypting query key w to generate trapdoor TwThen the trapdoor T is openedwThe cloud server is sent to a nearby edge server, and finally the edge server forwards the cloud server;
Figure FDA0003568541870000031
wherein T is1、T2、T3Are respectively provided withIs a trapdoor TwThe first, second, and third portions of (a).
5. The fine-grained multi-user secure searchable encryption method according to claim 4, wherein in the fifth step, the specific steps in the secure retrieval phase are as follows:
user U receiving data by cloud serverjTrapdoor Tw={T1,T2,T3After the search, the ciphertext C is inquired in sequencekAccess right table LkIf at all
Figure FDA0003568541870000032
Data user UjFor ciphertext CkNo access right to skip directly; if it is
Figure FDA0003568541870000033
Trap door T performed by cloud serverwAnd a secure index
Figure FDA0003568541870000037
The retrieval work of (2); the cloud server firstly accesses the authority value A of the table through the authorityi,k,jAnd T2、T3Generating authorized trapdoors T2’、T3’:
Figure FDA0003568541870000034
Figure FDA0003568541870000035
Defining an intermediate variable V, and enabling:
Figure FDA0003568541870000036
if can be at safetyIndex
Figure FDA0003568541870000043
To find an index Ii,k,y,1The following equation is satisfied:
e(Ii,k,y,1,T3’)=V(Tw);
if the above equation is true, the ciphertext C is describedkIs a data user UjTo verify as follows:
Figure FDA0003568541870000041
Figure FDA0003568541870000042
finally, the cloud server matches the ciphertext CkCorresponding digital signature, authority access value Ai,k,jAnd a pseudo decryption key Ii,k,y,2To data user UjA nearby edge server.
6. The fine-grained multi-user secure searchable encryption method according to claim 5, in the sixth step, the ciphertext decryption stage includes the specific steps of:
for the data user UjThe edge server can select which cipher texts need to be decrypted by the edge server, and the edge server transmits the pseudo decryption key Ii,k,y,2To a data user, a data user UjUsing its own private key xjGenerating a key decryption key with a pseudo decryption key
Figure FDA0003568541870000051
And sending the data to the edge server through a secure channel;
user U receiving data by edge serverjAfter the authorization key of (2) decrypts the key K', the authority is usedAccessing the value Ai,k,jGenerating a ciphertext decryption key
Figure FDA0003568541870000052
Decipher ciphertext CkGet file FkReuse of data owner UiAnd file FkThe corresponding digital signature verifies the integrity thereof, and finally the edge server verifies the complete file FkSending to data user U through safety channelj
7. The fine-grained multi-user secure searchable encryption method in the cloud-edge collaborative environment according to claim 6, further comprising an authority granting and deleting stage, wherein a data owner authorizes a data user according to each data file, uploads authorization information to an authority access table stored in each data file in a cloud server through an edge server, meets the requirement of dynamic update, and can change the access authority of the data user at any time;
permission granting operation: data owner UiUsing the parameter q2And data user UjOf (2) a public key
Figure FDA0003568541870000053
Calculate this file FkAuthority value of (2):
Figure FDA0003568541870000054
repeating the process to realize authorization to a plurality of files, and finally setting the authority value set Ai,j={Ai,k,1,Ai,k,2…, uploading to the cloud server through the edge server, and adding the authority value to the authority access table of the corresponding file by the cloud server;
and (3) permission deletion operation: data owner UiUsing the parameter q2And data user UjOf (2) a public key
Figure FDA0003568541870000055
Calculate this file FkAuthority value of (2):
Figure FDA0003568541870000056
repeating the process to realize the revocation of the authority of a plurality of files, and finally, setting the authority value set Ai,j={Ai,k,1,Ai,k,2…, uploading to the cloud server through the edge server, and deleting the data user U in the authority access table of the corresponding file by the cloud serverjThe authority value of (2).
CN202210314337.4A 2022-03-28 2022-03-28 Fine granularity multi-user security searchable encryption method in cloud-edge cooperative environment Active CN114640458B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210314337.4A CN114640458B (en) 2022-03-28 2022-03-28 Fine granularity multi-user security searchable encryption method in cloud-edge cooperative environment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210314337.4A CN114640458B (en) 2022-03-28 2022-03-28 Fine granularity multi-user security searchable encryption method in cloud-edge cooperative environment

Publications (2)

Publication Number Publication Date
CN114640458A true CN114640458A (en) 2022-06-17
CN114640458B CN114640458B (en) 2024-04-19

Family

ID=81950988

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210314337.4A Active CN114640458B (en) 2022-03-28 2022-03-28 Fine granularity multi-user security searchable encryption method in cloud-edge cooperative environment

Country Status (1)

Country Link
CN (1) CN114640458B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115484095A (en) * 2022-09-14 2022-12-16 湖南科技大学 Block chain-based fine-grained access control method in cloud edge collaborative environment

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109450935A (en) * 2018-12-19 2019-03-08 河南科技大学 The multi-key word searching method for the Semantic Security that can verify that in cloud storage
CN114048448A (en) * 2021-11-24 2022-02-15 中央财经大学 Block chain based dynamic searchable encryption method and device

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109450935A (en) * 2018-12-19 2019-03-08 河南科技大学 The multi-key word searching method for the Semantic Security that can verify that in cloud storage
CN114048448A (en) * 2021-11-24 2022-02-15 中央财经大学 Block chain based dynamic searchable encryption method and device

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
王缵等: "移动边缘计算中基于位置信息的安全skyline查询处理方法", 《中国科学》, 14 October 2021 (2021-10-14) *
郎晓丽;曹素珍;刘祥震;张玉磊;王斐;: "具有高效授权的无证书公钥认证可搜索加密方案", 计算机工程与科学, no. 03, 15 March 2020 (2020-03-15) *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115484095A (en) * 2022-09-14 2022-12-16 湖南科技大学 Block chain-based fine-grained access control method in cloud edge collaborative environment
CN115484095B (en) * 2022-09-14 2024-05-07 湖南科技大学 Fine granularity access control method based on blockchain in cloud-edge cooperative environment

Also Published As

Publication number Publication date
CN114640458B (en) 2024-04-19

Similar Documents

Publication Publication Date Title
CN111835500B (en) Searchable encryption data secure sharing method based on homomorphic encryption and block chain
CN112019591B (en) Cloud data sharing method based on block chain
CN108494768B (en) Ciphertext searching method and system supporting access control
CN109614818B (en) Authorized identity-based keyword search encryption method
Kaaniche et al. A secure client side deduplication scheme in cloud storage environments
CN108768951B (en) Data encryption and retrieval method for protecting file privacy in cloud environment
CN104363215B (en) A kind of encryption method and system based on attribute
Liu et al. Multi-user searchable encryption with coarser-grained access control in hybrid cloud
CN103731432A (en) Multi-user supported searchable encryption system and method
KR100839220B1 (en) Method for searching encrypted database and System thereof
CN112989375B (en) Hierarchical optimization encryption lossless privacy protection method
CN104780161A (en) Searchable encryption method supporting multiple users in cloud storage
CN111930881B (en) Connection keyword authentication searchable encryption method based on state cryptographic algorithm
WO2023044963A1 (en) Method and system for re-encrypting threshold proxy based on attribute condition
US20160112413A1 (en) Method for controlling security of cloud storage
CN112365945A (en) Block chain-based electronic medical record fine-grained access control and ciphertext searchable method
CN106559422A (en) Multidimensional ciphertext interval query method based on key agreement
CN107294701B (en) Multidimensional ciphertext interval query device and method with efficient key management
WO2022025822A1 (en) Cloud data sharing systems and methods for sharing data using the systems
CN114640458B (en) Fine granularity multi-user security searchable encryption method in cloud-edge cooperative environment
CN108920968B (en) File searchable encryption method based on connection keywords
Yan et al. Secure and efficient big data deduplication in fog computing
CN109672525B (en) Searchable public key encryption method and system with forward index
CN114793176B (en) Pairing-free searchable encryption method supporting revocation and authentication
CN116663046A (en) Private data sharing and retrieving method, system and equipment based on blockchain

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant