CN115412233A - Searchable encryption method and system with forward and backward privacy based on attributes on block chain - Google Patents


Info

Publication number
CN115412233A
Authority
CN
China
Prior art keywords
user
data
index
retrieval
private key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210990925.XA
Other languages
Chinese (zh)
Inventor
徐玲玲
金祥
徐培明
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
South China University of Technology SCUT
CSG Electric Power Research Institute
Original Assignee
South China University of Technology SCUT
CSG Electric Power Research Institute
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by South China University of Technology SCUT and CSG Electric Power Research Institute
Priority to CN202210990925.XA
Publication of CN115412233A
Legal status: Pending (current)


Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90Details of database functions independent of the retrieved data types
    • G06F16/901Indexing; Data structures therefor; Storage structures
    • G06F16/9014Indexing; Data structures therefor; Storage structures hash tables
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90Details of database functions independent of the retrieved data types
    • G06F16/903Querying
    • G06F16/90335Query processing
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/604Tools and structures for managing or administering access control systems
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245Protecting personal data, e.g. for financial or medical purposes
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141Access rights, e.g. capability lists, access control lists, access tables, access matrices

Abstract

The invention discloses an attribute-based searchable encryption method and system with forward and backward privacy on a blockchain, wherein the method comprises the following steps: S1, generating the system parameters SPP and publishing the SPP, generating the private keys dk_1 and dk_2, and generating a private key K_u for the user; S2, generating an index ciphertext set EDB and an updated mapping Σ for the documents, and deploying the EDB on the blockchain; S3, when the data user DU carries out a retrieval operation, encrypting the keyword q with the private key K_u to obtain a retrieval trapdoor Tra and sending it to the blockchain network; S4, judging according to EDB[H_2(C)] whether the user has the corresponding access authority; after the authority check passes, obtaining the corresponding state value according to EDB[H_2(C)]; S5, after the data user receives the result set MEI, recovering the corresponding plaintext content with the private key K_u. The invention can effectively set the access authority of the user; meanwhile, forward privacy and backward privacy of the data are realized; and by using the blockchain, decentralization of the retrieval is realized.

Description

Attribute-based searchable encryption method and system with forward and backward privacy on blockchain
Technical Field
The invention belongs to the technical field of information retrieval and cryptography, and particularly relates to a searchable encryption method and system based on attributes and having forward and backward privacy on a block chain.
Background
With the rapid development of internet technology, the popularity of cloud computing technology, and the exponential growth in the amount of user data, more and more enterprise users and individuals choose to store their data in the cloud, which alleviates their own overhead of managing and storing data. The user can retrieve data in the cloud anytime and anywhere and can easily share the data to the licensee. However, cloud computing offers us convenience and also presents a serious security risk. When data is outsourced to a cloud server in clear text, it may be subject to illegal access by a cloud service provider or hacker. The conventional solution is to encrypt data and store the encrypted data in a cloud server in a form of ciphertext, but the conventional plaintext retrieval technology cannot be applied to the ciphertext.
In order to enable a user to perform keyword search on ciphertext data, a Searchable Encryption (SE) technique has been proposed as a solution. According to different Encryption methods, searchable Encryption can be divided into Searchable Symmetric Encryption (SSE) and Public Key Encryption with Keyword Search (PEKS). In public key based searchable encryption, data owners encrypt data using a public key of a given user before uploading the data to a cloud server, after which these users can search and decrypt the data using their private keys.
However, both types of searchable encryption scheme mostly depend on a trusted authority for private key generation and distribution, and on that account the trusted authority becomes the attack target of most hackers; on the other hand, once the trusted authority ceases to be trustworthy, the security of the user data collapses. Therefore, researchers have attempted to apply blockchain technology, which has characteristics such as decentralization, to the searchable encryption field, and have proposed many schemes. These mainly store the data separately from the index: the data is stored on a server, the index is stored on the blockchain, and encrypted retrieval is performed using the blockchain. The data owner encrypts the data and uploads it to the server; when a user needs to query a keyword, the generated retrieval trapdoor is sent to the blockchain for the query, and the corresponding data is obtained from the server according to the returned result. Blockchain-based searchable encryption realizes decentralization of the retrieval process, ensures the legitimacy of the returned results, and reduces the storage space and search cost of the cloud server.
Although existing work provides solutions for blockchain-based search, none of the existing solutions can simultaneously address the three issues of decentralization of retrieval, fine-grained access control over users, and forward and backward privacy of data.
Decentralized search solves the single-point-of-failure problem and so improves system stability, whereas most existing work performs the search operation through a single server; fine-grained access control over users plays a very important role in ensuring the data security of data owners, and the multi-user mode has many application scenarios, yet some existing blockchain-based methods do not support this characteristic; forward privacy of the data ensures that a user cannot use a previously generated retrieval trapdoor to retrieve data updated after the trapdoor was generated, while backward privacy of the data ensures that the user cannot use a retrieval trapdoor to retrieve data that was added earlier but has since been deleted.
In summary, even though some work has proposed excellent solutions to some of the above three problems, compromises in other aspects are inevitable, and the three problems have not been solved at the same time. Therefore, how to design a complete attribute-based searchable encryption scheme with forward and backward privacy on a blockchain in the context of big data and cloud storage has become a critical problem to be solved urgently.
Disclosure of Invention
The invention mainly aims to overcome the defects of the prior art and provide an attribute-based searchable encryption method and system with forward and backward privacy on a blockchain. Ciphertext-Policy Attribute-Based Encryption (CP-ABE) is used to support fine-grained access control over users, so that the access authority of a user can be set effectively; forward privacy and backward privacy of the data are realized at the same time; and by using the blockchain, decentralization of retrieval is realized and single-point failures can be effectively avoided.
In order to achieve the purpose, the invention adopts the following technical scheme:
one aspect of the present invention provides a searchable encryption method with forward and backward privacy based on attributes on a blockchain, comprising the steps of:
S1, the data owner DO generates the system public parameter SPP according to a security parameter λ and publishes the SPP, then generates the private keys dk_1 and dk_2 according to the SPP, and uses the public parameter SPP, the private key dk_2 and the attribute set S_u of the data user to generate a private key K_u for the user, which is sent to the data user DU through a secure channel;
S2, the data owner DO uses the private key dk_1, the data set DB = {OP, ind, W, T}, the public parameter SPP and the mapping Σ to generate an index ciphertext set EDB and an updated mapping Σ for the documents, and deploys the EDB on the blockchain, wherein OP represents the operation mode of the data, namely addition or deletion, ind represents the file index set, W represents the keyword set, and T represents the set of access trees of the keywords;
S3, when the data user DU carries out a retrieval operation, the data user encrypts the keyword q with its private key K_u to obtain a retrieval trapdoor Tra and sends it to the blockchain network;
S4, after the blockchain network BP receives the retrieval trapdoor Tra sent by the data user DU, the BP first obtains the corresponding access tree T according to EDB[T_ind]; it then uses T_q from the trapdoor and the attribute set of the user to compute C on the access tree, and judges according to EDB[H_2(C)] whether the user has the corresponding access authority; after the permission check passes, it obtains the corresponding state value according to EDB[H_2(C)], traces back from that state, adds the encrypted index of each earlier update related to the keyword q to the result set MEI, and finally returns the MEI to the data user;
S5, after the data user receives the result set MEI, the corresponding plaintext content is recovered with the private key K_u.
As a preferred technical solution, in step S1, after the data owner DO generates the system parameter SPP and the private keys dk_1 and dk_2, the system parameter SPP is published in the blockchain network or broadcast to all users, and all users have the authority to access the system parameter SPP; the private keys dk_1 and dk_2 are stored at the data owner DO, and only the data owner DO has the right to access them.
As a preferred technical solution, step S1 specifically is:
S11, the data owner DO runs the group generator
Figure BDA0003803913620000031
, executing
Figure BDA0003803913620000032
to generate (G_1, G_2, e, g, q), where q is a prime number, G_1 and G_2 are multiplicative cyclic groups of order q, g is a generator of G_1, and e: G_1 × G_1 → G_2 is a bilinear map;
S12, the data owner DO randomly selects several secure hash functions and a pseudo-random sequence generation function F together with its inverse permutation F^{-1}, where F: {0,1}^λ × {0,1}^λ → {0,1}^λ; the above secure hash functions, the pseudo-random sequence generation function and the parameters from step S11 are combined into the public parameter SPP = (G_1, G_2, e, g, q, H_0, H_1, H_2, H_3, H_4, h_1, h_2, h_3, h_4, F, F^{-1}), and the SPP is published in the blockchain network or broadcast to all users in the system, where H_0, H_1, H_2, H_3, H_4, h_1, h_2, h_3, h_4 all denote secure hash functions;
S13, the data owner DO initializes an empty mapping Σ, i.e., Σ[key] = value, which is maintained by the data owner DO and used to store the state of each keyword;
S14, the data owner DO defines the Lagrange coefficient:
Figure BDA0003803913620000033
where S denotes a set and i, j ∈ Z_q^*;
S15, the data owner randomly selects α, β ∈ Z_q^*, computes g^α, g^β and e(g,g)^α, and obtains dk_1 = (e(g,g)^α, g^β), dk_2 = (β, g^α);
S16, the data owner randomly selects r ∈ Z_q^* and computes
Figure BDA0003803913620000036
and k_3 = g^r; for each attribute a_i in the user's attribute set S_u the following calculations are made: randomly select
Figure BDA0003803913620000037
, then compute
Figure BDA0003803913620000038
and
Figure BDA0003803913620000039
; the user's final private key is
Figure BDA00038039136200000310
, which is sent to the user DU over a secure channel.
Preferably, in step S2, the index ciphertext set EDB refers to the data obtained by the data owner encrypting the keywords; in the search stage, the corresponding access tree
Figure BDA00038039136200000311
is found from the access tree index T_ind submitted by the user;
Figure BDA00038039136200000312
is the access tree for the keyword w_i; the server computes a result using the access tree and the retrieval token sent by the user, and uses that result to judge whether a corresponding encrypted index exists, so that the retrieval can continue.
As a preferred technical solution, step S2 specifically includes:
S21, the data owner DO randomly selects a version number v ∈ Z_q^*, and computes and publishes the version information EV = g^v;
S22, for each keyword w_i in the data set DB, the data owner performs the following calculation: use the mapping Σ to judge whether the keyword already exists, and if it does not, initialize its state value
Figure BDA0003803913620000041
; then compute a key from the state value
Figure BDA0003803913620000042
; then store
Figure BDA0003803913620000043
in the corresponding value
Figure BDA0003803913620000044
, where
Figure BDA0003803913620000045
is the size of DB(w_i), and DB(w_i) is the set of file indices corresponding to w_i;
S23, for each index
Figure BDA0003803913620000046
in DB(w_i), the following calculation is performed: first encrypt the index according to the formula
Figure BDA0003803913620000047
; then compute another key from the state value
Figure BDA0003803913620000048
and store the encrypted index in the corresponding value
Figure BDA0003803913620000049
, where
Figure BDA00038039136200000410
Figure BDA00038039136200000411
S24, the data owner then randomly selects a secret number s ∈ Z_q^* and computes
Figure BDA00038039136200000412
; s is used as the secret value of the root of the attribute access tree; let t be the root node of
Figure BDA00038039136200000413
, and for each node x of
Figure BDA00038039136200000414
proceed as follows: if x = t, randomly select a polynomial q_t of degree d_t = k_t - 1 with q_t(0) = s, choosing the other d_t coefficients of q_t at random to complete its definition; otherwise, randomly select a polynomial q_x of degree d_x = k_x - 1 with q_x(0) = q_parent(x)(index(x));
S25, let X be the set of all leaf nodes, and compute for each leaf node x as follows:
Figure BDA00038039136200000415
Figure BDA00038039136200000416
finally, the corresponding access tree
Figure BDA00038039136200000417
is obtained;
S26, finally compute the value matched against the user's trapdoor
Figure BDA00038039136200000418
and the index T_ind of the access tree
Figure BDA00038039136200000419
Figure BDA00038039136200000420
, compute its hash value as the key
Figure BDA00038039136200000421
, and take the XOR of another hash value and the state value as the value
Figure BDA00038039136200000422
, where
Figure BDA0003803913620000051
Figure BDA0003803913620000052
S27, the data owner inserts the key-value pairs
Figure BDA0003803913620000053
Figure BDA0003803913620000054
Figure BDA0003803913620000055
into the smart contract.
As a preferred technical solution, step S3 is specifically:
S31, the private key of the data user is
Figure BDA0003803913620000056
; compute the value temp from k_2 and q:
Figure BDA0003803913620000057
S32, then compute T_q from k_1 and temp:
Figure BDA0003803913620000058
S33, finally, compute the access tree index T_ind carrying version information using the version number EV:
Figure BDA0003803913620000059
S34, the data user DU assembles the retrieval trapdoor from these variables:
Tra = <T_ind, T_q, S_u>
where
Figure BDA00038039136200000510
Figure BDA00038039136200000511
Figure BDA00038039136200000512
S35, the data user DU sends the retrieval trapdoor Tra to the blockchain network.
As a preferred technical solution, step S4 is specifically:
S41, the blockchain network takes the access tree index T_ind from the trapdoor and obtains the access tree T = EDB[T_ind];
S42, let x denote a node of T, and compute for each leaf node x in T as follows: let a denote the attribute of the leaf node x, i.e., a = attr(x); if a ∈ S_u, compute F_x
Figure BDA00038039136200000513
; otherwise F_x = ⊥; for each non-leaf node x in T, the following calculation is made: let S_x denote a set of k_x child nodes z of x; if no such S_x exists, F_x = ⊥, otherwise compute F_x by Lagrange interpolation
Figure BDA0003803913620000061
where
i = index(z),
Figure BDA0003803913620000062
Figure BDA0003803913620000063
is the Lagrange coefficient.
Let t denote the root node of T: if F_t = ⊥, return 0; otherwise compute C,
Figure BDA0003803913620000064
where
Figure BDA0003803913620000065
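The threshold-tree logic of steps S24/S25 (share the root secret s down the tree with polynomials q_x, q_x(0) = q_parent(x)(index(x))) and of step S42 (recover upward with Lagrange coefficients, returning ⊥ when a gate has fewer than k_x usable children) can be shown without the bilinear group. The following is an added example, not code from the patent; it keeps all arithmetic in Z_q under a constructed prime Q, whereas the patent embeds the shares in group elements, and the policy in policy_tree, the attribute names and check_access are this example's own assumptions.

```python
# Added example (not from the patent): a threshold-gate access tree with secret
# sharing along the tree (step S24/S25) and Lagrange recovery from a user's
# attribute set (step S42). The patent embeds the shares in bilinear-group
# elements; here all arithmetic stays in Z_q so the tree logic is visible.
import secrets
from dataclasses import dataclass, field
from typing import List, Optional, Set

Q = 2**61 - 1  # constructed prime standing in for the group order q


@dataclass
class Node:
    threshold: int = 1             # k_x; a leaf has k_x = 1
    attr: Optional[str] = None     # attr(x) for a leaf, None for a gate
    children: List["Node"] = field(default_factory=list)
    share: Optional[int] = None    # q_x(0) once share_secret has run


def lagrange_coeff(i: int, S: List[int], x: int = 0) -> int:
    """Lagrange coefficient Delta_{i,S}(x) = prod_{j in S, j != i} (x - j)/(i - j) mod q."""
    num, den = 1, 1
    for j in S:
        if j != i:
            num = num * (x - j) % Q
            den = den * (i - j) % Q
    return num * pow(den, -1, Q) % Q


def share_secret(node: Node, value: int) -> None:
    """S24: set q_x(0) = value, pick the other k_x - 1 coefficients of q_x at
    random, and give the child with index(z) = i the share q_x(i)."""
    node.share = value
    if not node.children:
        return
    coeffs = [value] + [secrets.randbelow(Q) for _ in range(node.threshold - 1)]
    for i, child in enumerate(node.children, start=1):
        share_secret(child, sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q)


def recover(node: Node, attrs: Set[str]) -> Optional[int]:
    """S42: a leaf yields its share only if its attribute is in S_u; a gate
    interpolates any k_x recovered children at x = 0; None plays the role of bottom."""
    if not node.children:
        return node.share if node.attr in attrs else None
    got = []
    for i, child in enumerate(node.children, start=1):
        value = recover(child, attrs)
        if value is not None:
            got.append((i, value))
        if len(got) == node.threshold:
            break
    if len(got) < node.threshold:
        return None
    S = [i for i, _ in got]
    return sum(v * lagrange_coeff(i, S) for i, v in got) % Q


def policy_tree() -> Node:
    """Constructed policy: (doctor OR nurse) AND (2 of {cardiology, oncology, ER})."""
    return Node(threshold=2, children=[
        Node(threshold=1, children=[Node(attr="doctor"), Node(attr="nurse")]),
        Node(threshold=2, children=[Node(attr="cardiology"),
                                    Node(attr="oncology"), Node(attr="ER")]),
    ])


def check_access(attrs: Set[str], secret: int = 123456789) -> bool:
    """True iff the attribute set recovers the root secret s (the permission check)."""
    tree = policy_tree()
    share_secret(tree, secret)
    return recover(tree, attrs) == secret


if __name__ == "__main__":
    print(check_access({"doctor", "cardiology", "ER"}))    # True
    print(check_access({"nurse", "cardiology"}))           # False: only one department
    print(check_access({"cardiology", "oncology", "ER"}))  # False: no role attribute
```

In the patent the leaves hold group elements and recovery at the root yields C rather than s itself, but the control flow is the same: a user whose attributes satisfy the tree obtains exactly the root value, and any other attribute set gets ⊥ at some gate, which is why the lookup EDB[H_2(C)] in S43 fails for unauthorized users.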
S43, then compute the key from C
Figure BDA0003803913620000066
; if
Figure BDA0003803913620000067
is not present in the EDB, the user does not have the corresponding access right; otherwise obtain the corresponding value
Figure BDA0003803913620000068
Figure BDA0003803913620000069
and, according to
Figure BDA00038039136200000610
, compute the state value
Figure BDA00038039136200000611
Figure BDA00038039136200000612
S44, enter a loop: from the state value
Figure BDA00038039136200000613
obtain the key
Figure BDA00038039136200000614
Figure BDA00038039136200000615
; if
Figure BDA00038039136200000616
is present, obtain the corresponding value
Figure BDA00038039136200000617
, otherwise end the loop and return the result set MEI
Figure BDA00038039136200000618
; using
Figure BDA00038039136200000619
obtain the length of the index set containing the current keyword in this state
Figure BDA00038039136200000620
Figure BDA00038039136200000621
; let j run from 1 to
Figure BDA00038039136200000622
; first use the state value
Figure BDA00038039136200000623
and j to obtain the key
Figure BDA00038039136200000624
Figure BDA00038039136200000625
, thereby obtaining the value
Figure BDA0003803913620000071
Figure BDA0003803913620000072
, and further compute the encrypted index
Figure BDA0003803913620000073
and add it to the result set MEI,
Figure BDA0003803913620000074
; finally, when
Figure BDA0003803913620000075
, backtrack to the previous state value
Figure BDA0003803913620000076
Figure BDA0003803913620000077
, assign it to
Figure BDA0003803913620000078
, and continue the loop.
As a preferred technical solution, step S5 specifically includes:
S51, for each
Figure BDA0003803913620000079
in MEI, the data user performs the following calculation: first compute temp,
Figure BDA00038039136200000710
then decrypt to obtain the file index
Figure BDA00038039136200000711
Figure BDA00038039136200000712
S52, use the file index to fetch the file from the cloud storage server and obtain the corresponding document.
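The state chain that steps S22/S23 build and that S44 walks backwards is what gives the scheme its forward privacy: each update picks a fresh state, stores its entries under keys derived from that new state, and records only a masked link to the previous state, so a trapdoor that carries an older state can never reach entries added later. The following added example, written for this page and not taken from the patent, shows that mechanism end to end (owner update, blockchain-side search, user-side decryption per S5) with an HMAC standing in for the hash functions H_i and F; the CP-ABE permission check of S42/S43 is omitted, the all-zero ZERO_STATE sentinel, the single-byte op encoding and the keyword/file names are this example's own assumptions, and deletion is applied on the user side by dropping indices whose latest op is "-".

```python
# Added example (not from the patent): a state-chained encrypted index that
# gives forward privacy (an old trapdoor cannot reach later updates) and
# client-side backward privacy (deleted indices are dropped at decryption).
# Keyed SHA-256 (HMAC) stands in for the patent's hash functions H_i and F;
# the CP-ABE permission check is left out here. All names are this example's own.
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

STATE_LEN = 16
ZERO_STATE = bytes(STATE_LEN)   # sentinel: "no earlier state" (assumption)
Trapdoor = Tuple[bytes, bytes]  # (per-keyword key, latest state value)
Slot = Tuple[bytes, List[bytes]]


def prf(key: bytes, *parts: bytes) -> bytes:
    """Length-prefixed keyed hash used for every derivation below."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        mac.update(len(p).to_bytes(2, "big") + p)
    return mac.digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class DataOwner:
    """Holds dk_1 and the state map Sigma (keyword -> latest state), as in S13/S22."""

    def __init__(self) -> None:
        self.dk1 = secrets.token_bytes(32)
        self.sigma: Dict[str, bytes] = {}

    def keyword_key(self, w: str) -> bytes:
        return prf(self.dk1, b"kw", w.encode())

    def update(self, edb: Dict[bytes, Slot], w: str, op: str, inds: List[str]) -> None:
        """One update of keyword w: op is '+' (add) or '-' (delete)."""
        assert op in ("+", "-") and all(len(i.encode()) <= 31 for i in inds)
        k_w = self.keyword_key(w)
        st_prev = self.sigma.get(w, ZERO_STATE)
        st_new = secrets.token_bytes(STATE_LEN)       # fresh, unpredictable state
        entries = []
        for j, ind in enumerate(inds, start=1):
            pad = prf(k_w, b"e", st_new, j.to_bytes(2, "big"))
            entries.append(xor(pad, op.encode() + ind.encode().ljust(31, b"\x00")))
        # The previous state is stored masked, so only a holder of k_w and st_new
        # can walk the chain backwards; nothing on the chain points forward.
        masked_prev = xor(st_prev, prf(k_w, b"p", st_new)[:STATE_LEN])
        edb[prf(k_w, b"k", st_new)] = (masked_prev, entries)
        self.sigma[w] = st_new

    def trapdoor(self, w: str) -> Trapdoor:
        """S3: the search token carries the keyword key and the current state."""
        return self.keyword_key(w), self.sigma.get(w, ZERO_STATE)


def search(edb: Dict[bytes, Slot], tra: Trapdoor) -> List[Tuple[bytes, List[bytes]]]:
    """Blockchain side (S44): start at the state in the trapdoor and backtrack
    state by state, collecting every encrypted entry, until the chain ends."""
    k_w, st = tra
    mei = []
    while st != ZERO_STATE:
        slot = edb.get(prf(k_w, b"k", st))
        if slot is None:
            break
        masked_prev, entries = slot
        mei.append((st, entries))
        st = xor(masked_prev, prf(k_w, b"p", st)[:STATE_LEN])
    return mei


def decrypt(tra: Trapdoor, mei: List[Tuple[bytes, List[bytes]]]) -> List[str]:
    """Data user side (S5): recover (op, ind) pairs oldest-first and apply deletions."""
    k_w, _ = tra
    live: List[str] = []
    for st, entries in reversed(mei):
        for j, e in enumerate(entries, start=1):
            plain = xor(e, prf(k_w, b"e", st, j.to_bytes(2, "big")))
            op, ind = plain[:1].decode(), plain[1:].rstrip(b"\x00").decode()
            if op == "+" and ind not in live:
                live.append(ind)
            elif op == "-" and ind in live:
                live.remove(ind)
    return live


def demo() -> Tuple[List[str], List[str]]:
    """Constructed scenario: two adds, a trapdoor, then a delete and a new add."""
    edb: Dict[bytes, Slot] = {}
    owner = DataOwner()
    owner.update(edb, "cardiology", "+", ["file-001", "file-002"])
    old_tra = owner.trapdoor("cardiology")
    owner.update(edb, "cardiology", "-", ["file-001"])
    owner.update(edb, "cardiology", "+", ["file-003"])
    new_tra = owner.trapdoor("cardiology")
    return decrypt(old_tra, search(edb, old_tra)), decrypt(new_tra, search(edb, new_tra))


if __name__ == "__main__":
    print(demo())  # (['file-001', 'file-002'], ['file-002', 'file-003'])
```

The old trapdoor still sees exactly the two files that existed when it was issued, because the key of every later slot depends on a state it does not hold; the fresh trapdoor walks all three states and, after decryption, yields only the indices that have not been deleted. Nothing on the chain side is decrypted: the node only matches keys and follows masked links, which mirrors the division of labour between S44 (blockchain) and S5 (data user).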
In another aspect, the present invention provides a searchable encryption system with forward and backward privacy based on attributes in a blockchain, which is applied to a searchable encryption method with forward and backward privacy based on attributes in the blockchain, and the searchable encryption system includes: the system comprises a cloud storage subsystem running on a cloud server, an initialization and encryption subsystem running on a data owner end, a retrieval trapdoor generation and decryption subsystem running on a data user end and a retrieval subsystem running on a block chain network;
the cloud storage subsystem is used for storing the file ciphertext, returning the file ciphertext according to the corresponding file index and sending the file ciphertext to the data user;
the initialization and encryption subsystem comprises an initialization module, a private key storage module and an encryption module; the initialization module is used for generating system public parameters, private keys and user private keys, publishing the system public parameters to the block chain network, storing the two private keys to the private key storage module and sending the user private keys to the data user; the main private key storage module is used for storing a main private key and only allowing a data owner to access; the encryption module is responsible for encrypting the file and storing the file in the cloud storage subsystem, encrypting the index set and the access tree corresponding to each keyword by using a private key to obtain an index ciphertext, and sending the index ciphertext to the block chain network;
the retrieval trapdoor generation and decryption subsystem comprises a user trapdoor generation module and a data decryption module; the user trap door generation module is responsible for calculating by using a private key and a retrieval keyword of a user to obtain a legal retrieval trap door and sending the retrieval trap door to the block chain network; the data decryption module recovers a plaintext index from the encrypted index set obtained by retrieval by using a user private key, and the plaintext index is sent to the cloud server to obtain a corresponding file;
the retrieval subsystem comprises an encrypted data set storage module and a retrieval module; wherein the encrypted data set storage module takes the encryption index, access tree and associated key-value pair from the data owner and stores them in the blockchain network; the retrieval module is responsible for processing the retrieval trapdoor sent by the data user, judging whether the user has access authority or not according to the retrieval trapdoor and returning the encryption index set containing the retrieval key words to the user.
Yet another aspect of the present invention provides a computer readable storage medium storing a program which, when executed by a processor, implements the attribute-based searchable encryption method with forward and backward privacy on a blockchain.
Compared with the prior art, the invention has the following advantages and beneficial effects:
1. Forward privacy and backward privacy are guaranteed; the invention lets the retrieval system attach a specific state value to each update and to each retrieval trapdoor so as to control the time span a trapdoor can search, so that a previously generated retrieval trapdoor cannot retrieve data content updated later, which is forward privacy; each update, whether an addition or a deletion, is expressed through the operator op, so that an adversary without the user's private key cannot obtain useful information about the index, which achieves backward privacy.
2. Fine-grained access control; the invention supports the subdivision of the user attribute, controls the access of each keyword by using the access tree, and can search to obtain a corresponding result only if the user attribute meets the access tree.
3. Decentralized retrieval; the invention simultaneously supports the retrieval operation by using the intelligent contract deployed on the block chain, brings better system stability and retrieval credibility for the data user in the encrypted data search, reduces the possibility of single point failure, and can ensure the correctness of the retrieval result.
4. Practicality and security; the invention is constructed from prime-order groups, bilinear maps and a ciphertext-policy attribute-based searchable encryption scheme (CP-ABSE), has flexible expressiveness of access control and access policies, has stronger security, balances forward privacy, backward privacy and decentralization of data retrieval, and has better practicality.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings required to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the description below are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings without creative efforts.
FIG. 1 is an exemplary diagram of a fine grain access control tree used by the present invention;
FIG. 2 is a flowchart of a method for attribute-based searchable encryption scheme with forward and backward privacy on a blockchain according to the present invention;
fig. 3 is a block diagram of a searchable encryption scheme method and system with forward and backward privacy based on attributes on a blockchain according to the present invention.
Detailed Description
In order to make the technical solutions better understood by those skilled in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application. It should be apparent that the described embodiments are only a few embodiments of the present application, and not all embodiments. All other embodiments obtained by a person skilled in the art based on the embodiments in the present application without making any creative effort belong to the protection scope of the present application.
Reference in the specification to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the specification. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. It is explicitly and implicitly understood by one skilled in the art that the embodiments described herein can be combined with other embodiments.
Before describing the technical solution of the present invention, the mathematical basis and definition related to the present invention will be explained as follows.
(1) Bilinear pairwise mapping:
Let $G_1$ and $G_2$ be two cyclic multiplicative groups of the same order $q$, and let $e: G_1 \times G_1 \to G_2$ be a map from $G_1$ into $G_2$. The map $e$ is a bilinear pairing if it satisfies properties (1.1) to (1.3) below.
(1.1) Bilinearity: for all
Figure BDA0003803913620000091
and $x, y \in G_1$, $e(x^a, y^b) = e(x, y)^{ab}$; for all $x_1, x_2, y \in G_1$, $e(x_1 x_2, y) = e(x_1, y)\, e(x_2, y)$; for all $x, y_1, y_2 \in G_1$, $e(x, y_1 y_2) = e(x, y_1)\, e(x, y_2)$.
(1.2) Computability: for any $x, y \in G_1$ there is a polynomial-time algorithm that efficiently computes $e(x, y) \in G_2$.
(1.3) Non-degeneracy: if $g$ is a generator of $G_1$, then $e(g, g)$ is a generator of $G_2$.
(2) Access structure and access tree:
(2.1) Access structure: let $P = \{P_1, P_2, \dots, P_n\}$ represent a set of participants; a set
Figure BDA0003803913620000092
Figure BDA0003803913620000093
If and only if set
Figure BDA0003803913620000094
if $B \in A$ and
Figure BDA0003803913620000095
then $C \in A$. That is, $A$ is a subset of the power set of the participant set (a set of sets), $B$ and $C$ are subsets of the participant set, and $A$ is monotonic if, whenever $B$ is an element of $A$ and $B$ is a subset of $C$, then $C$ is also an element of $A$.
(2.2) Access tree: let $T$ denote a tree representing an access control policy. In $T$, each non-leaf node represents a threshold gate described by its children and a threshold, and each leaf node represents an attribute. Let $num_x$ and $k_x$ denote the number of children of node $x$ and its threshold. For a non-leaf node $x$ there are three cases: $k_x = 1$ means node $x$ is an OR gate; $k_x = num_x$ means node $x$ is an AND gate; $1 < k_x < num_x$ means node $x$ is a threshold gate. For a leaf node we define $k_x = 1$.
Several symbols for the access tree are defined as follows: $parent(x)$ denotes the parent node of $x$; for a leaf node $x$, $attr(x)$ denotes the attribute associated with the leaf; $index(x)$ denotes the label of $x$; given a node $y$ with $c$ child nodes, its children are numbered from 1 to $c$.
Deciding whether the access tree is satisfied: let $T_x$ be the subtree of $T$ rooted at node $x$. If an attribute set $S$ satisfies $T_x$, this is written $T_x(S) = 1$. $T_x(S)$ is computed recursively: if $x$ is a non-leaf node, compute $T_{x'}(S)$ for all children $x'$ of $x$, and $T_x(S)$ returns 1 if and only if at least $k_x$ children return 1; if $x$ is a leaf node, $T_x(S)$ returns 1 if and only if $attr(x) \in S$. Hence, by this recursion, the set $S$ satisfies $T$ if $T_r(S) = 1$, where $r$ is the root node of $T$.
The access tree structure is shown in FIG. 1. Starting from the root node, whose threshold is 2 and which has 3 children, a polynomial is generated at random whose degree is one less than the threshold, so the root polynomial has degree 1; its constant term is set to the secret number (the number that must be kept secret). Thus the root polynomial is $f(x) = 5 + 3x$ and the secret number is 5. The children of the root are labelled 1, 2, 3, … from left to right, each label is substituted into $f(x)$, and the resulting value is passed to the child with that label for secret storage. Therefore node "3/3" (the leftmost node) has label 1 and receives the secret value $f(1) = 5 + 3 \cdot 1 = 8$; node "teacher" (the middle node) has label 2 and receives $f(2) = 5 + 3 \cdot 2 = 11$; node "1/2" (the rightmost node) has label 3 and receives $f(3) = 5 + 3 \cdot 3 = 14$.
To decrypt source data encrypted under this access tree, a data visitor must satisfy one of three attribute combinations: ("computer academy" and "Master" and "two studies") and "teacher"; "teacher" and ("web lab" or "cloud lab"); ("computer academy" and "Master" and "Tuesday") and ("network lab" or "cloud lab"); otherwise the data is inaccessible.
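The threshold-gate semantics of (2.2), the polynomial share distribution of the FIG. 1 example and the Lagrange reconstruction used later in step S42, as an added Python illustration that is not part of the patent: it works over a constructed prime field instead of the pairing groups, so the node values $F_x$ are plain field elements rather than $e(\cdot,\cdot)$ terms, and the Lagrange coefficient is the standard CP-ABE form $\Delta_{i,S}(x) = \prod_{j \in S, j \ne i} (x - j)/(i - j)$, assumed for the definition of S14 whose formula is not reproduced on this page. The attribute strings are taken from the page's description of FIG. 1.

```python
import random
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed modulus for the example; the page's q is the (much larger) prime group order.
Q = 2**61 - 1


@dataclass
class Node:
    """One node of the access tree T: threshold k_x, attr(x) for leaves, children in label order."""
    k: int
    attr: Optional[str] = None
    children: List["Node"] = field(default_factory=list)
    share: int = 0  # q_x(0): the node's secret once share_secret has run


def leaf(attr: str) -> Node:
    return Node(k=1, attr=attr)


def gate(k: int, *children: Node) -> Node:
    return Node(k=k, children=list(children))


def satisfied(x: Node, attrs: Set[str]) -> bool:
    """T_x(S) from section (2.2): a leaf needs attr(x) in S, a gate needs k_x satisfied children."""
    if x.attr is not None:
        return x.attr in attrs
    return sum(satisfied(c, attrs) for c in x.children) >= x.k


def poly_eval(coeffs: List[int], at: int) -> int:
    """Evaluate c_0 + c_1 x + ... + c_d x^d over Z_Q."""
    return sum(c * pow(at, i, Q) for i, c in enumerate(coeffs)) % Q


def share_secret(x: Node, secret: int, rng: random.Random) -> None:
    """Steps S24/S25 in the clear: q_x is a random degree k_x-1 polynomial with q_x(0) = secret,
    and the child with label index(z) receives q_x(index(z)) as its own secret."""
    x.share = secret % Q
    if x.attr is not None:
        return
    coeffs = [x.share] + [rng.randrange(1, Q) for _ in range(x.k - 1)]
    for index, child in enumerate(x.children, start=1):
        share_secret(child, poly_eval(coeffs, index), rng)


def lagrange_coeff(i: int, S: List[int], at: int = 0) -> int:
    """Delta_{i,S}(at) = prod_{j in S, j != i} (at - j) / (i - j) mod Q (assumed form of S14)."""
    num, den = 1, 1
    for j in S:
        if j != i:
            num = num * (at - j) % Q
            den = den * (i - j) % Q
    return num * pow(den, -1, Q) % Q


def reconstruct(points: List[Tuple[int, int]]) -> int:
    """Recover q(0) from k points (index, q(index)) by Lagrange interpolation at 0."""
    S = [i for i, _ in points]
    return sum(v * lagrange_coeff(i, S) for i, v in points) % Q


def recover(x: Node, attrs: Set[str]) -> Optional[int]:
    """F_x of step S42 without the pairing: q_x(0) if attrs satisfy T_x, else None (the page's bottom)."""
    if x.attr is not None:
        return x.share if x.attr in attrs else None
    found: List[Tuple[int, int]] = []  # (index(z), F_z) for children that reconstructed
    for index, child in enumerate(x.children, start=1):
        v = recover(child, attrs)
        if v is not None:
            found.append((index, v))
        if len(found) == x.k:  # S_x: any k_x children with F_z defined suffice
            break
    return reconstruct(found) if len(found) == x.k else None


def fig1_tree() -> Node:
    """The FIG. 1 policy as the page describes it: root 2-of-3 over a 3/3 gate, 'teacher', and a 1/2 gate."""
    return gate(2,
                gate(3, leaf("computer academy"), leaf("Master"), leaf("two studies")),
                leaf("teacher"),
                gate(1, leaf("web lab"), leaf("cloud lab")))


def demo(attrs: Set[str], secret: int = 5, seed: int = 1) -> Tuple[bool, Optional[int]]:
    """Share `secret` over the FIG. 1 tree and try to recover it with the given attribute set."""
    t = fig1_tree()
    share_secret(t, secret, random.Random(seed))
    return satisfied(t, attrs), recover(t, attrs)


if __name__ == "__main__":
    print(demo({"teacher", "cloud lab"}))                   # (True, 5)
    print(demo({"computer academy", "Master", "web lab"}))  # (False, None): only 1 of 3 root children
    print(reconstruct([(1, 8), (3, 14)]))                   # 5, from the page's shares of f(x) = 5 + 3x
```

Any two of the root's three shares (8, 11, 14) recover the secret 5, and an attribute set that satisfies only one child of the root yields no value at all, which is exactly the decision the blockchain network makes in S42 before it looks up $EDB[H_2(C)]$.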
(2.3) Pseudo-random permutation function: a function that cannot be distinguished from a random permutation. A mapping $F: \{0,1\}^L \times \{0,1\}^\lambda \to \{0,1\}^L$ is a pseudo-random permutation if it satisfies the following properties: for any $K \leftarrow \{0,1\}^\lambda$, $F_K$ is a bijection from $\{0,1\}^L$ to $\{0,1\}^L$; for any probabilistic polynomial-time adversary
Figure BDA0003803913620000101
Figure BDA0003803913620000102
Figure BDA0003803913620000103
where $K \leftarrow \{0,1\}^\lambda$, $f$ is a random permutation on $L$-bit strings, and $\varepsilon$ is negligible; for any $K \leftarrow \{0,1\}^\lambda$ and $x \leftarrow \{0,1\}^L$ there is an efficient algorithm to compute $F_K(x)$.
As shown in FIG. 2, the execution flow of the searchable encryption method with forward and backward privacy based on attributes on the blockchain of this embodiment is as follows. First, the data owner DO initializes the system public parameter SPP and publishes it on the blockchain network or broadcasts it to all users of the system; every user in the system has the right to access SPP. DO then generates the private keys $dk_1$ and $dk_2$ from SPP, uses the public parameter SPP, the private key $dk_2$ and the user's attribute set $S_u$ to generate a user private key $K_u$, and finally sends $K_u$ to the user DU over a secure channel. When uploading files, the data owner first uploads the encrypted files to the cloud storage server; after obtaining the file index returned by the server, the data owner uses the private key $dk_1$, the data set $DB = \{OP, ind, W, T\}$, the system public parameter SPP and a mapping $\Sigma$ to generate the index ciphertext set EDB and an updated mapping $\Sigma$ for the documents, and deploys EDB on the blockchain. When a data user DU performs a search, the user encrypts the keyword $q$ with its private key $K_u$ to obtain a retrieval trapdoor Tra and sends Tra to the blockchain network.
After the blockchain network BP receives the retrieval trapdoor Tra sent by the data user DU, BP first obtains the corresponding access tree $T$ from $EDB[T_{ind}]$; it then uses $T_q$ from the trapdoor and the user's attribute set to perform a series of computations on the access tree to obtain $C$, and from $EDB[H_2(C)]$ it can decide whether the user has the corresponding access permission. Once the permission check passes, the corresponding state value is obtained from $EDB[H_2(C)]$; starting from that state, BP traces backwards, adding the encrypted index produced by each earlier update related to the keyword $q$ to the result set MEI, and finally returns MEI to the data user. After receiving MEI, the data user recovers the corresponding plaintext indices with its private key $K_u$ and fetches the corresponding files from the cloud storage server.
Further, the steps of the searchable encryption method with forward and backward privacy based on attributes in this embodiment are specifically:
S1, system initialization: the data owner DO generates and publishes the system parameter SPP according to the security parameter $\lambda$, then generates the private keys $dk_1$ and $dk_2$ from SPP, then uses the public parameter SPP, the private key $dk_2$ and the data user's attribute set $S_u$ to generate the user's private key $K_u$, and sends it to the user DU over a secure channel.
It will be appreciated that the data owner DO may be, for example, a medical institution holding a large amount of data; it is responsible for generating the system parameter SPP, the private key $dk_1$ used for file index encryption, and the private key $dk_2$ used for generating user private keys. The system public parameter SPP is a set of parameters, while $dk_1$ and $dk_2$ are each one-dimensional arrays of size 2.
After the data owner DO generates the system parameter SPP, the private key $dk_1$ and the private key $dk_2$, SPP is published on the blockchain network or broadcast to all users in the system, and all users in the system have permission to access SPP; $dk_1$ and $dk_2$ are kept securely by the data owner DO, and only the data owner DO has the right to access them.
Further, the step S1 specifically includes the following steps:
S11, the data owner DO runs the group generator
Figure BDA0003803913620000111
Execute
Figure BDA0003803913620000112
to generate $(G_1, G_2, e, g, q)$, where $q$ is a prime, $G_1$ and $G_2$ are multiplicative groups of order $q$, $g$ is a generator of $G_1$, and $e: G_1 \times G_1 \to G_2$ is a bilinear map.
S12, the data owner DO randomly selects nine secure hash functions $H_0: \{0,1\}^* \to Z_q^*$, $H_1: G_1 \times \{0,1\}^* \to \{0,1\}^{\lambda+1}$, $H_2, H_3: G_2 \to \{0,1\}^{}$, $H_4: \{0,1\}^* \to G_1$, $h_1: \{0,1\}^\lambda \to \{0,1\}^{}$, $h_2$:
Figure BDA0003803913620000113
Figure BDA0003803913620000114
h 3
Figure BDA0003803913620000115
h 4
Figure BDA0003803913620000116
where $N_{max}$ is the maximum number of indices containing a keyword. A pseudo-random permutation $F$ together with its inverse $F^{-1}$ is selected, with $F: \{0,1\}^\lambda \times \{0,1\}^\lambda \to \{0,1\}^\lambda$. The secure hash functions above, the pseudo-random permutation pair and the parameters from step S11 are combined into the system public parameter $SPP = (G_1, G_2, e, g, q, H_0, H_1, H_2, H_3, H_4, h_1, h_2, h_3, h_4, F, F^{-1})$, which is published on the blockchain network or broadcast to all users in the system.
S13, the data owner DO initializes an empty mapping $\Sigma$, i.e. $\Sigma[key] = value$, which DO maintains to store the state of each keyword.
S14, the data owner DO defines the Lagrange coefficient:
Figure BDA0003803913620000121
where $S$ is a set and $i, j \in Z_q^*$.
S15, the data owner randomly selects $\alpha, \beta \in Z_q^*$, computes $g^\alpha$, $g^\beta$ and $e(g, g)^\alpha$, and obtains $dk_1 = (e(g, g)^\alpha, g^\beta)$, $dk_2 = (\beta, g^\alpha)$.
S16, the data owner randomly selects $r \in Z_q^*$ and computes
Figure BDA0003803913620000123
and $k_3 = g^r$. For each attribute $a_i$ in the user's attribute set $S_u$ the following is computed: randomly select
Figure BDA0003803913620000124
Then calculate
Figure BDA0003803913620000125
And
Figure BDA0003803913620000126
The user's final private key is
Figure BDA0003803913620000127
and it is sent to the user DU over a secure channel.
S2, encryption: the data owner uses its private key $dk_1$, the data set $DB = \{OP, ind, W, T\}$, the system public parameter SPP and a mapping $\Sigma$ to generate the index ciphertext set EDB and an updated mapping $\Sigma$ for the documents, and deploys EDB on the blockchain. Here $OP = \{\text{addition}, \text{deletion}\}$, $ind = \{ind_1, ind_2, \dots\}$, $W = \{w_1, w_2, \dots, w_D\}$,
Figure BDA0003803913620000128
The index ciphertext set EDB is the data obtained by the data owner encrypting the keywords. During the search phase, the access tree index $T_{ind}$ submitted by the user is used to find the corresponding access tree
Figure BDA0003803913620000129
Figure BDA00038039136200001210
is the access tree for the keyword $w_i$; the server computes a result from the access tree and the retrieval token sent by the user, and uses that result to decide whether a corresponding encrypted index exists, so that the retrieval can continue.
Further, the specific content of step S2 is:
S21, the data owner DO randomly selects a version number $v \in Z_q^*$, and computes and publishes the version information $EV = g^v$.
S22, for each keyword $w_i$ in the data set DB the data owner performs the following computation: use the mapping $\Sigma$ to decide whether the keyword already exists; if it does not, the keyword's state value
Figure BDA00038039136200001211
Initialization is performed, and then a key is calculated using the state value
Figure BDA00038039136200001212
Then
Figure BDA00038039136200001213
Is stored in the corresponding value
Figure BDA00038039136200001214
In which
Figure BDA00038039136200001215
is the size of $DB(w_i)$, and $DB(w_i)$ is the set of file indices corresponding to $w_i$.
S23, for each index in $DB(w_i)$
Figure BDA00038039136200001216
The following calculation is performed, first encrypting the index, the formula is as follows:
Figure BDA0003803913620000131
then, another key is calculated by using the state value
Figure BDA0003803913620000132
Storing encryption indexes at corresponding values
Figure BDA0003803913620000133
Here
Figure BDA0003803913620000134
Figure BDA0003803913620000135
S24, the data owner then randomly selects a secret number $s \in Z_q^*$ and computes
Figure BDA0003803913620000136
$s$ is used as the secret value of the root of the attribute access tree. Let $t$ be
Figure BDA0003803913620000137
the root node of; for each node $x$ of
Figure BDA0003803913620000138
compute as follows: if $x$ is $t$, randomly select a polynomial $q_t$ of degree $d_t = k_t - 1$ with $q_t(0) = s$, choosing the remaining $d_t$ coefficients of $q_t$ at random to complete its definition; otherwise, randomly select a polynomial $q_x$ of degree $d_x = k_x - 1$ with $q_x(0) = q_{parent(x)}(index(x))$.
S25, let $X$ be the set of all leaf nodes; for each leaf node $x$ compute
Figure BDA0003803913620000139
Figure BDA00038039136200001310
finally, the corresponding access tree is obtained
Figure BDA00038039136200001311
S26, finally compute the value that is matched against the user's trapdoor
Figure BDA00038039136200001312
and the index $T_{ind}$ of the access tree
Figure BDA00038039136200001313
Figure BDA00038039136200001314
and compute, using its hash value as the key,
Figure BDA00038039136200001315
with the XOR of its further hash value and the state value as the value
Figure BDA00038039136200001316
where
Figure BDA00038039136200001317
Figure BDA00038039136200001318
S27, the data owner inserts the key-value pairs
Figure BDA00038039136200001319
Figure BDA00038039136200001320
Figure BDA00038039136200001321
Inserted into the smart contract.
S3, retrieval trapdoor generation: when the data user DU performs a search, it encrypts the keyword $q$ with its private key $K_u$ to obtain a retrieval trapdoor Tra and sends Tra to the blockchain network.
Further, the step S3 specifically includes:
S31, the data user's private key is
Figure BDA00038039136200001322
$k_2$ and $q$ are used to compute the value $temp$:
Figure BDA0003803913620000141
S32, then $k_1$ and $temp$ are used to compute $T_q$:
Figure BDA0003803913620000142
S33, finally, the version number EV is used to compute the access tree index $T_{ind}$ carrying version information:
Figure BDA0003803913620000143
S34, the data user DU combines these variables into the retrieval trapdoor:
$Tra = \langle T_{ind}, T_q, S_u \rangle$
where
Figure BDA0003803913620000144
Figure BDA0003803913620000145
Figure BDA0003803913620000146
S35, the data user DU sends the retrieval trapdoor Tra to the blockchain network.
S4, ciphertext search: after the blockchain network BP receives the retrieval trapdoor Tra sent by the data user DU, BP first obtains the corresponding access tree $T$ from $EDB[T_{ind}]$; it then uses $T_q$ from the trapdoor and the user's attribute set to perform a series of computations on the access tree to obtain $C$, and from $EDB[H_2(C)]$ it can decide whether the user has the corresponding access permission. Once the permission check passes, the corresponding state value is obtained from $EDB[H_2(C)]$; starting from that state, BP traces backwards, adding the encrypted index produced by each earlier update related to the keyword $q$ to the result set MEI, and finally returns MEI to the data user.
Further, the specific content of step S4 is:
S41, the blockchain network obtains the access tree index $T_{ind}$ from the trapdoor and thus the access tree $T = EDB[T_{ind}]$.
S42, let $x$ denote a node of $T$; for each leaf node $x$ in $T$ compute as follows: let $a$ denote the attribute of the leaf node $x$, i.e. $a = attr(x)$; if $a \in S_u$, compute $F_x$
Figure BDA0003803913620000147
otherwise $F_x = \bot$. For each non-leaf node $x$ in $T$ compute as follows: let $S_x$ be a set of $k_x$ child nodes $z$ of $x$ with $F_z \ne \bot$; if no such $S_x$ exists, $F_x = \bot$; otherwise compute $F_x$ by Lagrange interpolation:
Figure BDA0003803913620000148
Figure BDA0003803913620000151
where
$i = index(z)$,
Figure BDA0003803913620000152
Figure BDA0003803913620000153
is the Lagrange coefficient.
Let $t$ denote the root node of $T$: if $F_t = \bot$, return 0; otherwise compute $C$,
Figure BDA0003803913620000154
where
Figure BDA0003803913620000155
S43, then compute the key from $C$
Figure BDA0003803913620000156
If
Figure BDA0003803913620000157
does not exist, the user has no corresponding access permission; otherwise obtain the corresponding value
Figure BDA0003803913620000158
Figure BDA0003803913620000159
and, according to
Figure BDA00038039136200001510
compute the state value
Figure BDA00038039136200001511
Figure BDA00038039136200001512
S44, enter a loop: from the state value
Figure BDA00038039136200001513
obtain the key
Figure BDA00038039136200001514
Figure BDA00038039136200001515
If
Figure BDA00038039136200001516
exists, obtain the corresponding value
Figure BDA00038039136200001517
otherwise end the loop and return the result set MEI
Figure BDA00038039136200001518
By using
Figure BDA00038039136200001519
obtain the length of the index set containing the current keyword in this state
Figure BDA00038039136200001520
Figure BDA00038039136200001521
Let $j$ run from 1 to
Figure BDA00038039136200001522
First use the state value
Figure BDA00038039136200001523
and $j$ to obtain the key
Figure BDA00038039136200001524
Figure BDA00038039136200001525
and thus the value
Figure BDA00038039136200001526
Figure BDA0003803913620000161
then compute the encrypted index
Figure BDA0003803913620000162
and add it to the result set MEI,
Figure BDA0003803913620000163
Finally, when
Figure BDA0003803913620000164
backtrack to the previous state value
Figure BDA0003803913620000165
Figure BDA0003803913620000166
and assign it to
Figure BDA0003803913620000167
and the loop continues.
S5, decryption: after the data user receives the result set MEI, it uses its private key $K_u$ to recover the corresponding plaintext content.
Further, the specific content of step S5 is:
S51, for each element of MEI the data user
Figure BDA0003803913620000168
performs the following computation: first compute $temp$,
Figure BDA0003803913620000169
then decrypt to obtain the file index
Figure BDA00038039136200001610
Figure BDA00038039136200001611
S52, the file is fetched from the cloud storage server using the file index, giving the corresponding document.
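The state-chain bookkeeping of steps S22 to S27, the backward walk of steps S43 and S44, and the final decryption of step S51, as an added Python model that is not the patent's own construction. The exact hash functions, the pairing-derived value $C$ and the index encryption are not reproduced on this page, so SHA-256 and SHAKE-256 derived keys and pads stand in for $h_1$ to $h_4$ and $H_2$, $H_3$, a keyed hash of the keyword stands in for $C$, and a nonce plus keystream under a pre-shared key stands in for the pairing-based index encryption; only the addition operation is modelled, the "previous state" is stored masked inside each state record, and all keyword, file and key values are constructed sample data. It shows why the owner keeps only the newest state in $\Sigma[w]$, why the blockchain side can reach every earlier update from that newest state but not the reverse, and that the network only ever handles encrypted indices.

```python
import hashlib
import secrets
from typing import Dict, List, Optional

LAM = 32  # byte length of states and keys (stands in for the page's lambda-bit strings)
EDB = Dict[bytes, bytes]


def H(tag: bytes, *parts: bytes) -> bytes:
    """Fixed-length domain-separated hash; stands in for H_2, H_3, h_1 (assumed, not the page's)."""
    return hashlib.sha256(b"|".join((tag,) + parts)).digest()


def mask(tag: bytes, *parts: bytes, n: int) -> bytes:
    """Variable-length keystream from SHAKE-256; stands in for h_2..h_4 used as one-time pads."""
    return hashlib.shake_256(b"|".join((tag,) + parts)).digest(n)


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def enc_index(idx_key: bytes, ind: bytes) -> bytes:
    """Index encryption of S23; the page derives its pad from the pairing and K_u, here nonce + keystream."""
    nonce = secrets.token_bytes(16)
    return nonce + xor(ind, mask(b"idx", idx_key, nonce, n=len(ind)))


def dec_index(idx_key: bytes, e: bytes) -> bytes:
    """S51: strip the nonce and remove the pad to get the plaintext file index."""
    nonce, body = e[:16], e[16:]
    return xor(body, mask(b"idx", idx_key, nonce, n=len(body)))


def trapdoor(kw_key: bytes, q: bytes) -> bytes:
    """Stand-in for the value C that S42 derives from T_q and the access tree: a keyed hash of q."""
    return H(b"C", kw_key, q)


class Owner:
    def __init__(self) -> None:
        self.kw_key = secrets.token_bytes(LAM)   # authorizes trapdoor generation (part of K_u in the scheme)
        self.idx_key = secrets.token_bytes(LAM)  # lets the user decrypt MEI (the other part of K_u)
        self.sigma: Dict[bytes, bytes] = {}      # Sigma[w] = newest state of keyword w (S13)

    def update(self, edb: EDB, w: bytes, inds: List[bytes]) -> None:
        """Add the file indices `inds` for keyword `w` as one new state (S22 to S27, addition only)."""
        st_prev = self.sigma.get(w, bytes(LAM))  # an all-zero state marks the start of the chain
        st = secrets.token_bytes(LAM)            # fresh state for this update
        # S22: under a key derived from st, store N and the previous state, masked by another hash of st
        rec = len(inds).to_bytes(4, "big") + st_prev
        edb[H(b"k1", st)] = xor(rec, mask(b"k2", st, n=len(rec)))
        # S23: each encrypted index sits under a key derived from (st, j), masked by a hash of (st, j)
        for j, ind in enumerate(inds, start=1):
            jb = j.to_bytes(4, "big")
            e = enc_index(self.idx_key, ind)
            edb[H(b"k3", st, jb)] = xor(e, mask(b"k4", st, jb, n=len(e)))
        # S26/S27: the newest state is reachable only through a matching trapdoor value C
        C = trapdoor(self.kw_key, w)
        edb[H(b"H2", C)] = xor(st, H(b"H3", C))
        self.sigma[w] = st


def search(edb: EDB, C: bytes) -> Optional[List[bytes]]:
    """S43 and S44 on the blockchain side: None if nothing matches C, else MEI (still encrypted)."""
    val = edb.get(H(b"H2", C))
    if val is None:
        return None                          # S43: no permission / unknown keyword
    st = xor(val, H(b"H3", C))               # newest state
    mei: List[bytes] = []
    while True:                              # S44: walk the chain backwards
        rec = edb.get(H(b"k1", st))
        if rec is None:
            return mei                       # start of the chain reached
        rec = xor(rec, mask(b"k2", st, n=len(rec)))
        n, st_prev = int.from_bytes(rec[:4], "big"), rec[4:]
        for j in range(1, n + 1):
            jb = j.to_bytes(4, "big")
            v = edb[H(b"k3", st, jb)]
            mei.append(xor(v, mask(b"k4", st, jb, n=len(v))))
        st = st_prev                         # backtrack to the previous state value


def demo() -> tuple:
    owner, edb = Owner(), {}
    owner.update(edb, b"diabetes", [b"file-001", b"file-002"])  # constructed sample data
    owner.update(edb, b"diabetes", [b"file-007"])               # second update creates a new state
    owner.update(edb, b"asthma", [b"file-003"])
    mei = search(edb, trapdoor(owner.kw_key, b"diabetes"))
    found = sorted(dec_index(owner.idx_key, e) for e in mei)
    unknown = search(edb, trapdoor(owner.kw_key, b"cancer"))            # keyword never inserted
    stranger = search(edb, trapdoor(secrets.token_bytes(LAM), b"diabetes"))  # wrong key, no match
    return found, unknown, stranger


if __name__ == "__main__":
    print(demo())  # ([b'file-001', b'file-002', b'file-007'], None, None)
```

The search starting from the newest state returns the indices of both updates for "diabetes", while a trapdoor built with the wrong key or for an unknown keyword finds no entry and is rejected at the S43 check before any state is revealed; the user then applies S51 locally with its own key, so the network never sees a plaintext file index.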
It should be noted that, for the sake of simplicity, the foregoing method embodiments are described as a series of acts or combinations, but those skilled in the art should understand that the present invention is not limited by the described order of acts, as some steps may be performed in other orders or simultaneously according to the present invention.
As shown in fig. 3, in another embodiment of the present application, there is also provided a searchable encryption system with forward and backward privacy based on attributes on a blockchain, including a cloud storage subsystem running on a cloud server, an initialization and encryption subsystem running on a data owner side, a retrieval trapdoor generation and decryption subsystem running on a data user side, and a retrieval subsystem running on a blockchain network;
the cloud storage subsystem is used for storing the file ciphertext, returning the file ciphertext according to the corresponding file index and sending the file ciphertext to the data user;
the initialization and encryption subsystem comprises an initialization module, a private key storage module and an encryption module; the initialization module generates the system public parameters, the private keys and the user private keys, publishes the system public parameters to the blockchain network, stores the two private keys in the private key storage module and sends the user private keys to the data users; the private key storage module stores the master private keys and allows only the data owner to access them; the encryption module encrypts the files and stores them in the cloud storage subsystem, encrypts the index set and the access tree corresponding to each keyword with the private key to obtain the index ciphertext, and sends the index ciphertext to the blockchain network;
the retrieval trapdoor generation and decryption subsystem comprises a user trapdoor generation module and a data decryption module; the user trap door generation module is responsible for calculating by using a private key and a retrieval keyword of a user to obtain a legal retrieval trap door and sending the retrieval trap door to the block chain network; the data decryption module recovers a plaintext index from the encrypted index set obtained by retrieval by using a user private key, and the plaintext index is sent to the cloud server to obtain a corresponding file;
the retrieval subsystem comprises an encrypted data set storage module and a retrieval module; wherein the encrypted data set storage module takes the encryption index, access tree and associated key-value pair from the data owner and stores them in the blockchain network; the retrieval module is responsible for processing a retrieval trapdoor sent by a data user, judging whether the user has access authority or not according to the retrieval trapdoor, and returning an encryption index set containing retrieval keywords to the user.
For ease of illustration, the schematic structural diagram of the embodiment of the searchable encryption system with forward and backward privacy based on attributes on a blockchain only shows the parts related to the embodiment of the present invention, and those skilled in the art will appreciate that the illustrated structure does not constitute a limitation on the apparatus, and may include more or less components than those illustrated, or combine some components, or arrange different components.
In addition, in the implementation of the searchable encryption system with forward and backward privacy based on attributes on the blockchain in the above embodiment, the logical division into program modules is only an example; in practical applications the above functions may be allocated to different program modules as needed, for example because of the configuration requirements of the corresponding hardware or for convenience of software implementation, that is, the internal structure of the system is divided into different program modules to perform all or part of the functions described above.
In another embodiment, a computer-readable storage medium is provided, which stores a program, and when the program is executed by a processor, the program implements a searchable encryption method with forward and backward privacy based on attributes on a blockchain, specifically:
S1, the data owner DO generates the system parameter SPP according to the security parameter $\lambda$ and publishes it, then generates the private keys $dk_1$ and $dk_2$ from SPP, and uses the public parameter SPP, the private key $dk_2$ and the data user's attribute set $S_u$ to generate the user's private key $K_u$, which is sent to the user DU over a secure channel;
S2, the data owner DO uses the private key $dk_1$, the data set $DB = \{OP, ind, W, T\}$, the public parameter SPP and a mapping $\Sigma$ to generate the index ciphertext set EDB and an updated mapping $\Sigma$ for the documents and deploys EDB on the blockchain, where $OP$ denotes the data operation mode, i.e. addition or deletion, $ind$ denotes the file index set, $W$ denotes the keyword set, and $T$ denotes the set of access trees of the keywords;
S3, when the data user DU performs a retrieval operation, it encrypts the keyword $q$ with its private key $K_u$ to obtain a retrieval trapdoor Tra and sends Tra to the blockchain network;
S4, after the blockchain network BP receives the retrieval trapdoor Tra sent by the data user DU, BP first obtains the corresponding access tree $T$ from $EDB[T_{ind}]$; then it uses $T_q$ from the trapdoor and the user's attribute set to compute $C$ over the access tree and decides from $EDB[H_2(C)]$ whether the user has the corresponding access permission; after the permission check passes, it obtains the corresponding state value from $EDB[H_2(C)]$, traces backwards from that state, adds the encrypted index related to the keyword $q$ from each earlier update to the result set MEI, and finally returns MEI to the data user;
S5, after the data user receives the result set MEI, it recovers the corresponding plaintext content with its private key $K_u$.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above may be implemented by a computer program, which may be stored in a non-volatile computer readable storage medium, and when executed, may include the processes of the embodiments of the methods described above. Any reference to memory, storage, database or other medium used in the embodiments provided herein can include non-volatile and/or volatile memory. Non-volatile memory can include read-only memory (ROM), programmable ROM (PROM), electrically Programmable ROM (EPROM), electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory can include Random Access Memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as Static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double Data Rate SDRAM (DDRSDRAM), enhanced SDRAM (ESDRAM), synchronous Link DRAM (SLDRAM), rambus (Rambus) direct RAM (RDRAM), direct memory bus dynamic RAM (DRDRAM), and memory bus dynamic RAM (RDRAM).
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above embodiments are preferred embodiments of the present invention, but the present invention is not limited to the above embodiments, and any other changes, modifications, substitutions, combinations, and simplifications which do not depart from the spirit and principle of the present invention should be construed as equivalents thereof, and all such changes, modifications, substitutions, combinations, and simplifications are intended to be included in the scope of the present invention.

Claims (10)

1. A searchable encryption method on a blockchain based on attributes with forward and backward privacy, comprising the steps of:
S1, the data owner DO generates the system parameter SPP according to the security parameter $\lambda$ and publishes it, then generates the private keys $dk_1$ and $dk_2$ from SPP, and uses the public parameter SPP, the private key $dk_2$ and the data user's attribute set $S_u$ to generate the user's private key $K_u$, which is sent to the user DU over a secure channel;
S2, the data owner DO uses the private key $dk_1$, the data set $DB = \{OP, ind, W, T\}$, the public parameter SPP and a mapping $\Sigma$ to generate the index ciphertext set EDB and an updated mapping $\Sigma$ for the documents and deploys EDB on the blockchain, where $OP$ denotes the data operation mode, i.e. addition or deletion, $ind$ denotes the file index set, $W$ denotes the keyword set, and $T$ denotes the set of access trees of the keywords;
S3, when the data user DU performs a retrieval operation, it encrypts the keyword $q$ with its private key $K_u$ to obtain a retrieval trapdoor Tra and sends Tra to the blockchain network;
S4, after the blockchain network BP receives the retrieval trapdoor Tra sent by the data user DU, BP first obtains the corresponding access tree $T$ from $EDB[T_{ind}]$; then it uses $T_q$ from the trapdoor and the user's attribute set to compute $C$ over the access tree and decides from $EDB[H_2(C)]$ whether the user has the corresponding access permission; after the permission check passes, it obtains the corresponding state value from $EDB[H_2(C)]$, traces backwards from that state, adds the encrypted index related to the keyword $q$ from each earlier update to the result set MEI, and finally returns MEI to the data user;
S5, after the data user receives the result set MEI, it recovers the corresponding plaintext content with its private key $K_u$.
2. The method of claim 1, wherein after the data owner DO generates the system parameter SPP, the private key $dk_1$ and the private key $dk_2$ in step S1, SPP is published on the blockchain network or broadcast to all users, and all users have permission to access SPP; the private keys $dk_1$ and $dk_2$ are stored by the data owner DO, and only the data owner DO has the right to access them.
3. The searchable encryption method based on attributes on a blockchain and having forward and backward privacy according to claim 1, wherein step S1 is specifically:
S11, the data owner DO runs the group generator
Figure FDA0003803913610000011
Execute
Figure FDA0003803913610000012
to generate $(G_1, G_2, e, g, q)$, where $q$ is a prime, $G_1$ and $G_2$ are multiplicative groups of order $q$, $g$ is a generator of $G_1$, and $e: G_1 \times G_1 \to G_2$ is a bilinear map;
S12, the data owner DO randomly selects several secure hash functions and a pseudo-random permutation $F$ with inverse $F^{-1}$, where $F: \{0,1\}^\lambda \times \{0,1\}^\lambda \to \{0,1\}^\lambda$; the secure hash functions, the pseudo-random permutation and the parameters from step S11 are combined into the public parameter $SPP = (G_1, G_2, e, g, q, H_0, H_1, H_2, H_3, H_4, h_1, h_2, h_3, h_4, F, F^{-1})$, and SPP is published on the blockchain network or broadcast to all users in the system, where $H_0, H_1, H_2, H_3, H_4, h_1, h_2, h_3, h_4$ all denote secure hash functions;
S13, the data owner DO initializes an empty mapping $\Sigma$, i.e. $\Sigma[key] = value$, which DO maintains to store the state of each keyword;
S14, the data owner DO defines the Lagrange coefficient:
Figure FDA0003803913610000021
wherein S represents a set, i, j ∈ Z q *
S15, randomly selecting alpha, beta E to Z by a data owner q * Calculate g α ,g β And e (g, g) α To obtain dk 1 =(e(g,g) α ,g β ),dk 2 =(β,g α );
S16, the data owner randomly selects r E Z q * Calculating
Figure FDA0003803913610000022
And k 3 =g r For a user' S attribute set S u Each attribute a in (1) i The following calculations were all made: random selection
Figure FDA00038039136100000220
Then calculate
Figure FDA0003803913610000023
And
Figure FDA0003803913610000024
end user's private key
Figure FDA0003803913610000025
And sends it to the user DU over a secure channel.
4. The method of claim 1, wherein the EDB index set refers to the data obtained by the data owner encrypting the keywords in step S2; the index T_ind is the access tree index submitted by the user in the search phase and is used to find the corresponding access tree [formula image]; [formula image] is, for keyword w_i, the result the server computes from the access tree and the retrieval token sent by the user, and is used to decide whether a corresponding encrypted index exists, so that the retrieval can continue.
5. The searchable encryption method based on attributes on blockchains and having forward and backward privacy according to claim 1, wherein step S2 is specifically:
S21, the data owner DO randomly selects a version number v ∈ Z_q^* and computes and publishes the version information EV = g^v;
S22, for each keyword w_i in the data set DB, the data owner performs the following computation: it uses the map Σ to check whether the keyword already exists; if not, it initializes the state value [formula image]; it then computes a key [formula image] from the state value and stores [formula image] in the corresponding value [formula image], where [formula image] is the size of DB(w_i) and DB(w_i) is the set of file indexes corresponding to w_i;
S23, for each index [formula image] in DB(w_i) the following computation is performed: the index is first encrypted according to the formula [formula image]; then another key [formula image] is computed from the state value, and the encrypted index is stored at the corresponding value [formula image], where [formula image] [formula image];
S24, the data owner then randomly selects a secret number s ∈ Z_q^* and computes [formula image]; s is used as the secret value of the root of the attribute access tree; let t be the root node of [formula image]; for each node x of [formula image] the following is computed: if x is t, randomly select a polynomial q_t of degree d_t = k_t − 1 with q_t(0) = s, and randomly set the d_t remaining points of q_t to complete its definition; otherwise, randomly select a polynomial q_x of degree d_x = k_x − 1 with q_x(0) = q_parent(x)(index(x));
S25, let X be the set of all leaf nodes; for each leaf node x compute [formula image] [formula image]; finally the corresponding access tree [formula image] is obtained;
S26, finally compute the value [formula image] that is matched against the user's trapdoor and the index T_ind of the access tree [formula image] [formula image]; compute its hash value as the key [formula image], and take the exclusive-or of a further hash value of it with the state value as the value [formula image], where [formula image] [formula image];
S27, the data owner inserts the key-value pairs [formula image] [formula image] [formula image] into the smart contract.
6. The searchable encryption method with forward and backward privacy based on attributes on a blockchain according to claim 1, wherein step S3 is specifically:
S31, the data user's private key is [formula image]; temp is computed from k_2 and q: [formula image];
S32, T_q is then computed from k_1 and temp: [formula image];
S33, finally, the access tree index T_ind carrying version information is computed using the version number EV: [formula image];
S34, the data user DU combines these variables into the retrieval trapdoor:
Tra = <T_ind, T_q, S_u>
where [formula image] [formula image] [formula image];
S35, the data user DU sends the retrieval trapdoor Tra to the block chain network.
7. The searchable encryption method based on attributes on blockchains and having forward and backward privacy according to claim 1, wherein step S4 is specifically:
S41, the block chain network obtains the access tree index T_ind from the trapdoor, giving the access tree T = EDB[T_ind];
S42, let x denote a node of T; for each leaf node x in T compute the following: let a denote the attribute of leaf node x, i.e. a = attr(x); if a ∈ S_u then compute F_x as [formula image], otherwise F_x = ⊥; for each non-leaf node x in T compute the following: let S_x denote a set of k_x child nodes z of x; if no such S_x exists then F_x = ⊥, otherwise F_x is computed by Lagrange interpolation: [formula image], where i = index(z), [formula image], and [formula image] is a Lagrange coefficient;
let t denote the root node of T: if F_t = ⊥ then return 0, otherwise compute C: [formula image], where [formula image];
S43, then compute the key [formula image] from C; if [formula image] does not exist, the user has no corresponding access right; otherwise obtain the corresponding value [formula image] [formula image], and from [formula image] compute the state value [formula image] [formula image];
S44, then enter a loop over the state values: from the state value [formula image] obtain the key [formula image] [formula image]; if [formula image] is not null, obtain the corresponding value [formula image], otherwise end the loop and return the result set MEI [formula image]; use [formula image] to obtain the length of the index set held by the current keyword state [formula image] [formula image]; for j from 1 to [formula image], first use the state value [formula image] and j to obtain the key [formula image] [formula image], thereby obtaining the value [formula image] [formula image], and further compute the encrypted index [formula image] and add it to the result set MEI [formula image]; finally, when [formula image], backtrack to the previous state value [formula image] [formula image], assign it to [formula image], and continue the loop.
8. The searchable encryption method with forward and backward privacy based on attributes on a blockchain according to claim 1, wherein step S5 is specifically:
S51, for each [formula image] in MEI the data user performs the following: first compute temp [formula image], then decrypt to obtain the file index [formula image] [formula image];
S52, obtain the file from the cloud storage server using the file index to get the corresponding document.
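To make the keyword state chain of claims 5, 7 and 8 concrete, here is an added Python example (not code from the patent) that models the symmetric part of the scheme with the standard library only: a keyed permutation F with inverse F^{-1}, EDB entries keyed by hashes of the current state, a count entry per update, and a search that recovers the latest state and walks back with F^{-1} until the chain ends. It assumes λ = 128 bits, a 4-round HMAC-SHA256 Feistel network for F, SHA-256 for the hashes H_i, a hash-based one-time pad for the index encryption, and replaces the attribute access check of S42 (access tree, pairing value C) with a per-keyword key k_w carried in the trapdoor; the patent's exact formulas are in images not reproduced on this page.

```python
import hashlib, hmac, secrets

LAM = 16  # λ = 128 bits: states, keys and nonces are 16 bytes (assumed parameter)

def H(*parts: bytes) -> bytes:
    """Stand-in for the hashes H_0..H_4 of SPP: SHA-256 over tagged parts (assumption)."""
    return hashlib.sha256(b"|".join(parts)).digest()
def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))  # truncates to the shorter input
def _rf(k: bytes, i: int, half: bytes) -> bytes:  # Feistel round function
    return hmac.new(k, bytes([i]) + half, "sha256").digest()[:LAM // 2]

def F(k: bytes, st: bytes) -> bytes:
    """Keyed PRP F: {0,1}^λ x {0,1}^λ -> {0,1}^λ, here a 4-round Feistel network (assumption)."""
    l, r = st[:LAM // 2], st[LAM // 2:]
    for i in range(4):
        l, r = r, xor(l, _rf(k, i, r))
    return l + r

def F_inv(k: bytes, st: bytes) -> bytes:
    """F^{-1}: undo the rounds in reverse, which is how the searcher walks the state chain back."""
    l, r = st[:LAM // 2], st[LAM // 2:]
    for i in reversed(range(4)):
        l, r = xor(r, _rf(k, i, l)), l
    return l + r

def enc_index(k_u: bytes, ind: bytes) -> bytes:
    """Encrypt one file index under the user key: nonce r, pad with H(k_u, r) (assumed form)."""
    r = secrets.token_bytes(LAM)
    return r + xor(ind, H(k_u, r))
def dec_index(k_u: bytes, e: bytes) -> bytes:
    """S51: temp = H(k_u, r), then index = ciphertext XOR temp."""
    return xor(e[LAM:], H(k_u, e[:LAM]))

def update(edb: dict, sigma: dict, k_w: bytes, k_u: bytes, inds: list) -> None:
    """S22-S27 for one keyword: advance its state with F, store the count and the encrypted
    indexes under hashes of the state, then publish the latest state under a trapdoor-derived key."""
    st = secrets.token_bytes(LAM) if k_w not in sigma else F(k_w, sigma[k_w])
    sigma[k_w] = st  # Σ keeps the latest state per keyword; it never leaves the data owner
    edb[H(st, b"len")] = xor(len(inds).to_bytes(4, "big"), H(st, b"mask"))
    for j, ind in enumerate(inds, 1):
        edb[H(st, j.to_bytes(4, "big"))] = enc_index(k_u, ind)
    c = H(b"C", k_w)  # stands in for the pairing value C of S26 (assumption)
    edb[H(b"key", c)] = xor(st, H(b"val", c))  # EDB[H_2(C)] = H_3(C) XOR state

def search(edb: dict, k_w: bytes) -> "list[bytes] | None":
    """S41-S44 on the searcher: recover the latest state, collect its entries, back-track with F^{-1}."""
    c = H(b"C", k_w)
    if (masked := edb.get(H(b"key", c))) is None:
        return None  # S43: no entry for this trapdoor, treated as no access right
    st, mei = xor(masked, H(b"val", c)), []
    while (v := edb.get(H(st, b"len"))) is not None:  # loop ends at the chain's first state
        n = int.from_bytes(xor(v, H(st, b"mask")), "big")
        mei.extend(edb[H(st, j.to_bytes(4, "big"))] for j in range(1, n + 1))
        st = F_inv(k_w, st)  # previous state value of this keyword
    return mei
```

Entries of different updates share nothing but the keyed chain, so without k_w the stored key-value pairs cannot be grouped by keyword; the search returns the newest update's indexes first and stops when F^{-1} lands on a state with no count entry.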
9. A searchable encryption system with forward and backward privacy based on attributes on a blockchain, applied to the searchable encryption method with forward and backward privacy based on attributes on a blockchain according to any one of claims 1 to 8, the searchable encryption system comprising: the system comprises a cloud storage subsystem running on a cloud server, an initialization and encryption subsystem running on a data owner end, a retrieval trapdoor generation and decryption subsystem running on a data user end and a retrieval subsystem running on a block chain network;
the cloud storage subsystem is used for storing the file ciphertext, returning the file ciphertext according to the corresponding file index and sending the file ciphertext to the data user;
the initialization and encryption subsystem comprises an initialization module, a private key storage module and an encryption module; the initialization module generates the system public parameters, the private keys and the user private keys, publishes the system public parameters in the block chain network, stores the two private keys in the private key storage module and sends the user private keys to the data users; the private key storage module stores the master private keys and allows only the data owner to access them; the encryption module encrypts the files and stores the encrypted files in the cloud storage subsystem, encrypts the index set and the access tree corresponding to each keyword with the private keys to obtain the index ciphertext, and sends the index ciphertext to the block chain network;
the retrieval trapdoor generation and decryption subsystem comprises a user trapdoor generation module and a data decryption module; the user trap door generation module is responsible for calculating by using a private key and a retrieval keyword of a user to obtain a legal retrieval trap door and sending the retrieval trap door to the block chain network; the data decryption module recovers a plaintext index from the encrypted index set obtained by retrieval by using a user private key, and the plaintext index is sent to the cloud server to obtain a corresponding file;
the retrieval subsystem comprises an encrypted data set storage module and a retrieval module; wherein the encrypted data set storage module takes the encryption index, the access tree, and the associated key-value pair from the data owner and stores them in the blockchain network; the retrieval module is responsible for processing a retrieval trapdoor sent by a data user, judging whether the user has access authority or not according to the retrieval trapdoor, and returning an encryption index set containing retrieval keywords to the user.
10. A computer-readable storage medium storing a program which, when executed by a processor, implements the attribute-based searchable encryption method with forward and backward privacy on a blockchain according to any of claims 1-8.
Priority application: CN202210990925.XA, priority date 2022-08-18, filing date 2022-08-18, Searchable encryption method and system with forward and backward privacy based on attributes on block chain (pending).
Publication: CN115412233A, published 2022-11-29.
Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117596085A (en) * 2024-01-19 2024-02-23 华南理工大学 Searchable encryption method with forward and backward privacy based on attribute set
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination