CN115459967A - Ciphertext database query method and system based on searchable encryption - Google Patents

Publication number
CN115459967A
Authority
CN
China
Prior art keywords
data
ciphertext
key
query
data content
Legal status
Pending
Application number
CN202211027665.2A
Other languages
Chinese (zh)
Inventor
张李军
潘光明
张�浩
Current Assignee
Basebit Shanghai Information Technology Co ltd
Wing Fang Jianshu Beijing Information Technology Co ltd
Original Assignee
Basebit Shanghai Information Technology Co ltd
Wing Fang Jianshu Beijing Information Technology Co ltd

Classifications

    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • G06F16/221 Column-oriented storage; Management thereof
    • G06F16/2282 Tablespace storage structures; Management thereof
    • G06F16/242 Query formulation
    • G06F16/2462 Approximate or statistical queries
    • H04L9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/0631 Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H04L9/3213 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos

Abstract

The application discloses a ciphertext database query method and system based on searchable encryption. First, plaintext source data is obtained, comprising a data file name and data content. Keywords are extracted from the data content to obtain a keyword list, a ciphertext index library is built from the data file name using the index generation key, and the ciphertext data content and the ciphertext index library are stored correspondingly in a ciphertext database. Then a target query keyword is acquired and processed with the trapdoor generation key to generate a query ciphertext. The ciphertext index library is queried with the query ciphertext to obtain a ciphertext query result and the corresponding ciphertext data content. Finally, the ciphertext data content is decrypted with the data decryption key to obtain the plaintext data content. All algorithms in the application are designed with symmetric cryptographic primitives, which ensures efficient algorithm execution, and search efficiency is improved by an inverted index that uses the keywords as key values.

Description

Ciphertext database query method and system based on searchable encryption
Technical Field
The invention relates to the field of data processing, in particular to a ciphertext database query method and system based on searchable encryption.
Background
With the widespread application of the internet and the advent of the big data era, enterprises and even individuals have large amounts of data to store. Many cloud service vendors now provide cost-effective outsourced storage services, so enterprises and individuals usually purchase such services to store their own data. To protect the security or privacy of the data, people tend to encrypt it before storing it on a cloud server; however, data in ciphertext form is much harder to use. For example, in a common data query scenario, a data owner wants to query relevant data (a document, audio, video, or the like) stored on a cloud server by a certain keyword, but a general encryption algorithm does not support querying over data ciphertext. If the data to be queried is downloaded locally, decrypted, and then queried, the communication cost and decryption time are often unacceptable. Searchable encryption was developed to solve the problem of querying ciphertext data. The technology uses a specially designed encryption algorithm to encrypt plaintext data into ciphertext data with an index structure. The ciphertext data forms a ciphertext database, and the index structure in the ciphertext database provides the search capability. At query time, a specific key is used to generate a query trapdoor T for the queried keyword, T is then used to search the ciphertext indexes for data matching the keyword, and finally the query result is output.
Depending on whether the key that generates the ciphertext index is the same as the key that generates the query trapdoor, searchable encryption is divided into two types: symmetric searchable encryption (SSE) and public-key encryption with keyword search (PEKS).
However, when an existing searchable encryption algorithm performs a search, the whole database must be scanned, so the search time grows linearly with the size of the database and the algorithm is inefficient. Security and efficiency are not both considered in data sharing scenarios: ciphertext query requests cannot be effectively controlled, and it is difficult for the data provider to intervene in the decryption of ciphertext data or to perceive which data resources are of high value, which affects the data provider's data-sharing revenue.
Disclosure of Invention
Based on the above, the embodiment of the application provides a ciphertext database query method and system based on searchable encryption, and solves the problem of the existing searchable encryption algorithm in ciphertext database query.
In a first aspect, a ciphertext database query method based on searchable encryption is provided, where the method includes:
acquiring plaintext source data, wherein the plaintext source data comprises a data file name and data content; encrypting the data content with a data encryption key to obtain ciphertext data content;
extracting keywords from the data content to obtain a keyword list, building a ciphertext index library from the data file name using the index generation key, and storing the ciphertext data content and the ciphertext index library correspondingly in a ciphertext database;
acquiring a target query keyword, and processing the target query keyword with a trapdoor generation key to generate a query ciphertext;
querying the ciphertext index library with the query ciphertext to obtain a ciphertext query result and the corresponding ciphertext data content;
and decrypting the ciphertext data content with the data decryption key to obtain plaintext data content.
Before the ciphertext data content is decrypted with the data decryption key to obtain plaintext data content, the method further includes: generating a data decryption key for the plaintext source data in response to a decryption authorization request of the plaintext source data provider.
Optionally, encrypting the data content with the data encryption key to obtain ciphertext data content includes:
encrypting the data content with a block encryption algorithm, wherein the block encryption algorithm at least comprises the AES algorithm and the SM4 algorithm.
Optionally, generating the data encryption key and the index generation key includes:
generating a random value as a seed for key generation, and then generating a corresponding encryption key for each file using the seed and a key derivation function.
Optionally, storing the ciphertext data content and the ciphertext index library correspondingly in a ciphertext database further includes:
establishing a data deletion table in the ciphertext database, wherein the data deletion table records deleted data; when the query result contains deleted data, the table is consulted during decryption and the decryption of the deleted data is skipped, so that the returned query result does not contain the deleted data.
Optionally, before the target query keyword is processed with the trapdoor generation key to generate a query ciphertext, the method includes:
obtaining the trapdoor generation key based on the token/nonce-based trapdoor generation algorithm.
In a second aspect, a ciphertext database query system based on searchable encryption is provided, the system comprising:
the data encryption module is used for acquiring plaintext source data, the plaintext source data comprising a data file name and data content, and for encrypting the data content with a data encryption key to obtain ciphertext data content;
the ciphertext index database construction module is used for extracting keywords from the data content to obtain a keyword list, building a ciphertext index database from the data file name using the index generation key, and storing the ciphertext data content and the ciphertext index database correspondingly in the ciphertext database;
the ciphertext database storage module is used for storing the ciphertext data content and the ciphertext index database;
the query trapdoor generation module is used for acquiring a target query keyword, and processing the target query keyword with a trapdoor generation key to generate a query ciphertext;
the ciphertext index library query module is used for querying the ciphertext index library with the query ciphertext to obtain a ciphertext query result and the corresponding ciphertext data content;
and the data decryption module is used for decrypting the ciphertext data content with the data decryption key to obtain plaintext data content.
Optionally, the system further comprises:
the key management and authorization module, which is used for generating a data decryption key for the plaintext source data in response to a decryption authorization request of the plaintext source data provider.
Optionally, the data encryption module includes:
encrypting the data content with a block encryption algorithm, wherein the block encryption algorithm at least comprises the AES algorithm and the SM4 algorithm.
Optionally, the ciphertext database storage module further includes:
establishing a data deletion table, wherein the data deletion table records deleted data; when the query result contains deleted data, the table is consulted during decryption and the decryption of the deleted data is skipped, so that the returned query result does not contain the deleted data.
The beneficial effects brought by the technical scheme provided by the embodiment of the application at least comprise:
(1) An efficient and secure ciphertext query method and system are designed using a data-key high-strength encryption mode together with technologies such as symmetric cryptographic primitives and inverted index search; the method and system are particularly suitable for secure data sharing and data value circulation scenarios.
(2) Ciphertext queries are supported while the data changes dynamically, for example when data is added or deleted, which accommodates data updates and meets the data-change requirements of practical application scenarios.
(3) The token mechanism ensures the timeliness and legitimacy of data query requests and prevents an adversary from initiating illegal queries or replay attacks, further improving the service security of data queries.
(4) The data provider can count frequently queried data from the authorization information, so that data value can be perceived and pricing can be flexibly adjusted. In practice, this helps the data provider gain more reasonable revenue from data sharing.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below. It should be apparent that the drawings in the following description are merely exemplary, and that other embodiments can be derived from the drawings provided by those of ordinary skill in the art without inventive effort.
Fig. 1 is a flowchart of a ciphertext database query method based on searchable encryption according to an embodiment of the present application;
Fig. 2 is a schematic diagram of encryption of plaintext source data according to an embodiment of the present application;
Fig. 3 is a schematic diagram of a ciphertext index database EDB according to an embodiment of the present application;
Fig. 4 is a schematic diagram of a query result in a plaintext data form according to an embodiment of the present application;
Fig. 5 is a block diagram of a ciphertext database query system based on searchable encryption according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more clearly understood, the present application is further described in detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
In the description of the present invention, the terms "comprises," "comprising," "has," "having," and any variations thereof, are intended to cover non-exclusive inclusions, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements specifically listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus or added steps or elements based on further optimization concepts of the present invention.
For data sharing scenarios with multiple data providers, the application designs a searchable-encryption ciphertext database query method and system architecture that address the following technical problems:
1. Efficiency of the query: the ciphertext database query method avoids public key encryption at the architectural level and is built from symmetric cryptographic primitives. It uses system-level key sharing to generate the index structure and the ciphertext data from the plaintext data, and uses an inverted index when searching, which ensures efficient data encryption and decryption and efficient ciphertext database search.
2. Security of the query: the algorithm uses different keys to generate the index structure and the data ciphertexts, and both the indexes and the data stored in the ciphertext database are in ciphertext form. In addition, at query time the keywords are first encrypted and converted into a query trapdoor, and the ciphertext database cannot recover the keywords from the query trapdoor. This ensures the security of the original data and of the query keywords.
3. Controllability of the query: the algorithm effectively controls query requests through a query token or a random number nonce, so the generated query trapdoors differ even for query requests on the same keyword. Replayed query requests can also be detected accurately.
4. Decryption requires authorization, and the data value can be sorted: after obtaining the query result in ciphertext form, the data inquirer initiates a decryption request, the system asks the data provider for decryption authorization, and once authorization is granted the system sends the decrypted plaintext data to the data inquirer. The data provider can compile statistics from the data decryption authorization records and find high-value data resources with high query frequency, so that data pricing can be adjusted to improve the benefit of data sharing.
Specifically, please refer to fig. 1, which shows a flowchart of a ciphertext database query method based on searchable encryption according to an embodiment of the present application, where the method may include the following steps:
S1: Acquire plaintext source data, and encrypt the data content with a data encryption key to obtain ciphertext data content.
The plaintext source data comprises a data file name and data content. This step corresponds to arrows 1 and 2 in the figure. Step S1 involves the plaintext source data encryption algorithm PlainEnc, specifically:
The plaintext source data encryption algorithm encrypts the plaintext source data provided by a data provider to generate the corresponding ciphertext data.
Algorithm input: plaintext source data M, encryption key K;
Algorithm output: ciphertext data C = Enc(M, K), where Enc is a block encryption algorithm such as AES or SM4. The symmetric encryption and decryption algorithm of the present application is not limited to block cipher algorithms such as AES and SM4; virtually any other block cipher or stream cipher algorithm may be used instead.
Algorithm description:
Taking files as the plaintext source data, for example, assume there are three data providers A, B and C in total, which provide the file lists {A-01, A-02, A-03}, {B-01, B-02} and {C-01}. Plaintext data encryption keys {K_A01, K_A02, K_A03}, {K_B01, K_B02} and {K_C01} are generated for these files, respectively. The file contents are each encrypted with the block cipher algorithm Enc; for example, encrypting the data content of plaintext A-01 gives the ciphertext file Cipher_A01 = Enc(A01, K_A01). Similarly, after all plaintext source data is encrypted, the corresponding ciphertext files {Cipher_A01, Cipher_A02, Cipher_A03}, {Cipher_B01, Cipher_B02} and {Cipher_C01} are obtained, as shown in Fig. 2.
In a specific implementation, to reduce the storage required for plaintext data encryption keys, a single random value may be generated for each data provider as a seed for key generation, and a corresponding encryption key is then generated for each file of that data provider using the seed and a key derivation function KDF. For example, with the key seed seed_A set for user A, the 3 plaintext data encryption keys generated for user A with the KDF are:
K_A0i = KDF(seed_A, A-0i), where i = 1, 2, 3.
S2: Extract keywords from the data content to obtain a keyword list, build a ciphertext index library from the data file name using the index generation key, and store the ciphertext data content and the ciphertext index library correspondingly in a ciphertext database.
This step corresponds to arrows 3 and 4 in the figure. Step S2 involves the ciphertext index database construction algorithm BuildIndex, specifically:
The ciphertext index database construction algorithm processes the keywords contained in the plaintext data of all data providers to generate ciphertext indexes, which together form the ciphertext index database, as shown in Fig. 3.
Algorithm input: all the plaintext source data {M_1, M_2, …, M_n}, and the keyword list {W_i1, W_i2, …, W_im} extracted from each source data M_i; that is, there are n source data in total, and the i-th source data contains im keywords.
Algorithm output: the ciphertext index generation key K* and the ciphertext index database EDB.
Algorithm description:
(a) Let the keyword set of all data be W and the security parameter be λ; randomly select a keyword ciphertext index generation key K* of λ bits.
(b) For each keyword w ∈ W in the keyword set, let DB(w) denote the set of file names containing the keyword w. Using the key K* and a pseudorandom function F: {0,1}^λ × {0,1}^* → {0,1}^λ, compute two keys K1 and K2:
K1 = F(K*, w||key1), K2 = F(K*, w||key2),
where the symbol || denotes the concatenation of w with the string "key1" or "key2".
The ciphertext index database EDB is first initialized to empty, and the following loop is then executed:
1) Initialize the counter c = 0;
2) Compute the label l = F(K1, c), select id ∈ DB(w), and compute the ciphertext d = Enc(K2, id);
3) Increment the counter: c++;
4) Add the label and ciphertext pair (l, d) to the ciphertext index database: (l, d) → EDB.
(c) Output the ciphertext index generation key K* and the ciphertext index database EDB.
S3: Acquire the target query keyword, and process it with the trapdoor generation key to generate a query ciphertext.
This step corresponds to arrows 5 and 6 in the figure and involves the query trapdoor generation algorithm TrapGen, specifically:
The query trapdoor generation algorithm uses the trapdoor generation key (the same as the ciphertext index generation key K*) to generate a ciphertext query condition (i.e. the query trapdoor) for the data inquirer's query keyword w, and submits the query condition to the ciphertext index database EDB for querying.
The application designs a token/nonce-based trapdoor generation algorithm, so that the query trapdoor a data inquirer obtains is different every time; even two queries for the same keyword w yield different trapdoors. For notational convenience, this application uses token to denote either a query token or a random number nonce.
Algorithm input: the query keyword and token pair (w, token);
Algorithm output: the query trapdoor T.
Algorithm description:
(a) Using the index generation key K*, compute K1 = F(K*, w||key1) and H = F(K*, token);
(b) Computing
Figure BDA0003816401710000092
(symbol)
Figure BDA0003816401710000093
Representing an exclusive or operation;
(c) Output the query trapdoor T = (Kt, H).
S4: Query the ciphertext index library with the query ciphertext to obtain a ciphertext query result and the corresponding ciphertext data content.
Since the ciphertext index is used only to locate the corresponding ciphertext data, the plaintext data is ultimately obtained by decrypting the ciphertext data, and the data inquirer needs only the final plaintext data, the present application does not return the plaintext index to the data inquirer; only the plaintext data content is returned.
In the present embodiment, this step corresponds to arrows 7, 8 and 9 in the figure. The step involves the ciphertext index database search algorithm Search, specifically:
The ciphertext index database search algorithm searches the ciphertext index database with the query trapdoor to obtain the set of ciphertext file names corresponding to the labels.
Algorithm input: the query trapdoor T and the ciphertext index database EDB;
Algorithm output: the set of ciphertext file names Cipher_ID;
Algorithm description:
(a) Initialize the counter c = 0 and Cipher_ID = empty;
(b) Compute the key from the query trapdoor T:
Figure BDA0003816401710000091
The following loop is performed:
1) Compute the label l = F(K1, c) and look up the ciphertext index corresponding to the label l in the EDB, giving the query result d = find(EDB, l);
2) If the EDB query result d from the previous step is not empty, add d to Cipher_ID and increment the counter: c++; if the query result d is empty, exit the loop.
(c) Output the set of ciphertext file names Cipher_ID.
In an optional embodiment of the present application, step S4 further includes:
generating a data decryption key for the plaintext source data in response to a decryption authorization request of the plaintext source data provider. In the present embodiment, this step corresponds to arrow 10 in the figure.
S5: decrypt the ciphertext data content with the data decryption key to obtain the plaintext data content.
In this embodiment, this step corresponds to arrows 11 and 12 in the figure. The step involves a ciphertext index decryption algorithm DecryptIndex and a ciphertext data decryption algorithm CipherDec, as follows:
The ciphertext index decryption algorithm decrypts the set of ciphertext file names Cipher_ID to obtain the corresponding set of plaintext file names Plain_ID.
Algorithm input: the information of the current query (w, token, H, Cipher_ID);
Algorithm output: the set of plaintext file names Plain_ID.
Algorithm description:
(a) Use token and H in the query information to verify that the query is valid: compute F(K*, token); if the result equals H in the current query information and the token value differs from the token values of the previous queries in the query history, the query is valid; otherwise output "invalid query" and exit the algorithm;
(b) Initialize Plain_ID to empty and recover the decryption key K2 = F(K*, w||key2);
(c) For each d ∈ Cipher_ID, compute:
1) Decrypt to obtain the plaintext file name id = Dec(K2, d), where Dec is the decryption algorithm corresponding to Enc.
2) Add id to the set of plaintext file names Plain_ID.
(d) Output the set of plaintext file names Plain_ID.
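The Search loop and the DecryptIndex check described above, as an added example that is not code from the patent. Assumptions: F is instantiated as HMAC-SHA256, Enc/Dec as a toy unauthenticated keystream cipher built from F (the claims name AES and SM4), K1 is taken as F(K*, w||key1) by analogy with K2 because the page's own formula for deriving it from the trapdoor T is not reproduced, and the keywords and file names are constructed.

```python
import hashlib, hmac, os

def F(key: bytes, msg: bytes) -> bytes:
    """PRF F; HMAC-SHA256 is an assumption, the page does not fix F."""
    return hmac.new(key, msg, hashlib.sha256).digest()

def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy keystream cipher built from F, standing in for the page's Enc/Dec."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = F(key, nonce + i.to_bytes(4, "big"))
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def enc(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)  # fresh nonce per entry, stored in front
    return nonce + xor_stream(key, nonce, plaintext)

def dec(key: bytes, ciphertext: bytes) -> bytes:
    return xor_stream(key, ciphertext[:16], ciphertext[16:])

def label(k1: bytes, c: int) -> bytes:
    return F(k1, c.to_bytes(4, "big"))  # l = F(K1, c)

def build_index(k_star: bytes, db: dict) -> dict:
    """Setup only: EDB maps label -> encrypted file name, per keyword."""
    edb = {}
    for w, ids in db.items():
        k1 = F(k_star, w.encode() + b"key1")  # assumed, mirrors K2 below
        k2 = F(k_star, w.encode() + b"key2")  # K2 = F(K*, w||key2)
        for c, file_id in enumerate(ids):
            edb[label(k1, c)] = enc(k2, file_id.encode())
    return edb

def search(edb: dict, k1: bytes) -> list:
    """Search loop: walk c = 0, 1, ... until a label is not found."""
    c, cipher_id = 0, []
    while (d := edb.get(label(k1, c))) is not None:
        cipher_id.append(d)
        c += 1
    return cipher_id

def decrypt_index(k_star, w, token, h, cipher_id, seen_tokens) -> list:
    """DecryptIndex: require H = F(K*, token) and an unused token, then decrypt."""
    fresh = token not in seen_tokens
    if not (fresh and hmac.compare_digest(F(k_star, token), h)):
        raise ValueError("invalid query")
    seen_tokens.add(token)
    k2 = F(k_star, w.encode() + b"key2")
    return [dec(k2, d).decode() for d in cipher_id]

def demo() -> list:
    k_star = os.urandom(32)
    db = {"diabetes": ["A-01", "A-02", "B-07"], "asthma": ["B-03"]}  # constructed
    edb = build_index(k_star, db)
    hits = search(edb, F(k_star, b"diabetes" + b"key1"))
    token = os.urandom(16)
    return decrypt_index(k_star, "diabetes", token, F(k_star, token), hits, set())
```

The store holding the EDB sees only labels and encrypted file names, but it does learn how many entries each query matches, and a token that has already been used is rejected by `decrypt_index` even when its H value is correct.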
The ciphertext data decryption algorithm decrypts the ciphertext data content: it first identifies the source of the plaintext data from the file names in Plain_ID, then obtains the corresponding decryption key through the data provider's authorization and decrypts to obtain the plaintext data content, as shown in fig. 4.
Algorithm input: the set of plaintext file names Plain_ID;
Algorithm output: the plaintext data set PlainData.
Algorithm description:
(a) Initialize PlainData to empty and perform the following steps for each id ∈ Plain_ID:
1) Obtain the decryption key DK corresponding to id. For example, if id is A-02, the data comes from provider A, and the decryption key for the ciphertext data content is DK = KDF(seed_A, A-02).
2) Decrypt to obtain the plaintext data content Plain = Dec(Cipher, DK), where Cipher is the ciphertext data content corresponding to this id.
3) Add the plaintext data Plain to the set PlainData.
(b) Output the plaintext data set PlainData.
Referring to fig. 5, using the 6 algorithms given above, the present application designs a ciphertext database query system based on searchable encryption, consisting of 7 modules: a key management and authorization module, a data encryption module, a ciphertext index library construction module, a query trapdoor generation module, a ciphertext index library query module, a data decryption module, and a ciphertext database storage module.
(1) Key management and authorization module: responsible for generating and managing the data encryption and decryption keys and the ciphertext index generation key, and provides the ciphertext index generation key and the data decryption key subject to the data provider's authorization.
(2) Data encryption module: responsible for obtaining a data encryption key from the key management and authorization module and running the Enc algorithm to encrypt the plaintext data content, generating ciphertext data content.
(3) Ciphertext index library construction module: responsible for obtaining the ciphertext index generation key from the key management and authorization module, running the BuildIndex algorithm to generate a ciphertext index library for all data names and keyword lists, and storing the ciphertext index library in the ciphertext database storage module. In addition, the given ciphertext index library construction algorithm BuildIndex can handle dynamic changes to the data (addition or deletion): for newly added data, it is only necessary to add the data file name to the file name list DB(w) of each keyword w that the new data contains and then compute a new index pair (label, file name ciphertext); note that the counter c in the algorithm takes the existing maximum value plus 1.
(4) Query trapdoor generation module: responsible for receiving the query keywords of a data inquirer, obtaining the trapdoor generation key from the key management and authorization module, and running the TrapGen algorithm to generate the corresponding query trapdoor.
(5) Ciphertext index library query module: runs the Search algorithm to query the ciphertext index library in the ciphertext storage module and obtain the query result in ciphertext form.
(6) Data decryption module: responsible for receiving ciphertext query results from the ciphertext index library query module, obtaining an index generation key from the key management and authorization module, and running the DecryptIndex algorithm to decrypt them into a plaintext file name list. It then parses the file name list and initiates a content decryption authorization request; once the request is approved, it runs the CipherDec algorithm, obtaining the data content decryption key from the key management and authorization module, decrypts to obtain the plaintext data content, and returns the plaintext data content to the data inquirer.
(7) Ciphertext database storage module: responsible for uniformly storing the ciphertext index library and the ciphertext data content, serving the queries of the ciphertext index library query module and providing the ciphertext data content to the data decryption module.
As shown in fig. 1, the operation flow of the system (indicated by the numerals on the flow arrows) starts with the data and keyword list provided by the data provider, generates the ciphertext data content and the ciphertext index library, and stores them in the ciphertext storage module. A data inquirer then initiates a query with a query keyword, the query trapdoor generation module generates a query trapdoor, and the ciphertext index library query module performs a ciphertext query with the query trapdoor to obtain a ciphertext result. The data decryption module decrypts the ciphertext query result, initiates an authorization request to the corresponding data provider, decrypts to obtain the plaintext result, and returns it to the inquirer.
(1) All algorithms are built from symmetric cryptographic primitives, which avoids complicated and time-consuming public-key cryptography such as bilinear pairings or lattice-based cryptography and keeps algorithm execution efficient.
(2) The ciphertext index library search algorithm uses an inverted index: the keyword is the key, and the corresponding value is the file name id of a file containing that keyword, which improves search efficiency. A forward index (file name, keyword) can only be searched by file name, so search time is linear in the total number of files; with an inverted index, the number of loop iterations during a search is the number of files containing the keyword, so search time is sub-linear and search efficiency improves.
Meanwhile, different encryption keys are used for different data files of different data providers (one key per data item), strongly protecting the security of the data content.
The index library and the data content are stored in the ciphertext storage module in ciphertext form, so even if the ciphertext storage module is breached, an adversary cannot decrypt the data.
The query keywords provided by the data inquirer are encrypted by the trapdoor generation module, so the ciphertext index library query module and the ciphertext storage module cannot learn the queried keywords, which ensures the security of the keywords.
The ciphertext database query system based on searchable encryption provided by the embodiment of the application is used to implement the ciphertext database query method based on searchable encryption described above; for specific limitations on the system, refer to the limitations on the method above, which are not repeated here. The various portions of the searchable encryption based ciphertext database query system may be implemented in whole or in part by software, hardware, or combinations thereof. The modules can be embedded in hardware form in, or be independent of, a processor in the device, and can also be stored in software form in a memory in the device, so that the processor can call them and execute the operations corresponding to the modules.
The technical features of the embodiments described above may be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the embodiments described above are not described, but should be considered as being within the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments express only several embodiments of the present application, and although their description is relatively specific and detailed, it is not to be construed as limiting the claims. It should be noted that a person skilled in the art can make several variations and modifications without departing from the concept of the present application, all of which fall within the scope of protection of the present application. Therefore, the protection scope of the present patent application shall be subject to the appended claims.

Claims (10)

1. A ciphertext database query method based on searchable encryption, the method comprising:
acquiring plaintext source data, wherein the plaintext source data comprises a data file name and data content; carrying out data encryption on the data content based on a data encryption key to obtain ciphertext data content;
extracting keywords from the data content to obtain a keyword list, obtaining a ciphertext index library from the data file name based on an index generation key, and correspondingly storing the ciphertext data content and the ciphertext index library into a ciphertext database;
acquiring a target query keyword, and processing the target query keyword through a trapdoor generation key to generate a query ciphertext;
inquiring in a ciphertext index library based on the inquiry ciphertext to obtain a ciphertext inquiry result and obtain corresponding ciphertext data content;
and carrying out data decryption on the ciphertext data content based on the data decryption key to obtain plaintext data content.
2. The method of claim 1, wherein prior to data decrypting the ciphertext data content based on a data decryption key to obtain a plaintext data content, the method further comprises:
and generating a data decryption key of the plaintext source data in response to a decryption authorization request of a plaintext source data provider.
3. The method of claim 1, wherein data encrypting the data content based on a data encryption key to obtain a ciphertext data content comprises:
encrypting the data content by a block encryption algorithm, wherein the block encryption algorithm at least comprises an AES algorithm and an SM4 algorithm.
4. The method of claim 1, wherein the data encryption key and the index generation key comprise:
a random value is generated as a seed for key generation, and then a corresponding encryption key is generated for each file using the seed and a key derivation function.
5. The method of claim 1, wherein storing the ciphertext data content and the ciphertext index library in a ciphertext database, further comprises:
and establishing a data deletion table in the ciphertext database, wherein the data deletion table is used for recording deleted data, and when the query result contains the deleted data, the decryption operation of the deleted data is skipped by accessing the table during decryption, so that the returned query result does not contain the deleted data.
6. The method of claim 1, before processing the target query keyword through a trapdoor generation key to generate a query ciphertext, comprising:
and obtaining a trapdoor generation key based on the trapdoor generation algorithm of token/nonce.
7. A ciphertext database query system based on searchable encryption, the system comprising:
the data encryption module is used for acquiring plaintext source data, and the plaintext source data comprises a data file name and data content; carrying out data encryption on the data content based on a data encryption key to obtain ciphertext data content;
the ciphertext index database construction module is used for extracting keywords from the data content to obtain a keyword list, obtaining a ciphertext index database from the data file name based on an index generation key, and correspondingly storing the ciphertext data content and the ciphertext index database into the ciphertext database;
the ciphertext database storage module is used for storing the ciphertext data content and the ciphertext index library;
the query trapdoor generation module is used for acquiring a target query keyword, and processing the target query keyword through a trapdoor generation key to generate a query ciphertext;
the ciphertext index library query module is used for querying in the ciphertext index library based on the query ciphertext to obtain a ciphertext query result and obtain corresponding ciphertext data content;
and the data decryption module is used for carrying out data decryption on the ciphertext data content based on the data decryption key to obtain plaintext data content.
8. The system of claim 7, further comprising:
and the key management and authorization module responds to a decryption authorization request of a plaintext source data provider and generates a data decryption key of the plaintext source data.
9. The system of claim 7, wherein the data encryption module comprises:
encrypting the data content by a block encryption algorithm, wherein the block encryption algorithm comprises at least an AES algorithm and an SM4 algorithm.
10. The system of claim 7, wherein the ciphertext database storage module further comprises:
and establishing a data deletion table, wherein the data deletion table is used for recording deleted data, and when the query result contains the deleted data, the decryption operation of the deleted data is skipped by accessing the table during decryption, so that the returned query result does not contain the deleted data.
CN202211027665.2A 2022-08-22 2022-08-25 Ciphertext database query method and system based on searchable encryption Pending CN115459967A (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202211007665 2022-08-22
CN2022110076656 2022-08-22

Publications (1)

Publication Number Publication Date
CN115459967A true CN115459967A (en) 2022-12-09

Family

ID=84297869

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211027665.2A Pending CN115459967A (en) 2022-08-22 2022-08-25 Ciphertext database query method and system based on searchable encryption

Country Status (1)

Country Link
CN (1) CN115459967A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination