CN117879939A - Autonomous path agent re-encryption method based on threshold value - Google Patents
Autonomous path agent re-encryption method based on threshold value Download PDFInfo
- Publication number
- CN117879939A CN117879939A CN202410038623.1A CN202410038623A CN117879939A CN 117879939 A CN117879939 A CN 117879939A CN 202410038623 A CN202410038623 A CN 202410038623A CN 117879939 A CN117879939 A CN 117879939A
- Authority
- CN
- China
- Prior art keywords
- ciphertext
- key
- encryption
- path
- encryptor
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 34
- 230000009286 beneficial effect Effects 0.000 description 1
- 125000004122 cyclic group Chemical group 0.000 description 1
- 238000012423 maintenance Methods 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
Landscapes
- Storage Device Security (AREA)
Abstract
The invention relates to the field of cloud computing data security, in particular to an autonomous path agent re-encryption method based on a threshold value, which comprises the following steps: initializing a system, generating required parameters by an encryptor, encrypting a data file of a consignor, and uploading the encrypted data file to a cloud service provider; the encryptor generates a re-encryption key according to the parameters, divides the key into n parts by utilizing a secret sharing scheme, and sends the n parts to n agents; the agent can re-encrypt the original ciphertext sent by the cloud service provider after receiving the re-encryption key and send the re-encrypted original ciphertext to the consignee; the trusted party can integrate the t parts of sub-ciphertext into a complete ciphertext after receiving the t parts of sub-ciphertext, and decrypt the complete ciphertext by using the private key. The method effectively solves the problems of single-point faults and collusion attacks of single agents on the premise that the agents are not trusted, and improves the safety of data sharing.
Description
Technical Field
The invention relates to the field of cloud computing data security, in particular to an autonomous path agent re-encryption method based on a threshold value.
Background
With advances in network technology and increasing demand for computing resources, cloud computing and its applications have received widespread attention in recent years. In cloud computing, users are able to utilize powerful computing resources and obtain sufficient storage space in terms of cost effectiveness and less manual management, so users are willing to outsource data to cloud servers to reduce maintenance costs and enhance accessibility and availability.
However, when users encrypt and outsource data to public cloud storage, they often pay attention to the privacy security of the data, so that proxy re-encryption technology is generally adopted to re-encrypt the data so as to ensure the security of the data, and the data sharing among cloud data users is facilitated. However, because single-point faults, collusion attacks and the like easily occur to a single agent, an autonomous path agent re-encryption method based on a threshold value is needed, the problem that the agent is unsafe is effectively solved, and the safety of data sharing is improved.
Disclosure of Invention
In order to solve the problems in the background art, the invention provides an autonomous path agent re-encryption method based on a threshold value, which improves the security of data sharing and comprises the following steps:
s1: initializing a system, generating required parameters by an encryptor, encrypting a data file of a consignor, and uploading the encrypted data file to a cloud service provider;
further, the generating the required parameters includes: and initializing a system, wherein an encryptor generates public parameters, public and private key pairs of a user and a entrusting path according to the input security parameters.
Further, the generating the delegated path includes: when the commissioner finds that the commissioner is too busy to process too many encrypted files, the commissioner can share the encrypted files to the trusted user for processing, and at the moment, the commissioner can generate a commission path for data commission according to the public parameters and the public key of the trusted user, the commission right can be automatically commissioned to the next commission person in the path when the commission person in the path can not decrypt.
Further, the encrypting step includes: and the encryptor encrypts the data file which the consignee wants to process by the consignee by using the public parameter, the short random value and the public key of the consignee, and sends the encrypted original ciphertext to the cloud service provider for storage, so that the local burden of the consignee is reduced.
S2: the encryptor generates a re-encryption key according to the parameters, divides the key into n parts by utilizing a secret sharing scheme, and sends the n parts to n agents;
further, generating the re-encryption key according to the parameters includes: when the encryptor allows the agent to re-encrypt the encrypted file, a re-encryption key is generated according to the public parameter, the entrusted path and the public and private key pair of the user, and the re-encryption key is divided into n parts by utilizing a secret sharing scheme and is sent to n agents.
Further, the dividing the proxy re-encryption key into n shares includes: when the encryptor generates the re-encryption key, the encryptor wants to distribute the key to n agents, firstly, a threshold value is set as t, a t-1 th order polynomial f (x) is constructed, the encryptor calculates n secret values respectively, the calculated values are used as sub-re-encryption keys to n agents, and the re-encryption key is updated according to the conditions of the agents.
Further, the updating the re-encryption key includes: when there are fewer than T-1 agents revealing the key or some agents need to be deleted within the time period T, data for generating a new key may be generated by constructing a new polynomial and replacing the old key with the newly generated key.
S3: the agent re-encrypts the original ciphertext sent by the cloud service provider after receiving the re-encryption key and sends the original ciphertext to the consignee;
further, the re-encrypting the original ciphertext includes: after receiving n copies of the re-encryption key, the proxy can re-encrypt the original ciphertext by using the re-encryption key to finally generate a re-encrypted ciphertext, and if a user is too busy to process data at the moment, the proxy can send the re-encrypted ciphertext to other trusted persons in the trusted path according to the priority of the trusted path.
S4: the entrusted party can integrate the sub-ciphertexts with more than t shares into a complete ciphertext and decrypt the complete ciphertext by using the private key of the entrusted party;
further, the decrypting the re-encrypted ciphertext includes: after the entrusted party receives t parts and more of the re-encrypted ciphertext, the t parts and more of the re-encrypted ciphertext can be calculated through a Lagrange interpolation method, the complete ciphertext contained in the polynomial can be finally obtained, and the final ciphertext can be decrypted by utilizing the private key of the entrusted party, so that data sent by the entrusted party can be obtained.
The invention has the beneficial effects that:
in order to protect the privacy and the safety of data in the data sharing process, the invention provides an autonomous path proxy re-encryption method based on a threshold value aiming at the problem that a proxy re-encryption scheme proxy is not trusted, and a client can share the data to a trusted user through a proxy path so as to realize the controllability of sharing the data path in the data sharing process; the encryptor encrypts the data by using the short random value, and only when the encryptor allows the agent to re-encrypt the data, the agent can generate a re-encryption key by using the same short random value, so that the agent is prevented from re-encrypting the data file shared by the commissioner infinitely; the re-encryption key is divided into n parts by using the threshold value in the secret sharing scheme and distributed to n agents, so that the agents are effectively prevented from revealing the key, and collusion attack of the agents and malicious users is prevented, and the security and privacy in the data sharing process are improved.
Drawings
FIG. 1 is a schematic flow chart of the method of the present invention;
FIG. 2 is a flow chart of generating a re-encryption key in accordance with the present invention;
FIG. 3 is a flow chart of the re-encryption of the original ciphertext in accordance with the present invention;
Detailed Description
The following description of the embodiments of the present invention will be made more apparent and fully hereinafter with reference to the accompanying drawings, in which some, but not all embodiments of the invention are shown. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Referring to fig. 1, the present invention provides an autonomous path agent re-encryption method based on a threshold value, comprising:
s1: initializing a system, generating required parameters by an encryptor, encrypting a data file of a consignor, and uploading the encrypted data file to a cloud service provider;
further, the generating the required parameters includes: initializing a system, and generating public parameters, public and private key pairs of a user and a entrusting path according to input security parameters;
specifically, the encryptor selects prime order p and cyclic group G according to security parameter lambda 1 、G 2 And selects bilinear map e: g 1 ×G 1 →G 2 Let g 0 ,g 1 Is G 1 Is described, and a hash function H: g 2 →G 1 And modeled as RO, a field GF (q) is selected, where q=p k K is a positive prime number, the security parameter para= (G) 1 ,G 2 ,g 0 ,g 1 ,p,e,H)。
Further, according to the security parameter para, sk is randomly selected i =x i As a private key of the user,as the public key of the user.
Further, the generating the delegated path includes: when the commissioner finds that the commissioner is too busy to process too many encrypted files, the commissioner can share the encrypted files to the trusted user for processing, and at the moment, the commissioner can generate a commission path for data commission according to the public parameters and the public key of the trusted user, the commission right is automatically commissioned to the next commissioned person in the path from high to low if the commissioned person in the path can not decrypt.
Specifically, according to the security parameters para and the user public key pk i Generating a delegation path for delegating encrypted files by user iWherein->Is the public key of the trusted party on the trusted path, l i For the length of the delegated path, i.e. the delegated path contains l in total i And delegates.
Further, the encrypting step includes: and the encryptor encrypts the data file which the delegator wants to process by the delegator by using the public parameters, the short random value and the public key of the delegator, and sends the encrypted original ciphertext to a cloud service provider for storage, so that the local burden of the delegator is reduced.
Specifically, the encryptor randomly selects a short random value, and calculates the original ciphertext under the public key as the original ciphertext according to the public parameter and the public key of the entrusterWherein c 1 ,c 2 The calculation formula of (2) is
(1) G in 0 、g 1 Is the generator in the public parameter para, r is the encryptor slaveIn the data block, m is the data plaintext shared by the entrusters, pk i Is the principal's public key.
S2: the encryptor generates a re-encryption key according to the parameters, divides the key into n parts by utilizing a secret sharing scheme, and sends the n parts to n agents;
referring to fig. 2, the generating the re-encryption key specifically includes:
firstly, judging whether an encryptor allows an agent to re-encrypt an original ciphertext, and if not, interrupting operation; and if the proxy is allowed to re-encrypt the data file, performing the next operation to generate a re-encryption key. The formula for calculating the re-encryption key is
(2) Where r is the encryptor slaveBecause the encryptor allows the proxy to re-encrypt the original ciphertext, the short random value should be consistent with the short random value r in formula (1), so that the trusted party can decrypt the correct data file g when decrypting 0 、g 1 X is a generator in the public parameter para j 、X j-1 From encryptor R G 1 Randomly selected values, H (X j )、H(X j-1 ) Representation of X j 、X j-1 Hash value is performed.
Further, the dividing the proxy re-encryption key into n shares includes: when the encryptor generates the re-encryption key, the encryptor wants to distribute the key to n agents, then the secret sharing scheme is utilized to generate n sub-re-encryption keys, firstly, a threshold value is set as t, a t-1 degree polynomial f (x) is constructed, the encryptor calculates n secret values respectively, and the calculated values are used as sub-re-encryption keys to n agents.
Specifically, a polynomial of degree t-1 is constructed by first selecting a large prime number q and s<q, and randomly generating t-1 different random numbers a 0 ,a 1 ,…,a t-1 These random numbers are used to define a polynomial equation as
f(x)=a 0 +a 1 ·x+a 2 ·x 2 +...+a t-1 ·x t-1 mod q (3)
(3) Removing a in 0 The coefficients other than that are randomly generated, and a 1 ,a 2 ,...,a t-1 E GF (q), and taking the re-encryption key generated by the formula (2) as a constant term a in the polynomial 0 I.e.From which n points are constructed and set to 1, 2..n, and f (1), f (2), are calculated, and f (n), then the n-parts subre-encryption key generated by equation (3) is +.>Will be sent to n agents.
Further, the updating of the re-encryption key includes: when there are fewer than T-1 agents revealing keys or partial agents need to be deleted within the time period T, data of a new partial key may be generated by constructing a new polynomial and replacing the old key with the newly generated partial key.
Specifically, when the re-encryption key is generated for a period of time, judging the key condition stored in the proxy or the proxy condition, if the re-encryption key does not need to be updated, continuing storing the re-encryption key generated before by the proxy; if there are fewer than T-1 agents revealing keys or if a partial agent needs to be deleted within the time period T, indicating that the sub-re-encryption key stored by the partial agent is updated, the agent will select element ω, (b) zm ) m∈(1,...,ω) E GF (q), and constructing a new polynomial as using a secret sharing scheme
φ z (y)=b z1 ·y+b z2 ·y+...+b zω ·y w (4)
(4) In b z0 0, thus phi z (0) Is 0; order theThen the current agent receives j zc Post-computation new key part is +.>And sends the new key portion to the proxy and updates.
S3: the agent re-encrypts the original ciphertext sent by the cloud service provider after receiving the re-encryption key and sends the original ciphertext to the consignee;
the re-encrypting the original ciphertext comprises the following steps: after receiving n parts of re-encryption keys, the proxy can re-encrypt the original ciphertext by using the re-encryption keys to finally generate re-encrypted ciphertext, and if a user is too busy to process data at the moment, the proxy can send the re-encrypted ciphertext to other consignees in the consignee path.
Referring to fig. 3, specifically, after step S2 is completed, the proxy will first send the ciphertextIs decomposed intoAccording to the public parameter para, the entrusted path pa i Re-encrypting the original ciphertext by using the re-encryption key to obtain a re-encrypted ciphertext; and then the proxy inquires whether the delegate has an encryption file transmitted by the null processing delegate according to the priority of the delegate path, if the delegate path has a file which cannot be processed due to the fact that the user is busy, the proxy does not continue to transmit the re-encryption ciphertext to the user, but continues to inquire other delegates in the delegate path, and when the delegate has the null processing file, the proxy re-encrypts the original ciphertext by using the re-encryption key related to the delegate and transmits the re-encrypted ciphertext to the delegate.
S4: the entrusted party can integrate the sub-ciphertexts with more than t shares into a complete ciphertext and decrypt the complete ciphertext by using the private key of the entrusted party.
Further, the decrypting the re-encrypted ciphertext includes: after the entrusted party receives t parts and more of the re-encrypted ciphertext, the t parts and more of the re-encrypted ciphertext can be calculated through a Lagrange interpolation method, the complete ciphertext contained in the polynomial can be finally obtained, and the final ciphertext can be decrypted by utilizing the private key of the entrusted party, so that data sent by the entrusted party can be obtained.
Specifically, when the trusted party receives t or more re-encrypted ciphertexts, the complete ciphertext can be calculated by using the Lagrange interpolation formula, and the Lagrange interpolation formula is
(5) X in the middle i 、x j Are the obtained re-encrypted ciphertext portion content, f (x i ) For x=x i The value of the time, t is a set threshold value, and q is a large prime number selected randomly in advance.
Obtaining the complete re-encryption ciphertext according to calculationThe delegate can use its own private key calculation to obtain the encrypted file data sent by the delegate.
The foregoing is merely illustrative of the present invention, and the present invention is not limited thereto, and any person skilled in the art will readily recognize that variations or substitutions are within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.
Claims (9)
1. An autonomous path agent re-encryption method based on a threshold value, comprising:
s1: initializing a system, generating required parameters by an encryptor, encrypting a data file of a consignor, and uploading the encrypted data file to a cloud service provider;
s2: the encryptor generates a re-encryption key according to the parameters, divides the key into n parts by utilizing a secret sharing scheme, and sends the n parts to n agents;
s3: the agent re-encrypts the original ciphertext sent by the cloud service provider after receiving the re-encryption key and sends the original ciphertext to the consignee;
s4: the entrusted party can integrate the sub-ciphertexts with more than t shares into a complete ciphertext and decrypt the complete ciphertext by using the private key of the entrusted party.
2. The method of autonomous path agent re-encryption based on threshold values of claim 1, wherein the generating the required parameters comprises: the system is initialized, and public parameters, public and private key pairs of users and a entrusting path are generated according to the input security parameters.
3. The method for re-encrypting an autonomous path agent based on a threshold value of claim 2, wherein said generating a delegated path comprises: when the commissioner finds that the commissioner is too busy to process too many encrypted files, the commissioner can share the encrypted files to the trusted user for processing, and at the moment, the commissioner can generate a commission path for data commission according to the public parameters and the public key of the trusted user, the commission right can be automatically commissioned to the next commission person in the path when the commission person in the path can not decrypt.
4. The method of threshold-based autonomous path agent re-encryption of claim 2, wherein said encrypting step comprises: and the encryptor encrypts the data file which the consignee wants to process by the consignee by using the public parameter, the short random value and the public key of the consignee, and sends the encrypted original ciphertext to the cloud service provider for storage, so that the local burden of the consignee is reduced.
5. The method of autonomous path agent re-encryption based on threshold values of claim 1, wherein the encryptor generating the re-encryption key based on the parameters comprises: when the encryptor allows the agent to re-encrypt the encrypted file, a re-encryption key is generated according to the public parameter, the entrusted path and the public and private key pair of the user, and the re-encryption key is divided into n parts by utilizing a secret sharing scheme and is sent to n agents.
6. The method for autonomous path proxy re-encryption based on a threshold value of claim 5, wherein said dividing the proxy re-encryption key into n shares comprises: when the encryptor generates the re-encryption key, the encryptor wants to distribute the key to n agents, firstly, a threshold value is set as t, a t-1 th order polynomial f (x) is constructed, the encryptor calculates n secret values respectively, the calculated values are used as sub-re-encryption keys to n agents, and the re-encryption key is updated according to the conditions of the agents.
7. The method of autonomous path agent re-encryption based on threshold values of claim 6, wherein said updating the re-encryption key comprises: when there are fewer than T-1 agents revealing the key or some agents need to be deleted within the time period T, data for generating a new key may be generated by constructing a new polynomial and replacing the old key with the newly generated key.
8. The method for re-encrypting an autonomous path agent based on a threshold value according to claim 1, wherein said re-encrypting the original ciphertext comprises: after receiving n copies of the re-encryption key, the proxy can re-encrypt the original ciphertext by using the re-encryption key to finally generate a re-encrypted ciphertext, and if a user is too busy to process data at the moment, the proxy can send the re-encrypted ciphertext to other consignees in the consignee path according to the priority of the consignee path.
9. The method for re-encrypting the autonomous path agent based on the threshold value according to claim 1, wherein said decrypting the re-encrypted ciphertext comprises: after the trusted party receives the t parts and above of the re-encrypted ciphertext, the Lagrange interpolation method can be used for calculating the t parts and above of the re-encrypted ciphertext, and finally the complete ciphertext contained in the polynomial can be obtained. And the final ciphertext can be decrypted by using the private key of the user, so that the data sent by the client can be finally obtained.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410038623.1A CN117879939A (en) | 2024-01-10 | 2024-01-10 | Autonomous path agent re-encryption method based on threshold value |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410038623.1A CN117879939A (en) | 2024-01-10 | 2024-01-10 | Autonomous path agent re-encryption method based on threshold value |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN117879939A true CN117879939A (en) | 2024-04-12 |
Family
ID=90584167
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202410038623.1A Pending CN117879939A (en) | 2024-01-10 | 2024-01-10 | Autonomous path agent re-encryption method based on threshold value |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN117879939A (en) |
-
2024
- 2024-01-10 CN CN202410038623.1A patent/CN117879939A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Zhao et al. | Trusted data sharing over untrusted cloud storage providers | |
| Han et al. | A data sharing protocol to minimize security and privacy risks of cloud storage in big data era | |
| Kumar et al. | Secure storage and access of data in cloud computing | |
| Lin et al. | A collaborative key management protocol in ciphertext policy attribute-based encryption for cloud data sharing | |
| CN102655508B (en) | Method for protecting privacy data of users in cloud environment | |
| CN107154845B (en) | BGN type ciphertext decryption outsourcing scheme based on attributes | |
| KR101021708B1 (en) | Group Key Distribution Method and Server and Client for Implementing the Same | |
| JP6341599B2 (en) | Encryption data update system and encryption data update method | |
| CN114513327B (en) | Block chain-based Internet of things private data rapid sharing method | |
| Tiwari et al. | SecCloudSharing: Secure data sharing in public cloud using ciphertext‐policy attribute‐based proxy re‐encryption with revocation | |
| CN103607278A (en) | Safe data cloud storage method | |
| Belguith et al. | Lightweight Attribute-Based Encryption Supporting Access Policy Update for Cloud Assitsed IoT | |
| JP7212697B2 (en) | Communication terminal, communication system, and program | |
| JP2005252384A (en) | Encrypted data storage server system, encrypted data storage method, and re-encryption method | |
| JP2019102970A (en) | Data sharing server device, key generation server device, communication terminal, and program | |
| CN114697042A (en) | Block chain-based Internet of things security data sharing proxy re-encryption method | |
| CN110912691B (en) | Ciphertext distribution method, device and system based on grid access control encryption algorithm in cloud environment and storage medium | |
| CN116405320B (en) | Data transmission method and device | |
| CN104796411A (en) | Method for safely transmitting, storing and utilizing data in cloud and mobile terminal | |
| Kumar et al. | Privacy Preserving Data Sharing in Cloud Using EAE Technique | |
| JP2006227411A (en) | Communications system, encryption device, key generator, key generating method, restoration device, communication method, encryption method, and cryptography restoration method | |
| US20220150224A1 (en) | Encryption using recursive key | |
| Kapusta et al. | Secure data sharing with fast access revocation through untrusted clouds | |
| CN117879939A (en) | Autonomous path agent re-encryption method based on threshold value | |
| Dhal et al. | RACC: An efficient and revocable fine grained access control model for cloud storage |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |