WO2014089843A1 - Method and device for data encryption and decryption - Google Patents

Method and device for data encryption and decryption Download PDF

Info

Publication number
WO2014089843A1
WO2014089843A1 PCT/CN2012/086705 CN2012086705W WO2014089843A1 WO 2014089843 A1 WO2014089843 A1 WO 2014089843A1 CN 2012086705 W CN2012086705 W CN 2012086705W WO 2014089843 A1 WO2014089843 A1 WO 2014089843A1
Authority
WO
WIPO (PCT)
Prior art keywords
node
interval
data
value
values
Prior art date
Application number
PCT/CN2012/086705
Other languages
French (fr)
Chinese (zh)
Inventor
桂小林
黄汝维
刘阳
魏广福
晏鹏
Original Assignee
华为技术有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 华为技术有限公司 filed Critical 华为技术有限公司
Priority to PCT/CN2012/086705 priority Critical patent/WO2014089843A1/en
Priority to CN201280002855.7A priority patent/CN104040935B/en
Publication of WO2014089843A1 publication Critical patent/WO2014089843A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds

Definitions

  • the invention belongs to the field of software algorithms, and in particular relates to a method and a device for data encryption and decryption.
  • Cloud computing as a new type of network computing model, provides users with on-demand IT services (computing, storage, applications, etc.) in a more economical manner than traditional IT. Since the development concept of cloud computing is in line with the current trend of low-carbon economy and green computing, it has been strongly promoted and promoted by governments and enterprises around the world, and is bringing about tremendous changes in the computing and business fields. However, in the already implemented cloud computing services, privacy security issues have been a concern and have become one of the main factors hindering the development and promotion of cloud computing.
  • the user's privacy data includes sensitive information (such as personal health status, financial information, company important documents, etc.) that can be used to identify or locate personal information (such as phone numbers, addresses, and credit card numbers).
  • sensitive information such as personal health status, financial information, company important documents, etc.
  • personal information such as phone numbers, addresses, and credit card numbers.
  • the privacy security issue of cloud computing stems from the characteristics of cloud computing data outsourcing and service leasing. When user data is stored in the cloud environment, people lose direct control over the data, which may lead to the leakage and abuse of personal privacy data.
  • Encryption is a commonly used method to protect user confidential data. Encryption technology that supports relational operations is an encryption method. It guarantees data security through encryption. At the same time, encrypted data can support relational operations, so that the ciphertext can be directly scoped. Retrieve, sort, etc.
  • Agrawal et al. proposed a preserved symmetric encryption algorithm OPES based on the idea of bucket partitioning and distributed probability mapping, which supports various relational operations on encrypted numerical data.
  • Boldyreva et al. proposed a preservation symmetry based on the binary search and hypergeometric probability distribution.
  • the encryption algorithm OPSE supports various relational operations on encrypted data.
  • the advantage of the above two types of preserving encryption methods is order preservation, that is, the ciphertext reflects the size relationship of the plaintext, thereby facilitating the service provider to index the ciphertext data. , speed up the search, and easy to implement a variety of relational operations.
  • An object of the embodiments of the present invention is to provide a method for data encryption and decryption, which can achieve the advantages of order-preserving, security, less load on calculation and storage, and less influence of data domain changes on computation load.
  • a first aspect of the technical solution a data encryption method, the method comprising:
  • the generating, by the user key and the data to be encrypted, the path from the root node of the random number to the leaf node corresponding to the data to be encrypted is specifically :
  • the number of divided segments is divided into equal intervals to be divided Number of copies; wherein, the length of each layer of the random tree is the length of the range plus the length of the interval field;
  • a minimum value of the node position is a sum of three values, wherein the three values are respectively a minimum value of a random tree above the node position, and a value to the node position
  • Determining whether the node location is the selected child node, and if so, the node location is the most The large value is the sum of three values, the three values being the minimum value of the node position, the value interval value of the node position, and the value of the interval field at the node position;
  • the maximum value of the node position is the sum of two values, the two values being the minimum of the node position and the value interval value of the node position.
  • the selecting, in the range of the interval to which the leaf node belongs, selecting a random number, the ciphertext forming the data to be encrypted includes: When the encrypted data is located at the last layer of the random number, a random number is selected within the interval of the child node where the data to be encrypted is located to form the ciphertext of the data to be encrypted.
  • the decrypted data is converted to a plain text string after the padding value is removed.
  • the recovering, according to the user key and the data to be decrypted, the corresponding root node of the random tree to the data to be decrypted The path of the leaf node is specifically:
  • the number of divisions is an interval that divides the sections to be divided equally The number of copies, where the length of each layer of the random tree is the length of the range plus the length of the interval field;
  • a minimum value of the node position is a sum of three values, wherein the three values are respectively a minimum value of a random tree of the node position, and the node position is The sum of the range interval values, the sum of the interval interval values to the node locations;
  • the maximum value of the node location is a sum of three values, wherein the three values are respectively a minimum value of the node location, and the node location a value range value, the value of the interval field at the node location;
  • the maximum value of the node position is the sum of two values, the two values being the minimum of the node position and the value interval value of the node position.
  • a third aspect a data encryption device, where the device includes:
  • a first converting unit configured to convert the data to be encrypted from the plaintext string into the American Standard Code for Information Interchange (ASCII) code, and convert the number of bits of the converted ASCII code into a multiple of a preset domain value, the preset The domain value is the number of bits of the ASCII code that is encrypted each time;
  • ASCII American Standard Code for Information Interchange
  • An encryption unit configured to determine a height of the random tree according to the preset domain value, and generate a path from a root node of the random tree to a leaf node corresponding to the data to be encrypted according to the user key and the data to be encrypted, and Selecting a random number within a range of values to which the leaf node belongs, forming a ciphertext of the data to be encrypted.
  • the step of performing, in the cryptographic unit, generating, according to the user key and the data to be encrypted, generating a root node from the random number to the data to be encrypted is specifically:
  • a first determining unit configured to determine a number of layers of the random tree, a number of divided shares, the user key, the to-be-encrypted data, and a minimum value and a maximum value of the to-be-divided interval; Describe the number of copies divided into equal intervals; wherein, the length of each layer of the random tree is the length of the range plus the length of the interval field;
  • a first generating unit configured to generate a seed of the random tree according to the user key and the US information exchange standard code of the current node
  • a first dividing unit configured to divide the each of the range of values into the number of divided segments, and generate a random number by using a seed of the random tree, where the random number is used to generate a spacing domain, where each interval domain is Dividing the number of copies and the selected child nodes, and making the total length of the divided interval fields equal to the length of the interval before the segmentation;
  • a second determining unit configured to determine a node location of the encrypted data, where a minimum value of the node location is a sum of three values, where the three values are respectively a minimum value of a random tree above the node location, a sum of value range values to the node position, a sum of interval field interval values to the node position;
  • a first determining unit configured to determine whether the node position is the selected child node, and if yes, The maximum value of the node position is the sum of three values, the three values are respectively the minimum value of the node position, the value range interval value of the node position, and the value of the interval
  • the maximum value of the node position is the sum of two values, the two values being the minimum of the node position and the value interval value of the node position.
  • a random number is selected in the range of the sub-node where the data to be encrypted is located to form the ciphertext of the data to be encrypted.
  • a device for decrypting data comprising:
  • An obtaining unit configured to acquire a user key and data to be decrypted
  • a decrypting unit configured to recover the path from the root node of the random tree to the leaf node corresponding to the data to be decrypted according to the user key and the data to be decrypted, and decrypt the data to be decrypted;
  • a conversion unit configured to convert the decrypted data into a plaintext string after removing the padding value.
  • a third determining unit configured to determine a height of the random tree, a number of divided shares, the user key, the to-be-decrypted data, a minimum value and a maximum value of the to-be-divided interval; The number of copies of the interval to be divided into equal intervals, wherein the length of each random tree is the length of the range plus the length of the interval;
  • a second dividing unit configured to divide the to-divided interval into equal intervals, and generate a random number by using a seed of the random tree, where the random number is used to generate each interval interval to be divided, The number of divided partitions of the interval domain and the selected child nodes, and the total length of the partitioned partitions, etc. The length of the interval before the segmentation;
  • a second determining unit configured to determine, according to a minimum value of a range of each child node, a location where the ciphertext is located
  • the third dividing unit is configured to generate a random number according to the seed of the random number, and divide, by the random number, the to-divided interval in which the number of nodes is located into two regional values, where the two regional values are the next random tree The total value of the field and the total interval field value of the next random tree;
  • a fourth determining unit configured to determine a node location of the decrypted data, where a minimum value of the node location is a sum of three values, where the three values are respectively a minimum value of a random tree of the layer at the node location, a sum of the value range values of the node locations, a sum of the interval field values to the node locations; a third determining unit, configured to determine whether the node locations are the selected child nodes, and if so, The maximum value of the node position is the sum of three values, the three values are respectively the minimum value of the node position, the value range interval value of the node position, and the value of the interval field at the node position ;
  • the embodiment of the present invention encrypts the data to be encrypted by generating a path from a root node of the random tree to a leaf node corresponding to the data to be encrypted according to the user key and the data to be encrypted. And recovering, according to the user key, the path from the root node of the random tree to the leaf node corresponding to the data to be decrypted, and decrypting the data to be decrypted.
  • FIG. 2 is a flowchart of a method for encrypting according to Embodiment 2 of the present invention
  • FIG. 3 is a flowchart of a method for encrypting and decrypting according to Embodiment 3 of the present invention
  • FIG. 4 is a schematic diagram of a method for encrypting and decrypting according to Embodiment 3 of the present invention.
  • FIG. 5 is a structural diagram of a device for a data encryption device according to Embodiment 4 of the present invention.
  • FIG. 6 is a structural diagram of a device of a data encryption device according to Embodiment 4 of the present invention.
  • FIG. 8 is a structural diagram of a device for decrypting a data provided by Embodiment 5 of the present invention.
  • FIG. 10 is a structural diagram of an apparatus for a data decryption apparatus according to Embodiment 7 of the present invention.
  • Embodiments of the invention are a structural diagram of an apparatus for a data decryption apparatus according to Embodiment 7 of the present invention.
  • FIG. 1 is a flowchart of a method for data encryption according to Embodiment 1 of the present invention. As shown in Figure 1, the method includes the following steps:
  • Step 101 Convert the data to be encrypted from a plaintext string to an American Standard Code for Information Interchange (ASCII) code, and convert the number of bits of the converted ASCII code into a multiple of a preset domain value, the preset domain value. Is the number of bits of the ASCII code that is encrypted each time;
  • ASCII American Standard Code for Information Interchange
  • a string of plain text strings input by the user is received, and the plaintext string is converted into a US standard code exchange standard code in advance.
  • the value of the definition field is the number of bits of the US Standard Code for Information Interchange per encryption, for example, pre-defining a 12-bit US exchange standard code each time, the converted US information exchange standard The number of bits in the code is rounded to a multiple of 12.
  • the ASCII code of A is 65, which is 065, and the support is random.
  • the number of the domain is 12, and the height of the random number is 6 layers, that is, each layer encrypts 2 digits of ASCII code, and each time a total of 12 bits are encrypted.
  • the data to be encrypted converted into ASCII code is taken 22 bits at a time, and a 22 identifier is added after the 22-bit ASCII code to make 24 bits, that is, the random tree encryption algorithm is executed twice each time, and the 24-bit ASCII code is encrypted.
  • add 00 after the 10-digit ASCII code add 10 random numbers, and add 10 to identify the number of bits of the ASCII code of the data to be encrypted, and make it into 24 bits for encryption.
  • Step 102 Determine a height of the random tree according to the preset domain value, and generate a path from a root node of the random tree to a leaf node corresponding to the data to be encrypted according to the user key and the data to be encrypted, and A random number is selected in the range of the interval to which the leaf node belongs, and the ciphertext of the data to be encrypted is formed.
  • the height of the random number is 6, that is, according to the preset domain. The value determines the height of the random number.
  • the path from the root node of the random number to the leaf node corresponding to the data to be encrypted is generated according to the user key and the data to be encrypted:
  • the number of divisions is divided into equal intervals to be divided Number of copies; wherein, the length of each layer of the random tree is the length of the range plus the length of the interval field;
  • determining a height level of the random tree dividing the number of copies num, the user key key, the data to be encrypted X, a minimum value min and a maximum value max of the interval to be divided, the num is The number of copies of the interval to be divided into equal intervals, vf is the value range of the interval to be divided, and gf is the interval domain of the interval to be divided.
  • each of the range of values is equally divided into the number of divided parts, and a random number is generated by a seed of the random tree, where the random number is used to generate a spacing field, and the number of divided parts and the selected sub-range of each interval field Node, at the same time, the length of the total interval domain after the division is equal to the length of the interval domain before the division;
  • a minimum value of the node position is a sum of three values, wherein the three values are respectively a minimum value of a random tree above the node position, and a value to the node position
  • d n vf n- i/num
  • dd n gf n-1
  • vf n-1 ( max n-1 - min n-1 ) *r n small
  • gf n-1 ( max n-1 - min N-1 ) * ( lr n-1 )
  • r n-1 is a random number generated based on the value of ran-root at the n-1th layer.
  • the maximum value of the node location is a sum of three values, wherein the three values are respectively a minimum value of the node location, and the node location a value range value, the value of the interval field at the node location;
  • the maximum value of the node position is the sum of two values, the two values being the minimum of the node position and the value interval value of the node position.
  • the encryption algorithm refers to algorithm 1.
  • the ciphertext of the to-be-encrypted data is included in the range of the range to which the leaf node belongs, and the ciphertext of the data to be encrypted includes:
  • Input minimum interval to be divided min, maximum max, number of random tree levels, number of divisions num, key key, force secret data x
  • ; dd
  • ran_root key+ the value of the current node
  • the core part of the invention constructs a random data structure - a random tree.
  • the random tree is a multi-forked tree whose height is determined by the domain. Each node in the tree corresponds to a point in the domain and occupies a sub-interval in the value field.
  • the sub-node interval is a kind of parent node interval. Randomly divided.
  • the present invention is a cryptographic algorithm, ciphertext has order preservation, supports relational operations, and has IND-DNCPA security.
  • the embodiment of the present invention generates the path to be encrypted from the root node of the random tree to the leaf node corresponding to the data to be encrypted according to the user key and the data to be encrypted, and recovers the data to be encrypted according to the user key.
  • the path from the root node of the random tree to the leaf node corresponding to the data to be encrypted is used to decrypt the data to be encrypted.
  • FIG. 2 is a flowchart of a method for data decryption according to Embodiment 2 of the present invention. As shown in Figure 2, the method includes the following steps:
  • Step 201 Obtain a user key and data to be decrypted
  • Step 202 Recover the path from the root node of the random tree to the leaf node corresponding to the data to be encrypted according to the user key and the data to be decrypted, and decrypt the data to be decrypted;
  • Recovering the path from the root node of the random tree to the leaf node corresponding to the data to be decrypted according to the user key is specifically:
  • the number of divisions is an interval that divides the sections to be divided equally The number of copies, where the length of each layer of the random tree is the length of the range plus the length of the interval field;
  • determining a height level of the random tree, a number of divisions num, the user key key, a ciphertext of the data to be encrypted, a minimum value min and a maximum value max of the interval to be divided, the num is The number of copies of the interval to be divided is equally divided, vf is a value range of the interval to be divided, and gf is a interval domain of the interval to be divided.
  • the random tree seed ran_root key.
  • the selected child node at the same time, the length of the total interval domain after the division is equal to the length of the interval domain before the segmentation;
  • the interval domain gf splitting number m and randomly selecting m child nodes from num child nodes, f an dom(k ey + Xi ) ⁇ i satisfies random (key 1 according to a minimum value of a range of each child node, determining a location at which the ciphertext is located; a position equal to the ciphertext value minus a minimum value of the child node and then subtracting a space
  • a minimum value of the node position is a sum of three values, wherein the three values are respectively a minimum value of a random tree above the node position, and a value to the node position
  • the maximum value of the node location is a sum of three values, wherein the three values are respectively a minimum value of the node location, and the node location a value range value, the value of the interval field at the node location;
  • the maximum value of the node position is the sum of two values, the two values being the minimum of the node position and the value interval value of the node position.
  • Input minimum interval to be divided min, maximum max, number of random tree levels level, number of divisions num, key key, data to be decrypted val
  • ran_root key
  • ran_root key+ the value of the current node
  • Step 203 Convert the decrypted data into a plaintext string after removing the padding value.
  • the ASCII code converted by the plaintext string is obtained, and then converted into a plaintext string by the ASCII code.
  • the embodiment of the present invention generates the path to be encrypted from the root node of the random tree to the leaf node corresponding to the data to be encrypted according to the user key and the data to be encrypted, and recovers the data to be encrypted according to the user key.
  • the path from the root node of the random tree to the leaf node corresponding to the data to be encrypted is used to decrypt the data to be encrypted.
  • FIG. 3 is a schematic diagram of a method for data encryption and data decryption according to Embodiment 3 of the present invention. As shown in Figure 3,
  • Step 301 Convert the plaintext string into the American Standard Code for Information Interchange (ASCII) code, and round the number of bits of the converted ASCII code to a multiple of 12, where 12 is the number of bits of the ASCII code that is encrypted each time; When encrypted to 12-bit ASCII, the total length of the zeroth-order random tree can be 10 15 .
  • Step 302 Determine, according to 12, that the height of the random tree is 6, and generate a path from the root node of the random tree to the leaf node corresponding to the data to be encrypted according to the user key and the data to be encrypted, and belong to the leaf node to which the leaf node belongs.
  • the zeroth layer of data to be encrypted is 01 and will be placed in the first range of the range 01, as shown in Figure 4.
  • the value range of 01 is vf. /100.
  • the value range of the first layer vf ⁇ the interval field gfi, where the 01 interval value is equal to the maximum value of the 01 interval minus the minimum value of the 01 interval, vfi + gfi 01 interval value.
  • Divide ⁇ equal intervals into 100 parts, and divide the number of partitions of the first layer and the selected child nodes according to the first layer random number.
  • the first layer of data to be encrypted is 23 and will be placed in the 23rd range of the partition.
  • the range of 23 is vfi/100o
  • the value range vf 2 and the interval field gf 2 of the second layer, wherein the interval value of 23 is equal to the maximum value of the 23 interval minus the minimum value of the 23 interval, vf 2 + gf 2 23 interval value.
  • the vf 2 is equally divided into 100 parts, and the number of partitions of the second layer and the selected child nodes are divided according to the second layer random number.
  • the second layer of data to be encrypted is 45 and will be placed in the 45th range of the division.
  • the value range vf 3 and the interval field gf 3 of the third layer, where the 45 interval value is equal to the maximum value of the 45 interval minus the most of the 45 interval Small value, vf 3 + gf 3 45 interval value.
  • the vf 3 is equally divided into 100 parts, and the number of partitions of the third layer and the selected child nodes are divided according to the third layer random number.
  • the third layer of data to be encrypted is 67, which will be placed in the 67th range of the division.
  • the value range vf 4 and the interval field gf 4 of the fourth layer, wherein the 67 interval value is equal to the maximum value of the 67 interval minus the minimum value of the 67 interval, vf 4 + gf 4 67 interval value.
  • the vf 4 is equally divided into 100 parts, and the number of partitions of the fourth layer and the selected child nodes are divided according to the fourth layer random number.
  • the fourth layer of data to be encrypted is 89, which will be placed in the 89th range of the partition.
  • the value range vf 5 and the interval field gf 5 of the fifth layer, wherein the 89 interval value is equal to the maximum value of the 89 interval minus the minimum value of the 89 interval, vf 5 + gf 5 89 interval value.
  • the vf 5 is equally divided into 100 parts, and the number of divisions of the fifth layer and the selected child nodes are divided according to the fifth layer random number.
  • the data to be encrypted on the fifth layer is 01, which will be placed in the 01th range of the division.
  • Step 303 Restore the random tree according to the user key and the ciphertext of the data to be encrypted. Deleting the ciphertext of the data to be encrypted by the root node to the path of the leaf node corresponding to the data to be encrypted;
  • the value of ciphertext of 202 is located in the 01 interval of the zeroth layer, that is, the OIASCII code is obtained; the first layer of the random tree is generated according to the ASCII code of 01 and the user key, and it is determined which of the random trees of the first layer is the value of the ciphertext.
  • the interval is located in the 23 interval of the first layer, that is, 23 ASCII code is obtained; according to the ASCII code of 23 and the user key, a random tree of the second layer is generated, and the value of the ciphertext is continuously determined to be located in the random tree of the second layer.
  • Step 304 After the decrypted data to be encrypted is subjected to the erasure value.
  • the last encrypted and decrypted data only needs to eliminate the padding value, because the previous encrypted decrypted data format is valid 22 bits +22 constitutes a 24-bit string.
  • the embodiment of the present invention generates the path to be encrypted from the root node of the random tree to the leaf node corresponding to the data to be encrypted according to the user key and the data to be encrypted, and recovers the data to be encrypted according to the user key.
  • the path from the root node of the random tree to the leaf node corresponding to the data to be encrypted is used to decrypt the data to be encrypted.
  • FIG. 5 is a structural diagram of a device for data encryption according to Embodiment 4 of the present invention. As shown in FIG. 5, the device includes the following units:
  • the first converting unit 501 is configured to convert the data to be encrypted from the plaintext string into the American Standard Code for Information Interchange (ASCII) code, and convert the number of bits of the converted ASCII code to a value of a preset domain value.
  • the predetermined domain value is the number of bits of the ASCII code that is encrypted each time;
  • the encryption unit 502 is configured to determine the height of the random tree according to the preset domain value, and according to the user key and
  • the data to be encrypted is generated from a root node of the random tree to a leaf node corresponding to the data to be encrypted, and a random number is selected within the range of the leaf node to form a ciphertext of the data to be encrypted.
  • the encryption unit 502 includes:
  • a first determining unit 601 configured to determine a number of layers of the random tree, a number of divided shares, the user key, the to-be-encrypted data, a minimum value and a maximum value of the interval to be divided; The number of copies to be divided into equal intervals; wherein, the length of each layer of the random tree is the length of the range plus the length of the interval field;
  • a first generating unit 602 configured to generate a seed of the random tree according to the user key and an American Information Exchange Standard Code of the current node;
  • the maximum value of the node position is the sum of two values, the two values being the minimum of the node position and the value interval value of the node position.
  • the embodiment of the present invention generates the path to be encrypted from the root node of the random tree to the leaf node corresponding to the data to be encrypted according to the user key and the data to be encrypted, and recovers the data to be encrypted according to the user key.
  • the path from the root node of the random tree to the leaf node corresponding to the data to be encrypted is used to decrypt the data to be encrypted.
  • FIG. 7 is a structural diagram of a device for decrypting data according to Embodiment 5 of the present invention. As shown in FIG. 7, the device includes the following units:
  • An obtaining unit 701 configured to acquire a user key and data to be decrypted
  • the decrypting unit 702 is configured to recover the path from the root node of the random tree to the leaf node corresponding to the data to be decrypted according to the user key and the data to be decrypted, and decrypt the data to be decrypted;
  • Unit 702 includes:
  • a second generating unit 802 configured to generate a seed of the random tree according to the user key and an American Information Exchange Standard Code of the current node;
  • a second dividing unit 803 configured to divide the interval to be divided into the number of divided segments, and generate a random number by using a seed of the random tree, where the random number is used to generate an interval interval field to be divided.
  • the number of divisions of the interval domain and the selected child node, and the length of the total interval domain after the division is equal to the length of the interval domain before the division;
  • the third determining unit 804 determines, according to the minimum value of the range of each child node, the location where the ciphertext is located; the location is equal to the ciphertext value minus the minimum value of the child node, and then subtracts the location The value obtained after the interval field value before the child node is divided by the interval of the value field division of the child node;
  • the calculating unit 805 is configured to calculate, according to the location where the ciphertext is located, a US standard information exchange standard code of the current node, and generate a seed of the random tree according to the user key and the US exchange standard code of the current node;
  • a fourth determining unit 807 configured to determine a node location of the decrypted data, where a minimum value of the node location is a sum of three values, where the three values are minimum values of a random tree above the node location The sum of the value range values of the node locations, the sum of the interval field values to the node locations; the third determining unit 808, configured to determine whether the node locations are the selected child nodes, and if The maximum value of the node position is the sum of three values, the three values being the most a small value, a value interval value of the node position, a value of the interval field at the node position; if not, a maximum value of the node position is a sum of two values, and the two values are respectively The minimum value of the node location, the value interval value of the node location.
  • the second converting unit 703 is configured to convert the decrypted data to be encrypted into a plaintext string after the padding value is removed.
  • the embodiment of the present invention generates the path to be encrypted from the root node of the random tree to the leaf node corresponding to the data to be encrypted according to the user key and the data to be encrypted, and recovers the data to be encrypted according to the user key.
  • the path from the root node of the random tree to the leaf node corresponding to the data to be encrypted is used to decrypt the data to be encrypted.
  • FIG. 9 is a structural diagram of a device for data encryption according to Embodiment 6 of the present invention.
  • FIG. 9 is a data encryption device 900 according to an embodiment of the present invention.
  • the specific implementation of the device does not limit the specific implementation of the device.
  • the device 900 includes:
  • the processor 901, the communication interface 902, and the memory 903 complete communication with each other via the bus 904.
  • the processor 901 is configured to execute a program.
  • the program ⁇ may include program code.
  • the processor 901 may be a central processing unit CPU, or an Application Specific Integrated Circuit (ASIC), or one or more integrated circuits configured to implement embodiments of the present invention.
  • CPU central processing unit
  • ASIC Application Specific Integrated Circuit
  • the memory 903 is used to store the program.
  • the memory 903 may include a high speed RAM memory and may also include a non-volatile memory such as at least one disk memory.
  • Program A may specifically include the following code for implementing the following functions:
  • ASCII American Standard Code for Information Interchange
  • the encrypted data is generated from a root node of the random tree to a leaf node corresponding to the to-be-encrypted data, and a random number is selected within a range to which the leaf node belongs to form a ciphertext of the data to be encrypted.
  • FIG. 10 is a structural diagram of a device for decrypting data according to Embodiment 7 of the present invention.
  • FIG. 10 is a device 1000 for decrypting data according to an embodiment of the present invention.
  • the specific embodiment of the present invention does not limit the specific implementation of the device.
  • the device 1000 includes:
  • the processor 1001, the communication interface 1002, and the memory 1003 complete communication with each other via the bus 1004.
  • a communication interface 1002 configured to communicate with a data encryption device
  • the processor 1001 is configured to execute program A.
  • program A can include program code.
  • the processor 1001 may be a central processing unit CPU, or an Application Specific Integrated Circuit (ASIC), or one or more integrated circuits configured to implement embodiments of the present invention.
  • CPU central processing unit
  • ASIC Application Specific Integrated Circuit
  • the memory 1003 is configured to store the program eight.
  • the memory 1003 may include a high speed RAM memory and may also include a non-volatile memory such as at least one disk memory.
  • Program A may specifically include the following code for implementing the following functions:

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

Disclosed are a method and device for data encryption and decryption. The method generates a path from a root node of a random tree to a leaf node corresponding to data to be encrypted according to a user key and the data to be encrypted, encrypts the data to be encrypted, restores the path from the root node of the random tree to the leaf node corresponding to the data to be encrypted according to the user key, and decrypts the data to be encrypted. The advantages of isotonicity, security, less calculation and storage load burden, small influence of a data domain variation on a calculation load and the like can be realized.

Description

一种数据加密、 解密的方法及设备  Method and device for data encryption and decryption
技术领域 Technical field
本发明属于软件算法领域, 尤其涉及一种数据加密、 解密的方法及设备。 背景技术 云计算作为一种新型的网络计算模式, 以一种相比传统 IT更经济的方式向 用户提供按需的 IT服务(计算、 存储和应用等) 。 由于云计算的发展理念符合 当前低碳经济与绿色计算的总体趋势, 它得到了世界各国政府和企业的大力倡 导与推动, 正带来计算领域、 商业领域的巨大变革。 但在已经实现的云计算服 务中, 隐私安全问题一直令人担忧, 并已经成为阻碍云计算发展和推广的主要 因素之一。 用户的隐私数据包括可用来识别或定位个人信息 (例如电话号码、 地址和信用卡号等) , 敏感的信息 (例如个人的健康状况、 财务信息、 公司的 重要文件等) 。 云计算的隐私安全问题源于云计算的数据外包和服务租赁的特 点。 用户数据存储到云环境中, 人们失去对数据的直接控制力, 可能会导致个 人隐私数据的泄漏和滥用。  The invention belongs to the field of software algorithms, and in particular relates to a method and a device for data encryption and decryption. BACKGROUND OF THE INVENTION Cloud computing, as a new type of network computing model, provides users with on-demand IT services (computing, storage, applications, etc.) in a more economical manner than traditional IT. Since the development concept of cloud computing is in line with the current trend of low-carbon economy and green computing, it has been strongly promoted and promoted by governments and enterprises around the world, and is bringing about tremendous changes in the computing and business fields. However, in the already implemented cloud computing services, privacy security issues have been a concern and have become one of the main factors hindering the development and promotion of cloud computing. The user's privacy data includes sensitive information (such as personal health status, financial information, company important documents, etc.) that can be used to identify or locate personal information (such as phone numbers, addresses, and credit card numbers). The privacy security issue of cloud computing stems from the characteristics of cloud computing data outsourcing and service leasing. When user data is stored in the cloud environment, people lose direct control over the data, which may lead to the leakage and abuse of personal privacy data.
加密是一种常用的保护用户机密数据的方法, 支持关系运算的加密技术是 一种加密方法, 它通过加密保证数据安全, 同时加密后的数据能支持关系运算, 从而可直接对密文进行范围检索, 排序等操作。  Encryption is a commonly used method to protect user confidential data. Encryption technology that supports relational operations is an encryption method. It guarantees data security through encryption. At the same time, encrypted data can support relational operations, so that the ciphertext can be directly scoped. Retrieve, sort, etc.
Agrawal 等人基于桶划分和分布概率映射的思想提出了一个保序对称加密 算法 OPES , 支持对加密数值数据的各种关系运算; Boldyreva等人提出一个基 于折半查找和超几何概率分布的保序对称加密算法 OPSE,支持对加密数据的各 种关系运算, 以上两种保序的加密方法的优点是保序性, 即密文反映了明文的 大小关系, 从而方便服务提供者对密文数据建立索引, 加快查找速度, 并易于 实现各种关系运算。  Agrawal et al. proposed a preserved symmetric encryption algorithm OPES based on the idea of bucket partitioning and distributed probability mapping, which supports various relational operations on encrypted numerical data. Boldyreva et al. proposed a preservation symmetry based on the binary search and hypergeometric probability distribution. The encryption algorithm OPSE supports various relational operations on encrypted data. The advantage of the above two types of preserving encryption methods is order preservation, that is, the ciphertext reflects the size relationship of the plaintext, thereby facilitating the service provider to index the ciphertext data. , speed up the search, and easy to implement a variety of relational operations.
Agrawal等人方案的不足是当定义域较大时桶划分的计算负载较大,而且面 对已知明文的攻击时, 当输入分布的桶与对应的输出分布的桶中点的个数足够 多时, 可以通过解方程的方式破解。 Boldyreva等人的方法由于在计算超几何概 率时需要进行多次组合运算, 其计算负载较大。 综上, 保序的加密算法的缺点 是它们都不能同时满足高效性和安全性的要求。 技术问题 本发明实施例的目的在于提供一种数据加密解密的方法, 可以实现保序性、 安全性、 计算和存储负载负担少、 数据域变化对计算负载影响小等优点。 技术解决方案 第一方面, 一种数据加密的方法, 所述方法包括: The disadvantage of Agrawal et al. is that the computational load of bucket partitioning is large when the domain is large, and when the attack of the known plaintext is faced, when the number of buckets in the bucket of the input distribution and the corresponding output distribution is sufficient. , can be solved by solving the equation. The method of Boldyreva et al. requires a large number of combination operations when calculating the hypergeometric probability, and its computational load is large. In summary, the shortcomings of the order-preserving encryption algorithm It is not that they can meet the requirements of efficiency and security at the same time. Technical Problem An object of the embodiments of the present invention is to provide a method for data encryption and decryption, which can achieve the advantages of order-preserving, security, less load on calculation and storage, and less influence of data domain changes on computation load. A first aspect of the technical solution, a data encryption method, the method comprising:
将待加密数据由明文字符串转换成美国信息交换标准代码 ASCII码, 并将 转换后的 ASCII码的位数凑成预先设置的定义域值的倍数, 所述预先设置的定 义域值是每次加密的所述 ASCII码的位数;  Converting the data to be encrypted from the plaintext string to the American Standard Code for Information Interchange (ASCII) code, and converting the number of bits of the converted ASCII code to a multiple of a preset domain value, the preset domain value being each time The number of bits of the encrypted ASCII code;
根据所述预先设置的定义域值确定随机树的高度, 同时根据用户密钥和待 加密数据生成从随机树的根节点到所述待加密数据对应的叶子节点的路径, 并 在所述叶子节点所属的区间范围内选择一个随机数, 形成所述待加密数据的密 文。  Determining a height of the random tree according to the preset domain value, and generating a path from the root node of the random tree to the leaf node corresponding to the data to be encrypted according to the user key and the data to be encrypted, and at the leaf node A random number is selected within the range of the associated interval to form the ciphertext of the data to be encrypted.
结合第一方面, 在第一方面的第一种可能的实现方式中, 所述根据用户密 钥和待加密数据生成从随机数的根节点到所述待加密数据对应的叶子节点的路 径具体为:  With reference to the first aspect, in a first possible implementation manner of the first aspect, the generating, by the user key and the data to be encrypted, the path from the root node of the random number to the leaf node corresponding to the data to be encrypted is specifically :
确定所述随机树的层数、 分割份数、 所述用户密钥、 所述待加密数据、 待 划分区间的最小值和最大值; 所述分割份数是将所述待划分等间隔划分的份数; 其中, 每层随机树的长度是值域的长度加上间隔域的长度;  Determining the number of layers of the random tree, the number of divided copies, the user key, the data to be encrypted, and the minimum and maximum values of the interval to be divided; the number of divided segments is divided into equal intervals to be divided Number of copies; wherein, the length of each layer of the random tree is the length of the range plus the length of the interval field;
根据所述用户密钥和当前节点的美国信息交换标准代码生成随机树的种 子;  Generating a seed of the random tree according to the user key and the US standard information exchange standard code of the current node;
将所述每段值域等间隔划分成所述分割份数, 通过所述随机树的种子产生 随机数, 所述随机数用于产生间隔域, 每段间隔域的分割份数和选择的子节点, 同时使得分割后的总的间隔域长度等于分割前的间隔域长度;  And each of the range of values is equally divided into the number of divided parts, and a random number is generated by a seed of the random tree, where the random number is used to generate a spacing field, and the number of divided parts and the selected sub-range of each interval field Node, at the same time, the length of the total interval domain after the division is equal to the length of the interval domain before the division;
确定所述加密数据的节点位置, 所述节点位置的最小值是三个值之和, 所 述三个值分别是所述节点位置上一层随机树的最小值, 到所述节点位置的值域 间隔值的总和, 到所述节点位置的间隔域间隔值的总和;  Determining a node position of the encrypted data, where a minimum value of the node position is a sum of three values, wherein the three values are respectively a minimum value of a random tree above the node position, and a value to the node position The sum of the domain interval values, the sum of the interval domain values to the node locations;
判断所述节点位置是否是所述选择的子节点, 若是, 则所述节点位置的最 大值是三个值之和, 所述三个值分别是所述节点位置的最小值, 所述节点位置 的值域间隔值, 所述间隔域在所述节点位置的值; Determining whether the node location is the selected child node, and if so, the node location is the most The large value is the sum of three values, the three values being the minimum value of the node position, the value interval value of the node position, and the value of the interval field at the node position;
若否, 则所述节点位置的最大值是两个值之和, 所述两个值分别是所述节 点位置的最小值, 所述节点位置的值域间隔值。  If not, the maximum value of the node position is the sum of two values, the two values being the minimum of the node position and the value interval value of the node position.
结合第一方面, 在第一方面的第二种可能的实现方式中, 所述并在所述叶 子节点所属的区间范围内选择一个随机数, 形成所述待加密数据的密文包括: 当所述待加密数据位于随机数的最后一层时, 在所述待加密数据所在的子 节点的区间范围内, 选择一个随机数, 形成所述待加密数据的密文。  With reference to the first aspect, in a second possible implementation manner of the first aspect, the selecting, in the range of the interval to which the leaf node belongs, selecting a random number, the ciphertext forming the data to be encrypted includes: When the encrypted data is located at the last layer of the random number, a random number is selected within the interval of the child node where the data to be encrypted is located to form the ciphertext of the data to be encrypted.
第二方面, 一种数据解密的方法, 所述方法包括:  In a second aspect, a method for data decryption, the method comprising:
获取用户密钥和待解密数据;  Obtaining a user key and data to be decrypted;
根据所述用户密钥和所述待解密数据恢复所述从随机树的根节点到所述待 加密数据对应的叶子节点的路径, 将所述待解密数据进行解密;  And recovering, according to the user key and the data to be decrypted, the path from the root node of the random tree to the leaf node corresponding to the data to be encrypted, and decrypting the data to be decrypted;
将解密后的数据经过消除填充值后转换为明文字符串。  The decrypted data is converted to a plain text string after the padding value is removed.
结合第二方面, 在第二方面的第一种可能的实现方式中, 所述根据所述用 户密钥和所述待解密数据恢复所述从随机树的根节点到所述待解密数据对应的 叶子节点的路径具体为:  With reference to the second aspect, in a first possible implementation manner of the second aspect, the recovering, according to the user key and the data to be decrypted, the corresponding root node of the random tree to the data to be decrypted The path of the leaf node is specifically:
确定所述随机树的高度、 分割份数、 所述用户密钥、 所述待解密数据、 待 划分区间的最小值和最大值; 所述分割份数是将所述待划分区间等间隔划分的 份数, 其中, 每层随机树的长度是值域的长度加上间隔域的长度;  Determining a height of the random tree, a number of divisions, the user key, the data to be decrypted, and a minimum value and a maximum value of the interval to be divided; the number of divisions is an interval that divides the sections to be divided equally The number of copies, where the length of each layer of the random tree is the length of the range plus the length of the interval field;
根据所述用户密钥和当前节点的美国信息交换标准代码生成随机树的种 子;  Generating a seed of the random tree according to the user key and the US standard information exchange standard code of the current node;
将所述待划分区间等间隔划分成所述分割份数, 通过所述随机树的种子产 生随机数, 所述随机数用于产生每段待划分区间间隔域, 所述间隔域的分割份 数和选择的子节点, 同时使得分割后的总的间隔域长度等于分割前的间隔域长 度;  Dividing the interval to be divided into the number of divided segments, and generating a random number by using a seed of the random tree, where the random number is used to generate a segment interval field to be divided, and the number of segments in the interval domain And the selected child node, at the same time, the length of the total interval domain after the division is equal to the length of the interval domain before the segmentation;
根据每个子节点的范围的最小值, 判断所述密文所处的位置; 根据所述密 文所处的位置, 计算出当前节点的美国信息交换标准代码, 根据所述用户密钥 和当前节点的美国信息交换标准代码生成随机树的种子;  Determining, according to the minimum value of the range of each child node, a location where the ciphertext is located; calculating, according to the location of the ciphertext, an American Standard Code for Information Interchange of the current node, according to the user key and the current node The US Information Exchange Standard Code generates a seed of a random tree;
根据所述随机数的种子产生随机数, 通过所述随机数将所述节点数所处待 划分区间分成两个区域值, 所述两个区域值是下一层随机树的总的值域值和下 一次随机树的总的间隔域值; Generating a random number according to the seed of the random number, and dividing, by the random number, a section to be divided into the number of nodes to be divided into two area values, where the two area values are total value ranges of the next layer of random trees And under The total interval field value of a random tree;
确定所述待解密数据的节点位置, 所述节点位置的最小值是三个值之和, 所述三个值分别是所述节点位置上一层随机树的最小值, 到所述节点位置的值 域间隔值的总和, 到所述节点位置的间隔域间隔值的总和;  Determining a node position of the data to be decrypted, wherein a minimum value of the node position is a sum of three values, wherein the three values are respectively a minimum value of a random tree of the node position, and the node position is The sum of the range interval values, the sum of the interval interval values to the node locations;
判断所述节点位置是否是所述选择的子节点, 若是, 则所述节点位置的最 大值是三个值之和, 所述三个值分别是所述节点位置的最小值, 所述节点位置 的值域间隔值, 所述间隔域在所述节点位置的值;  Determining whether the node location is the selected child node, and if so, the maximum value of the node location is a sum of three values, wherein the three values are respectively a minimum value of the node location, and the node location a value range value, the value of the interval field at the node location;
若否, 则所述节点位置的最大值是两个值之和, 所述两个值分别是所述节 点位置的最小值, 所述节点位置的值域间隔值。  If not, the maximum value of the node position is the sum of two values, the two values being the minimum of the node position and the value interval value of the node position.
第三方面, 一种数据加密的设备, 所述设备包括:  A third aspect, a data encryption device, where the device includes:
第一转换单元, 用于将待加密数据由明文字符串转换成美国信息交换标准 代码 ASCII码,并将转换后的 ASCII码的位数凑成预先设置的定义域值的倍数, 所述预先设置的定义域值是每次加密的所述 ASCII码的位数;  a first converting unit, configured to convert the data to be encrypted from the plaintext string into the American Standard Code for Information Interchange (ASCII) code, and convert the number of bits of the converted ASCII code into a multiple of a preset domain value, the preset The domain value is the number of bits of the ASCII code that is encrypted each time;
加密单元, 用于根据所述预先设置的定义域值确定随机树的高度, 同时根 据用户密钥和待加密数据生成从随机树的根节点到所述待加密数据对应的叶子 节点的路径, 并在所述叶子节点所属的值域范围内选择一个随机数, 形成所述 待加密数据的密文。  An encryption unit, configured to determine a height of the random tree according to the preset domain value, and generate a path from a root node of the random tree to a leaf node corresponding to the data to be encrypted according to the user key and the data to be encrypted, and Selecting a random number within a range of values to which the leaf node belongs, forming a ciphertext of the data to be encrypted.
结合第三方面, 在第三方面的第一种可能的实现方式中, 所述加密单元中 执行步骤所述根据用户密钥和待加密数据生成从随机数的根节点到所述待加密 数据对应的叶子节点的路径具体为:  With reference to the third aspect, in a first possible implementation manner of the third aspect, the step of performing, in the cryptographic unit, generating, according to the user key and the data to be encrypted, generating a root node from the random number to the data to be encrypted The path of the leaf node is specifically:
第一确定单元, 用于确定所述随机树的层数、 分割份数、 所述用户密钥、 所述待加密数据、 待划分区间的最小值和最大值; 所述分割份数是将所述待划 分等间隔划分的份数; 其中, 每层随机树的长度是值域的长度加上间隔域的长 度;  a first determining unit, configured to determine a number of layers of the random tree, a number of divided shares, the user key, the to-be-encrypted data, and a minimum value and a maximum value of the to-be-divided interval; Describe the number of copies divided into equal intervals; wherein, the length of each layer of the random tree is the length of the range plus the length of the interval field;
第一生成单元, 用于根据所述用户密钥和当前节点的美国信息交换标准代 码生成随机树的种子;  a first generating unit, configured to generate a seed of the random tree according to the user key and the US information exchange standard code of the current node;
第一划分单元, 用于将所述每段值域等间隔划分成所述分割份数, 通过所 述随机树的种子产生随机数, 所述随机数用于产生间隔域, 每段间隔域的分割 份数和选择的子节点, 同时使得分割后的总的间隔域长度等于分割前的间隔域 长度; 第二确定单元, 用于确定所述加密数据的节点位置, 所述节点位置的最小 值是三个值之和, 所述三个值分别是所述节点位置上一层随机树的最小值, 到 所述节点位置的值域间隔值的总和, 到所述节点位置的间隔域间隔值的总和; 第一判断单元, 用于判断所述节点位置是否是所述选择的子节点, 若是, 则所述节点位置的最大值是三个值之和, 所述三个值分别是所述节点位置的最 小值, 所述节点位置的值域间隔值, 所述间隔域在所述节点位置的值; a first dividing unit, configured to divide the each of the range of values into the number of divided segments, and generate a random number by using a seed of the random tree, where the random number is used to generate a spacing domain, where each interval domain is Dividing the number of copies and the selected child nodes, and making the total length of the divided interval fields equal to the length of the interval before the segmentation; a second determining unit, configured to determine a node location of the encrypted data, where a minimum value of the node location is a sum of three values, where the three values are respectively a minimum value of a random tree above the node location, a sum of value range values to the node position, a sum of interval field interval values to the node position; a first determining unit, configured to determine whether the node position is the selected child node, and if yes, The maximum value of the node position is the sum of three values, the three values are respectively the minimum value of the node position, the value range interval value of the node position, and the value of the interval field at the node position ;
若否, 则所述节点位置的最大值是两个值之和, 所述两个值分别是所述节 点位置的最小值, 所述节点位置的值域间隔值。  If not, the maximum value of the node position is the sum of two values, the two values being the minimum of the node position and the value interval value of the node position.
结合第三方面, 在第三方面的第二种可能的实现方式中, 所述加密单元中 执行步骤并在所述叶子节点所属的值域范围内选择一个随机数, 形成所述待加 密数据的密文中的密文包括:  With reference to the third aspect, in a second possible implementation manner of the third aspect, the performing step is performed by the cryptographic unit, and a random number is selected in a range of values to which the leaf node belongs to form the data to be encrypted. The ciphertext in the ciphertext includes:
当所述待加密数据位于随机数的最后一层时, 在所述待加密数据所在的子 节点的区间范围内, 选择一个随机数, 形成所述待加密数据的密文。  When the data to be encrypted is located in the last layer of the random number, a random number is selected in the range of the sub-node where the data to be encrypted is located to form the ciphertext of the data to be encrypted.
第四方面, 一种数据解密的设备, 所述设备包括:  A device for decrypting data, the device comprising:
获取单元, 用于获取用户密钥和待解密数据;  An obtaining unit, configured to acquire a user key and data to be decrypted;
解密单元, 用于根据所述用户密钥和所述待解密数据恢复所述从随机树的 根节点到所述待解密数据对应的叶子节点的路径, 将所述待解密数据进行解密; 第二转换单元, 用于将解密后的数据经过消除填充值后转换为明文字符串。 结合第四方面, 在第四方面的第一种可能的实现方式中, 所述解密单元中 执行步骤根据所述用户密钥恢复所述从随机树的根节点到所述待解密数据对应 的叶子节点的路径具体为:  a decrypting unit, configured to recover the path from the root node of the random tree to the leaf node corresponding to the data to be decrypted according to the user key and the data to be decrypted, and decrypt the data to be decrypted; a conversion unit, configured to convert the decrypted data into a plaintext string after removing the padding value. With reference to the fourth aspect, in a first possible implementation manner of the fourth aspect, the performing step in the decrypting unit recovers the leaf corresponding to the to-be-decrypted data from the root node of the random tree according to the user key The path of the node is specifically:
第三确定单元, 用于确定所述随机树的高度、 分割份数、 所述用户密钥、 所述待解密数据、 待划分区间的最小值和最大值; 所述分割份数是将所述待划 分区间等间隔划分的份数, 其中, 每层随机树的长度是值域的长度加上间隔域 的长度;  a third determining unit, configured to determine a height of the random tree, a number of divided shares, the user key, the to-be-decrypted data, a minimum value and a maximum value of the to-be-divided interval; The number of copies of the interval to be divided into equal intervals, wherein the length of each random tree is the length of the range plus the length of the interval;
第二生成单元, 用于根据所述用户密钥和当前节点的美国信息交换标准代 码生成随机树的种子;  a second generating unit, configured to generate a seed of the random tree according to the user key and the US information exchange standard code of the current node;
第二划分单元, 用于将所述待划分区间等间隔划分成所述分割份数, 通过 所述随机树的种子产生随机数, 所述随机数用于产生每段待划分区间间隔域, 所述间隔域的分割份数和选择的子节点, 同时使得分割后的总的间隔域长度等 于分割前的间隔域长度; a second dividing unit, configured to divide the to-divided interval into equal intervals, and generate a random number by using a seed of the random tree, where the random number is used to generate each interval interval to be divided, The number of divided partitions of the interval domain and the selected child nodes, and the total length of the partitioned partitions, etc. The length of the interval before the segmentation;
第二判断单元, 用于根据每个子节点的范围的最小值, 判断所述密文所处 的位置;  a second determining unit, configured to determine, according to a minimum value of a range of each child node, a location where the ciphertext is located;
计算单元, 用于根据所述密文所处的位置, 计算出当前节点的美国信息交 换标准代码, 根据所述用户密钥和当前节点的美国信息交换标准代码生成随机 树的种子;  a calculating unit, configured to calculate, according to the location where the ciphertext is located, a US information exchange standard code of the current node, and generate a seed of the random tree according to the user key and the US standard information exchange standard code of the current node;
第三划分单元 用于根据所述随机数的种子产生随机数, 通过所述随机数将 所述节点数所处待划分区间分成两个区域值, 所述两个区域值是下一层随机树 的总的值域值和下一次随机树的总的间隔域值;  The third dividing unit is configured to generate a random number according to the seed of the random number, and divide, by the random number, the to-divided interval in which the number of nodes is located into two regional values, where the two regional values are the next random tree The total value of the field and the total interval field value of the next random tree;
第四确定单元, 用于确定所述解密数据的节点位置, 所述节点位置的最小 值是三个值之和, 所述三个值分别是所述节点位置上一层随机树的最小值, 到 所述节点位置的值域间隔值的总和, 到所述节点位置的间隔域间隔值的总和; 第三判断单元, 用于判断所述节点位置是否是所述选择的子节点, 若是, 则所述节点位置的最大值是三个值之和, 所述三个值分别是所述节点位置的最 小值, 所述节点位置的值域间隔值, 所述间隔域在所述节点位置的值;  a fourth determining unit, configured to determine a node location of the decrypted data, where a minimum value of the node location is a sum of three values, where the three values are respectively a minimum value of a random tree of the layer at the node location, a sum of the value range values of the node locations, a sum of the interval field values to the node locations; a third determining unit, configured to determine whether the node locations are the selected child nodes, and if so, The maximum value of the node position is the sum of three values, the three values are respectively the minimum value of the node position, the value range interval value of the node position, and the value of the interval field at the node position ;
若否, 则所述节点位置的最大值是两个值之和, 所述两个值分别是所述节 点位置的最小值, 所述节点位置的值域间隔值。 有益效果 与现有技术相比, 本发明实施例通过根据用户密钥和待加密数据生成从随 机树的根节点到所述待加密数据对应的叶子节点的路径, 将所述待加密数据进 行加密, 并根据所述用户密钥恢复所述从随机树的根节点到所述待解密数据对 应的叶子节点的路径, 将所述待解密数据进行解密。 可以实现保序性、 安全性、 计算和存储负载负担少、 数据域变化对计算负载影响小等优点。 附图说明 为了更清楚地说明本发明实施例中的技术方案, 下面将对实施例中所需要 使用的附图作筒单地介绍, 显而易见地, 下面描述中的附图仅仅是本发明的一 些实施例, 对于本领域普通技术人员来讲, 在不付出创造性劳动性的前提下, 还可以根据这些附图获得其他的附图。 图 1是本发明实施例一提供的一种加密的方法流程图; If not, the maximum value of the node position is the sum of two values, the two values being the minimum value of the node position and the value interval value of the node position. Advantageous Effects Compared with the prior art, the embodiment of the present invention encrypts the data to be encrypted by generating a path from a root node of the random tree to a leaf node corresponding to the data to be encrypted according to the user key and the data to be encrypted. And recovering, according to the user key, the path from the root node of the random tree to the leaf node corresponding to the data to be decrypted, and decrypting the data to be decrypted. The advantages of order-preserving, security, computational and storage load burden, and data domain changes have little impact on the computational load. BRIEF DESCRIPTION OF THE DRAWINGS In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings to be used in the embodiments will be briefly described below. Obviously, the drawings in the following description are only some of the present invention. For the embodiments, those skilled in the art can obtain other drawings according to the drawings without any creative labor. 1 is a flowchart of a method for encrypting according to Embodiment 1 of the present invention;
图 2是本发明实施例二提供的一种加密的方法流程图;  2 is a flowchart of a method for encrypting according to Embodiment 2 of the present invention;
图 3是本发明实施例三提供的一种加密解密的方法流程图;  3 is a flowchart of a method for encrypting and decrypting according to Embodiment 3 of the present invention;
图 4是本发明实施例三提供的一种加密解密的方法示意图;  4 is a schematic diagram of a method for encrypting and decrypting according to Embodiment 3 of the present invention;
图 5是本发明实施例四提供的一种数据加密设备的装置结构图;  FIG. 5 is a structural diagram of a device for a data encryption device according to Embodiment 4 of the present invention; FIG.
图 6是本发明实施例四提供的一种数据加密设备的装置结构图;  6 is a structural diagram of a device of a data encryption device according to Embodiment 4 of the present invention;
图 7是本发明实施例五提供的一种数据解密设备的装置结构图;  7 is a structural diagram of a device of a data decryption apparatus according to Embodiment 5 of the present invention;
图 8是本发明实施例五提供的一种数据解密设备的装置结构图;  FIG. 8 is a structural diagram of a device for decrypting a data provided by Embodiment 5 of the present invention; FIG.
图 9是本发明实施例六提供的一种数据加密设备的装置结构图;  9 is a structural diagram of an apparatus for a data encryption device according to Embodiment 6 of the present invention;
图 10是本发明实施例七提供的一种数据解密设备的装置结构图。 本发明的实施方式  FIG. 10 is a structural diagram of an apparatus for a data decryption apparatus according to Embodiment 7 of the present invention. Embodiments of the invention
为了使本发明的目的、 技术方案及优点更加清楚明白, 以下结合附图及实 施例, 对本发明进行进一步详细说明。 应当理解, 此处所描述的具体实施例仅 仅用以解释本发明, 并不用于限定本发明。  The present invention will be further described in detail below with reference to the accompanying drawings and embodiments. It is understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
以上所述仅为本发明的较佳实施例而已, 并不用以限制本发明, 凡在本发 明的精神和原则之内所作的任何修改、 等同替换和改进等, 均应包含在本发明 的保护范围之内。  The above is only the preferred embodiment of the present invention, and is not intended to limit the present invention. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present invention should be included in the protection of the present invention. Within the scope.
实施例一  Embodiment 1
参考图 1 , 图 1是本发明实施例一提供的一种数据加密的方法流程图。 如图 1所示, 该方法包括以下步骤:  Referring to FIG. 1, FIG. 1 is a flowchart of a method for data encryption according to Embodiment 1 of the present invention. As shown in Figure 1, the method includes the following steps:
步骤 101 ,将待加密数据由明文字符串转换成美国信息交换标准代码 ASCII 码, 并将转换后的 ASCII码的位数凑成预先设置的定义域值的倍数, 所述预先 设置的定义域值是每次加密的所述 ASCII码的位数;  Step 101: Convert the data to be encrypted from a plaintext string to an American Standard Code for Information Interchange (ASCII) code, and convert the number of bits of the converted ASCII code into a multiple of a preset domain value, the preset domain value. Is the number of bits of the ASCII code that is encrypted each time;
本步骤中, 接收用户输入的一串明文字符串, 预先将所述明文字符串转换 成美国信息交换标准代码。 预先设置定义域, 所述定义域的值是每次加密的所 述美国信息交换标准代码的位数, 例如, 预先定义每次加密 12位美国信息交换 标准代码, 将转换后的美国信息交换标准代码的位数凑成 12的倍数。 具体的,假设用户输入一串字符串为 ABCDEF .....,将每个字符转换成 ASCII 码, 并凑成 3位 ASCII码, 如 A的 ASCII码为 65, 凑成 065, 支设随机数的定 义域值为 12, 随机数高度为 6层, 即每层加密 2位 ASCII码, 每次则总共加密 12位。 将转换成 ASCII码的待加密数据每次取 22位, 并在 22位 ASCII码后面 添加一个 22的标识凑成 24位, 即每次运行 2次随机树加密算法, 加密 24位 ASCII码。 当最后只剩下十位 ASCII码, 则在 10位 ASCII码后面添加 00, 再添 加 10位随机数, 再添加 10, 标识待加密数据的 ASCII码的位数, 凑成 24位进 行加密。 当最后只剩下一位 ASCII码, 则在一位 ASCII码后面添加 00, 再添加 19位随机数, 再添加 01 , 标识待加密数据的 ASCII码的位数, 凑成 24位进行 加密。 依次类推。 In this step, a string of plain text strings input by the user is received, and the plaintext string is converted into a US standard code exchange standard code in advance. Defining a definition field, the value of the definition field is the number of bits of the US Standard Code for Information Interchange per encryption, for example, pre-defining a 12-bit US exchange standard code each time, the converted US information exchange standard The number of bits in the code is rounded to a multiple of 12. Specifically, suppose the user enters a string of characters as ABCDEF ....., converts each character into ASCII code, and makes a 3-digit ASCII code. For example, the ASCII code of A is 65, which is 065, and the support is random. The number of the domain is 12, and the height of the random number is 6 layers, that is, each layer encrypts 2 digits of ASCII code, and each time a total of 12 bits are encrypted. The data to be encrypted converted into ASCII code is taken 22 bits at a time, and a 22 identifier is added after the 22-bit ASCII code to make 24 bits, that is, the random tree encryption algorithm is executed twice each time, and the 24-bit ASCII code is encrypted. When there are only ten ASCII codes left, add 00 after the 10-digit ASCII code, add 10 random numbers, and add 10 to identify the number of bits of the ASCII code of the data to be encrypted, and make it into 24 bits for encryption. When there is only one ASCII code left, add 00 after an ASCII code, add a 19-bit random number, and add 01 to identify the number of bits of the ASCII code of the data to be encrypted, and make it into 24 bits for encryption. And so on.
步骤 102, 根据所述预先设置的定义域值确定随机树的高度, 同时根据用户 密钥和待加密数据生成从随机树的根节点到所述待加密数据对应的叶子节点的 路径, 并在所述叶子节点所属的区间范围内选择一个随机数, 形成所述待加密 数据的密文。  Step 102: Determine a height of the random tree according to the preset domain value, and generate a path from a root node of the random tree to a leaf node corresponding to the data to be encrypted according to the user key and the data to be encrypted, and A random number is selected in the range of the interval to which the leaf node belongs, and the ciphertext of the data to be encrypted is formed.
本步骤中, 若预先设置的定义域是 12位美国信息交换标准代码, 并预先设 置每次存放 2位美国信息交换标准代码, 则随机数的高度为 6, 即根据所述预先 设置的定义域值确定随机数的高度。  In this step, if the pre-set domain is a 12-bit US standard code exchange standard code, and the 2-digit US standard code exchange standard code is stored in advance, the height of the random number is 6, that is, according to the preset domain. The value determines the height of the random number.
本步骤中, 所述根据用户密钥和待加密数据生成从随机数的根节点到所述 待加密数据对应的叶子节点的路径具体为:  In this step, the path from the root node of the random number to the leaf node corresponding to the data to be encrypted is generated according to the user key and the data to be encrypted:
确定所述随机树的层数, 分割份数, 所述用户密钥, 所述待加密数据, 待 划分区间的最小值和最大值; 所述分割份数是将所述待划分等间隔划分的份数; 其中, 每层随机树的长度是值域的长度加上间隔域的长度;  Determining the number of layers of the random tree, the number of divisions, the user key, the data to be encrypted, and the minimum and maximum values of the interval to be divided; the number of divisions is divided into equal intervals to be divided Number of copies; wherein, the length of each layer of the random tree is the length of the range plus the length of the interval field;
具体的, 确定所述随机树的高度 level, 分割份数 num, 所述用户密钥 key, 所述待加密数据 X , 待划分区间的最小值 min和最大值 max, 所述 num是将所 述待划分区间等间隔划分的份数, vf是所述待划分区间的值域, gf是所述待划 分区间的间隔域。  Specifically, determining a height level of the random tree, dividing the number of copies num, the user key key, the data to be encrypted X, a minimum value min and a maximum value max of the interval to be divided, the num is The number of copies of the interval to be divided into equal intervals, vf is the value range of the interval to be divided, and gf is the interval domain of the interval to be divided.
根据所述用户密钥和当前节点的美国信息交换标准代码生成随机树的种 子;  Generating a seed of the random tree according to the user key and the US standard information exchange standard code of the current node;
具体的,当所述随机树位于第零层 level=n, n=0时,随机树种子 ran— root=key; 当 level=n, n=l , 2....1evel-2时, 所述 ran— root=key+ x« , 其中, n=0 时, ^ =0 , n=l 时, 第零层随机数加密的待加密数据; n=2 时, 第零层随机数和第一层随机数加密的待加密数据;n=level-2时, 第零 层随机数, 第一层随机数….第 level-2层加密的待加密数据。 Specifically, when the random tree is located at the zeroth layer level=n, n=0, the random tree seed ran_root=key; when level=n, n=l, 2....1evel-2, Ran—root=key+ x « , Where n=0, ^=0, n=l, the zeroth layer random number encrypted data to be encrypted; n=2, the zeroth layer random number and the first layer random number encrypted data to be encrypted; n =level-2, the zeroth layer random number, the first layer random number.... The level-2 layer encrypted data to be encrypted.
将所述每段值域等间隔划分成所述分割份数, 通过所述随机树的种子产生 随机数, 所述随机数用于产生间隔域, 每段间隔域的分割份数和选择的子节点, 同时使得分割后的总的间隔域长度等于分割前的间隔域长度;  And each of the range of values is equally divided into the number of divided parts, and a random number is generated by a seed of the random tree, where the random number is used to generate a spacing field, and the number of divided parts and the selected sub-range of each interval field Node, at the same time, the length of the total interval domain after the division is equal to the length of the interval domain before the division;
具体的, 根据所述 ran— root产生间隔域 gf , 间隔域 gf分裂份数 m和从 num 个子节点中随机选择 m个子节点, f andom(key + Xi )≤i 满足 Specifically, according to the ran-root generation interval domain gf, the interval domain gf splitting number m, and randomly selecting m child nodes from num child nodes, f an dom(k ey + Xi )≤i is satisfied
m + 1  m + 1
^ random (key + . ) > 1  ^ random (key + . ) > 1
i =l  i =l
确定所述加密数据的节点位置, 所述节点位置的最小值是三个值之和, 所 述三个值分别是所述节点位置上一层随机树的最小值, 到所述节点位置的值域 间隔值的总和, 到所述节点位置的间隔域间隔值的总和;  Determining a node position of the encrypted data, where a minimum value of the node position is a sum of three values, wherein the three values are respectively a minimum value of a random tree above the node position, and a value to the node position The sum of the domain interval values, the sum of the interval domain values to the node locations;
具体的, 判断 X的位置为 i , 满足 x>xi-l 且 x≤xi , minn = min n_x + (i _ 1) * + ddn * random(key + Xj )Specifically, it is determined that the position of X is i, satisfies x>xi-l and x≤xi, min n = min n _ x + (i _ 1) * + dd n * random(key + Xj )
Figure imgf000010_0001
Figure imgf000010_0001
dn= vfn-i/num, ddn= gfn-1 , vfn-1= ( maxn-1- minn-1 ) *rn小 gfn-1= ( maxn-1- minn-1 ) * ( l-rn-1 ), rn-1是根据 ran— root在第 n-1层的值产生的随机数。 d n = vf n- i/num, dd n = gf n-1 , vf n-1 = ( max n-1 - min n-1 ) *r n small gf n-1 = ( max n-1 - min N-1 ) * ( lr n-1 ), r n-1 is a random number generated based on the value of ran-root at the n-1th layer.
判断所述节点位置是否是所述选择的子节点, 若是, 则所述节点位置的最 大值是三个值之和, 所述三个值分别是所述节点位置的最小值, 所述节点位置 的值域间隔值, 所述间隔域在所述节点位置的值;  Determining whether the node location is the selected child node, and if so, the maximum value of the node location is a sum of three values, wherein the three values are respectively a minimum value of the node location, and the node location a value range value, the value of the interval field at the node location;
若否, 则所述节点位置的最大值是两个值之和, 所述两个值分别是所述节 点位置的最小值, 所述节点位置的值域间隔值。  If not, the maximum value of the node position is the sum of two values, the two values being the minimum of the node position and the value interval value of the node position.
具体的, 判断 i是否是所述 m个子节点中的任意一个, 若是, 则  Specifically, determining whether i is any one of the m child nodes, and if yes,
maxn=minn+ dn + ddn*random(key+Xi) , 否贝 'J , maxn=minn+ dnMax n =min n + d n + dd n *random(key+Xi) , no shell 'J , max n =min n + d n .
具体的, 加密算法参考算法 1。  Specifically, the encryption algorithm refers to algorithm 1.
可实现的, 所述并在所述叶子节点所属的区间范围内选择一个随机数, 形 成所述待加密数据的密文包括:  The ciphertext of the to-be-encrypted data is included in the range of the range to which the leaf node belongs, and the ciphertext of the data to be encrypted includes:
当所述待加密数据位于随机数的最后一层时, 在所述待加密数据所在的子 节点的区间范围内, 选择一个随机数, 形成所述待加密数据的密文。 具体的,当 level=n, n=level- l时,则所述待力口密数据 x的密文 ciphertext= min,When the data to be encrypted is located at the last layer of the random number, the child where the data to be encrypted is located Within the interval of the node, a random number is selected to form the ciphertext of the data to be encrypted. Specifically, when level=n, n=level-1, the ciphertext ciphertext of the to-be-tightened data x is ciphertext=min,
+ (maxn- minn)* randorr^key+^ + (max n - min n )* randorr^key+^
算法 1 加密算法 Enc() Algorithm 1 Encryption Algorithm Enc()
输入: 待划分区间最小值 min, 最大值 max, 随机树层数 level, 分割份数 num, 密钥 key, 力口密数据 x  Input: minimum interval to be divided min, maximum max, number of random tree levels, number of divisions num, key key, force secret data x
For L=0 to level;  For L=0 to level;
If L==0 then  If L==0 then
ran— root=key ; //产生随机数的种子  Ran—root=key ; //generate the seed of the random number
根据 ran— root产生值域 vf和间隔域 gf;  Generating a value range vf and a spacer field gf according to ran_root;
min=min; max=min+|vf|; dd=|gf|;〃间隔域  Min=min; max=min+|vf|; dd=|gf|;〃interval
6:  6:
7: ran_root=key+当前节点的值; 7: ran_root=key+ the value of the current node;
8 : 根据 ran— root分割数据域 (min, max)产生值域 vf和间隔域 gf;
Figure imgf000011_0001
8: generating a value field vf and a space field gf according to the ran-root split data field (min, max);
Figure imgf000011_0001
11 判断 X的位置为 i, 满足 χ>χμ ι 且 χ<χι 11 Determine the position of X as i, satisfy χ>χ μ ι and χ<χι
12 min=min+(x- 1 )*d+dd* '∑ random(key + χΛ; 12 min=min+(x-1)*d+dd* '∑ random(key + χΛ;
=l  =l
13 根据 ran— root产生一个随机数 r;  13 Generate a random number r according to ran—root;
14 If x==Xi then  14 If x==Xi then
15 max=min+d +dd*random(key+Xi);  15 max=min+d +dd*random(key+Xi);
16 Else  16 Else
17 max=min+d;  17 max=min+d;
18 End If  18 End If
16 dd= d*(l-r);  16 dd= d*(l-r);
17 End If  17 End If
18 End for  18 End for
19 ciphertext=min+(max-min) * random(key+x); 本发明核心部分构建了一种随机数据结构——随机树。 随机树是一棵多叉 树, 其高度由定义域决定, 树中每个节点都对应定义域中的一点, 并占据值域 中的一段子区间, 子节点区间是对父节点区间的一种随机划分。 基于随机树的 加密算法算法 OPEART具有以下特点: (1)加密或解密过程中, 不需要生成整棵 树, 而只需要生成树中从根节点到叶子节点之间的一条路径, 计算负载小; (2) 计算负载不会随着定义域的变化而变化, 适合于定义域较大或动态变化的应用;19 ciphertext=min+(max-min) * random(key+x); The core part of the invention constructs a random data structure - a random tree. The random tree is a multi-forked tree whose height is determined by the domain. Each node in the tree corresponds to a point in the domain and occupies a sub-interval in the value field. The sub-node interval is a kind of parent node interval. Randomly divided. The encryption tree algorithm OPEART based on random tree has the following characteristics: (1) In the process of encryption or decryption, it is not necessary to generate an entire tree, but only a path from the root node to the leaf node in the spanning tree, and the calculation load is small; (2) The computational load does not change as the domain changes, and is suitable for applications that define large or dynamic domains;
(3)无需建立索引, 节省了数据拥有者的计算和存储负载。 本发明是一种加密算 法, 密文具有保序性, 支持关系运算, 并且具有 IND-DNCPA安全性。 (3) No need to build an index, saving the data owner's computing and storage load. The present invention is a cryptographic algorithm, ciphertext has order preservation, supports relational operations, and has IND-DNCPA security.
本发明实施例通过根据用户密钥和待加密数据生成从随机树的根节点到所 述待加密数据对应的叶子节点的路径, 将所述待加密数据进行加密, 并根据所 述用户密钥恢复所述从随机树的根节点到所述待加密数据对应的叶子节点的路 径, 将所述待加密数据进行解密。 可以实现保序性、 安全性、 计算和存储负载 负担少、 数据域变化对计算负载影响小等优点。  The embodiment of the present invention generates the path to be encrypted from the root node of the random tree to the leaf node corresponding to the data to be encrypted according to the user key and the data to be encrypted, and recovers the data to be encrypted according to the user key. The path from the root node of the random tree to the leaf node corresponding to the data to be encrypted is used to decrypt the data to be encrypted. The advantages of order-preserving, security, computational and storage load burden, and data domain changes have little impact on the computational load.
实施例二  Embodiment 2
参考图 2, 图 2是本发明实施例二提供的一种数据解密的方法流程图。 如图 2所示, 该方法包括以下步骤:  Referring to FIG. 2, FIG. 2 is a flowchart of a method for data decryption according to Embodiment 2 of the present invention. As shown in Figure 2, the method includes the following steps:
步骤 201 , 获取用户密钥和待解密数据;  Step 201: Obtain a user key and data to be decrypted;
步骤 202,根据所述用户密钥和所述待解密数据恢复所述从随机树的根节点 到所述待加密数据对应的叶子节点的路径, 将所述待解密数据进行解密;  Step 202: Recover the path from the root node of the random tree to the leaf node corresponding to the data to be encrypted according to the user key and the data to be decrypted, and decrypt the data to be decrypted;
根据所述用户密钥恢复所述从随机树的根节点到所述待解密数据对应的叶 子节点的路径具体为:  Recovering the path from the root node of the random tree to the leaf node corresponding to the data to be decrypted according to the user key is specifically:
确定所述随机树的高度、 分割份数、 所述用户密钥、 所述待解密数据、 待 划分区间的最小值和最大值; 所述分割份数是将所述待划分区间等间隔划分的 份数, 其中, 每层随机树的长度是值域的长度加上间隔域的长度;  Determining a height of the random tree, a number of divisions, the user key, the data to be decrypted, and a minimum value and a maximum value of the interval to be divided; the number of divisions is an interval that divides the sections to be divided equally The number of copies, where the length of each layer of the random tree is the length of the range plus the length of the interval field;
具体的, 确定所述随机树的高度 level, 分割份数 num, 所述用户密钥 key, 所述待加密数据的密文 ciphertex, 待划分区间的最小值 min和最大值 max, 所 述 num是将所述待划分区间等间隔划分的份数, vf是所述待划分区间的值域, gf是所述待划分区间的间隔域。  Specifically, determining a height level of the random tree, a number of divisions num, the user key key, a ciphertext of the data to be encrypted, a minimum value min and a maximum value max of the interval to be divided, the num is The number of copies of the interval to be divided is equally divided, vf is a value range of the interval to be divided, and gf is a interval domain of the interval to be divided.
根据所述用户密钥和当前节点的美国信息交换标准代码生成随机树的种 子;  Generating a seed of the random tree according to the user key and the US standard information exchange standard code of the current node;
具体的,当所述随机树位于第零层 level=n, n=0时,随机树种子 ran— root=key。 将所述待划分区间等间隔划分成所述分割份数, 通过所述随机树的种子产 生随机数, 所述随机数用于产生每段待划分区间间隔域, 所述间隔域的分割份 数和选择的子节点, 同时使得分割后的总的间隔域长度等于分割前的间隔域长 度; 具体的, 根据所述 ran— root产生间隔域 gf , 间隔域 gf分裂份数 m和从 num 个子节点中随机选择 m个子节点, f andom(key + Xi )≤i 满足 random (key 1 根据每个子节点的范围的最小值, 判断所述密文所处的位置; 所处的位置 等于所述密文值减去所述子节点的最小值再减去到所述子节点之前的间隔域值 后得到的值除以所述子节点的值域分割的间隔; Specifically, when the random tree is located at the zeroth layer level=n, n=0, the random tree seed ran_root=key. Dividing the interval to be divided into the number of divided segments, and generating a random number by using a seed of the random tree, where the random number is used to generate a segment interval field to be divided, and the number of segments in the interval domain And the selected child node, at the same time, the length of the total interval domain after the division is equal to the length of the interval domain before the segmentation; Specifically, according to the ran-root generation interval domain gf, the interval domain gf splitting number m and randomly selecting m child nodes from num child nodes, f an dom(k ey + Xi )≤i satisfies random (key 1 according to a minimum value of a range of each child node, determining a location at which the ciphertext is located; a position equal to the ciphertext value minus a minimum value of the child node and then subtracting a space interval before the child node The value obtained after the value is divided by the interval of the value field division of the child node;
具体的, 殳每个节点所处范围的下限为 min ( xk ), 其中 ( 0, num-1 ), 判断 ciphertext的位置为 i, 满足 ciphertex≤min ( xk ), 且 ciphertex > minSpecifically, the lower limit of the range in which each node is located is min ( x k ), where ( 0, num-1 ), the position of the ciphertext is determined to be i, the ciphertex ≤ min ( x k ) is satisfied, and ciphertex > min
( k-i ), ( k-i ),
!·- 1  !·- 1
xn = (ciphertex - min(¾_1 ) - ddn * ^ random (key + Xj )) I dn x n = (ciphertex - min(3⁄4_ 1 ) - dd n * ^ random (key + Xj )) I d n
j=l 根据所述密文所处的位置, 计算出当前节点的美国信息交换标准代码, 根 据所述用户密钥和当前节点的美国信息交换标准代码生成随机树的种子;  J=l calculates a US standard information exchange standard code of the current node according to the location of the ciphertext, and generates a seed of the random tree according to the user key and the current information exchange standard code of the current node;
当 level=n, n=l , 2....1evel-2时, 所述 ran— root=key+ x" , When level=n, n=l, 2....1evel-2, the ran_root=key+ x " ,
其中, n=0 时, ^ =0, n=l 时, 第零层随机数加密的待加密数据; n=2 时, 第零层随机数和第一层随机数加密的待加密数据;n=level-2时, 第零 层随机数, 第一层随机数….第 level-2层加密的待加密数据。  Where n=0, ^=0, n=l, the zeroth layer random number encrypted data to be encrypted; n=2, the zeroth layer random number and the first layer random number encrypted data to be encrypted; n =level-2, the zeroth layer random number, the first layer random number.... The level-2 layer encrypted data to be encrypted.
根据所述随机数的种子产生随机数, 通过所述随机数将所述节点数所处待 划分区间分成两个区域值, 所述两个区域值是下一层随机树的总的值域值和下 一次随机树的总的间隔域值;  Generating a random number according to the seed of the random number, and dividing, by the random number, a section to be divided into the number of nodes to be divided into two area values, where the two area values are total value ranges of the next layer of random trees And the total interval field value of the next random tree;
确定所述解密数据的节点位置, 所述节点位置的最小值是三个值之和, 所 述三个值分别是所述节点位置上一层随机树的最小值, 到所述节点位置的值域 间隔值的总和, 到所述节点位置的间隔域间隔值的总和;  Determining a node position of the decrypted data, wherein a minimum value of the node position is a sum of three values, wherein the three values are respectively a minimum value of a random tree above the node position, and a value to the node position The sum of the domain interval values, the sum of the interval domain values to the node locations;
具体的,  specific,
i-l  I-l
minn = min η_λ + (i _ 1) * + ddn * ^ random(key + Xj )
Figure imgf000013_0001
( maxn_r minn_i ) *rn小 gfn_1= ( maxn_r minn_i ) * ( l-rn-1 ), rn-1是根据 ran— root在第 n-1层的值产生的随机数。 Min n = min η _ λ + (i _ 1) * + dd n * ^ random(key + Xj )
Figure imgf000013_0001
( max n _r min n _i ) *r n small gf n _ 1= ( max n _r min n _i ) * ( lr n-1 ), r n-1 is a random number generated from the value of ran-root at the n-1th layer.
判断所述节点位置是否是所述选择的子节点, 若是, 则所述节点位置的最 大值是三个值之和, 所述三个值分别是所述节点位置的最小值, 所述节点位置 的值域间隔值, 所述间隔域在所述节点位置的值;  Determining whether the node location is the selected child node, and if so, the maximum value of the node location is a sum of three values, wherein the three values are respectively a minimum value of the node location, and the node location a value range value, the value of the interval field at the node location;
若否, 则所述节点位置的最大值是两个值之和, 所述两个值分别是所述节 点位置的最小值, 所述节点位置的值域间隔值。  If not, the maximum value of the node position is the sum of two values, the two values being the minimum of the node position and the value interval value of the node position.
具体的, 判断 i是否是所述 m个子节点中的任意一个, 若是, 则  Specifically, determining whether i is any one of the m child nodes, and if yes,
maxn=minn+ dn十 ddn*random(key+Xi) , 否贝l , maxn=minn+ dnMax n =min n + d n ten dd n *random(key+Xi) , no l l , max n =min n + d n .
加密算法参考算法 2。  Encryption algorithm reference algorithm 2.
算法 2 解密算法 Dec() Algorithm 2 decryption algorithm Dec()
输入: 待划分区间最小值 min, 最大值 max, 随机树层数 level, 分割份数 num, 密钥 key, 待解密数据 val  Input: minimum interval to be divided min, maximum max, number of random tree levels level, number of divisions num, key key, data to be decrypted val
1: For L=0 to level 1: For L=0 to level
2: If L==0 then 2: If L==0 then
3: ran_root=key; //产生随机数的种子  3: ran_root=key; //generate the seed of the random number
4: 根据 ran— root产生值域 vf和间隔域 gf;  4: Generate a value range vf and a spacer field gf according to ran_root;
5: min=min; max=min+|vf|; dd=|gf|;〃间隔域  5: min=min; max=min+|vf|; dd=|gf|;
6: Else  6: Else
7: ran_root=key+当前节点的值;  7: ran_root=key+ the value of the current node;
8: 根据 ran— root分割数据域 (min, max)产生值域 vf和间隔域 gf;  8: generating a value field vf and a space field gf according to the ran_root split data field (min, max);
9: d=|vfl/num;  9: d=|vfl/num;
10: 根据 ran— root产生间隔域 gf的分裂份数 m和选择 m个子节点  10: According to ran-root, generate the partition number gf split number m and select m sub-nodes
{x0,...,xm}(i ^ [l,n]), W>¾-∑random(key + xi) < \且∑ random(key + xi) > \ ; {x 0 ,...,x m }(i ^ [l,n]), W>3⁄4-∑random(key + x i ) < \ and ∑ random(key + x i ) >\;
i=\ i=\  i=\ i=\
11 : 假设每个节点所处范围的下限为 min(xk) (k≡ [0,m]), 判断 x的位 11 : Assume that the lower limit of the range of each node is min(x k ) (k≡ [0,m]), and judge the bit of x
置为 i, 满足: val≤min(xk)且 val> min(xk-1), Set i, satisfying: val≤min (x k) and val> min (x k-1 ),
12: x=(val-min-dd* '∑ random(key + x f ) )/d; 12: x=(val-min-dd* '∑ random(key + x f ) )/d;
13: 根据 key和 x产生一个随机数 r;  13: Generate a random number r according to key and x;
14: If x==Xi then  14: If x==Xi then
15: max=min+d*r+dd*random(key+Xi);  15: max=min+d*r+dd*random(key+Xi);
16: Else  16: Else
17: max=min+d*r;  17: max=min+d*r;
18: End If  18: End If
19: dd= d*(l-r);  19: dd= d*(l-r);
20: End If  20: End If
21: plaintext=plaintext+x; //字符串连接 22: End For 21: plaintext=plaintext+x; //string connection 22: End For
步骤 203 , 将解密后的数据经过消除填充值后转换为明文字符串。  Step 203: Convert the decrypted data into a plaintext string after removing the padding value.
本步骤中, 将填充的 00或者 22等填充值消除掉后, 得到由明文字符串转 换的 ASCII码, 然后由所述 ASCII码再转换为明文字符串。  In this step, after the padding value such as 00 or 22 is eliminated, the ASCII code converted by the plaintext string is obtained, and then converted into a plaintext string by the ASCII code.
本发明核心部分构建了一种随机数据结构——随机树。 随机树是一棵多叉 树, 其高度由定义域决定, 树中每个节点都对应定义域中的一点, 并占据值域 中的一段子区间, 子节点区间是对父节点区间的一种随机划分。 基于随机树的 加密算法算法 OPEART具有以下特点: (1)加密或解密过程中, 不需要生成整棵 树, 而只需要生成树中从根节点到叶子节点之间的一条路径, 计算负载小; (2) 计算负载不会随着定义域的变化而变化, 适合于定义域较大或动态变化的应用; (3)无需建立索引, 节省了数据拥有者的计算和存储负载。 本发明是一种加密算 法, 密文具有保序性, 支持关系运算, 并且具有 IND-DNCPA安全性。  The core part of the invention constructs a random data structure - a random tree. The random tree is a multi-forked tree whose height is determined by the domain. Each node in the tree corresponds to a point in the domain and occupies a sub-interval in the value field. The sub-node interval is a kind of parent node interval. Randomly divided. The encryption tree algorithm OPEART based on random tree has the following characteristics: (1) In the process of encryption or decryption, it is not necessary to generate an entire tree, but only a path from the root node to the leaf node in the spanning tree, and the calculation load is small; (2) The computational load does not change with the change of the domain. It is suitable for applications with large or dynamic domains. (3) No need to establish an index, which saves the data owner's computing and storage load. The present invention is a cryptographic algorithm, ciphertext has order preservation, supports relational operations, and has IND-DNCPA security.
本发明实施例通过根据用户密钥和待加密数据生成从随机树的根节点到所 述待加密数据对应的叶子节点的路径, 将所述待加密数据进行加密, 并根据所 述用户密钥恢复所述从随机树的根节点到所述待加密数据对应的叶子节点的路 径, 将所述待加密数据进行解密。 可以实现保序性、 安全性、 计算和存储负载 负担少、 数据域变化对计算负载影响小等优点。  The embodiment of the present invention generates the path to be encrypted from the root node of the random tree to the leaf node corresponding to the data to be encrypted according to the user key and the data to be encrypted, and recovers the data to be encrypted according to the user key. The path from the root node of the random tree to the leaf node corresponding to the data to be encrypted is used to decrypt the data to be encrypted. The advantages of order-preserving, security, computational and storage load burden, and data domain changes have little impact on the computational load.
实施例三  Embodiment 3
参考图 3所示, 图 3是本发明实施例三提供的一种数据加密和数据解密的 方法示意图。 如图 3所示,  Referring to FIG. 3, FIG. 3 is a schematic diagram of a method for data encryption and data decryption according to Embodiment 3 of the present invention. As shown in Figure 3,
步骤 301 ,将明文字符串转换成美国信息交换标准代码 ASCII码, 并将转换 后的 ASCII码的位数凑成 12的倍数, 12是每次加密的所述 ASCII码的位数; 当每次加密为 12位 ASCII码时, 则第零层随机树的总的长度可以为 1015。 步骤 302, 根据 12确定随机树的高度为 6, 同时根据用户密钥和待加密数 据生成从随机树的根节点到所述待加密数据对应的叶子节点的路径, 并在所述 叶子节点所属的区间范围内选择一个随机数, 形成所述待加密数据的密文; 殳设转换后的 ASCII码为 012345678901 , 每层随机树加密 2位 ASCII码, 具体的, 当随机树位于第零层 level=n, n=0时, 随机树种子 ran— root=key, 根据 随机树的种子产生划分第零层随机树总长度为值域 vf。和间隔域 gf。, vf0+ gf0=1015, 将值域 vf。划分为 100份, 并根据随机树的种子产生间隔域 gf。的分割 份数 m和选择的子节点 m, 同时使得分割后的总的间隔域长度等于分割前的间 隔域长度。 Step 301: Convert the plaintext string into the American Standard Code for Information Interchange (ASCII) code, and round the number of bits of the converted ASCII code to a multiple of 12, where 12 is the number of bits of the ASCII code that is encrypted each time; When encrypted to 12-bit ASCII, the total length of the zeroth-order random tree can be 10 15 . Step 302: Determine, according to 12, that the height of the random tree is 6, and generate a path from the root node of the random tree to the leaf node corresponding to the data to be encrypted according to the user key and the data to be encrypted, and belong to the leaf node to which the leaf node belongs. Select a random number in the interval range to form the ciphertext of the data to be encrypted; set the converted ASCII code to 012345678901, and encrypt the 2-bit ASCII code in each layer of the random tree. Specifically, when the random tree is at the zeroth layer level= When n, n=0, the random tree seed ran_root=key, according to the seed of the random tree, divides the total length of the zeroth random tree into the value domain vf. And the interval field gf. , vf 0+ gf 0 =10 15 , will be the value range vf. Divided into 100 copies, and the interval domain gf is generated based on the seeds of the random tree. Segmentation The number m and the selected child node m are such that the total length of the partitioned partition is equal to the length of the interval before the partition.
第零层待加密的数据为 01 , 将放入划分的第一个值域区间 01内, 如图 4所 示。  The zeroth layer of data to be encrypted is 01 and will be placed in the first range of the range 01, as shown in Figure 4.
判断 01 的区间是否属于选择的子节点, 若是, 则 01 区间的最大值为 max=min+01 的值域 +01 的间隔域; 若否, 贝' J 01 区间的最大值为 max=min+01 的值域。 01的值域为 vf。/100。  Determine whether the interval of 01 belongs to the selected child node. If yes, the maximum value of the 01 interval is the interval field of the range +01 of max=min+01; if not, the maximum value of the interval of the Bay' J 01 is max=min+ The range of 01. The value range of 01 is vf. /100.
在第零层 01的区间内, 按照随机树的种子 ran— root=key+01 , 生成第一层随 机数, 根据所述第一层的随机数将第零层 01区间的区间值, 划分为第一层的值 域 vf^ 间隔域 gfi,其中 01区间值等于 01区间的最大值减去 01区间的最小值, vfi+ gfi=01区间值。  In the interval of the zeroth layer 01, a first layer random number is generated according to the seed ran_root=key+01 of the random tree, and the interval value of the zeroth layer 01 interval is divided according to the random number of the first layer. The value range of the first layer vf^ the interval field gfi, where the 01 interval value is equal to the maximum value of the 01 interval minus the minimum value of the 01 interval, vfi + gfi = 01 interval value.
将 νί等间距划分 100份, 按照所述第一层随机数划分第一层的间隔域的份 数和选择的子节点。 第一层待加密的数据为 23 , 将放入划分的第 23个值域区间 内。  Divide νί equal intervals into 100 parts, and divide the number of partitions of the first layer and the selected child nodes according to the first layer random number. The first layer of data to be encrypted is 23 and will be placed in the 23rd range of the partition.
判断 23 的区间是否属于选择的子节点, 若是, 则 23 区间的最大值为 max=min+23 的值域 +23 的间隔域; 若否, 贝' J 23 区间的最大值为 max=min+23 的值域。 23的值域为 vfi/100o  Determine whether the interval of 23 belongs to the selected child node. If yes, the maximum value of the 23 interval is the interval domain of the range +23 of max=min+23; if not, the maximum value of the interval of the Bay' J 23 is max=min+ The range of 23 values. The range of 23 is vfi/100o
在第一层 23的区间内, 按照随机树的种子 ran— root=key+0123 , 生成第二层 随机数, 根据所述第二层的随机数将第一层 23区间的区间值, 划分为第二层的 值域 vf2和间隔域 gf2,其中 23区间值等于 23区间的最大值减去 23区间的最小 值, vf2+ gf2=23区间值。 In the interval of the first layer 23, a second layer random number is generated according to the seed ran_root=key+0123 of the random tree, and the interval value of the first layer 23 interval is divided according to the random number of the second layer. The value range vf 2 and the interval field gf 2 of the second layer, wherein the interval value of 23 is equal to the maximum value of the 23 interval minus the minimum value of the 23 interval, vf 2 + gf 2 = 23 interval value.
将 vf2等间距划分 100份, 按照所述第二层随机数划分第二层的间隔域的份 数和选择的子节点。 第二层待加密的数据为 45 , 将放入划分的第 45个值域区间 内。 The vf 2 is equally divided into 100 parts, and the number of partitions of the second layer and the selected child nodes are divided according to the second layer random number. The second layer of data to be encrypted is 45 and will be placed in the 45th range of the division.
判断 45 的区间是否属于选择的子节点, 若是, 则 45 区间的最大值为 max=min+45 的值 i或 +45 的间隔 i或; 若否, 贝1 J 45 区间的最大值为 max=min+45 的值域。 45的值域为 vf2/100。 Determine whether the interval of 45 belongs to the selected child node. If yes, the maximum value of the 45 interval is the value i of max=min+45 or the interval i of +45 or; if not, the maximum value of the interval of the Bay 1 J 45 is max= The value range of min+45. Range of 45 vf 2/100.
在第二层 45的区间内, 按照随机树的种子 ran— root=key+012345 , 生成第三 层随机数, 根据所述第三层的随机数将第二层 45区间的区间值, 划分为第三层 的值域 vf3和间隔域 gf3,其中 45区间值等于 45区间的最大值减去 45区间的最 小值, vf3+ gf3=45区间值。 In the interval of the second layer 45, a third layer random number is generated according to the seed ran_root=key+012345 of the random tree, and the interval value of the second layer 45 interval is divided according to the random number of the third layer. The value range vf 3 and the interval field gf 3 of the third layer, where the 45 interval value is equal to the maximum value of the 45 interval minus the most of the 45 interval Small value, vf 3 + gf 3 = 45 interval value.
将 vf3等间距划分 100份, 按照所述第三层随机数划分第三层的间隔域的份 数和选择的子节点。 第三层待加密的数据为 67, 将放入划分的第 67个值域区间 内。 The vf 3 is equally divided into 100 parts, and the number of partitions of the third layer and the selected child nodes are divided according to the third layer random number. The third layer of data to be encrypted is 67, which will be placed in the 67th range of the division.
判断 67 的区间是否属于选择的子节点, 若是, 则 67 区间的最大值为 max=min+67的值 i或 +67的间隔 i或; 若否, 贝1 J 67 区间的最大值为 max=min+67 的值域。 67的值域为 vf3/100。 Determine whether the interval of 67 belongs to the selected child node. If yes, the maximum value of the 67 interval is the value i of max=min+67 or the interval i of +67 or; if not, the maximum value of the interval of the Bay 1 J 67 is max= The value range of min+67. Range 67 to vf 3/100.
在第三层 67的区间内, 按照随机树的种子 ran— root=key+01234567, 生成第 四层随机数, 根据所述第四层的随机数将第三层 67区间的区间值, 划分为第四 层的值域 vf4和间隔域 gf4,其中 67区间值等于 67区间的最大值减去 67区间的 最小值, vf4+ gf4=67区间值。 In the interval of the third layer 67, a fourth layer random number is generated according to the seed ran_root=key+01234567 of the random tree, and the interval value of the third layer 67 interval is divided according to the random number of the fourth layer. The value range vf 4 and the interval field gf 4 of the fourth layer, wherein the 67 interval value is equal to the maximum value of the 67 interval minus the minimum value of the 67 interval, vf 4 + gf 4 = 67 interval value.
将 vf4等间距划分 100份, 按照所述第四层随机数划分第四层的间隔域的份 数和选择的子节点。 第四层待加密的数据为 89, 将放入划分的第 89个值域区间 内。 The vf 4 is equally divided into 100 parts, and the number of partitions of the fourth layer and the selected child nodes are divided according to the fourth layer random number. The fourth layer of data to be encrypted is 89, which will be placed in the 89th range of the partition.
判断 89 的区间是否属于选择的子节点, 若是, 则 89 区间的最大值为 max=min+89的值 i或 +89的间隔 i或; 若否, 贝' J 89 区间的最大值为 max=min+89 的值域。 89的值域为 vf4/100。 Determine whether the interval of 89 belongs to the selected child node. If yes, the maximum value of the 89 interval is the value i of max=min+89 or the interval i of +89 or; if not, the maximum value of the interval of Bay' J 89 is max= The range of values for min+89. Range of 89 vf 4/100.
在第四层 89的区间内, 按照随机树的种子 ran— root=key+0123456789 , 生成 第五层随机数, 根据所述第五层的随机数将第四层 89区间的区间值, 划分为第 五层的值域 vf5和间隔域 gf5,其中 89区间值等于 89区间的最大值减去 89区间 的最小值, vf5+ gf5=89区间值。 In the interval of the fourth layer 89, a fifth layer random number is generated according to the seed ran_root=key+0123456789 of the random tree, and the interval value of the fourth layer 89 interval is divided according to the random number of the fifth layer. The value range vf 5 and the interval field gf 5 of the fifth layer, wherein the 89 interval value is equal to the maximum value of the 89 interval minus the minimum value of the 89 interval, vf 5 + gf 5 = 89 interval value.
将 vf5等间距划分 100份, 按照所述第五层随机数划分第五层的间隔域的份 数和选择的子节点。 第五层待加密的数据为 01 , 将放入划分的第 01个值域区间 内。 The vf 5 is equally divided into 100 parts, and the number of divisions of the fifth layer and the selected child nodes are divided according to the fifth layer random number. The data to be encrypted on the fifth layer is 01, which will be placed in the 01th range of the division.
判断 01 的区间是否属于选择的子节点, 若是, 则 01 区间的最大值为 max=min+01 的值域 +01 的间隔域; 若否, 贝' J 01 区间的最大值为 max=min+01 的值域。 01的值域为 vf5/100。 Determine whether the interval of 01 belongs to the selected child node. If yes, the maximum value of the 01 interval is the interval field of the range +01 of max=min+01; if not, the maximum value of the interval of the Bay' J 01 is max=min+ The range of 01. Range of 01 vf 5/100.
具体的, 当 level=n, n=5时, 则所述待力口密数据 x的密文 ciphertext= min5 + (max5- min5)* random(key+¾)0 ¾ =01+23+45+67+89 ( 0123456789 )。 Specifically, when level=n, n=5, the ciphertext of the to-be-tightened data x is ciphertext=min 5 + (max 5 - min 5 )* random(key+3⁄4) 0 3⁄4 =01+23 +45+67+89 ( 0123456789 ).
步骤 303 ,根据所述用户密钥和所述待加密数据的密文恢复所述从随机树的 根节点到所述待加密数据对应的叶子节点的路径, 将所述待加密数据的密文进 行解密; Step 303: Restore the random tree according to the user key and the ciphertext of the data to be encrypted. Deleting the ciphertext of the data to be encrypted by the root node to the path of the leaf node corresponding to the data to be encrypted;
具体的, 根据加密算法的规则, 生成第零层的随机树(最好说一下第 0层 的 key=key, 与明文无关), 判断密文 ciphertext的值位于第零层的哪个区间, 按 照步骤 202的 ciphertext的数值, 位于第零层的 01区间, 即得到 OIASCII码; 根据 01的 ASCII码和用户密钥生成第一层的随机树, 继续判断 ciphertext的数 值位于第一层的随机树的哪个区间, 根据步骤 202, 位于第一层的 23区间, 即 得到 23 ASCII码;根据 23的 ASCII码和用户密钥生成第二层的随机树,继续判 断 ciphertext的数值位于第二层的随机树的哪个区间, 根据步骤 202, 位于第二 层的 45区间, 即得到 45 ASCII码; ^据 45的 ASCII码和用户密钥生成第三层 的随机树, 继续判断 ciphertext的数值位于第三层的随机树的哪个区间, 根据步 骤 202, 位于第三层的 67区间, 即得到 67 ASCII码; 根据 67的 ASCII码和用 户密钥生成第四层的随机树, 继续判断 ciphertext的数值位于第四层的随机树的 哪个区间, 根据步骤 202, 位于第四层的 89区间, 即得到 89 ASCII码; 根据 89 的 ASCII码和用户密钥生成第五层的随机树, 继续判断 ciphertext的数值位于第 五层的随机树的哪个区间,根据步骤 202,位于第四层的 01区间,即得到 OIASCII 码。  Specifically, according to the rules of the encryption algorithm, a random tree of the zeroth layer is generated (it is better to say that the key=key of the layer 0 is independent of the plaintext), and determine which interval of the zeroth layer the value of the ciphertext ciphertext is, according to the steps. The value of ciphertext of 202 is located in the 01 interval of the zeroth layer, that is, the OIASCII code is obtained; the first layer of the random tree is generated according to the ASCII code of 01 and the user key, and it is determined which of the random trees of the first layer is the value of the ciphertext. The interval, according to step 202, is located in the 23 interval of the first layer, that is, 23 ASCII code is obtained; according to the ASCII code of 23 and the user key, a random tree of the second layer is generated, and the value of the ciphertext is continuously determined to be located in the random tree of the second layer. Which interval, according to step 202, is located in the 45th interval of the second layer, that is, 45 ASCII code; ^ according to 45 ASCII code and user key to generate a third layer of random tree, continue to determine the value of ciphertext is located in the third layer of random Which interval of the tree, according to step 202, is located in the 67th interval of the third layer, that is, 67 ASCII code; according to the ASCII code of 67 and the user key generation The four-layer random tree continues to determine which interval of the fourth-level random tree the ciphertext value is. According to step 202, in the 89th interval of the fourth layer, 89 ASCII code is obtained; according to the ASCII code of 89 and the user key. The random tree of the fifth layer continues to determine which interval of the random tree of the fifth layer the value of the ciphertext is located. According to step 202, the 01 segment of the fourth layer obtains the OIASCII code.
步骤 304, 将解密后的所述待加密数据经过消除填充值后。  Step 304: After the decrypted data to be encrypted is subjected to the erasure value.
具体的, 在最后一个加密解密的数据才需要消除填充值, 因为前面的加密 解密的数据格式是有效的 22位 +22构成一个 24位的字符串。  Specifically, the last encrypted and decrypted data only needs to eliminate the padding value, because the previous encrypted decrypted data format is valid 22 bits +22 constitutes a 24-bit string.
本发明实施例通过根据用户密钥和待加密数据生成从随机树的根节点到所 述待加密数据对应的叶子节点的路径, 将所述待加密数据进行加密, 并根据所 述用户密钥恢复所述从随机树的根节点到所述待加密数据对应的叶子节点的路 径, 将所述待加密数据进行解密。 可以实现保序性、 安全性、 计算和存储负载 负担少、 数据域变化对计算负载影响小等优点。  The embodiment of the present invention generates the path to be encrypted from the root node of the random tree to the leaf node corresponding to the data to be encrypted according to the user key and the data to be encrypted, and recovers the data to be encrypted according to the user key. The path from the root node of the random tree to the leaf node corresponding to the data to be encrypted is used to decrypt the data to be encrypted. The advantages of order-preserving, security, computational and storage load burden, and data domain changes have little impact on the computational load.
实施例四  Embodiment 4
参考图 5所示, 图 5是本发明实施例四提供的一种数据加密的设备结构图。 如图 5所示, 所述设备包括如下单元:  Referring to FIG. 5, FIG. 5 is a structural diagram of a device for data encryption according to Embodiment 4 of the present invention. As shown in FIG. 5, the device includes the following units:
第一转换单元 501 ,用于将待加密数据由明文字符串转换成美国信息交换标 准代码 ASCII码, 并将转换后的 ASCII码的位数凑成预先设置的定义域值的倍 数, 所述预先设置的定义域值是每次加密的所述 ASCII码的位数; 加密单元 502, 用于根据所述预先设置的定义域值确定随机树的高度, 同 时根据用户密钥和待加密数据生成从随机树的根节点到所述待加密数据对应的 叶子节点的路径, 并在所述叶子节点所属的区间范围内选择一个随机数, 形成 所述待加密数据的密文; The first converting unit 501 is configured to convert the data to be encrypted from the plaintext string into the American Standard Code for Information Interchange (ASCII) code, and convert the number of bits of the converted ASCII code to a value of a preset domain value. The predetermined domain value is the number of bits of the ASCII code that is encrypted each time; the encryption unit 502 is configured to determine the height of the random tree according to the preset domain value, and according to the user key and The data to be encrypted is generated from a root node of the random tree to a leaf node corresponding to the data to be encrypted, and a random number is selected within the range of the leaf node to form a ciphertext of the data to be encrypted.
具体的, 加密单元 502包括:  Specifically, the encryption unit 502 includes:
第一确定单元 601 ,用于确定所述随机树的层数,分割份数,所述用户密钥, 所述待加密数据, 待划分区间的最小值和最大值; 所述分割份数是将所述待划 分等间隔划分的份数; 其中, 每层随机树的长度是值域的长度加上间隔域的长 度;  a first determining unit 601, configured to determine a number of layers of the random tree, a number of divided shares, the user key, the to-be-encrypted data, a minimum value and a maximum value of the interval to be divided; The number of copies to be divided into equal intervals; wherein, the length of each layer of the random tree is the length of the range plus the length of the interval field;
第一生成单元 602 ,用于根据所述用户密钥和当前节点的美国信息交换标准 代码生成随机树的种子;  a first generating unit 602, configured to generate a seed of the random tree according to the user key and an American Information Exchange Standard Code of the current node;
第一划分单元 603 , 用于将所述每段值域等间隔划分成所述分割份数, 通过 所述随机树的种子产生随机数, 所述随机数用于产生间隔域, 每段间隔域的分 割份数和选择的子节点, 同时使得分割后的总的间隔域长度等于分割前的间隔 域长度;  a first dividing unit 603, configured to divide the each range of values into the divided number of segments, and generate a random number by using a seed of the random tree, where the random number is used to generate a spacing domain, each interval domain The number of divided parts and the selected child nodes, and the length of the total interval domain after the division is equal to the length of the interval domain before the division;
第二确定单元 604, 用于确定所述加密数据的节点位置, 所述节点位置的最 小值是三个值之和, 所述三个值分别是所述节点位置上一层随机树的最小值, 到所述节点位置的值域间隔值的总和, 到所述节点位置的间隔域间隔值的总和; 第一判断单元 605,用于判断所述节点位置是否是所述选择的子节点,若是, 则所述节点位置的最大值是三个值之和, 所述三个值分别是所述节点位置的最 小值, 所述节点位置的值域间隔值, 所述间隔域在所述节点位置的值;  a second determining unit 604, configured to determine a node location of the encrypted data, where a minimum value of the node location is a sum of three values, where the three values are minimum values of a random tree above the node location The sum of the value interval values of the node locations, the sum of the interval field values to the node locations; the first determining unit 605, configured to determine whether the node locations are the selected child nodes, and if The maximum value of the node position is a sum of three values, the three values are respectively a minimum value of the node position, a value interval value of the node position, and the interval field is at the node position Value
若否, 则所述节点位置的最大值是两个值之和, 所述两个值分别是所述节 点位置的最小值, 所述节点位置的值域间隔值。  If not, the maximum value of the node position is the sum of two values, the two values being the minimum of the node position and the value interval value of the node position.
本发明实施例通过根据用户密钥和待加密数据生成从随机树的根节点到所 述待加密数据对应的叶子节点的路径, 将所述待加密数据进行加密, 并根据所 述用户密钥恢复所述从随机树的根节点到所述待加密数据对应的叶子节点的路 径, 将所述待加密数据进行解密。 可以实现保序性、 安全性、 计算和存储负载 负担少、 数据域变化对计算负载影响小等优点。  The embodiment of the present invention generates the path to be encrypted from the root node of the random tree to the leaf node corresponding to the data to be encrypted according to the user key and the data to be encrypted, and recovers the data to be encrypted according to the user key. The path from the root node of the random tree to the leaf node corresponding to the data to be encrypted is used to decrypt the data to be encrypted. The advantages of order-preserving, security, computational and storage load burden, and data domain changes have little impact on the computational load.
实施例五 参考图 7所示, 图 7是本发明实施例五提供的一种数据解密的设备结构图。 如图 7所示, 所述设备包括如下单元: Embodiment 5 Referring to FIG. 7, FIG. 7 is a structural diagram of a device for decrypting data according to Embodiment 5 of the present invention. As shown in FIG. 7, the device includes the following units:
获取单元 701 , 用于获取用户密钥和待解密数据;  An obtaining unit 701, configured to acquire a user key and data to be decrypted;
解密单元 702,用于根据用户密钥和所述待解密数据恢复所述从随机树的根 节点到所述待解密数据对应的叶子节点的路径, 将所述待解密数据进行解密; 所述解密单元 702包括:  The decrypting unit 702 is configured to recover the path from the root node of the random tree to the leaf node corresponding to the data to be decrypted according to the user key and the data to be decrypted, and decrypt the data to be decrypted; Unit 702 includes:
第三确定单元 801 ,用于确定所述随机树的高度、分割份数、所述用户密钥、 所述待解密数据、 待划分区间的最小值和最大值; 所述分割份数是将所述待划 分区间等间隔划分的份数, 其中, 每层随机树的长度是值域的长度加上间隔域 的长度;  a third determining unit 801, configured to determine a height of the random tree, a number of divided shares, the user key, the to-be-decrypted data, a minimum value and a maximum value of the to-be-divided interval; The number of copies of the interval interval is divided, wherein the length of each layer of the random tree is the length of the range plus the length of the interval field;
第二生成单元 802 ,用于根据所述用户密钥和当前节点的美国信息交换标准 代码生成随机树的种子;  a second generating unit 802, configured to generate a seed of the random tree according to the user key and an American Information Exchange Standard Code of the current node;
第二划分单元 803 , 用于将所述待划分区间等间隔划分成所述分割份数, 通 过所述随机树的种子产生随机数, 所述随机数用于产生每段待划分区间间隔域, 所述间隔域的分割份数和选择的子节点, 同时使得分割后的总的间隔域长度等 于分割前的间隔域长度;  a second dividing unit 803, configured to divide the interval to be divided into the number of divided segments, and generate a random number by using a seed of the random tree, where the random number is used to generate an interval interval field to be divided. The number of divisions of the interval domain and the selected child node, and the length of the total interval domain after the division is equal to the length of the interval domain before the division;
第三判断单元 804, 根据每个子节点的范围的最小值, 判断所述密文所处的 位置; 所处的位置等于所述密文值减去所述子节点的最小值再减去到所述子节 点之前的间隔域值后得到的值除以所述子节点的值域分割的间隔;  The third determining unit 804 determines, according to the minimum value of the range of each child node, the location where the ciphertext is located; the location is equal to the ciphertext value minus the minimum value of the child node, and then subtracts the location The value obtained after the interval field value before the child node is divided by the interval of the value field division of the child node;
计算单元 805 , 用于根据所述密文所处的位置, 计算出当前节点的美国信息 交换标准代码, 根据所述用户密钥和当前节点的美国信息交换标准代码生成随 机树的种子;  The calculating unit 805 is configured to calculate, according to the location where the ciphertext is located, a US standard information exchange standard code of the current node, and generate a seed of the random tree according to the user key and the US exchange standard code of the current node;
第三划分单元 806, 用于根据所述随机数的种子产生随机数, 通过所述随机 数将所述节点数所处待划分区间分成两个区域值, 所述两个区域值是下一层随 机树的总的值域值和下一次随机树的总的间隔域值;  a third dividing unit 806, configured to generate a random number according to the seed of the random number, and divide, by the random number, a to-divided interval in which the number of nodes is divided into two area values, where the two area values are next layer The total value range of the random tree and the total interval field value of the next random tree;
第四确定单元 807, 用于确定所述解密数据的节点位置, 所述节点位置的最 小值是三个值之和, 所述三个值分别是所述节点位置上一层随机树的最小值, 到所述节点位置的值域间隔值的总和, 到所述节点位置的间隔域间隔值的总和; 第三判断单元 808,用于判断所述节点位置是否是所述选择的子节点,若是, 则所述节点位置的最大值是三个值之和, 所述三个值分别是所述节点位置的最 小值, 所述节点位置的值域间隔值, 所述间隔域在所述节点位置的值; 若否, 则所述节点位置的最大值是两个值之和, 所述两个值分别是所述节 点位置的最小值, 所述节点位置的值域间隔值。 a fourth determining unit 807, configured to determine a node location of the decrypted data, where a minimum value of the node location is a sum of three values, where the three values are minimum values of a random tree above the node location The sum of the value range values of the node locations, the sum of the interval field values to the node locations; the third determining unit 808, configured to determine whether the node locations are the selected child nodes, and if The maximum value of the node position is the sum of three values, the three values being the most a small value, a value interval value of the node position, a value of the interval field at the node position; if not, a maximum value of the node position is a sum of two values, and the two values are respectively The minimum value of the node location, the value interval value of the node location.
第二转换单元 703 ,用于将解密后的所述待加密数据经过消除填充值后转换 为明文字符串。  The second converting unit 703 is configured to convert the decrypted data to be encrypted into a plaintext string after the padding value is removed.
本发明实施例通过根据用户密钥和待加密数据生成从随机树的根节点到所 述待加密数据对应的叶子节点的路径, 将所述待加密数据进行加密, 并根据所 述用户密钥恢复所述从随机树的根节点到所述待加密数据对应的叶子节点的路 径, 将所述待加密数据进行解密。 可以实现保序性、 安全性、 计算和存储负载 负担少、 数据域变化对计算负载影响小等优点。  The embodiment of the present invention generates the path to be encrypted from the root node of the random tree to the leaf node corresponding to the data to be encrypted according to the user key and the data to be encrypted, and recovers the data to be encrypted according to the user key. The path from the root node of the random tree to the leaf node corresponding to the data to be encrypted is used to decrypt the data to be encrypted. The advantages of order-preserving, security, computational and storage load burden, and data domain changes have little impact on the computational load.
实施例六  Embodiment 6
参考图 9, 图 9是本发明实施例六提供的一种数据加密的设备结构图。 参考 图 9, 图 9是本发明实施例提供的一种数据加密的设备 900, , 本发明具体实施 例并不对所述设备的具体实现做限定。 所述设备 900包括:  Referring to FIG. 9, FIG. 9 is a structural diagram of a device for data encryption according to Embodiment 6 of the present invention. Referring to FIG. 9, FIG. 9 is a data encryption device 900 according to an embodiment of the present invention. The specific implementation of the device does not limit the specific implementation of the device. The device 900 includes:
处理器 (processor)901 , 通信接口 (Communications Interface)902 , 存者器 (memory)903 , 总线 904。  A processor 901, a communications interface 902, a memory 903, and a bus 904.
处理器 901 , 通信接口 902, 存储器 903通过总线 904完成相互间的通信。 通信接口 902, 用于与数据解密设备进行通信;  The processor 901, the communication interface 902, and the memory 903 complete communication with each other via the bus 904. a communication interface 902, configured to communicate with a data decryption device;
处理器 901 , 用于执行程序 Α。  The processor 901 is configured to execute a program.
具体地, 程序 Α可以包括程序代码。  Specifically, the program Α may include program code.
处理器 901 可能是一个中央处理器 CPU , 或者是特定集成电路 ASIC ( Application Specific Integrated Circuit ), 或者是被配置成实施本发明实施例的 一个或多个集成电路。  The processor 901 may be a central processing unit CPU, or an Application Specific Integrated Circuit (ASIC), or one or more integrated circuits configured to implement embodiments of the present invention.
存储器 903 , 用于存放程序 。 存储器 903可能包含高速 RAM存储器, 也 可能还包括非易失性存储器(non-volatile memory ), 例如至少一个磁盘存储器。 程序 A具体可以包括以下用于实现以下功能的代码:  The memory 903 is used to store the program. The memory 903 may include a high speed RAM memory and may also include a non-volatile memory such as at least one disk memory. Program A may specifically include the following code for implementing the following functions:
将明文字符串转换成美国信息交换标准代码 ASCII码,并将转换后的 ASCII 码的位数凑成预先设置的定义域值的倍数, 所述预先设置的定义域值是每次加 密的所述 ASCII码的位数;  Converting the plaintext string into the American Standard Code for Information Interchange (ASCII) code, and multiplying the number of bits of the converted ASCII code into a multiple of a pre-set domain value, the pre-set domain value being each encrypted The number of bits in ASCII code;
根据所述预先设置的定义域值确定随机树的高度, 同时根据用户密钥和待 加密数据生成从随机树的根节点到所述待加密数据对应的叶子节点的路径, 并 在所述叶子节点所属的区间范围内选择一个随机数, 形成所述待加密数据的密 文。 Determining the height of the random tree according to the preset domain value, and according to the user key and waiting The encrypted data is generated from a root node of the random tree to a leaf node corresponding to the to-be-encrypted data, and a random number is selected within a range to which the leaf node belongs to form a ciphertext of the data to be encrypted.
实施例七  Example 7
参考图 10, 图 10是本发明实施例七提供的一种数据解密的设备结构图。 参 考图 10, 图 10是本发明实施例提供的一种数据解密的设备 1000, , 本发明具体 实施例并不对所述设备的具体实现做限定。 所述设备 1000包括:  Referring to FIG. 10, FIG. 10 is a structural diagram of a device for decrypting data according to Embodiment 7 of the present invention. Referring to FIG. 10, FIG. 10 is a device 1000 for decrypting data according to an embodiment of the present invention. The specific embodiment of the present invention does not limit the specific implementation of the device. The device 1000 includes:
处理器 (processor) 1001 , 通信接口(Communications Interface) 1002 , 存储器 (memory) 1003 , 总线 1004。  A processor 1001, a communication interface 1002, a memory 1003, and a bus 1004.
处理器 1001 , 通信接口 1002, 存储器 1003通过总线 1004完成相互间的通 信。  The processor 1001, the communication interface 1002, and the memory 1003 complete communication with each other via the bus 1004.
通信接口 1002, 用于与数据加密设备进行通信;  a communication interface 1002, configured to communicate with a data encryption device;
处理器 1001 , 用于执行程序 A。  The processor 1001 is configured to execute program A.
具体地, 程序 A可以包括程序代码。  In particular, program A can include program code.
处理器 1001 可能是一个中央处理器 CPU , 或者是特定集成电路 ASIC ( Application Specific Integrated Circuit ), 或者是被配置成实施本发明实施例的 一个或多个集成电路。  The processor 1001 may be a central processing unit CPU, or an Application Specific Integrated Circuit (ASIC), or one or more integrated circuits configured to implement embodiments of the present invention.
存储器 1003 , 用于存放程序八。 存储器 1003可能包含高速 RAM存储器, 也可能还包括非易失性存储器( non-volatile memory ) ,例如至少一个磁盘存储器。 程序 A具体可以包括以下用于实现以下功能的代码:  The memory 1003 is configured to store the program eight. The memory 1003 may include a high speed RAM memory and may also include a non-volatile memory such as at least one disk memory. Program A may specifically include the following code for implementing the following functions:
获取用户密钥和待加密数据的密文;  Obtaining the user key and the ciphertext of the data to be encrypted;
根据所述用户密钥和所述待加密数据的密文恢复所述从随机树的根节点到 所述待加密数据对应的叶子节点的路径, 将所述待加密数据的密文进行解密; 将解密后的所述待加密数据经过消除填充值后转换为明文字符串。  Recovering the path from the root node of the random tree to the leaf node corresponding to the data to be encrypted according to the user key and the ciphertext of the data to be encrypted, and decrypting the ciphertext of the data to be encrypted; The decrypted data to be encrypted is converted into a plaintext string after the padding value is eliminated.
以上所述仅为本发明的优选实施方式, 并不构成对本发明保护范围的限定。 任何在本发明的精神和原则之内所作的任何修改、 等同替换和改进等, 均应包 含在本发明要求包含范围之内。  The above is only a preferred embodiment of the present invention and is not intended to limit the scope of the present invention. Any modifications, equivalent substitutions and improvements made within the spirit and scope of the invention are intended to be included within the scope of the invention.

Claims

权 利 要 求 书 Claim
1、 一种数据加密的方法, 其特征在于, 所述方法包括: A data encryption method, the method comprising:
将待加密数据由明文字符串转换成美国信息交换标准代码 ASCII码, 并将 转换后的 ASCII码的位数凑成预先设置的定义域值的倍数, 所述预先设置的定 义域值是每次加密的所述 ASCII码的位数;  Converting the data to be encrypted from the plaintext string to the American Standard Code for Information Interchange (ASCII) code, and converting the number of bits of the converted ASCII code to a multiple of a preset domain value, the preset domain value being each time The number of bits of the encrypted ASCII code;
根据所述预先设置的定义域值确定随机树的高度, 同时根据用户密钥和待 加密数据生成从随机树的根节点到所述待加密数据对应的叶子节点的路径, 并 在所述叶子节点所属的区间范围内选择一个随机数, 形成所述待加密数据的密 文。  Determining a height of the random tree according to the preset domain value, and generating a path from the root node of the random tree to the leaf node corresponding to the data to be encrypted according to the user key and the data to be encrypted, and at the leaf node A random number is selected within the range of the associated interval to form the ciphertext of the data to be encrypted.
2、 根据权利要求 1 所述的方法, 其特征在于, 所述根据用户密钥和待加 密数据生成从随机数的根节点到所述待加密数据对应的叶子节点的路径具体 为:  The method according to claim 1, wherein the path of generating the root node from the random number to the leaf node corresponding to the data to be encrypted according to the user key and the data to be encrypted is specifically:
确定所述随机树的层数、 分割份数、 所述用户密钥、 所述待加密数据, 待 划分区间的最小值和最大值; 所述分割份数是将所述待划分等间隔划分的份数; 其中, 每层随机树的长度是值域的长度加上间隔域的长度;  Determining the number of layers of the random tree, the number of divided copies, the user key, the data to be encrypted, and the minimum and maximum values of the interval to be divided; the number of divided segments is divided into equal intervals to be divided Number of copies; wherein, the length of each layer of the random tree is the length of the range plus the length of the interval field;
根据所述用户密钥和当前节点的美国信息交换标准代码生成随机树的种 子;  Generating a seed of the random tree according to the user key and the US standard information exchange standard code of the current node;
将所述每段值域等间隔划分成所述分割份数, 通过所述随机树的种子产生 随机数, 所述随机数用于产生间隔域, 每段间隔域的分割份数和选择的子节点, 同时使得分割后的总的间隔域长度等于分割前的间隔域长度;  And each of the range of values is equally divided into the number of divided parts, and a random number is generated by a seed of the random tree, where the random number is used to generate a spacing field, and the number of divided parts and the selected sub-range of each interval field Node, at the same time, the length of the total interval domain after the division is equal to the length of the interval domain before the division;
确定所述加密数据的节点位置, 所述节点位置的最小值是三个值之和, 所 述三个值分别是所述节点位置上一层随机树的最小值, 到所述节点位置的值域 间隔值的总和, 到所述节点位置的间隔域间隔值的总和;  Determining a node position of the encrypted data, where a minimum value of the node position is a sum of three values, wherein the three values are respectively a minimum value of a random tree above the node position, and a value to the node position The sum of the domain interval values, the sum of the interval domain values to the node locations;
判断所述节点位置是否是所述选择的子节点, 若是, 则所述节点位置的最 大值是三个值之和, 所述三个值分别是所述节点位置的最小值, 所述节点位置 的值域间隔值, 所述间隔域在所述节点位置的值;  Determining whether the node location is the selected child node, and if so, the maximum value of the node location is a sum of three values, wherein the three values are respectively a minimum value of the node location, and the node location a value range value, the value of the interval field at the node location;
若否, 则所述节点位置的最大值是两个值之和, 所述两个值分别是所述节 点位置的最小值, 所述节点位置的值域间隔值。  If not, the maximum value of the node position is the sum of two values, the two values being the minimum of the node position and the value interval value of the node position.
3、 根据权利要求 1所述的方法, 其特征在于, 所述并在所述叶子节点所属 的区间范围内选择一个随机数, 形成所述待加密数据的密文包括: 当所述待加密数据位于随机数的最后一层时, 在所述待加密数据所在的子 节点的区间范围内, 选择一个随机数, 形成所述待加密数据的密文。 The method according to claim 1, wherein the ciphertext for forming the data to be encrypted comprises: selecting a random number in the range of the interval to which the leaf node belongs: When the data to be encrypted is located in the last layer of the random number, within the range of the sub-node where the data to be encrypted is located, a random number is selected to form the ciphertext of the data to be encrypted.
4、 一种数据解密的方法, 其特征在于, 所述方法包括:  A method for decrypting data, characterized in that the method comprises:
获取用户密钥和待解密数据;  Obtaining a user key and data to be decrypted;
根据所述用户密钥和所述待解密数据恢复所述从随机树的根节点到所述待 加密数据对应的叶子节点的路径, 将所述待解密数据进行解密;  And recovering, according to the user key and the data to be decrypted, the path from the root node of the random tree to the leaf node corresponding to the data to be encrypted, and decrypting the data to be decrypted;
将解密后的数据经过消除填充值后转换为明文字符串。  The decrypted data is converted to a plain text string after the padding value is removed.
5、 根据权利要求 4所述的方法, 其特征在于, 所述根据所述用户密钥和所 述待解密数据恢复所述从随机树的根节点到所述待解密数据对应的叶子节点的 路径具体为:  The method according to claim 4, wherein the recovering the path from the root node of the random tree to the leaf node corresponding to the data to be decrypted according to the user key and the data to be decrypted Specifically:
确定所述随机树的高度、 分割份数、 所述用户密钥、 所述待解密数据、 待 划分区间的最小值和最大值; 所述分割份数是将所述待划分区间等间隔划分的 份数, 其中, 每层随机树的长度是值域的长度加上间隔域的长度;  Determining a height of the random tree, a number of divisions, the user key, the data to be decrypted, and a minimum value and a maximum value of the interval to be divided; the number of divisions is an interval that divides the sections to be divided equally The number of copies, where the length of each layer of the random tree is the length of the range plus the length of the interval field;
根据所述用户密钥和当前节点的美国信息交换标准代码生成随机树的种 子;  Generating a seed of the random tree according to the user key and the US standard information exchange standard code of the current node;
将所述待划分区间等间隔划分成所述分割份数, 通过所述随机树的种子产 生随机数, 所述随机数用于产生每段待划分区间间隔域, 所述间隔域的分割份 数和选择的子节点, 同时使得分割后的总的间隔域长度等于分割前的间隔域长 度;  Dividing the interval to be divided into the number of divided segments, and generating a random number by using a seed of the random tree, where the random number is used to generate a segment interval field to be divided, and the number of segments in the interval domain And the selected child node, at the same time, the length of the total interval domain after the division is equal to the length of the interval domain before the segmentation;
根据每个子节点的范围的最小值, 判断所述密文所处的位置; 根据所述密 文所处的位置, 计算出当前节点的美国信息交换标准代码, 根据所述用户密钥 和当前节点的美国信息交换标准代码生成随机树的种子;  Determining, according to the minimum value of the range of each child node, a location where the ciphertext is located; calculating, according to the location of the ciphertext, an American Standard Code for Information Interchange of the current node, according to the user key and the current node The US Information Exchange Standard Code generates a seed of a random tree;
根据所述随机数的种子产生随机数, 通过所述随机数将所述节点数所处待 划分区间分成两个区域值, 所述两个区域值是下一层随机树的总的值域值和下 一次随机树的总的间隔域值;  Generating a random number according to the seed of the random number, and dividing, by the random number, a section to be divided into the number of nodes to be divided into two area values, where the two area values are total value ranges of the next layer of random trees And the total interval field value of the next random tree;
确定所述待解密数据的节点位置, 所述节点位置的最小值是三个值之和, 所述三个值分别是所述节点位置上一层随机树的最小值, 到所述节点位置的值 域间隔值的总和, 到所述节点位置的间隔域间隔值的总和;  Determining a node position of the data to be decrypted, wherein a minimum value of the node position is a sum of three values, wherein the three values are respectively a minimum value of a random tree of the node position, and the node position is The sum of the range interval values, the sum of the interval interval values to the node locations;
判断所述节点位置是否是所述选择的子节点, 若是, 则所述节点位置的最 大值是三个值之和, 所述三个值分别是所述节点位置的最小值, 所述节点位置 的值域间隔值, 所述间隔域在所述节点位置的值; Determining whether the node location is the selected child node, and if so, the maximum value of the node location is a sum of three values, wherein the three values are respectively a minimum value of the node location, and the node location a value range value, the value of the interval field at the node location;
若否, 则所述节点位置的最大值是两个值之和, 所述两个值分别是所述节 点位置的最小值, 所述节点位置的值域间隔值。  If not, the maximum value of the node position is the sum of two values, the two values being the minimum of the node position and the value interval value of the node position.
6、 一种数据加密的设备, 其特征在于, 所述设备包括:  6. A data encryption device, the device comprising:
第一转换单元, 用于将待加密数据由明文字符串转换成美国信息交换标准 代码 ASCII码,并将转换后的 ASCII码的位数凑成预先设置的定义域值的倍数, 所述预先设置的定义域值是每次加密的所述 ASCII码的位数;  a first converting unit, configured to convert the data to be encrypted from the plaintext string into the American Standard Code for Information Interchange (ASCII) code, and convert the number of bits of the converted ASCII code into a multiple of a preset domain value, the preset The domain value is the number of bits of the ASCII code that is encrypted each time;
加密单元, 用于根据所述预先设置的定义域值确定随机树的高度, 同时根 据用户密钥和待加密数据生成从随机树的根节点到所述待加密数据对应的叶子 节点的路径, 并在所述叶子节点所属的值域范围内选择一个随机数, 形成所述 待加密数据的密文。  An encryption unit, configured to determine a height of the random tree according to the preset domain value, and generate a path from a root node of the random tree to a leaf node corresponding to the data to be encrypted according to the user key and the data to be encrypted, and Selecting a random number within a range of values to which the leaf node belongs, forming a ciphertext of the data to be encrypted.
7、 根据权利要求 6所述的数据加密的设备, 其特征在于, 所述加密单元中 执行步骤所述根据用户密钥和待加密数据生成从随机数的根节点到所述待加密 数据对应的叶子节点的路径具体为:  The data encryption device according to claim 6, wherein the step of performing, in the encrypting unit, generating, according to the user key and the data to be encrypted, a root node corresponding to the data to be encrypted The path of the leaf node is specifically:
第一确定单元, 用于确定所述随机树的层数、 分割份数、 所述用户密钥、 所述待加密数据、 待划分区间的最小值和最大值; 所述分割份数是将所述待划 分等间隔划分的份数; 其中, 每层随机树的长度是值域的长度加上间隔域的长 度;  a first determining unit, configured to determine a number of layers of the random tree, a number of divided shares, the user key, the to-be-encrypted data, and a minimum value and a maximum value of the to-be-divided interval; Describe the number of copies divided into equal intervals; wherein, the length of each layer of the random tree is the length of the range plus the length of the interval field;
第一生成单元, 用于根据所述用户密钥和当前节点的美国信息交换标准代 码生成随机树的种子;  a first generating unit, configured to generate a seed of the random tree according to the user key and the US information exchange standard code of the current node;
第一划分单元, 用于将所述每段值域等间隔划分成所述分割份数, 通过所 述随机树的种子产生随机数, 所述随机数用于产生间隔域, 每段间隔域的分割 份数和选择的子节点, 同时使得分割后的总的间隔域长度等于分割前的间隔域 长度;  a first dividing unit, configured to divide the each of the range of values into the number of divided segments, and generate a random number by using a seed of the random tree, where the random number is used to generate a spacing domain, where each interval domain is Dividing the number of copies and the selected child nodes, and making the total length of the divided interval fields equal to the length of the interval before the segmentation;
第二确定单元, 用于确定所述加密数据的节点位置, 所述节点位置的最小 值是三个值之和, 所述三个值分别是所述节点位置上一层随机树的最小值, 到 所述节点位置的值域间隔值的总和, 到所述节点位置的间隔域间隔值的总和; 第一判断单元, 用于判断所述节点位置是否是所述选择的子节点, 若是, 则所述节点位置的最大值是三个值之和, 所述三个值分别是所述节点位置的最 小值, 所述节点位置的值域间隔值, 所述间隔域在所述节点位置的值; 若否, 则所述节点位置的最大值是两个值之和, 所述两个值分别是所述节 点位置的最小值, 所述节点位置的值域间隔值。 a second determining unit, configured to determine a node location of the encrypted data, where a minimum value of the node location is a sum of three values, where the three values are respectively a minimum value of a random tree above the node location, a sum of value range values to the node position, a sum of interval field interval values to the node position; a first determining unit, configured to determine whether the node position is the selected child node, and if yes, The maximum value of the node position is the sum of three values, the three values are respectively the minimum value of the node position, the value range interval value of the node position, and the value of the interval field at the node position ; If not, the maximum value of the node position is the sum of two values, the two values being the minimum value of the node position and the value interval value of the node position.
8、 根据权利要求 6所述的设备, 其特征在于, 所述加密单元中执行步骤并 在所述叶子节点所属的值域范围内选择一个随机数, 形成所述待加密数据的密 文中的密文包括:  The device according to claim 6, wherein the encrypting unit performs a step and selects a random number in a range of values to which the leaf node belongs to form a secret in the ciphertext of the data to be encrypted. The text includes:
当所述待加密数据位于随机数的最后一层时, 在所述待加密数据所在的子 节点的区间范围内, 选择一个随机数, 形成所述待加密数据的密文。  When the data to be encrypted is located in the last layer of the random number, a random number is selected in the range of the sub-node where the data to be encrypted is located to form the ciphertext of the data to be encrypted.
9、 一种数据解密的设备, 其特征在于, 所述设备包括:  9. A device for decrypting data, characterized in that the device comprises:
获取单元, 用于获取用户密钥和待解密数据;  An obtaining unit, configured to acquire a user key and data to be decrypted;
解密单元, 用于根据所述用户密钥和所述待解密数据恢复所述从随机树的 根节点到所述待解密数据对应的叶子节点的路径, 将所述待解密数据进行解密; 第二转换单元, 用于将解密后的数据经过消除填充值后转换为明文字符串。 a decrypting unit, configured to recover the path from the root node of the random tree to the leaf node corresponding to the data to be decrypted according to the user key and the data to be decrypted, and decrypt the data to be decrypted; a conversion unit, configured to convert the decrypted data into a plaintext string after removing the padding value.
10、 根据权利要求 9所述的设备, 其特征在于, 所述解密单元中执行步骤 根据所述用户密钥恢复所述从随机树的根节点到所述待解密数据对应的叶子节 点的路径具体为: The device according to claim 9, wherein the performing step in the decrypting unit recovers the path from the root node of the random tree to the leaf node corresponding to the data to be decrypted according to the user key. For:
第三确定单元, 用于确定所述随机树的高度、 分割份数、 所述用户密钥、 所述待解密数据、 待划分区间的最小值和最大值; 所述分割份数是将所述待划 分区间等间隔划分的份数, 其中, 每层随机树的长度是值域的长度加上间隔域 的长度;  a third determining unit, configured to determine a height of the random tree, a number of divided shares, the user key, the to-be-decrypted data, a minimum value and a maximum value of the to-be-divided interval; The number of copies of the interval to be divided into equal intervals, wherein the length of each random tree is the length of the range plus the length of the interval;
第二生成单元, 用于根据所述用户密钥和当前节点的美国信息交换标准代 码生成随机树的种子;  a second generating unit, configured to generate a seed of the random tree according to the user key and the US information exchange standard code of the current node;
第二划分单元, 用于将所述待划分区间等间隔划分成所述分割份数, 通过 所述随机树的种子产生随机数, 所述随机数用于产生每段待划分区间间隔域, 所述间隔域的分割份数和选择的子节点, 同时使得分割后的总的间隔域长度等 于分割前的间隔域长度;  a second dividing unit, configured to divide the to-divided interval into equal intervals, and generate a random number by using a seed of the random tree, where the random number is used to generate each interval interval to be divided, Deriving the number of partitions of the interval domain and the selected child nodes, and making the total length of the partitioned partitions equal to the length of the interval domain before the segmentation;
第二判断单元, 用于根据每个子节点的范围的最小值, 判断所述密文所处 的位置;  a second determining unit, configured to determine, according to a minimum value of a range of each child node, a location where the ciphertext is located;
计算单元, 用于根据所述密文所处的位置, 计算出当前节点的美国信息交 换标准代码, 根据所述用户密钥和当前节点的美国信息交换标准代码生成随机 树的种子; 第三划分单元 用于根据所述随机数的种子产生随机数, 通过所述随机数将 所述节点数所处待划分区间分成两个区域值, 所述两个区域值是下一层随机树 的总的值域值和下一次随机树的总的间隔域值; a calculating unit, configured to calculate, according to the location where the ciphertext is located, a US standard information exchange standard code of the current node, and generate a seed of the random tree according to the user key and the US standard information exchange standard code of the current node; The third dividing unit is configured to generate a random number according to the seed of the random number, and divide, by the random number, the to-divided interval in which the number of nodes is located into two regional values, where the two regional values are the next random tree The total value of the field and the total interval field value of the next random tree;
第四确定单元, 用于确定所述待解密数据的节点位置, 所述节点位置的最 小值是三个值之和, 所述三个值分别是所述节点位置上一层随机树的最小值, 到所述节点位置的值域间隔值的总和, 到所述节点位置的间隔域间隔值的总和; 第三判断单元, 用于判断所述节点位置是否是所述选择的子节点, 若是, 则所述节点位置的最大值是三个值之和, 所述三个值分别是所述节点位置的最 小值, 所述节点位置的值域间隔值, 所述间隔域在所述节点位置的值;  a fourth determining unit, configured to determine a node location of the data to be decrypted, where a minimum value of the node location is a sum of three values, where the three values are minimum values of a random tree above the node location The sum of the value range values of the node locations, the sum of the interval field values to the node locations; the third determining unit, configured to determine whether the node locations are the selected child nodes, and if so, The maximum value of the node location is the sum of three values, the three values are respectively the minimum value of the node location, the value interval value of the node location, and the interval domain is at the node location. Value
若否, 则所述节点位置的最大值是两个值之和, 所述两个值分别是所述节 点位置的最小值, 所述节点位置的值域间隔值。  If not, the maximum value of the node position is the sum of two values, the two values being the minimum of the node position and the value interval value of the node position.
PCT/CN2012/086705 2012-12-14 2012-12-14 Method and device for data encryption and decryption WO2014089843A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/CN2012/086705 WO2014089843A1 (en) 2012-12-14 2012-12-14 Method and device for data encryption and decryption
CN201280002855.7A CN104040935B (en) 2012-12-14 2012-12-14 A kind of data encryption, the method and apparatus of decryption

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2012/086705 WO2014089843A1 (en) 2012-12-14 2012-12-14 Method and device for data encryption and decryption

Publications (1)

Publication Number Publication Date
WO2014089843A1 true WO2014089843A1 (en) 2014-06-19

Family

ID=50933745

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2012/086705 WO2014089843A1 (en) 2012-12-14 2012-12-14 Method and device for data encryption and decryption

Country Status (2)

Country Link
CN (1) CN104040935B (en)
WO (1) WO2014089843A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108063756A (en) * 2017-11-21 2018-05-22 阿里巴巴集团控股有限公司 A kind of key management method, device and equipment
CN108173885A (en) * 2018-03-27 2018-06-15 国家基础地理信息中心 Data ciphering method, data decryption method and relevant apparatus

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
SG10201609090XA (en) * 2016-10-31 2018-05-30 Huawei Int Pte Ltd System and method for controlling access to encrypted vehicular data
CN110213228B (en) * 2019-04-25 2021-09-07 平安科技(深圳)有限公司 Method, device, storage medium and computer equipment for authenticating communication
CN113434877B (en) * 2021-06-23 2024-07-05 平安国际智慧城市科技股份有限公司 Encryption and decryption methods, devices, equipment and storage medium for user input data

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040107341A1 (en) * 2002-12-02 2004-06-03 Hall William E. Parallelizable authentication tree for random access storage
CN1898899A (en) * 2004-09-14 2007-01-17 索尼株式会社 Information processing method, decryption processing method, information processing device, and computer program
CN101873214A (en) * 2009-04-24 2010-10-27 索尼株式会社 Method for generating, encrypting and decrypting key in broadcast encryption as well as device
CN101894244A (en) * 2009-05-20 2010-11-24 鸿富锦精密工业(深圳)有限公司 System and method for enciphering electronic data

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040107341A1 (en) * 2002-12-02 2004-06-03 Hall William E. Parallelizable authentication tree for random access storage
CN1898899A (en) * 2004-09-14 2007-01-17 索尼株式会社 Information processing method, decryption processing method, information processing device, and computer program
CN101873214A (en) * 2009-04-24 2010-10-27 索尼株式会社 Method for generating, encrypting and decrypting key in broadcast encryption as well as device
CN101894244A (en) * 2009-05-20 2010-11-24 鸿富锦精密工业(深圳)有限公司 System and method for enciphering electronic data

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108063756A (en) * 2017-11-21 2018-05-22 阿里巴巴集团控股有限公司 A kind of key management method, device and equipment
US10931651B2 (en) 2017-11-21 2021-02-23 Advanced New Technologies Co., Ltd. Key management
CN108173885A (en) * 2018-03-27 2018-06-15 国家基础地理信息中心 Data ciphering method, data decryption method and relevant apparatus
CN108173885B (en) * 2018-03-27 2020-09-15 国家基础地理信息中心 Data encryption method, data decryption method and related devices

Also Published As

Publication number Publication date
CN104040935B (en) 2017-06-20
CN104040935A (en) 2014-09-10

Similar Documents

Publication Publication Date Title
CN112800445B (en) Boolean query method for forward and backward security and verifiability of ciphertext data
CN110610105B (en) Secret sharing-based authentication method for three-dimensional model file in cloud environment
CN107291861B (en) Encryption graph-oriented approximate shortest distance query method with constraints
CN110413652B (en) Big data privacy retrieval method based on edge calculation
Xi et al. Privacy preserving shortest path routing with an application to navigation
CN113221155B (en) Multi-level and multi-level encrypted cloud storage system
WO2014089843A1 (en) Method and device for data encryption and decryption
CN112332979B (en) Ciphertext search method, system and equipment in cloud computing environment
CN106874516A (en) Efficient cipher text retrieval method based on KCB trees and Bloom filter in a kind of cloud storage
CN116070276A (en) Ciphertext duplicate checking and storing method based on homomorphic encryption and Simhash
CN104636673B (en) A kind of secure storage method of data under big data background
CN114142996B (en) Searchable encryption method based on SM9 cryptographic algorithm
CN109783456B (en) Duplication removing structure building method, duplication removing method, file retrieving method and duplication removing system
CN111698222A (en) Covert communication method of special bitcoin address generated based on vanitygen
CN113114454B (en) Efficient privacy outsourcing k-means clustering method
CN112866299A (en) Encrypted data deduplication and sharing device and method for mobile edge computing network
Abo-Alian et al. Auditing-as-a-service for cloud storage
KR100951034B1 (en) Method of producing searchable keyword encryption based on public key for minimizing data size of searchable keyword encryption and method of searching data based on public key through that
Ba et al. A Blockchain‐Based CP‐ABE Scheme with Partially Hidden Access Structures
CN113158087A (en) Query method and device for space text
Gong et al. Research on database ciphertext retrieval based on homomorphic encryption
Loh et al. A multi-client DSSE scheme supporting range queries
Xu et al. Symmetric searchable encryption with supporting search pattern and access pattern protection in multi‐cloud
CN110851850A (en) Searchable encryption system based on general circuit access structure
CN105610898B (en) A kind of location privacy protection method based on lattice

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 12889945

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 12889945

Country of ref document: EP

Kind code of ref document: A1