WO2020082692A1 - Cp-abe-based policy update method and system - Google Patents


Info

Publication number: WO2020082692A1
Authority: WO (WIPO (PCT))
Prior art keywords: update, ciphertext, data, terminal, new
Application number: PCT/CN2019/080917
Other languages: French (fr), Chinese (zh)
Inventors: 王树兰, 王汇文, 王磊
Original assignee: 深圳技术大学
Application filed by 深圳技术大学
Publication of WO2020082692A1

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
                        • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
                    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
                    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
                • H04L67/00 Network arrangements or protocols for supporting network services or applications
                    • H04L67/01 Protocols
                        • H04L67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
                        • H04L67/10 Protocols in which an application is distributed across nodes in the network
                • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
                    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
                        • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
                            • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
                        • H04L9/0891 Revocation or update of secret information, e.g. encryption key update or rekeying

Definitions

  • The invention relates to the technical field of data encryption, and in particular to a policy update method and system based on CP-ABE (Ciphertext-Policy Attribute-Based Encryption).
  • CP-ABE: Ciphertext-Policy Attribute-Based Encryption.
  • The ABE (Attribute-Based Encryption) mechanism serves as the end-to-end data encryption mode in cloud storage systems; it allows users to define their own access policies and encrypt data, so that access control can be implemented flexibly.
  • This application provides a CP-ABE-based policy update method and system, which can solve the technical problem of existing policy update methods, in which both the computation load of the data-owning terminal and the communication overhead between the data-owning terminal and the cloud server are large.
  • The first aspect of the present invention provides a CP-ABE-based policy update method, which includes:
  • the data-owning terminal encrypts the target data using a preset encryption algorithm and uploads the generated ciphertext to the cloud server;
  • the data-owning terminal generates an update key based on the new access policy held in the data-owning terminal, and uploads the new access policy and the update key to the cloud server;
  • the cloud server uses the received new access policy and update key to update the ciphertext.
  • The step in which the cloud server uses the received new access policy and update key to update the ciphertext includes:
  • The step of generating an update key based on the new access policy in the data-owning terminal includes:
  • the data-owning terminal runs a preset key update algorithm on the encryption information of the target data, the new access policy and the old access policy to generate the update key.
  • The method further includes:
  • the new data in the data-owning terminal is encrypted using the access policy corresponding to the ciphertext, and the generated new ciphertext is uploaded to the cloud server.
  • The step of encrypting the new data in the data-owning terminal using the access policy corresponding to the ciphertext includes:
  • the new data is encrypted using the access policy and secret value corresponding to the ciphertext together with a preset file and secret value update algorithm, generating the new ciphertext.
  • The method further includes:
  • the data-owning terminal encrypts the new data using the access policy and secret value corresponding to the ciphertext together with a preset file and secret value update algorithm, and uploads the generated new ciphertext to the cloud server;
  • the data-owning terminal generates an update key based on the new access policy in the data-owning terminal, and uploads the new access policy and the update key to the cloud server; after the cloud server has received the new ciphertext, the new access policy and the update key, it updates the new ciphertext using the new access policy and the update key.
  • A second aspect of the present invention provides a CP-ABE-based policy update system, which includes a data-owning terminal and a cloud server, the data-owning terminal being in communication connection with the cloud server;
  • the data-owning terminal is used to encrypt the target data using a preset encryption algorithm, upload the generated ciphertext to the cloud server, and, when the policy of the ciphertext needs to be updated, generate an update key based on the new access policy in the data-owning terminal and upload the new access policy and the update key to the cloud server;
  • the cloud server is used to update the ciphertext using the received new access policy and update key.
  • The system further includes a data-using terminal in communication connection with the cloud server; the data-using terminal is used to download ciphertext from the cloud server and decrypt it.
  • The system further includes an attribute authorization terminal in communication connection with the data-using terminal and the data-owning terminal respectively; the attribute authorization terminal is used to generate the public key and private key, as well as the user private key corresponding to the data-using terminal.
  • The CP-ABE-based policy update method provided by the present invention includes: a data-owning terminal encrypts target data using a preset encryption algorithm and uploads the generated ciphertext to a cloud server; the data-owning terminal generates an update key based on the new access policy and uploads the update key to the cloud server; the cloud server updates the ciphertext using the received update key.
  • In this way the data-owning terminal no longer needs to perform the computation related to the ciphertext update, which effectively reduces the computation load of the data-owning terminal as well as the communication overhead between the data-owning terminal and the cloud server.
  • FIG. 1 is a schematic structural diagram of a CP-ABE-based policy update system in an embodiment of the present invention.
  • FIG. 2 is a schematic flowchart of a CP-ABE-based policy update method in an embodiment of the present invention.
  • FIG. 3 is a schematic diagram of the conversion from an access tree to an access tree in an embodiment of the present invention.
  • FIG. 4 is a schematic diagram of the conversion from an access tree to an LSSS matrix in an embodiment of the present invention.
  • FIG. 5 is a schematic diagram of an access tree policy update in an embodiment of the present invention.
  • FIG. 1 is a schematic structural diagram of a CP-ABE-based policy update system in an embodiment of the present invention.
  • The system includes a data-owning terminal 10, a cloud server 20, a data-using terminal 30 and an attribute authorization terminal 40.
  • The data-owning terminal 10 is in communication connection with the cloud server 20.
  • The data-using terminal 30 is in communication connection with the cloud server 20.
  • The attribute authorization terminal 40 is in communication connection with the data-owning terminal 10 and the data-using terminal 30 respectively.
  • The data-owning terminal 10 is used to encrypt the target data using a preset encryption algorithm and upload the generated ciphertext to the cloud server 20, and, when the policy of the ciphertext needs to be updated, to generate an update key based on the new access policy in the data-owning terminal 10 and upload the update key to the cloud server 20.
  • The data-owning terminal 10 can also perform file update: if files of a similar kind need to be encrypted, the new files can be encrypted according to the old policy of the policy update and uploaded to the cloud server 20.
  • The cloud server 20 is used to update the ciphertext using the received update key.
  • The cloud server 20 also provides computing and storage services, stores the ciphertext uploaded by the data-owning terminal 10, and provides a ciphertext download service to the data-using terminal 30; it is also responsible for ciphertext update and file update.
  • The data-using terminal 30 is used to download ciphertext from the cloud server 20 and, when its attribute set satisfies the access policy corresponding to the ciphertext, to decrypt the downloaded ciphertext.
  • The attribute authorization terminal 40 is used to generate the public key and private key of the system and manage its attribute domain, and to provide the user private key for the data-using terminal 30 according to the attribute set initialized by the system.
  • FIG. 2 is a schematic flowchart of a CP-ABE-based policy update method in an embodiment of the present invention.
  • The method includes:
  • Step 201: The data-owning terminal encrypts the target data using a preset encryption algorithm and uploads the generated ciphertext to the cloud server.
  • Step 202: The data-owning terminal generates an update key based on the new access policy in the data-owning terminal, and uploads the new access policy and the update key to the cloud server.
  • Step 203: The cloud server uses the received new access policy and update key to update the ciphertext.
  • The CP-ABE mechanism mainly includes four algorithms: Setup, Encrypt, KeyGen and Decrypt.
  • Their functions are as follows:
  • Setup(λ, U): The system initialization algorithm takes the security parameter λ and the attribute domain U as input, and outputs the system public key PK and the master private key MSK.
  • Encrypt(PK, A, m): The data encryption algorithm takes the system public key PK, the data m and the access structure A as input, and outputs the ciphertext CT. The algorithm encrypts the data m into a ciphertext CT that implicitly carries the access structure A; only a data-using terminal 30 whose attributes satisfy the access structure can decrypt the data.
  • KeyGen(MSK, S): The key generation algorithm takes the master private key MSK and the attribute set S as input, and outputs the user private key SK.
  • Decrypt(PK, CT, SK): The data decryption algorithm takes the system public key PK, the ciphertext CT (implicitly including the access structure A) and the private key SK (including the attribute set S) as input. Only when the attribute set S of the data-using terminal 30 satisfies the access structure A does the data-using terminal 30 decrypt the ciphertext and recover the data m.
  • UpdateKeyGen(PK, EnInfo(m), A, A'): The update key algorithm takes the public parameter PK, the encryption information EnInfo(m) of data m, the old policy A and the new policy A' as input, and outputs the update key UK_m of data m.
  • CTUpdate(CT, UK_m): The ciphertext update algorithm takes the ciphertext CT and the update key UK_m of data m as input, and outputs the new ciphertext CT'.
  • UpdateFile(PK, A, m'): The file and secret value update algorithm takes the public parameter PK, the file m' and the access structure A' as input, and outputs the ciphertext CT_ms; the values changed during the whole update process are m' and the secret value s.
  • A more efficient CP-ABE scheme with policy update and file update is provided.
  • The advantage of this scheme is that policy update and file update can be used flexibly to solve problems in practical applications while reducing end-to-end communication overhead.
  • Encrypt(PK, (M, ρ), m): data encryption. The data-owning terminal takes the public parameters PK, the data m and the LSSS (linear secret sharing scheme) access control policy (M, ρ) as input, where the function ρ in (M, ρ) maps each row of the matrix M to an attribute. Finally, the Encrypt algorithm outputs the ciphertext CT.
  • The attribute authorization terminal verifies the legitimacy of the user's identity and provides the corresponding private key.
  • A random number t ∈ Z_p is generated.
  • The user's private key is:
  • Decrypt(CT, SK): data decryption.
  • The data-using terminal downloads the ciphertext CT of the file to be decrypted from the cloud server, and takes the ciphertext CT and its private key SK as input.
  • The data-using terminal obtains the data m through the above computation.
  • PolicyUpdate: policy update.
  • Policy update mainly consists of three parts: LSSS structure update, key update and ciphertext update.
  • The biggest challenge in the CP-ABE mechanism is policy update.
  • The data-owning terminal needs to decrypt the old ciphertext first, then encrypt the recovered data m, and finally upload the newly generated ciphertext to the cloud server.
  • The data-owning terminal therefore has to perform a large amount of computation and a large amount of communication with the cloud server, and the storage pressure on the cloud server is high.
  • This embodiment adopts the following policy update mechanism.
  • The data-owning terminal first retains the secret value s and the encryption information EnInfo(m) from the initial encryption of data m, together with the attribute parameter λ_i and attribute mask λ_i' of each attribute used in the encryption algorithm; it then generates an update key and uploads it to the cloud server; finally, the policy parameters and policy masks in the old ciphertext are used to update the LSSS matrix of the access policy (M, ρ) and to update the policy of the specified ciphertext, generating a new ciphertext.
  • The access control policy can also serve as a representation of the access control scheme in the local structure.
  • The LSSS structure (M, ρ) of the old policy is converted into the LSSS structure (M', ρ') of the new policy. If a new secret value s were selected under the new access policy and the encryption recomputed, excessive computation and communication costs would result.
  • The ciphertext expression is divided into three parts: the first is the access control policy (M, ρ); the second is the ciphertext components C, C_0 that encrypt the data m; the third is the policy components that encrypt the access control policy (M, ρ).
  • The data-owning terminal obtains the public key PK from the attribute authorization terminal and performs the encryption computation locally. In this process, communication between the data-owning terminal and the attribute authorization terminal is frequent, and the data-owning terminal's computation is repeated.
  • The secret value s is not changed during the policy update; only the old policy is used to update the policy.
  • The encryption information EnInfo(m) of the data m needs to contain two random vectors with
  • The public key of each attribute x consists of
  • The data-owning terminal constructs the update key through the key update algorithm and uploads it to the cloud server; after obtaining the update key, the cloud server runs the ciphertext update algorithm to update the ciphertext, converting it from the old access control policy to the new LSSS structure.
  • The conversion process is divided into two stages: access tree to access tree, and access tree to matrix.
  • FIG. 3 is a schematic diagram of the conversion from access tree to access tree in an embodiment of the present invention.
  • Each non-leaf node represents a threshold gate.
  • Each leaf node represents an attribute.
  • The access policy of the new policy is (E, (A, B, C, (A, F, 2), 2), 2), with attribute set {A, B, C, E, F}. Relative to the old policy, an attribute F and an AND threshold are added.
  • FIG. 4 is a schematic diagram of the conversion of an access tree to an LSSS matrix in an embodiment of the present invention.
  • The access tree is on the left, and its access policy is (E, (A, B, C, D, 2), 2).
  • On the right is the LSSS access policy (M, ρ), where M is a matrix and the mapping function ρ maps the first, second, third, fourth and fifth rows to the attributes E, A, B, C and D respectively.
  • Given an attribute set S, S satisfies the LSSS access policy if and only if the rows of M labelled with attributes in S span the vector (1, 0, ..., 0).
  • An AND/OR or threshold policy tree is converted into the LSSS matrix by the Lewko-Waters algorithm, as follows:
  • The above formula describes the conversion of a general Boolean formula into an equivalent LSSS matrix.
  • The Boolean formula is regarded as an access tree.
  • The internal nodes are AND gates and OR gates, and the leaf nodes carry attributes; (1, 0, ..., 0) is taken as the sharing vector of the LSSS.
  • The root node of the vector-labelled tree is labelled (1) (a vector of length 1); going down the tree, each node is labelled with a vector assigned by its parent node; a global counter variable c is initialized to 1, and after the access tree has been traversed, c is the length of the longest vector.
  • If the parent node is an AND gate labelled with a vector v
  • The vectors labelling the leaf nodes become the rows of the LSSS matrix. If these vectors have different lengths, the shorter ones are padded at the end with 0s so that all vectors have the same length.
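The Lewko-Waters procedure described above, as an added example in Python (not code from the patent): an AND/OR formula is converted into an LSSS matrix with sharing vector (1, 0, ..., 0), the satisfaction test of the preceding paragraphs is carried out by checking whether the rows labelled by an attribute set span (1, 0, ..., 0) over Z_p, and a secret value s is shared and recovered through the same matrix. The prime P is a constructed stand-in for the group order, the tuple policy syntax is this example's own, and threshold gates other than AND/OR are not handled.

```python
"""Lewko-Waters conversion of an AND/OR access formula into an LSSS matrix
(M, rho), the (1,0,...,0) span test for attribute-set satisfaction, and secret
sharing / reconstruction over Z_p.  Added example, not the patent's own code.
Policies are nested tuples ('AND', l, r) / ('OR', l, r) with attribute leaves."""
import secrets

P = 2**61 - 1  # constructed prime standing in for the group order p

def to_lsss(policy):
    """Return (rows, rho): rows form the LSSS matrix M over Z_p and rho[i] is
    the attribute labelling row i.  The sharing vector is (1, 0, ..., 0)."""
    rows, rho = [], []
    counter = [1]  # global counter c; the root is labelled with the vector (1)

    def visit(node, label):
        if isinstance(node, str):          # leaf: its label becomes a row of M
            rows.append(list(label))
            rho.append(node)
            return
        gate, left, right = node
        if gate == "OR":                   # OR gate: both children inherit v
            visit(left, label)
            visit(right, label)
        elif gate == "AND":                # AND gate: pad v to length c, then
            c = counter[0]                 # children get v|1 and (0,..,0)|-1
            padded = label + [0] * (c - len(label))
            counter[0] = c + 1             # increment c before descending
            visit(left, padded + [1])
            visit(right, [0] * c + [P - 1])
        else:
            raise ValueError(f"unknown gate {gate!r}")

    visit(policy, [1])
    width = counter[0]                     # longest label after the traversal
    return [row + [0] * (width - len(row)) for row in rows], rho  # zero-pad

def solve_mod_p(A, b):
    """Gauss-Jordan elimination over Z_p for A.w = b (A given as m rows of n).
    Returns one solution (free variables set to 0) or None if inconsistent."""
    m, n = len(A), len(A[0])
    aug = [[x % P for x in row] + [b[i] % P] for i, row in enumerate(A)]
    pivots, r = [], 0
    for col in range(n):
        if r == m:
            break
        piv = next((i for i in range(r, m) if aug[i][col]), None)
        if piv is None:
            continue
        aug[r], aug[piv] = aug[piv], aug[r]
        inv = pow(aug[r][col], -1, P)
        aug[r] = [x * inv % P for x in aug[r]]
        for i in range(m):
            if i != r and aug[i][col]:
                f = aug[i][col]
                aug[i] = [(x - f * y) % P for x, y in zip(aug[i], aug[r])]
        pivots.append(col)
        r += 1
    if any(aug[i][n] for i in range(r, m)):  # a row 0 = nonzero: no solution
        return None
    w = [0] * n
    for i, col in enumerate(pivots):
        w[col] = aug[i][n]
    return w

def reconstruction_coefficients(rows, rho, attrs):
    """Coefficients {row index: w_i} with sum_i w_i * M_i = (1, 0, ..., 0) using
    only rows labelled by attributes in attrs, or None when attrs does not
    satisfy the policy.  This is exactly the LSSS satisfaction test."""
    idx = [i for i, a in enumerate(rho) if a in attrs]
    if not idx:
        return None
    n = len(rows[0])
    # Chosen rows M_i become the columns of A, so A.w = e1 is sum_i w_i M_i = e1.
    A = [[rows[i][k] for i in idx] for k in range(n)]
    w = solve_mod_p(A, [1] + [0] * (n - 1))
    return None if w is None else dict(zip(idx, w))

def satisfies(rows, rho, attrs):
    """True iff the attribute set attrs satisfies the LSSS policy (rows, rho)."""
    return reconstruction_coefficients(rows, rho, attrs) is not None

def share_secret(rows, s):
    """Split s into per-row shares lambda_i = M_i . v, v = (s, y_2, ..., y_n)."""
    n = len(rows[0])
    v = [s % P] + [secrets.randbelow(P) for _ in range(n - 1)]
    return [sum(a * b for a, b in zip(row, v)) % P for row in rows]

def recover_secret(rows, rho, attrs, shares):
    """Recombine the shares an authorized attribute set can open; None otherwise."""
    coeffs = reconstruction_coefficients(rows, rho, attrs)
    if coeffs is None:
        return None
    return sum(w * shares[i] for i, w in coeffs.items()) % P
```

For the constructed policy (E AND A) OR (B AND C) the rows come out as E = (1, 1, 0), A = (0, -1, 0), B = (1, 0, 1), C = (0, 0, -1), so {E, A} and {B, C} recover s while {E, B} cannot.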
  • UpdateKeyGen(PK, EnInfo(m), A, A'): key update.
  • The data-owning terminal takes as input the public parameter PK, the encryption information EnInfo(m) of the data m, the old access policy A and the new access policy A'.
  • The new access policy is a matrix M' of size n' × l'.
  • Each leaf node in the access tree is mapped to a row of M' through the mapping function ρ', so each row vector of M' represents an attribute. Since the mapping functions ρ and ρ' are not injective, we denote by num_{ρ(i),M} and num_{ρ(i),M'} the number of occurrences of the attribute ρ(i) in the matrices M and M' respectively.
  • The update key algorithm first compares A and A' and divides the attributes of the new access policy into three parts:
  • the attributes that already exist in the old policy are defined as the set I_{1,M'} (Type 1);
  • FIG. 5 is a schematic diagram of an access tree policy update in an embodiment of the present invention.
  • The old policy is on the left and the new policy on the right. Observe the leaf nodes of the new and old policies.
  • The attributes A, B, C and E exist in the old policy, so they are placed in the set I_{1,M'} (Type 1); an attribute occurring a second time in the new policy (A appears twice in (E, (A, B, C, (A, F, 2), 2), 2)) is placed in the set I_{2,M'} (Type 2); the attribute F, which does not exist in the old policy, is placed in the set I_{3,M'} (Type 3).
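The three-way division of the new policy's attributes described above, as an added example (not the patent's own code): the function compares the attribute labels of the old and new LSSS rows and returns the Type 1 pairs, the Type 2 pairs and the Type 3 rows. How a Type 2 extra occurrence is paired with an old row, the reporting of old rows whose attribute disappeared, and the sample leaf orders are assumptions made here.

```python
"""Divide the rows of a new LSSS policy (M', rho') into the three update-key
types the text describes, by comparing them with the old policy (M, rho).
Added example, not the patent's own code; the pairing chosen for Type 2 rows
and the 'dropped' list are assumptions of this example."""
from collections import defaultdict

def partition_policy_rows(rho_old, rho_new):
    """rho_old[i] labels row i of M, rho_new[j] labels row j of M'.
    Returns (type1, type2, type3, dropped) where
      type1: (j, i) pairs for the first num_{x,M} occurrences of attribute x
             in M', matched in order with x's rows in M       (I_{1,M'})
      type2: (j, i) pairs for further occurrences of x in M' beyond num_{x,M},
             paired here with x's first row in M (assumption)  (I_{2,M'})
      type3: j for attributes of M' that never occur in M       (I_{3,M'})
      dropped: i for rows of M whose attribute no longer occurs in M'."""
    old_rows = defaultdict(list)          # attribute -> its row indices in M
    for i, x in enumerate(rho_old):
        old_rows[x].append(i)
    seen = defaultdict(int)               # occurrences of x met so far in M'
    type1, type2, type3 = [], [], []
    for j, x in enumerate(rho_new):
        k = seen[x]
        seen[x] += 1
        if x not in old_rows:
            type3.append(j)
        elif k < len(old_rows[x]):        # k-th occurrence has an old partner
            type1.append((j, old_rows[x][k]))
        else:                             # num_{x,M'} > num_{x,M}
            type2.append((j, old_rows[x][0]))
    new_attrs = set(rho_new)
    dropped = [i for i, x in enumerate(rho_old) if x not in new_attrs]
    return type1, type2, type3, dropped

if __name__ == "__main__":
    # Constructed sample: leaf order of the FIG. 4 tree (E, (A, B, C, D, 2), 2)
    # as the old policy and of the FIG. 3 new tree (E, (A, B, C, (A, F, 2), 2), 2).
    print(partition_policy_rows(["E", "A", "B", "C", "D"],
                                ["E", "A", "B", "C", "A", "F"]))
```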
  • The analysis proceeds from the ciphertext structure.
  • In the ciphertext produced by the Encrypt algorithm, the ciphertext component of each attribute is set to:
  • h_{ρ(i)} is a hash function, indicating that the ciphertext component corresponds to an attribute.
  • λ_i' is a random number in the domain Z_p, whose main function is to disguise
  • The attribute parameter λ_i is also used as a random mask of the ciphertext component C_{1,i}.
  • The attribute parameter λ_i splits the secret value s of the ciphertext among the attributes according to the access policy, and is called the policy parameter; λ_i' is the policy parameter mask.
  • The data-owning terminal computes the LSSS matrix (M', ρ') according to the new policy, and at the same time generates a random variable
  • The old policy parameter of the attribute ρ(i) is λ_i.
  • The old policy parameter mask is λ_i'.
  • The new policy parameter of the attribute ρ'(j) is λ_j.
  • The new policy parameter mask is λ_j'.
  • The final update key UK_m is:
  • $UK_m = \big((\mathrm{Type1}, \{UK_{j,i,m}\}_{(j,i)\in I_{1,M'}}),\ (\mathrm{Type2}, \{UK_{j,i,m}\}_{(j,i)\in I_{2,M'}}),\ (\mathrm{Type3}, \{UK_{j,i,m}\}_{(j,i)\in I_{3,M'}})\big)$
  • The data-owning terminal sends the update key UK_m to the cloud server.
  • When the cloud server receives the update key UK_m, it updates the old policy according to the policy parameters in UK_m and runs the ciphertext update algorithm CTUpdate to update the corresponding ciphertext component of each attribute.
  • CTUpdate(CT, UK_m): ciphertext update.
  • The final new ciphertext CT' is constructed as:
  • File update is introduced into the CP-ABE scheme with policy update.
  • The motivation for introducing file update lies in two points. First, in practical applications, files of the same type usually need to be updated; for example, a report is revised repeatedly through version one, version two, ... to produce the final version. Second, during a policy update the secret value s of data m remains unchanged, which brings security risks; therefore the treatment of the secret value s needs to be improved in the scheme design.
  • FileUpdate: file update.
  • The significance of file update is that in real life information usually needs to be updated.
  • File update refers to updating the file m and the secret value s.
  • The algorithm is described as follows:
  • UpdateFile(PK, (M', ρ'), m'): update of file and secret value.
  • The data-owning terminal takes as input the public parameters PK, the new file m' and the LSSS access control policy (M', ρ'), where the function ρ' in (M', ρ') maps each row of the matrix M' to an attribute.
  • The UpdateFile algorithm outputs the ciphertext CT_ms.
  • M is the l × n matrix and l is the number of ciphertext attributes.
  • Before updating the file, a random number s' and a random vector are selected, where y_2, ..., y_n are used to share the secret value s' of the encryption exponent.
  • M_i is the vector corresponding to the i-th row of the matrix M.
  • Random numbers r_1', ..., r_l' ∈ Z_p and attribute masks λ_1'', ..., λ_l'' ∈ Z_p are generated.
  • Suppose a user has a follow-up examination every week in a department of a hospital. The case information after each examination may differ greatly, but these case records belong to the same type of file and differ only in their generation time, so they fall under the same access policy.
  • The user encrypts the new case record according to the access policy retained from the previous encryption operation and uploads it to the hospital's server, thereby realizing the file update.
  • Suppose the user is at hospital A but needs to be referred to hospital B for personal reasons.
  • The doctor at hospital B needs to view the user's case information.
  • By modifying the access policy, the user can open the case information held at hospital A to hospital B, so that the attending doctor can carry out treatment effectively and the user's overhead is reduced.
  • In summary, the CP-ABE-based policy update method includes: the data-owning terminal encrypts the target data using a preset encryption algorithm and uploads the generated ciphertext to the cloud server; when the policy of the ciphertext needs to be updated, an update key is generated based on the new access policy in the data-owning terminal and uploaded to the cloud server; the cloud server uses the received update key to update the ciphertext.
  • In this way the data-owning terminal no longer needs to perform the computation related to the ciphertext update, which effectively reduces the computation load of the data-owning terminal as well as the communication overhead between the data-owning terminal and the cloud server.
  • The security of the above method is demonstrated using the chosen-plaintext attack (CPA) security game and the decisional q-parallel BDHE assumption, where the CPA security game is based on the CP-ABE scheme.
  • CPA: chosen-plaintext attack.
  • The user private key SK is associated with an attribute set.
  • The ciphertext CT is associated with the access structure established by the data-owning terminal.
  • Adversary A needs to select the access structure A* to be challenged. Adversary A can obtain every SK whose associated attribute set does not satisfy A*.
  • In the following CPA security game it is assumed that the challenger and the adversary exchange information over a completely secure channel.
  • Adversary A selects the challenge access structure A* and sends A* to the challenger.
  • The challenger first runs the Setup algorithm of the scheme, generates the system public key PK, and sends PK to adversary A.
  • Adversary A defines its chosen attribute set and repeatedly queries the challenger for the corresponding user private key SK.
  • After receiving a query, the challenger runs the KeyGen algorithm of the scheme and sends the generated SK to adversary A.
  • In the challenge phase, adversary A first submits two messages m_0, m_1 ∈ G_T of equal length to the challenger; the challenger randomly selects a bit β ∈ {0, 1} and runs the Encrypt algorithm of the scheme, encrypting m_β under A*. Finally the challenger sends the resulting ciphertext CT* to adversary A.
  • Query Phase 2: the same as Query Phase 1, the only difference being that the private key SK queried by adversary A does not satisfy A*.
  • Simulator B takes a q-parallel BDHE challenge y, T.
  • Adversary A gives the challenge access structure (M*, ρ*) of the algorithm, where the matrix M* has n* columns.
  • {h_1, ..., h_U}: the elements correspond one-to-one with the attributes contained in the attribute domain U.
  • Simulator B sets h_x as follows:
  • Query Phase 1: In the first query phase, Simulator B repeatedly answers queries for the user private key SK. Suppose the attribute set S queried does not satisfy the LSSS matrix M*.
  • Simulator B begins by implicitly defining t:
  • Simulator B computes K as follows:
  • This embodiment now constructs the challenge ciphertext.
  • Simulator B can choose a secret sharing that cancels the internal terms. Simulator B randomly chooses values and shares the secret value vector
  • Simulator B selects the random values r_1', ..., r_l'.
  • Query Phase 2: the same process as Query Phase 1; it is not described again here.
  • If the challenge ciphertext is a valid ciphertext, the advantage of adversary A is Adv_A, as shown below:
  • If T is a random element of the group G_T, the challenge ciphertext is a completely random ciphertext.
  • From the advantage of adversary A it follows that Simulator B has a non-negligible advantage in the decisional q-parallel BDHE game.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

Disclosed are a CP-ABE-based policy update method and system. The method comprises: a data owning terminal encrypting target data by means of a pre-set encryption algorithm and uploading a generated ciphertext to a cloud-end server, and generating an updated key on the basis of a new access policy in the data owning terminal and uploading the updated key to the cloud-end server; and the cloud-end server updating the ciphertext by means of the received updated key. Thus, in the present invention, ciphertext updating in a data owning terminal is entrusted to a cloud-end server, so that the data owning terminal does not need to perform computation related to ciphertext updating, and thus, the amount of computation of the data owning terminal can be efficiently reduced and the overhead of communication between the data owning terminal and the cloud-end server can be reduced.

Description

Policy update method and system based on CP-ABE
Technical field
The invention relates to the technical field of data encryption, and in particular to a policy update method and system based on CP-ABE (Ciphertext-Policy Attribute-Based Encryption).
Background
At present, the ABE (Attribute-Based Encryption) mechanism serves as the end-to-end data encryption mode in cloud storage systems; it allows users to define their own access policies and encrypt data, so that access control can be implemented flexibly.
In the big-data setting, as more and more enterprises and institutions store their data on cloud servers, a data-owning terminal may need to change access policies dynamically and frequently, so policy update has become an important research problem. To implement a policy update in a traditional encryption mechanism, the encrypting party must first decrypt the old ciphertext, then re-encrypt the recovered plaintext, and finally upload the newly generated ciphertext to the cloud server; throughout this process both the computation at the data-owning terminal and the communication overhead between the data-owning terminal and the cloud server are large.
Summary of the invention
This application provides a CP-ABE-based policy update method and system that solves the technical problem of existing policy update methods, namely that both the computation at the data-owning terminal and the communication overhead between the data-owning terminal and the cloud server are large.
Specifically, a first aspect of the present invention provides a CP-ABE-based policy update method, which includes:
the data-owning terminal encrypts target data with a preset encryption algorithm and uploads the generated ciphertext to a cloud server;
the data-owning terminal generates an update key based on a new access policy held in the data-owning terminal, and uploads the new access policy and the update key to the cloud server;
the cloud server updates the ciphertext using the received new access policy and update key.
Optionally, the step in which the cloud server updates the ciphertext using the received new access policy and update key includes:
performing an LSSS matrix update on the old access policy corresponding to the ciphertext, using the new access policy;
performing a policy update on the ciphertext using the updated LSSS matrix, the update key and a preset ciphertext update algorithm, to generate a new ciphertext.
Optionally, the step of generating an update key based on the new access policy in the data-owning terminal includes:
the data-owning terminal runs a preset key update algorithm on the encryption information of the target data, the new access policy and the old access policy to generate the update key.
Optionally, the method further includes:
when the data-owning terminal needs to perform a file update on the ciphertext, it encrypts the new data in the data-owning terminal using the access policy corresponding to the ciphertext and uploads the generated new ciphertext to the cloud server.
Optionally, the step of encrypting the new data in the data-owning terminal using the access policy corresponding to the ciphertext includes:
encrypting the new data using the access policy and secret value corresponding to the ciphertext together with a preset update-file-and-secret-value algorithm, to generate the new ciphertext.
Optionally, the method further includes:
when the data-owning terminal needs to perform both a policy update and a file update on the ciphertext, it encrypts the new data using the access policy and secret value corresponding to the ciphertext together with the preset update-file-and-secret-value algorithm, and uploads the generated new ciphertext to the cloud server;
it generates an update key based on the new access policy in the data-owning terminal and uploads the new access policy and the update key to the cloud server; after receiving the new ciphertext, the new access policy and the update key, the cloud server updates the new ciphertext using the new access policy and the update key.
A second aspect of the present invention provides a CP-ABE-based policy update system, which includes a data-owning terminal and a cloud server, the data-owning terminal being communicatively connected to the cloud server;
the data-owning terminal is configured to encrypt target data using a preset encryption algorithm and upload the generated ciphertext to the cloud server, and, when a policy update of the ciphertext is required, to generate an update key based on the new access policy in the data-owning terminal and upload the new access policy and the update key to the cloud server;
the cloud server is configured to update the ciphertext using the received new access policy and update key.
Optionally, the system further includes a data-using terminal communicatively connected to the cloud server; the data-using terminal is configured to download ciphertext from the cloud server and decrypt it.
Optionally, the system further includes an attribute authorization terminal communicatively connected to both the data-using terminal and the data-owning terminal; the attribute authorization terminal is configured to generate the public key and private key of the system and to generate the user private key of the data-using terminal.
The CP-ABE-based policy update method provided by the present invention includes: the data-owning terminal encrypts target data using a preset encryption algorithm, uploads the generated ciphertext to the cloud server, generates an update key based on the new access policy in the data-owning terminal and uploads the update key to the cloud server; the cloud server updates the ciphertext using the received update key. Compared with the prior art, the present invention delegates the ciphertext update of the data-owning terminal to the cloud server, so that the data-owning terminal no longer needs to perform any computation related to the ciphertext update; this effectively reduces the computation at the data-owning terminal and the communication overhead between the data-owning terminal and the cloud server.
Brief description of the drawings
To explain the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed for the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention; those skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 is a schematic structural diagram of a CP-ABE-based policy update system in an embodiment of the present invention;
FIG. 2 is a schematic flowchart of a CP-ABE-based policy update method in an embodiment of the present invention;
FIG. 3 is a schematic diagram of the access-tree-to-access-tree conversion in an embodiment of the present invention;
FIG. 4 is a schematic diagram of the access-tree-to-LSSS-matrix conversion in an embodiment of the present invention;
FIG. 5 is a schematic diagram of an access tree policy update in an embodiment of the present invention.
Detailed description
To make the purpose, features and advantages of the present invention clearer and easier to understand, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings of the embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those skilled in the art from the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
Referring to FIG. 1, a schematic structural diagram of a CP-ABE-based policy update system in an embodiment of the present invention: in this embodiment the system includes a data-owning terminal 10, a cloud server 20, a data-using terminal 30 and an attribute authorization terminal 40. The data-owning terminal 10 is communicatively connected to the cloud server 20, the data-using terminal 30 is communicatively connected to the cloud server 20, and the attribute authorization terminal 40 is communicatively connected to the data-using terminal 10 and the data-owning terminal 30 respectively.
The data-owning terminal 10 is configured to encrypt target data using a preset encryption algorithm and upload the generated ciphertext to the cloud server 20, and, when a policy update of the ciphertext is required, to generate an update key based on the new access policy in the data-owning terminal 10 and upload the update key to the cloud server 20. In addition, the data-owning terminal 10 can also produce the updated file in a file update: if a file of the same kind needs to be encrypted, the new file can be encrypted under the old policy of the policy update and uploaded to the cloud server 20.
The cloud server 20 is configured to update the ciphertext using the received update key. The cloud server 20 also provides computing and storage services: it stores the ciphertext uploaded by the data-owning terminal 10 and provides a ciphertext download service to the data-using terminal 30. It is also responsible for updating ciphertexts and updating files.
The data-using terminal 30 is configured to download ciphertext from the cloud server 20; when its attributes satisfy the access policy corresponding to the ciphertext, it can decrypt the downloaded ciphertext.
The attribute authorization terminal 40 is configured to generate the public key and private key of the system and to manage its attribute domain; it provides user private keys to the data-using terminal 30 according to the attribute set initialized by the system.
The CP-ABE-based policy update method provided by an embodiment of the present invention is described on the basis of the above system.
Referring to FIG. 2, a schematic flowchart of a CP-ABE-based policy update method in an embodiment of the present invention, the method includes:
Step 201: the data-owning terminal encrypts the target data using a preset encryption algorithm and uploads the generated ciphertext to the cloud server.
Step 202: the data-owning terminal generates an update key based on the new access policy in the data-owning terminal, and uploads the new access policy and the update key to the cloud server;
Step 203: the cloud server updates the ciphertext using the received new access policy and update key.
Specifically, based on the system shown in FIG. 1, each algorithm involved in the present invention is described in detail below.
The CP-ABE mechanism mainly consists of four algorithms, Setup, Encrypt, KeyGen and Decrypt, whose functions are as follows:
Setup(λ, U): the system initialization algorithm takes the security parameter λ and the attribute domain U as input and outputs the system public key PK and the master secret key MSK.
Encrypt(PK, A, m): the data encryption algorithm takes the system public key PK, the data m and the access structure A as input and outputs the ciphertext CT. The algorithm encrypts the data m and produces the ciphertext CT, which implicitly contains the access structure A; only a data-using terminal 30 whose attributes satisfy the access structure can decrypt the data.
KeyGen(MSK, S): the key generation algorithm takes the master secret key MSK and the attribute set S as input and outputs the user private key SK.
Decrypt(PK, CT, SK): the data decryption algorithm takes the system public key PK, the ciphertext CT (implicitly containing the access structure A) and the private key SK (containing the attribute set S) as input. Only when the attribute set S of the data-using terminal 30 satisfies the attributes of the access structure A does the data-using terminal 30 decrypt the ciphertext and recover the data m.
UpdateKeyGen(PK, EnInfo(m), A, A'): the update key algorithm takes the public parameters PK, the encryption information EnInfo(m) of the data m, the old policy A and the new policy A' as input and outputs the update key UK_m of the data m.
CTUpdate(CT, UK_m): the ciphertext update algorithm takes the ciphertext CT and the update key UK_m of the data m as input and outputs the new ciphertext CT'.
UpdateFile(PK, A, m'): the update-file-and-secret-value algorithm takes the public parameters PK, the file m' and the access structure A' as input and outputs the ciphertext CT_ms; the values that change during the whole update are m' and the secret value s.
This embodiment provides a more efficient CP-ABE scheme for policy update and file update; its advantage is that policy update and file update can be applied flexibly to solve problems in practical applications while reducing the end-to-end communication overhead.
The functions implemented are as follows:
Setup(λ, U): system initialization. The attribute authorization terminal takes the security parameter λ and the attribute domain U of the system as input. It selects a bilinear group G_0 of prime order p, a bilinear map e: G_0 × G_0 → G_T and a generator g of G_0; a random oracle h maps the elements of the attribute domain U to h_1, ..., h_U ∈ G_0, defined as U = {h_1, ..., h_U}, whose elements correspond one-to-one to the attributes of the attribute domain U. In addition, it selects two random numbers α, a ∈ Z_p and computes the public key PK and the master secret key MSK:
PK = (g, e(g,g)^α, g^a, h_1, ..., h_U), MSK = g^a   (1)
Encrypt(PK, (M, ρ), m): data encryption. The data-owning terminal takes the public parameters PK, the data m and the LSSS (linear secret sharing scheme) access control policy (M, ρ) as input, where the function ρ of (M, ρ) maps each row of the matrix M to an attribute. Finally, the Encrypt algorithm outputs the ciphertext CT.
Here M is an l × n matrix and l is the number of ciphertext attributes. Before the encryption operation, a random vector is first chosen:
Figure PCTCN2019080917-appb-000001
where y_2, ..., y_n serve to share the secret value s of the encryption exponent. Then compute
Figure PCTCN2019080917-appb-000002
where M_i is the i-th row of the matrix M, corresponding to the vector. Finally, generate random numbers r_1, ..., r_l ∈ Z_p and attribute masks λ_1', ..., λ_l' ∈ Z_p. Compute the ciphertext:
C = m · e(g,g)^{αs}, C_0 = g^s   (2)
For i ∈ [1, l], compute
Figure PCTCN2019080917-appb-000003
The above equations are described by (M, ρ).
Finally, the ciphertext is
Figure PCTCN2019080917-appb-000004
where EnInfo(m) is the set of random numbers used during the encryption of the data m, i.e. EnInfo(m) = {r_1, ..., r_l}.
KeyGen(MSK, S): key generation. The attribute authorization terminal takes the master secret key MSK and the user attribute set S = {A_1, ..., A_x} as input. When a data-using terminal registers with the attribute authorization terminal, the attribute authorization terminal verifies the legitimacy of the user's identity and then issues the corresponding private key. It also generates a random number t ∈ Z_p and computes the user's private key SK:
Figure PCTCN2019080917-appb-000005
The user's private key is:
Figure PCTCN2019080917-appb-000006
Decrypt(CT, SK): data decryption. The data-using terminal downloads the ciphertext CT of the file to be decrypted from the cloud server and takes the ciphertext CT and its private key SK as input. The ciphertext CT includes the attribute set of the access control policy
Figure PCTCN2019080917-appb-000007
Define I = {i : ρ(i) ∈ S} and compute {ω_i ∈ Z_p}; if {λ_i} are valid shares of the secret value s under the matrix M, then Σ_{i∈I} ω_i λ_i = s. Then perform the decryption computation:
Figure PCTCN2019080917-appb-000008
Figure PCTCN2019080917-appb-000009
Through the above computation the data-using terminal obtains the data m.
Further, in this embodiment, in order to update the access policy of encrypted data stored on the cloud server, we delegate the ciphertext update of the data-owning terminal to the cloud server; this reduces the end-to-end communication overhead and the computational overhead of the data-owning terminal.
PolicyUpdate: policy update. Policy update consists of three parts: LSSS structure update, key update and ciphertext update. The biggest challenge in the CP-ABE mechanism is policy update. In the traditional approach the data-owning terminal must first decrypt the old ciphertext, re-encrypt the recovered data m and upload the newly generated ciphertext to the cloud server; throughout this process the data-owning terminal bears a large amount of computation, the communication with the cloud server is heavy and the storage pressure on the cloud server is high. To solve these problems, this embodiment adopts a policy update mechanism. The data-owning terminal first retains the secret value s and the encryption information EnInfo(m) from the first encryption of the data m, together with the attribute parameter λ_i and the attribute mask λ_i' of each attribute in the encryption algorithm; it then generates the update key and uploads it to the cloud server; finally, the policy parameters and policy masks of the old ciphertext are used to perform an LSSS matrix update of the access policy (M, ρ) and a policy update of the specified ciphertext, producing the new ciphertext. Specifically:
1. LSSS structure update
An access control policy can also be represented as an access control scheme in a local structure. The policy update mechanism converts the old-policy LSSS structure (M, ρ) into the new-policy LSSS structure (M', ρ'). Choosing a new secret value s under the new access policy and re-running the encryption computation would cause excessive computation and communication overhead. The ciphertext set
Figure PCTCN2019080917-appb-000010
consists of three parts: the access control policy (M, ρ); the ciphertext subset C, C_0 that encrypts the data m; and the policy set that encrypts the access control policy (M, ρ)
Figure PCTCN2019080917-appb-000011
The ciphertext subset is C = m · e(g,g)^{αs}, C_0 = g^s. To generate a new secret value s and encrypt again, the data-owning terminal would have to obtain the public key PK from the attribute authorization terminal and perform the encryption computation locally; in that process the communication between the data-owning terminal and the attribute authorization terminal is frequent and the data-owning terminal's computation is repeated. Therefore the secret value s is not changed during the policy update, and the old policy is fully reused for the update. To re-randomize the encrypted secret value s, the encryption information EnInfo(m) of the data m must contain two random vectors
Figure PCTCN2019080917-appb-000012
and
Figure PCTCN2019080917-appb-000013
The public key of each attribute x is denoted by
Figure PCTCN2019080917-appb-000014
The data-owning terminal constructs the update key with the key update algorithm and uploads it to the cloud server; after obtaining the update key, the cloud server runs the ciphertext update algorithm to update the ciphertext through the LSSS conversion from the old access control policy to the new policy. The conversion has two stages: access tree to access tree, and access tree to matrix. The conversion is shown in FIG. 3, a schematic diagram of the access-tree-to-access-tree conversion in an embodiment of the present invention.
In FIG. 3, the old policy A is on the left and the new policy A' on the right. The access policy of the old policy is (E, (A, B, C, D, 2), 2): in a threshold access tree each non-leaf node represents a threshold gate and each leaf node represents an attribute, and the attribute set here is {A, B, C, D, E}. Given an attribute set S, a leaf node of the access policy A is satisfied by S if the associated attribute is in S. In a (t, n) threshold node, n is the number of child nodes and 1 ≤ t ≤ n is the threshold value; t = 1 represents an OR gate and t = n an AND gate. The access policy of the new policy is (E, (A, B, C, (A, F, 2), 2), 2), with attribute set {A, B, C, E, F}; compared with the old policy, one attribute F and one AND gate have been added.
Referring to FIG. 4, a schematic diagram of the access-tree-to-LSSS-matrix conversion in an embodiment of the present invention: on the left is the access tree with access policy (E, (A, B, C, D, 2), 2); on the right is the LSSS access policy (M, ρ), where M is a matrix and the mapping function ρ maps the first, second, third, fourth and fifth rows to the attributes E, A, B, C and D respectively. Given an attribute set S, S satisfies the LSSS access policy if and only if the rows of M labelled with attributes of S contain the vector (1, 0, ..., 0) in their span.
The Boolean formula of the AND/OR/threshold policy tree is:
E ∧ (((A ∧ B) ∨ (C ∧ D)) ∨ ((A ∧ B) ∧ (C ∧ D)))
The AND/OR/threshold policy tree is turned into an LSSS matrix by the Lewko-Waters algorithm, as follows:
Figure PCTCN2019080917-appb-000015
The above formula describes the general algorithm that converts a Boolean formula into an equivalent LSSS matrix. The Boolean formula is viewed as an access tree whose internal nodes are AND gates and OR gates and whose leaf nodes carry attributes, and (1, 0, ..., 0) is taken as the sharing vector of the LSSS. First the root of the tree is labelled with the vector (1) (a vector of length 1); then, going down the tree level by level, each node is labelled with the vector assigned by its parent; a global counter variable c is initialized to 1, and after the tree has been traversed c is the maximum vector length.
The following rules are followed throughout the traversal:
1. If the parent node is an OR gate labelled with the vector v, its children are also labelled with v (the variable c is unchanged).
2. If the parent node is an AND gate labelled with the vector v, v is padded with 0s at the end (if necessary) to length c. One child is then labelled with the vector v|1 (the parent vector concatenated with 1) and the other with (0, ..., 0)|-1, where (0, ..., 0) is the zero vector of length c.
Once the whole tree has been labelled, the vectors labelling the leaf nodes become the rows of the LSSS matrix; if the vectors have different lengths, they are padded with 0s at the end so that all rows have the same length.
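The following is an added example, not code from the patent, that carries the three LSSS steps described on this page through in working form: the Lewko-Waters labelling that turns an AND/OR access tree into (M, ρ), the sharing of the secret exponent s as λ_i = M_i · v from the Encrypt section, and the reconstruction coefficients ω_i with Σ_{i∈I} ω_i λ_i = s from the Decrypt section. The policy is the Boolean formula of FIG. 4 given above; the nested-tuple tree encoding, the prime modulus P standing in for the group order p, the secret value and the attribute sets tested are constructed here and are assumptions, not values from the page. Note that ρ is non-injective for this formula (A, B, C and D each label two rows), which is the situation the Type2 classification below addresses.

```python
import random

# Access tree as nested tuples (constructed encoding, not from the patent):
#   ('attr', name) is a leaf, ('and', [children]) / ('or', [children]) are gates.
# Boolean formula of FIG. 4: E ∧ (((A∧B) ∨ (C∧D)) ∨ ((A∧B) ∧ (C∧D)))
AB = ('and', [('attr', 'A'), ('attr', 'B')])
CD = ('and', [('attr', 'C'), ('attr', 'D')])
POLICY = ('and', [('attr', 'E'),
                  ('or', [('or', [AB, CD]), ('and', [AB, CD])])])
P = 2**31 - 1   # prime modulus standing in for the group order p (assumption)


def _label(node, vec, c, rows):
    """Lewko-Waters labelling walk; returns the updated global counter c."""
    kind = node[0]
    if kind == 'attr':
        rows.append((node[1], list(vec)))     # leaf: its label becomes a row
        return c
    children = node[1]
    if kind == 'or':                          # OR: children inherit v, c unchanged
        for child in children:
            c = _label(child, vec, c, rows)
        return c
    # AND: pad v to length c, then v|1 and (0,...,0)|-1; c grows by one.
    # An n-ary AND is folded as AND(x1, AND(x2, ...)).
    if len(children) == 1:
        return _label(children[0], vec, c, rows)
    v = list(vec) + [0] * (c - len(vec))
    left, right = v + [1], [0] * c + [-1]
    c += 1
    c = _label(children[0], left, c, rows)
    rest = children[1] if len(children) == 2 else ('and', children[1:])
    return _label(rest, right, c, rows)


def boolean_to_lsss(tree):
    """Return (M, rho): leaf labels padded with 0s to the final counter value c."""
    rows = []
    c = _label(tree, [1], 1, rows)
    M = [vec + [0] * (c - len(vec)) for _, vec in rows]
    rho = [name for name, _ in rows]
    return M, rho


def share_secret(M, s, p):
    """Encrypt step: v = (s, y_2, ..., y_n) random, lambda_i = M_i . v mod p."""
    n = len(M[0])
    v = [s % p] + [random.randrange(p) for _ in range(n - 1)]
    return [sum(m * x for m, x in zip(row, v)) % p for row in M]


def solve_mod_p(A, b, p):
    """Gauss-Jordan over Z_p for A x = b; returns one solution or None."""
    m, n = len(A), len(A[0])
    T = [[a % p for a in row] + [bi % p] for row, bi in zip(A, b)]
    pivots, r = [], 0
    for col in range(n):
        piv = next((i for i in range(r, m) if T[i][col]), None)
        if piv is None:
            continue
        T[r], T[piv] = T[piv], T[r]
        inv = pow(T[r][col], -1, p)
        T[r] = [(x * inv) % p for x in T[r]]
        for i in range(m):
            if i != r and T[i][col]:
                f = T[i][col]
                T[i] = [(x - f * y) % p for x, y in zip(T[i], T[r])]
        pivots.append(col)
        r += 1
        if r == m:
            break
    if any(T[i][n] for i in range(r, m)):   # a row 0 = nonzero: inconsistent
        return None
    x = [0] * n
    for i, col in enumerate(pivots):
        x[col] = T[i][n]
    return x


def reconstruction_coeffs(M, rho, attrs, p):
    """Decrypt step: omega_i over I = {i : rho(i) in S} with sum omega_i M_i = (1,0,...,0)."""
    I = [i for i, a in enumerate(rho) if a in attrs]
    if not I:
        return None
    n = len(M[0])
    A = [[M[i][col] for i in I] for col in range(n)]   # n equations, |I| unknowns
    sol = solve_mod_p(A, [1] + [0] * (n - 1), p)
    return None if sol is None else dict(zip(I, sol))


def recover_secret(M, rho, lam, attrs, p):
    """sum omega_i lambda_i = s when S satisfies (M, rho); None otherwise."""
    omega = reconstruction_coeffs(M, rho, attrs, p)
    if omega is None:
        return None
    return sum(w * lam[i] for i, w in omega.items()) % p


if __name__ == '__main__':
    M, rho = boolean_to_lsss(POLICY)
    s = 123456789
    lam = share_secret(M, s, P)
    print(rho, recover_secret(M, rho, lam, {'E', 'A', 'B'}, P) == s)
```

The satisfaction test is exactly the span condition stated for FIG. 4: `reconstruction_coeffs` succeeds only when the rows labelled by S combine to (1, 0, ..., 0), and because λ = M·v, the same ω_i then recover s without ever touching the other y_j. The pairing-based parts of Encrypt and Decrypt are deliberately left out; they multiply these exponents into group elements but do not change the linear algebra shown here.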
二、密钥更新Second, the key update
UpdateKeyGen(PK, EnInfo(m), A, A'): key update. The data-owning terminal takes as input the public parameters PK, the encryption information EnInfo(m) of the data m, the old access policy A and the new access policy A'. Assume the new access policy is an n'×l' matrix M'; each leaf node of the access tree is mapped to a row of M' by the mapping function ρ', where each row vector of M' represents one attribute. Since the mapping functions ρ and ρ' are not injective, we write num_{ρ(i),M} and num_{ρ(i),M'} for the number of times the attribute ρ(i) occurs in the matrices M and M', respectively. When the old policy in the old ciphertext is converted to the new policy, the different situations the data-owning terminal encounters are discussed separately. The update key algorithm first compares A and A' and divides the attributes of the new access policy into three parts:
(1) the set of attributes that already exist in the old policy, defined as I_{1,M'} (Type1);
(2) the set of attributes that already exist in the old policy and appear two or more times, defined as I_{2,M'} (Type2);
(3) the set of attributes that do not exist in the old policy, defined as I_{3,M'} (Type3).
Referring to FIG. 5, FIG. 5 is a schematic diagram of an access tree policy update in an embodiment of the present invention. In FIG. 5 the old policy is on the left and the new policy on the right. Looking at the leaf nodes of the new and old policies: the attributes A, B, C and E of the new policy exist in the old policy, so they are placed in the set I_{1,M'} (Type1); the attribute A of the new policy exists in the old policy and appears twice in the new policy, so it is placed in the set I_{2,M'} (Type2); the attribute F does not exist in the old policy, so it is placed in the set I_{3,M'} (Type3).
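As an added worked example (not the patent's own code), the tree-to-LSSS conversion described above and the Type1/Type2/Type3 split performed by UpdateKeyGen, in Python. Two things are assumptions: the OR-gate labeling rule (both children inherit the parent's label), which is the standard Lewko-Waters rule and is not stated in this excerpt, and the two policy trees, which are constructed to reproduce the attribute pattern described for FIG. 5 (A, B, C, E shared, A repeated, F new) but are not the trees drawn there.

```python
"""Access tree -> LSSS matrix, then the Type1/2/3 row split of UpdateKeyGen.

Constructed for this page; not code from the patent. The OR-gate rule used
below is the standard Lewko-Waters rule and is an assumption here, since the
excerpt above only states the AND-gate rule.
"""
import random

# Toy prime for the Z_p arithmetic (constructed; a real scheme uses the
# pairing group order, which this example does not model).
P = 2**31 - 1

# Constructed policies reproducing the attribute pattern described for FIG. 5
# (A, B, C, E shared; A repeated in the new policy; F new). Illustrative only.
OLD_POLICY = ("AND", ("OR", "A", "B"), ("OR", "C", "E"))
NEW_POLICY = ("OR", ("AND", "A", "B"),
              ("AND", ("OR", "A", "F"), ("OR", "C", "E")))


def tree_to_lsss(tree):
    """Convert a boolean access tree to an LSSS matrix (M, rho).

    tree is an attribute name (leaf) or (gate, left, right) with gate in
    {"AND", "OR"}. Returns M as a list of integer rows and rho as the
    row-index -> attribute map; rho is not injective when an attribute sits
    on several leaves, which is exactly the case UpdateKeyGen distinguishes."""
    rows = []    # (attribute, label vector) in leaf order
    c = [1]      # global counter: the current label length

    def label(node, vec):
        if isinstance(node, str):
            rows.append((node, list(vec)))
            return
        gate, left, right = node
        if gate == "OR":
            # Assumed Lewko-Waters rule: both children keep the parent's label.
            label(left, vec)
            label(right, vec)
        elif gate == "AND":
            # Rule from the page: pad v with 0s to length c, label one child
            # v|1 and the other (0,...,0)|-1, then increment the counter.
            v = vec + [0] * (c[0] - len(vec))
            zeros = [0] * c[0]
            c[0] += 1
            label(left, v + [1])
            label(right, zeros + [-1])
        else:
            raise ValueError(f"unknown gate {gate!r}")

    label(tree, [1])
    width = c[0]
    # Leaf labels of different lengths are padded with trailing 0s.
    M = [vec + [0] * (width - len(vec)) for _, vec in rows]
    rho = {i: attr for i, (attr, _) in enumerate(rows)}
    return M, rho


def share_secret(M, s, rng=random):
    """Policy parameters lambda_i = M_i . v with v = (s, y_2, ..., y_n) in Z_p."""
    n = len(M[0])
    v = [s % P] + [rng.randrange(P) for _ in range(n - 1)]
    return [sum(m * x for m, x in zip(row, v)) % P for row in M]


def classify_update(rho_old, rho_new):
    """Split the rows of M' into the three sets used by UpdateKeyGen.

    Type1: attribute already in the old policy (its first row in M');
    Type2: attribute in the old policy that occurs again in M';
    Type3: attribute absent from the old policy.
    Entries are (j, i): row j of M' paired with the row i of M carrying the
    same attribute (None for Type3, which has no old ciphertext component)."""
    old_index = {}
    for i, attr in rho_old.items():
        old_index.setdefault(attr, i)       # first old row with this attribute
    sets = {"Type1": [], "Type2": [], "Type3": []}
    seen = set()
    for j in sorted(rho_new):
        attr = rho_new[j]
        if attr not in old_index:
            sets["Type3"].append((j, None))
        elif attr in seen:
            sets["Type2"].append((j, old_index[attr]))
        else:
            sets["Type1"].append((j, old_index[attr]))
        seen.add(attr)
    return sets


if __name__ == "__main__":
    M, rho = tree_to_lsss(OLD_POLICY)
    M2, rho2 = tree_to_lsss(NEW_POLICY)
    print("new M':", M2, rho2)
    print(classify_update(rho, rho2))
    lam = share_secret(M, 42)
    # {A, C} satisfies the old policy: rows 0 and 2 of M sum to (1, 0), so
    # lambda_0 + lambda_2 recovers s = 42 (mod P).
    print((lam[0] + lam[2]) % P)
```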
Based on the classification in the above policy update, the analysis now proceeds from the ciphertext structure. In the ciphertext part produced by the Encrypt algorithm, the ciphertext of each attribute is set as:
Figure PCTCN2019080917-appb-000016
In the ciphertext set of formula (9), h_{ρ(i)} is a hash function that indicates which attribute the ciphertext subset corresponds to, and λ_i' is a random number in Z_p whose main role is to mask the attribute parameter λ_i while also serving as a random mask for the ciphertext subset C_{1,i}. The attribute parameter λ_i splits the secret value s of the ciphertext among the attributes according to the access policy and is called the policy parameter, while λ_i' is the policy parameter mask.
For the three types Type1, Type2 and Type3 in the policy update, the following operations are performed respectively:
1) If an attribute in the new policy is of Type1, it suffices, on the basis of the existing ciphertext, to adjust the policy parameter λ_i of C_{3,i} according to the updated policy;
2) If an attribute in the new policy is of Type2, the policy parameter λ_i, the random number r_i and the parameter mask λ_i' in C_{1,i} and C_{3,i} must first be updated, together with the random number r_i in C_{2,i}; it is then distinguished from the Type1 ciphertext of the same attribute through the mapping function ρ;
3) If an attribute in the new policy is of Type3, since there is no ciphertext for the same attribute in the old policy, the data-owning terminal has to recompute the ciphertext C_{1,i}, C_{2,i}, C_{3,i} locally.
In the policy update scheme, the data-owning terminal computes the LSSS matrix (M', ρ') from the new policy and at the same time generates a random vector
Figure PCTCN2019080917-appb-000017
whose first element is the secret value s. It then computes
Figure PCTCN2019080917-appb-000018
Define I_{M'} = {1,...,l} as the index set of M'. Here (j,i) denotes that an attribute has index i in the old policy and index j in the new policy. In the old ciphertext policy (M, ρ), the old policy parameter of the attribute ρ(i) is λ_i and the old policy parameter mask is λ_i'; in the new ciphertext policy (M', ρ'), the new policy parameter of the attribute ρ(j) is λ_j and the new policy parameter mask is λ_j'.
For j ∈ [1, l'], if (j,i) ∈ I_{1,M'} (Type1), the algorithm generates the update key:
UK j,i,m=a(λ ji )   (10)
If (j,i) ∈ I_{2,M'} (Type2), the algorithm generates random numbers a_j, r_j, λ_j' ∈ Z_p and generates the update key:
Figure PCTCN2019080917-appb-000019
If (j,i) ∈ I_{3,M'} (Type3), the algorithm generates random numbers r_j, λ_j' ∈ Z_p and generates the update key:
Figure PCTCN2019080917-appb-000020
The final update key UK_m obtained is:
UK_m = ((Type1, {UK_{j,i,m}}_{(j,i)∈I_{1,M'}}), (Type2, {UK_{j,i,m}}_{(j,i)∈I_{2,M'}}), (Type3, {UK_{j,i,m}}_{(j,i)∈I_{3,M'}}))   (13)
The data-owning terminal sends the update key UK_m to the cloud server. Once the cloud server receives UK_m, it updates the old policy according to the policy parameters in UK_m and runs the ciphertext update algorithm CTUpdate to update the ciphertext of each corresponding attribute.
III. Ciphertext update
CTUpdate(CT, UK_m): ciphertext update. Once the cloud server receives the update key UK_m, it takes the old ciphertext CT and the update key UK_m as input and runs the CTUpdate algorithm to update the corresponding attribute ciphertexts.
For Type1 (j ∈ I_{1,M'}), the updated ciphertext C'_j is computed as:
Figure PCTCN2019080917-appb-000021
where r_j = r_i, consistent with the original ciphertext; the encryption information EnInfo(m) is retained during the encryption of the data m and includes all the random numbers r_i, EnInfo(m) = {r_1, ..., r_n}.
For Type2 (j ∈ I_{2,M'}), the updated ciphertext C'_j is computed as:
Figure PCTCN2019080917-appb-000022
where r_j = a_j r_i.
For Type3 (j ∈ I_{3,M'}), the updated ciphertext C'_j is computed as:
Figure PCTCN2019080917-appb-000023
Finally, the new ciphertext CT' is constructed as:
Figure PCTCN2019080917-appb-000024
Further, in this embodiment, file update is introduced into the CP-ABE scheme with policy update. There are two motivations for introducing file update: first, in practical applications files of the same type usually need to be updated; for example, a report goes through version one, version two, ... and repeated revisions before the final version is produced. Second, during a policy update the secret value s of the data m remains unchanged, which creates a security risk; therefore the handling of the secret value s in the scheme design needs to be improved.
FileUpdate: file update. The significance of file update is that in real life information usually needs to be updated; for files of the same type, once a file is modified it has to be encrypted again by re-setting the access permissions, and the newly generated ciphertext uploaded to the cloud server. Each encryption by the data-owning terminal incurs a large computational overhead, so studying file update is necessary.
Given the file update and policy update schemes proposed below, file update refers to updating the file m and the secret value s. The algorithm is described as follows:
UpdateFile(PK, (M', ρ'), m'): update the file and the secret value. The data-owning terminal takes as input the public parameters PK, the new file m' and the LSSS access control policy (M', ρ'), where the function ρ' in the access control policy (M', ρ') maps each row of the matrix M' to an attribute one-to-one. Finally, the UpdateFile algorithm outputs the ciphertext CT_ms.
Here M is an l×n matrix and l is the number of ciphertext attributes. Before updating the file, a random number s' and a random vector
Figure PCTCN2019080917-appb-000025
are chosen, where y_2, ..., y_n serve to share the encryption exponent secret value s'. Then compute
Figure PCTCN2019080917-appb-000026
where M_i is the i-th row of the matrix M corresponding to the vector. Finally, random numbers r_1', ..., r_l' ∈ Z_p and attribute masks λ_1'', ..., λ_l'' ∈ Z_p are generated, and the ciphertext is computed:
Figure PCTCN2019080917-appb-000027
where
Figure PCTCN2019080917-appb-000028
Finally, CT_ms is uploaded to the cloud server.
Further, to solve the problem of excessive computation and communication overhead, a scheme combining file update and policy update is designed, which is mainly divided into three schemes:
(1) File updated, policy unchanged (Scheme1)
In Scheme1, the Encrypt algorithm is first run to obtain the access control policy (M, ρ) and the secret value s; the UpdateFile algorithm is then run to generate the ciphertext CT_m, which is finally uploaded to the cloud server.
For example, a user has a weekly follow-up examination in a hospital department. The case information after each examination may differ considerably, but these case records are files of the same type that differ only in their generation time, so they share the same access policy. The user encrypts the new case record with the access policy retained from the previous encryption and uploads it to the hospital's server, thereby achieving a file update.
(2) File unchanged, policy updated (Scheme2)
In Scheme2, the UpdateKeyGen algorithm is first run to generate the update key UK_m, which is then uploaded to the cloud server. Once the cloud server obtains UK_m, it updates the ciphertext of the corresponding attributes in the ciphertext CT and finally produces the updated ciphertext CT'.
For example, a user is treated at hospital A but for personal reasons needs to be referred to hospital B, and the attending doctor at hospital B needs to view the user's case information. The user can then open the case information held at hospital A to the attending doctor at hospital B by modifying the access policy, enabling effective treatment while reducing the user's overhead.
(3) File updated, policy updated (Scheme3)
In Scheme3, the UpdateFile algorithm is first run to generate the ciphertext CT_ms, which is uploaded to the cloud server. The data-owning terminal then runs the UpdateKeyGen algorithm, performing the LSSS access policy update according to the access control policy (M', ρ') in the ciphertext CT_ms, and uploads the resulting update key UK_m' to the cloud server. Once the cloud server obtains UK_m', it updates the ciphertext of the corresponding attributes in CT_ms and finally produces the updated ciphertext CT'_ms.
The updated ciphertext CT'_ms is computed as:
Figure PCTCN2019080917-appb-000029
The CP-ABE-based policy update method provided by the embodiment of the present invention includes: the data-owning terminal encrypts the target data with a preset encryption algorithm and uploads the generated ciphertext to the cloud server; when a policy update of the ciphertext is required, it generates an update key based on the new access policy in the data-owning terminal and uploads the update key to the cloud server; the cloud server then updates the ciphertext using the received update key. Compared with the prior art, the present invention delegates the ciphertext update from the data-owning terminal to the cloud server, so the data-owning terminal no longer needs to perform the computations related to the ciphertext update, which effectively reduces the amount of computation in the data-owning terminal and the communication overhead between the data-owning terminal and the cloud server.
Further, to better illustrate the beneficial effects the present invention can achieve, the security of the above method is proved below using the chosen plaintext attack (CPA) security game and the decisional q-parallel BDHE assumption, where the CPA security game is based on the CP-ABE scheme.
First, the CPA security game is briefly introduced.
In the efficient policy update and file update CP-ABE scheme, the user private key SK is associated with an attribute set and the ciphertext CT is associated with the access structure specified by the data-owning terminal. Under these conditions, in the security model defined here, the adversary A first has to choose the access structure A* to be challenged; the adversary can obtain every SK whose associated attribute set does not satisfy A*. In the following CPA security game, all information exchanged between the challenger and the adversary is assumed to be transmitted over a completely secure channel.
SystemInit: the adversary A chooses the access structure A* to be challenged and sends A* to the challenger
Figure PCTCN2019080917-appb-000030
Setup: in the system initialization phase, the challenger
Figure PCTCN2019080917-appb-000031
first runs the Setup algorithm of the scheme, then produces the system public key PK, and finally sends PK to the adversary A.
Query Phase1: in the first query phase, the attribute set chosen by the adversary A is defined as
Figure PCTCN2019080917-appb-000032
and A repeatedly queries the challenger
Figure PCTCN2019080917-appb-000033
for the user private key SK. Whenever the challenger
Figure PCTCN2019080917-appb-000034
receives a query, it runs the KeyGen algorithm of the scheme and finally sends the generated SK to the adversary A.
Challenge: in the challenge phase, the adversary A first submits to the challenger
Figure PCTCN2019080917-appb-000035
two messages of equal length m_0, m_1 ∈ G_T; the challenger
Figure PCTCN2019080917-appb-000036
then chooses a random bit μ ∈ {0,1} and runs the Encrypt algorithm of the scheme, encrypting m_μ under A*. Finally, the challenger
Figure PCTCN2019080917-appb-000037
sends the resulting ciphertext CT* to the adversary A.
Query Phase2: the same process as Query Phase1, the only difference being that the private key SK queried by the adversary A does not satisfy A*.
Guess: in the guess phase, the adversary A first outputs a guess
Figure PCTCN2019080917-appb-000038
The guess is then judged: if
Figure PCTCN2019080917-appb-000039
then the adversary A wins the security game. In this game, the probability that the adversary A wins the security game is
Figure PCTCN2019080917-appb-000040
Lemma: if no probabilistic polynomial-time (PPT) adversary can break the CPA security game proposed above with a non-negligible advantage, then the scheme is secure.
The security proof is as follows:
Theorem: assuming the decisional q-parallel BDHE assumption holds, no probabilistic polynomial-time adversary can selectively break the proposed efficient policy update and file update CP-ABE scheme with a challenge matrix of size l*×n*, where l*, n* ≤ q.
Proof: in the CPA security game of the efficient policy update and file update CP-ABE scheme, assume that the adversary A has a non-negligible advantage ε = Adv_A in breaking the above scheme. Furthermore, assume that the adversary A chooses a challenge matrix M* whose dimension is at least q. Then a simulator B is constructed that can decide the q-parallel BDHE problem.
SystemInit: the simulator B takes a q-parallel BDHE challenge y, T. The adversary A gives the algorithm the challenge access structure (M*, ρ*), where the matrix M* has n* columns.
Setup: in the system initialization phase, the simulator B chooses a random number α' ∈ Z_p and sets α = α' + a^{q+1}. The simulator computes e(g,g)^α as e(g,g)^α = e(g^a, g^{a^q}) · e(g,g)^{α'}.
The group elements h_1, ..., h_U ∈ G in the simulator B's "program" are described as follows. The random oracle h maps the elements of the attribute universe U to h_1, ..., h_U ∈ G, defined as U = {h_1, ..., h_U}, where the elements correspond one-to-one with the attributes contained in the attribute universe U. For each attribute x with 1 ≤ x ≤ U, first choose a random value z_x. Let X denote the set of indices i with ρ*(i) = x. The simulator B's h_x is as follows:
Figure PCTCN2019080917-appb-000041
Two points about the above expression should be noted: 1) if
Figure PCTCN2019080917-appb-000042
such that
Figure PCTCN2019080917-appb-000043
2) the parameters are randomly distributed because they are determined by the
Figure PCTCN2019080917-appb-000044
values.
Query Phase1: in the first query phase, the simulator B is repeatedly asked for the user private key SK through queries. Suppose the simulator B is given an attribute set S in an SK query, but S does not satisfy the LSSS matrix M*.
The simulator B first chooses a random number r ∈ Z_p and a vector
Figure PCTCN2019080917-appb-000045
then sets ω_1 = -1, and finally, for all i with ρ*(i) ∈ S, makes it satisfy the equation
Figure PCTCN2019080917-appb-000046
By the definition of the LSSS matrix, such a vector ω must exist; if it did not, the vector (1,0,0,...,0) would lie in the span of the attribute set S.
The simulator B starts by implicitly defining t:
Figure PCTCN2019080917-appb-000047
The above expression can be realized by setting
Figure PCTCN2019080917-appb-000048
Observe that t is defined so that g^{at} contains terms of the form
Figure PCTCN2019080917-appb-000049
which lets the unknown terms cancel each other while K is generated. The simulator B computes K as follows:
Figure PCTCN2019080917-appb-000050
Next it is necessary to compute
Figure PCTCN2019080917-appb-000051
First, for attributes x ∈ S for which there is no i with ρ*(i) = x, the setting is simplified so that
Figure PCTCN2019080917-appb-000052
The harder task is to create the key components K_x for all attributes x ∈ S that are used in the access structure; for these keys it must be ensured that they cannot be simulated in the form
Figure PCTCN2019080917-appb-000053
All the above terms can be cancelled by means of
Figure PCTCN2019080917-appb-000054
while X is set to the set of all i satisfying ρ*(i) = x. The simulator B generates K_x as follows:
Figure PCTCN2019080917-appb-000055
Challenge: in the challenge phase, the challenge ciphertext is constructed. The adversary A first submits two messages of equal length m_0, m_1 ∈ G_T to the simulator B, and the simulator B then chooses a random bit
Figure PCTCN2019080917-appb-000056
and produces C = m_β T · e(g^s, g^{α'}) and C' = g^s with the Encrypt algorithm of the scheme. The hardest part is simulating the C_i, because the terms inside them must cancel each other. The simulator B can, however, choose the secret splitting so that the internal terms cancel. The simulator B chooses random numbers
Figure PCTCN2019080917-appb-000057
and the vector for sharing the secret value
Figure PCTCN2019080917-appb-000058
Figure PCTCN2019080917-appb-000059
In addition, the simulator B chooses random values r_1', ..., r_l'.
For i = 1, ..., n*, define R_i as the set of all k ≠ i with ρ*(i) = ρ*(k); in other words, the set of all other rows that carry the same attribute as row i. The components of the challenge ciphertext are then generated:
Figure PCTCN2019080917-appb-000060
Query Phase2: the same process as Query Phase1; it is not described in detail here.
Guess: in the guess phase, the adversary A finally outputs a guess
Figure PCTCN2019080917-appb-000061
The simulator B first judges the guess from the output: if 0 is output, so that β = β', then
Figure PCTCN2019080917-appb-000062
An output of 1 indicates that it believes T to be a random element of the group G_T.
If T = e(g,g)^{abc}, then the challenge ciphertext is a valid ciphertext, and the adversary A's advantage is Adv_A, as follows:
Figure PCTCN2019080917-appb-000063
If T is a random element of the group G_T, the challenge ciphertext is a completely random ciphertext, and the adversary A has
Figure PCTCN2019080917-appb-000064
Therefore, the simulator B has a non-negligible advantage in the decisional q-parallel BDHE game.
In summary, the CPA security game and the decisional q-parallel BDHE assumption prove that the efficient policy update and file update CP-ABE scheme is secure.
The above is a description of the CP-ABE-based policy update method and system provided by the present invention. Those skilled in the art will make changes to the specific implementation and scope of application in accordance with the ideas of the embodiments of the present invention; in summary, the contents of this specification should not be construed as limiting the present invention.

Claims (9)

  1. A CP-ABE-based policy update method, characterized in that the method comprises:
    a data-owning terminal encrypting target data with a preset encryption algorithm and uploading the generated ciphertext to a cloud server;
    the data-owning terminal generating an update key based on a new access policy in the data-owning terminal, and uploading the new access policy and the update key to the cloud server;
    the cloud server updating the ciphertext using the received new access policy and update key.
  2. The method according to claim 1, characterized in that the step of the cloud server updating the ciphertext using the received new access policy and update key comprises:
    performing an LSSS matrix update of the old access policy corresponding to the ciphertext using the new access policy;
    performing a policy update of the ciphertext using the updated LSSS matrix, the update key and a preset ciphertext update algorithm, to generate a new ciphertext.
  3. The method according to claim 2, characterized in that the step of generating an update key based on the new access policy in the data-owning terminal comprises:
    the data-owning terminal running a preset key update algorithm using the encryption information in the target data, the new access policy and the old access policy to generate the update key.
  4. The method according to claim 1, characterized in that the method further comprises:
    when a file update of the ciphertext is required, the data-owning terminal encrypting new data in the data-owning terminal using the access policy corresponding to the ciphertext, and uploading the generated new ciphertext to the cloud server.
  5. The method according to claim 4, characterized in that the step of encrypting the new data in the data-owning terminal using the access policy corresponding to the ciphertext comprises:
    encrypting the new data using the access policy and secret value corresponding to the ciphertext and a preset file and secret value update algorithm, to generate the new ciphertext.
  6. The method according to any one of claims 1 to 5, characterized in that the method further comprises:
    when both a policy update and a file update of the ciphertext are required, the data-owning terminal encrypting the new data using the access policy and secret value corresponding to the ciphertext and a preset file and secret value update algorithm, and uploading the generated new ciphertext to the cloud server;
    generating an update key based on the new access policy in the data-owning terminal, and uploading the new access policy and the update key to the cloud server; wherein, after receiving the new ciphertext, the new access policy and the update key, the cloud server updates the new ciphertext using the new access policy and the update key.
  7. A CP-ABE-based policy update system, characterized in that the system comprises a data-owning terminal and a cloud server, the data-owning terminal being communicatively connected to the cloud server;
    the data-owning terminal is configured to encrypt target data with a preset encryption algorithm and upload the generated ciphertext to the cloud server, and, when a policy update of the ciphertext is required, to generate an update key based on a new access policy in the data-owning terminal and upload the new access policy and the update key to the cloud server;
    the cloud server is configured to update the ciphertext using the received new access policy and update key.
  8. The system according to claim 7, characterized in that the system further comprises a data-using terminal communicatively connected to the cloud server, the data-using terminal being configured to download ciphertext from the cloud server and decrypt it.
  9. The system according to claim 8, characterized in that the system further comprises an attribute authorization terminal communicatively connected to the data-using terminal and the data-owning terminal, the attribute authorization terminal being configured to generate the public key and private key corresponding to the system and to generate the user private key corresponding to the data-using terminal.
Application PCT/CN2019/080917, priority date 2018-10-22, filing date 2019-04-02: Cp-abe-based policy update method and system, WO2020082692A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201811228328.3 2018-10-22
CN201811228328.3A CN109561067B (en) 2018-10-22 2018-10-22 Strategy updating method and system based on CP-ABE

Publications (1)

Publication Number Publication Date
WO2020082692A1 true WO2020082692A1 (en) 2020-04-30

Family

ID=65865075

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/080917 WO2020082692A1 (en) 2018-10-22 2019-04-02 Cp-abe-based policy update method and system

Country Status (2)

Country Link
CN (1) CN109561067B (en)
WO (1) WO2020082692A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110519049A (en) * 2019-08-07 2019-11-29 赤峰学院 Cloud data protection system based on a trusted execution environment
CN112994880B (en) * 2021-03-19 2022-11-01 深圳大学 Ciphertext policy attribute-based encryption method and device and electronic equipment

Citations (4)

Publication number Priority date Publication date Assignee Title
CN104580205A (en) * 2015-01-05 2015-04-29 南京邮电大学 CP-ABE-based fixed ciphertext length proxy re-encryption system and method in cloud computing
US20160055347A1 (en) * 2014-08-19 2016-02-25 Electronics And Telecommunications Research Institute Data access control method in cloud
CN107370604A (en) * 2017-07-07 2017-11-21 华中科技大学 Multi-granularity access control method in a big data environment
CN107743133A (en) * 2017-11-30 2018-02-27 中国石油大学(北京) Mobile terminal and its access control method and system based on trustable security environment

Family Cites Families (3)

Publication number Priority date Publication date Assignee Title
US10445109B2 (en) * 2016-06-30 2019-10-15 Digicert, Inc. Automated propagation of server configuration on a server cluster
CN108076028A (en) * 2016-11-18 2018-05-25 中兴通讯股份有限公司 Attribute-based encryption method, apparatus and system
CN107302524B (en) * 2017-06-02 2020-10-09 西安电子科技大学 Ciphertext data sharing system under cloud computing environment

Also Published As

Publication number Publication date
CN109561067A (en) 2019-04-02
CN109561067B (en) 2020-07-28

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 19876223; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 19876223; Country of ref document: EP; Kind code of ref document: A1)