CN106161428A - A kind of ciphertext can the encryption attribute scheme of comparison of equalization - Google Patents

Abstract

The invention discloses an attribute encryption scheme in which ciphertexts can be compared equally, which can realize safe ciphertext comparison. The invention includes: initializing system security parameters, establishing attribute complete set U, generating master key msk, and generating public parameters params. The key generation center generates a private key sk according to the user attribute set S and the master key msk and sends it to the user. The data owner first defines the access control structure A and related attribute sets and its mapping function ρ on the control matrix according to params, and then generates keyword ciphertext CT ₁ and data ciphertext CT ₂ and sends them to the ciphertext manager. The ciphertext manager can store and extract the ciphertext according to the key word ciphertext CT ₁ comparison. When the user wants to get the ciphertext related to the keywords, the ciphertext form of the keywords is sent to the ciphertext manager, and the ciphertext manager obtains the ciphertext of the relevant data and sends it to the user according to the ciphertext comparison of the keywords. You can decrypt the data ciphertext according to your own private key to obtain the corresponding data.

Description

A Attribute Encryption Scheme with Equally Comparable Ciphertexts

technical field

The invention relates to cryptography and belongs to the field of cloud storage management, in particular to an attribute encryption scheme with comparable ciphertexts.

Background technique

The attribute-based encryption scheme was first proposed by Sahai and Waters in the article "Fuzzy identity-based encryption" in 2005. Attribute-based encryption was developed on the basis of identity-based encryption. Later, attribute-based encryption was divided into ciphertext-based Policy-based attribute encryption system and key-based attribute encryption system. The access strategy structure of the ciphertext-based attribute encryption system is controlled by the encryptor, and the ciphertext is related to the access strategy structure. If the private key of the data user satisfies the access strategy, the plaintext can be obtained. Completely different from the ciphertext-based policy, in the key-based attribute encryption system, the access policy structure is controlled by the key generation center, and the user's private key is related to the access policy structure. When the data owner encrypts the data according to the attribute set , the user can decrypt the data if and only if the attribute set satisfies the control policy related to the user's private key. Since attribute-based encryption adopts a one-to-many form (that is, one ciphertext can be decrypted by multiple users with different private keys), attribute-based encryption is a very important means to ensure cloud data security. The private key management of attribute encryption is the same as that of identity encryption, requiring the private key center to manage public and private keys.

Attribute encryption mainly includes four processes of system establishment, private key generation, encryption and decryption. Attribute encryption is often used to solve data security in cloud services, but attribute-encrypted data is stored in the cloud in the form of ciphertext, which brings great inconvenience to cloud service providers to manage data storage structures. Combining the public key encryption system and the encryption system based on keyword search, Guomin Yang proposed a public key encryption system based on ciphertext comparison (PKEET), which has a function called Test function, which can detect any two ciphertexts Whether it is the result of the same data encryption, and construct an encryption scheme based on keyword search. Cloud service providers can organize and manage data ciphertexts based on keyword ciphertext comparisons. The user can encrypt the keyword and send it to the cloud service provider. The cloud service provider can extract the data according to the ciphertext comparison result of the keyword and send the ciphertext data to the user. If the user has the private key of the ciphertext, he can get the corresponding answer. Since the ciphertext of PKEET can be compared by anyone, Q.Tang proposed PKEET based on the fine-grained authorization mechanism. In this scheme, only authorized users can use the Test function. Due to the complexity of public-private key management in public-key encryption systems, MaS. proposed an identity-based ciphertext comparable scheme (IDEET), which takes advantage of the convenience of public-private key management in identity-based encryption systems.

Since the traditional public key encryption system and the identity-based encryption system are all one-to-one encryption systems, attribute encryption means that the data owner encrypts a piece of data through an access policy, and the encrypted data can be encrypted by multiple attributes. Users who meet the access policy to decrypt. Therefore, attribute encryption is more suitable for cloud storage scenarios. On the basis of the attribute-based encryption system and the above-mentioned comparable ciphertext encryption system, we propose an attribute-based encryption system in which ciphertexts can be equal and comparable, and give a specific scheme on this system. Attribute-based ciphertexts with equal comparisons are one-to-many encryption schemes, that is, one ciphertext can be decrypted by multiple people. Moreover, the cloud service provider can use the Test function to store and extract the ciphertext, and the Test function provides great convenience for the cloud service provider to manage the ciphertext. Therefore, this solution is more suitable for scenarios such as cloud services.

Contents of the invention

The purpose of the present invention is to propose an attribute encryption concept based on ciphertexts that can be compared equally and realize a scheme, and this scheme can ensure that the ciphertext manager can compare whether any two ciphertexts are the encryption results of the same data, but the ciphertext The file manager cannot decrypt it.

The invention discloses an attribute encryption scheme in which ciphertexts can be compared equally. The main steps include:

System initialization: input system security parameter λ and attribute set U, output public parameter params and master key msk.

Extract the private key: input the master key and a user's attribute combination S, and output the user's private key sk.

Encryption: Input public parameters params, message M and access control structure A, and output ciphertext CT.

Decryption: Input the ciphertext CT and the private key sk, and output the message M.

Comparison: Input two ciphertexts CT ₁ , CT ₂ . If CT ₁ and CT ₂ are the result of the same message encryption, output True, otherwise output False.

Owing to adopting above-mentioned technical scheme, the beneficial effect of the present invention is:

(1) The ciphertext manager can organize and manage ciphertexts according to the comparability of ciphertexts. Compared with traditional encryption schemes, the ciphertext can be stored in the server in an organized manner.

(2) Flexibility: This scheme is an attribute encryption scheme based on ciphertext strategy. The attributes in the access control structure can be "ANDed" and "ORed", so that the user owner can flexibly control the decryptor.

(3) The administrator of the ciphertext has the authority to compare the ciphertext, but cannot recover the plaintext. Therefore, on the premise that the ciphertext manager effectively manages the data, the security of the data is guaranteed.

(4) Reduced public key management and verification overhead: this scheme is an attribute-based encryption system, so it does not require the certificate management agency CA to manage the public key certificate, nor does it require the user to authenticate the public key.

Description of drawings

The present invention will be illustrated by way of specific examples and accompanying drawings, wherein:

Fig. 1 is the encryption operation flowchart of the embodiment of the present invention;

Fig. 2 is the decryption operation flowchart of the embodiment of the present invention;

Fig. 3 is a schematic diagram of the system structure of Embodiment 1 of the present invention.

detailed description

In order to make the solution technology and applicability of the present invention clearer, the present invention will be described in more detail below in conjunction with specific implementation examples and accompanying drawings.

Implementation example 1

Referring to Figure 3, the specific execution steps include setting the system security parameters, key space, message space, and public parameters by the private key generation center, and generating the public key in the attribute set. The specific description is as follows:

(1) System initialization

(1.1) Suppose the system security parameter is λ, p is a large prime number, G ₁ represents the cyclic additive group of order p, g∈G ₁ represents the generator of G ₁ , and G ₂ represents the cyclic multiplicative group of order p. e represents a bilinear map G ₁ ×G ₁ →G ₂ . Define a secure Hash function H, H represents the secure hash function mapped from G ₂ to G ₁ , representing _U elements h ₁ , h ₂ ,...,hu ∈ G ₁ of user attributes. The user private key key space is K∈G ₁ , and the encrypted message space is G ₁ . Represents the set obtained by removing zero elements from the finite field Z _p ={0,1,...,p-1}.

(1.2) The private key generation center is randomly selected Calculate and obtain the public key as p _pub =(e(g,g) ^α ,g ^a ); the master key as: msk=g ^α .

Based on the above settings, the obtained public parameters are: params=(G ₁ , G ₂ , p, g, e, H, p _pub , U).

(1.3) The private key generation center will publicize the parameter params.

(2) Extract the private key

(2.1) The private key generation center obtains the user attribute information set S.

(2.2) The private key generation center is randomly selected And calculate according to master key msk and user attribute set S

(2.3) The private key generation center sends sk to a single user whose attribute set is S (if there are multiple users, randomly select multiple t, generate different sk and send them to different users).

(3) encryption

The data owner can generate an access control structure (A _l×n ,ρ) according to the params, {ρ:ρ(i)∈G ₁ ,i∈{1,2...l}} represents the i-th row of the matrix to the attribute space, and randomly select vectors and calculate Then randomly select r ₁ ,r ₂ ...r _l ∈ Z _p and calculate the ciphertext CT:

C _s ＝g ^s , C _t ＝M ^s , C＝MH(e(g,g) ^αs ),

Then send (CT,A _l×n ,ρ) to the ciphertext manager.

(4) Decryption

(4.1) Assuming that the attribute set of the data user is S, the data owner obtains the private key sk from the private key generation center, and obtains (CT,A _l×n ,ρ) from the ciphertext manager. Define And I={i:ρ(i)∈S}.

(4.2) If S satisfies (A _l×n ,ρ), then according to {ω _i ∈ Z _p } _i∈I can be calculated in polynomial time.

(4.3) According to the above, it can be calculated Then the plaintext M=C/H(e(g,g) ^αs ) can be obtained.

(5) compare

(5.1) The ciphertext manager inputs two comparison ciphertexts CT ₁ and CT ₂ to the Test algorithm.

(5.2) Test algorithm calculation and If the two are equal, return True to the ciphertext manager, and the ciphertext manager determines that CT ₁ and CT ₂ are ciphertexts encrypted with the same plaintext. Otherwise, it returns False, and the ciphertext manager can judge that CT ₁ and CT ₂ are ciphertexts encrypted with different plaintexts.

The above is only a specific embodiment of the present invention. Any feature disclosed in this specification (including appended claims, abstract and drawings), unless specifically stated, can be replaced by other equivalent or similar purposes. Each feature is one example only of a series of equivalent or similar features, unless expressly stated otherwise. The present invention may extend to any new features or any new combination disclosed in this specification, as well as the steps of any new method or process or any new combination disclosed.

Claims (5)

1. a ciphertext can the encryption attribute scheme of comparison of equalization, it is characterised in that comprise the following steps:

System initialization: setting security of system parameter as λ, p is Big prime, G₁Represent the circled addition group that rank are p, g ∈ G₁Represent G₁ Generation unit, G₂Represent the circulation multiplicative group that rank are p.E represents bilinear map G₁×G₁→G₂.The Hash of one safety of definition Function H, H represent from G₂It is mapped to G₁Secure hash function, represent U element h of user property₁,h₂...h_u∈G₁.User Private key space is K ∈ G₁, encryption message space is G₁。Represent finite field Z_p=0,1 ..., p-1} removes neutral element institute The set obtained.Private key generates center and randomly selectsCalculating and obtaining PKI is p_pub=(e (g, g)^α,g^a)；Main close Key is: msk=g^α.Based on above-mentioned setting, the open parameter obtained is: params=(G₁,G₂,p,g,e,H,p_pub,U)。

Extract private key: the attribute of input master key and certain user combines S, exports the private key sk of this user.Private key generates center and selects at random TakeAnd calculate according to master key msk and user property set S

Encryption: input common parameter params, message M and access control structure A, export ciphertext CT.Data owner can root According to params, generate and access control structure (A_l×n, ρ), { ρ: ρ (i) ∈ G₁, { 1,2...l}} represents matrix the i-th row to attribute to i ∈ The mapping in space, and randomly select vectorAnd calculatingThe most random Choose r₁,r₂...r_l∈Z_pWith calculate ciphertext CT:

C_s=g^s,C_t=M^s, C=MH (e (g, g)^αs),

Then by (CT, A_l×n, ρ) and it is sent to ciphertext manager.

Deciphering: input ciphertext CT and private key sk, output message M.The property set assuming data user is S, then data owner from Private key generates center and obtains private key sk, and from ciphertext, manager obtains (CT, A_l×n, ρ), definitionAnd I={i: ρ (i) ∈S}.If S meets (A_l×n, ρ), then basis{ ω can be calculated in polynomial time_i∈Z_p }_i∈I。

According to calculating aboveThen can obtain in plain text M=C/H (e (g, g)^αs)。

Relatively: input two ciphertexts CT₁, CT₂.Test algorithm calculatesWithIf both are equal, return To ciphertext manager True, ciphertext manager then judges CT₁And CT₂It it is the ciphertext of identical plain text encryption.Otherwise return False, close Literary composition manager may determine that CT₁And CT₂It it is the ciphertext of different plain text encryption.

2. the method for claim 1, it is characterised in that this AES, compared to other encryption attribute algorithms, adds Comparing function, the i.e. ciphertext of this encryption attribute algorithm have comparability, add the gerentocratic function of cloud storage.

3. the method such as claim 1, described in 2, it is characterised in that this AES provides cloud storage manager to be had and compare The function of ciphertext, manager can utilize this function not knowing to store and extract in the case of in plain text ciphertext, but this manager Can not recover from ciphertext in plain text.

4. the method for claim 1, it is characterised in that this AES make use of Bilinear map to carry out structure at encrypting stage Making the function of comparable ciphertext, be simultaneously introduced a secure hash function H, H represents from G₂It is mapped to G₁Secure Hash letter Number.

5. the method for claim 1, it is characterised in that this AES also utilizes secure Hash letter at decryption phase Number H, to ensure that plaintext space is at G₁In.