CN114785622B - Access control method, device and storage medium for multi-identification network - Google Patents
Access control method, device and storage medium for multi-identification network
- Publication number: CN114785622B (application CN202210700564.0A)
- Authority: CN (China)
- Prior art keywords: target, global, attribute set, attribute, private key
- Legal status: Active (as listed by Google Patents; not a legal conclusion)
Classifications
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  - H04L63/00—Network architectures or network communication protocols for network security
    - H04L63/04—... for providing a confidential data exchange among entities communicating through data packet networks
      - H04L63/0428—... wherein the data content is protected, e.g. by encrypting or encapsulating the payload
        - H04L63/0442—... wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
  - H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    - H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
      - H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
        - H04L9/0872—... using geo-location information, e.g. location data, time, relative position or proximity to other entities
    - H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
      - H04L9/3006—... underlying computational problems or public-key parameters
Description
Technical field
The present application belongs to the field of multi-identifier networks and in particular relates to an access control method, device and storage medium for a multi-identifier network.
Background
The multi-identifier network architecture is a new network architecture proposed in 2019. Its aim is to end the awkward situation in which the top-level domain names of the traditional Internet Protocol (IP) network are controlled by a single organization. The multi-identifier network architecture can accommodate several kinds of network addressing identifiers, including but not limited to identity identifiers, content identifiers, ground-air identifiers and IP identifiers. A user accessing the network must embed in each network packet an identity identifier distributed by the Multi-Identifier System (MIS); otherwise the packet will not be forwarded. In other words, the identity identifier is the core identifier of the Multi-Identifier Network (MIN).
During content transmission in the multi-identifier network architecture, content blocks are often stored in network nodes in plaintext, which creates security problems; the content held by network nodes should therefore be cached as ciphertext. In a one-to-one communication mode, a content provider can choose to encrypt content with a traditional symmetric key to guarantee data security and privacy. In the MIN scenario, however, a traditional encryption scheme would produce a different ciphertext each time a different user requests the same content block; the caching function of the Multi-Identifier Router (MIR) would then be defeated, and MIN's efficient network distribution would degrade as well.
Summary of the invention
The present application provides an access control method, device and storage medium for a multi-identifier network. By introducing a time period as a parameter in key generation and content encryption, user revocation is achieved; decentralization is achieved at the same time, avoiding a possible single point of failure.
A first aspect of the present application provides an access control method for a multi-identifier network, comprising:
if a multi-identifier system node receives a key generation request, the multi-identifier system node obtains the group generator corresponding to a cyclic group and a global attribute set, the multi-identifier system node being any node in the multi-identifier system network;
the multi-identifier system node determines a global public parameter and a master key according to the group generator and the global attribute set;
the multi-identifier system node determines the attribute-set private key corresponding to a target user in the current time period according to the global public parameter, the globally unique identifier corresponding to the target user, the master key, the current time period and the global attribute set;
the multi-identifier system node determines the target ciphertext corresponding to a target content plaintext according to the global public parameter, the target content plaintext, the access structure corresponding to the target content plaintext and the current time period;
the multi-identifier system node sends the target ciphertext, the attribute-set private key and the global public parameter to the terminal device corresponding to the target user, so that the terminal device decrypts the target ciphertext according to the attribute-set private key, a target attribute set and the global public parameter to obtain a decryption result, the target attribute set being the attribute set corresponding to the target user.
A second aspect of the present application provides an access control method for a multi-identifier network, comprising:
a terminal device sends a key generation request to a multi-identifier system node, so that the multi-identifier system node obtains the group generator corresponding to a cyclic group and a global attribute set, determines a global public parameter and a master key according to the group generator and the global attribute set, determines the attribute-set private key corresponding to a target user according to the global public parameter, the globally unique identifier corresponding to the target user, the master key, the current time period and the global attribute set, determines the target ciphertext corresponding to a target content plaintext according to the global public parameter, the target content plaintext, the access structure corresponding to the target content plaintext and the current time period, and returns the target ciphertext, the attribute-set private key and the global public parameter;
the terminal device receives the target ciphertext, the attribute-set private key and the global public parameter sent by the multi-identifier system node;
the terminal device decrypts the target ciphertext according to the attribute-set private key and the global public parameter to obtain a decryption result.
A third aspect of the present application provides a multi-identifier system node, comprising:
an acquisition unit, configured to obtain, upon receiving a key generation request, the group generator corresponding to a cyclic group and a global attribute set, the multi-identifier system node being any node in the multi-identifier system network;
a first determining unit, configured to determine a global public parameter and a master key according to the group generator and the global attribute set;
a second determining unit, configured to determine the attribute-set private key corresponding to a target user in the current time period according to the global public parameter, the globally unique identifier corresponding to the target user, the master key, the current time period and the global attribute set;
a third determining unit, configured to determine the target ciphertext corresponding to a target content plaintext according to the global public parameter, the target content plaintext, the access structure corresponding to the target content plaintext and the current time period;
a sending unit, configured to send the target ciphertext, the attribute-set private key and the global public parameter to the terminal device corresponding to the target user, so that the terminal device decrypts the target ciphertext according to the attribute-set private key, a target attribute set and the global public parameter to obtain a decryption result, the target attribute set being the attribute set corresponding to the target user.
A fourth aspect of the present application provides a terminal device, comprising:
a sending unit, configured to send a key generation request to a multi-identifier system node, so that the multi-identifier system node obtains the group generator corresponding to a cyclic group and a global attribute set, determines a global public parameter and a master key according to the group generator and the global attribute set, determines the attribute-set private key corresponding to a target user according to the global public parameter, the globally unique identifier corresponding to the target user, the master key, the current time period and the global attribute set, determines the target ciphertext corresponding to a target content plaintext according to the global public parameter, the target content plaintext, the access structure corresponding to the target content plaintext and the current time period, and returns the target ciphertext, the attribute-set private key and the global public parameter;
a receiving unit, configured to receive the target ciphertext, the attribute-set private key and the global public parameter sent by the multi-identifier system node;
a decryption unit, configured to decrypt the target ciphertext according to the attribute-set private key and the global public parameter to obtain a decryption result.
A fifth aspect of the embodiments of the present application provides a computer device comprising at least one processor, a memory and a transceiver connected to one another, wherein the memory stores program code and the processor calls the program code in the memory to execute the steps of the access control method for a multi-identifier network described in the first aspect.
A sixth aspect of the embodiments of the present application provides a computer storage medium comprising instructions which, when run on a computer, cause the computer to execute the steps of the access control method for a multi-identifier network described in the first aspect.
Compared with the related art, in the embodiments provided by the present application a time period is introduced as a parameter in key generation and content encryption, which achieves user revocation; at the same time, each attribute authority is deployed on an MIS node, extending the original single attribute authority into multiple attribute authorities, which achieves decentralization and avoids a possible single point of failure.
Description of the drawings
Fig. 1 is a network architecture diagram of the multi-identifier network architecture provided by an embodiment of the present application;
Fig. 2 is a schematic diagram of the complete MIR forwarding process provided by an embodiment of the present application;
Fig. 3 is a schematic flowchart of ciphertext-policy attribute-based encryption provided by an embodiment of the present application;
Fig. 4 is a schematic flowchart of key-policy attribute-based encryption provided by an embodiment of the present application;
Fig. 5 is a schematic diagram of an application scenario based on ciphertext-policy attribute-based encryption provided by an embodiment of the present application;
Fig. 6 is a schematic diagram of the MIN cached-content access control model provided by an embodiment of the present application;
Fig. 7 is a schematic flowchart of the access control method for a multi-identifier network provided by an embodiment of the present application;
Fig. 8 is another schematic flowchart of the access control method for a multi-identifier network provided by an embodiment of the present application;
Fig. 9 is another schematic flowchart of the access control method for a multi-identifier network provided by an embodiment of the present application;
Fig. 10 is a schematic diagram of the virtual structure of a multi-identifier network node provided by an embodiment of the present application;
Fig. 11 is a schematic diagram of the virtual structure of a terminal device provided by an embodiment of the present application;
Fig. 12 is a schematic diagram of the hardware structure of a multi-identifier network node provided by an embodiment of the present application;
Fig. 13 is a schematic diagram of the hardware structure of a terminal device provided by an embodiment of the present application.
Detailed description
The technical solutions in the embodiments of the present application are described clearly and completely below with reference to the drawings of those embodiments. Obviously, the described embodiments are only some of the embodiments of the present application, not all of them.
Referring to Fig. 1, which is a network architecture diagram of the multi-identifier network architecture provided by an embodiment of the present application, the multi-identifier network architecture re-divides the network into two mutually supporting components, a management plane and a data plane. The two planes are described in detail below.
In the management plane, a consortium blockchain built around the Parallel Proof of Vote (PPoV) algorithm subdivides the network space into top-down hierarchical network domains and constructs a decentralized network identifier management and resolution system, namely MIS. MIS gives multiple participants the ability to manage and govern jointly on an equal footing. Besides managing and resolving network identifiers, it is also responsible for user identity management and for providing a reliable root of trust. A new user who wants to access the multi-identifier network must first register an identifier through MIS; otherwise the MIN network packets it sends will not pass the MIR's authentication.
In the data plane, interconnected MIRs form the core of the data plane, making up a data transmission plane that supports multiple network identifiers and both push and pull communication semantics. As an indispensable part of the data plane, the MIR is responsible for network packet forwarding, content caching, user identity authentication and translation between different network identifiers.
To meet the different network requirements of different scenarios, the multi-identifier network defines two complementary communication semantics, push communication semantics and pull communication semantics. Each is described in detail below.
Push communication semantics is the most intuitive communication mode and is driven by the sender; it easily realizes point-to-point communication between nodes in the network. In MIN, the general push packet is used to meet the needs of push communication semantics. Similar to IP, a general push packet must carry a source identifier and a destination identifier in the network packet. The source identifier tells the receiving node the network identifier of the packet's sender, and the multi-identifier router forwards the packet to the next-hop router according to the destination identifier read from the TLV structure. In MIN's push communication semantics, route forwarding is stateless, because the MIR can forward a general push packet simply by consulting the Forwarding Information Base (FIB); it neither needs to store any information about the packet nor needs to modify any table entry.
Pull communication semantics in MIN is a communication mode driven by the data receiver. Under pull semantics, MIN no longer focuses on point-to-point communication between two parties but on the content being communicated. In the modern Internet environment the two communicating parties are usually not peers and can be divided into content requesters and content creators, so MIN defines the two parties in pull communication as content producers and consumers. A consumer sends an interest packet into the MIN network, and the MIR forwards it to any network node that can satisfy the request, not necessarily to the content producer's node. The node that can satisfy the interest packet takes the content from its cache space, encapsulates it in a data packet, and returns the data packet to the consumer along the reverse of the forwarding path. This communication mode decouples content, the content producer and the content's location, which helps reduce overall network traffic.
Based on the characteristics of the push and pull communication semantics, the multi-identifier router defines four data structures for efficient forwarding of network packets: the Content Store (CS), the Pending Interest Table (PIT), the Strategy Table (ST) and the Forwarding Information Base (FIB). They are described in turn below.
The Content Store serves pull communication. When a content producer returns content data packets along the request path, the MIR can decide by algorithm whether to cache the content in the Content Store. The content stored in the Content Store usually takes the data packet as its smallest unit, although a small number of studies store complete content objects in the Content Store. The Content Store lets a consumer's request be satisfied at the MIR, without necessarily sending the request on to the producer's server. Caching content in the MIR in this way breaks the binding between content and location and gives the multi-identifier network the ability to distribute content efficiently.
The Pending Interest Table serves pull communication. Its entries record the logical interface (Logic Face) through which an interest packet entered and left, together with its destination identifier, so that the data packet can be returned along the original path. When several interest packets requesting the same content reach the MIR, only the first to arrive is forwarded by the MIR to the next hop; the remaining interest packets merely insert the information to be recorded into that PIT entry. This is the aggregation function of the PIT. Aggregation significantly reduces repeated requests for the same content and also gives the multi-identifier network the ability to distribute content efficiently.
The Strategy Table can set a different routing mode for each destination identifier prefix. The MIR's routing strategy affects the choice of outgoing interface for interest packets and general push packets, and thus their forwarding path; this scheme improves the flexibility of routing and forwarding in the multi-identifier network. Likewise, the Strategy Table uses a longest-prefix matcher so that the MIR can quickly retrieve the routing strategy to apply when forwarding a network packet.
The Forwarding Information Base serves both push and pull communication semantics. The FIB manages the forwarding paths of interest packets and general push packets; each FIB entry stores a list of logical interfaces to which the packet can be forwarded. For every interest packet and general push packet entering the MIR, the corresponding entry is looked up in the FIB according to the longest-prefix-match principle.
Referring to Fig. 2, which is a schematic diagram of the complete MIR forwarding process provided by an embodiment of the present application, the MIR introduces, in addition to the four data structures above, a packet validator and an identifier selector, as shown in Fig. 2.
The packet validator is the first module a network packet enters after being received by the MIR. It reads the identity identifier information from the identity area of the MIN network packet, and only when that identity identifier is recognised by the MIR and the signature verification passes can the packet enter the next stage of forwarding. The MIR uses a Goroutine Pool to verify the signatures of MIN network packets in parallel, which raises the MIR's throughput as far as possible while still guaranteeing the security of the MIN network. The identifier selector reads the identifier to classify the MIN network packet as an interest packet, a data packet or a general push packet, after which the packet enters the corresponding forwarding flow.
The forwarding flow for interest packets is the most complex. First, the MIR checks whether its Content Store holds cached content that can satisfy the request; if the content is found, it is taken from the cache space, packaged into a data packet and returned directly along the original path. If the request cannot be satisfied from the Content Store, the PIT is consulted; if an interest packet requesting the same content is found to exist already, only the logical interface to which the reply should be returned is inserted into that entry. If no entry corresponding to the interest packet's identifier is found in the PIT, a PIT entry is created from the interest packet's information and inserted into the table, the FIB is then queried for the logical interface corresponding to the next-hop MIR that can forward that identifier, and finally the interest packet is forwarded. If no match is found in the FIB, this MIR cannot forward the interest packet; a NACK is returned along the path the interest packet came from, or the packet is discarded.
For a data packet, the MIR first looks up the corresponding PIT entry by identifier name. If none is found, something went wrong in the forwarding process and the data packet is discarded; if one is found, the data packet is forwarded to the MIR corresponding to the logical interface number recorded in the PIT entry. Before forwarding, the content of the data packet is cached in the Content Store according to the content caching algorithm.
Push semantic transmission in the MIN network is a stateless transmission process, so a general push packet only needs to look up the MIR's FIB and be forwarded to the logical interface in the matching FIB entry. If no matching entry is found in the FIB, the MIR has no rule for forwarding that network packet, and the general push packet is discarded.
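The forwarding flow for the three packet types, as an added example written here in Go (the language implied by the MIR's Goroutine Pool), not the MIN project's own code. The packet layout, face numbers, identities and the always-cache policy are constructed stand-ins, and a trusted-identity lookup replaces the validator's signature verification.

```go
package main

import "strings"

// Added example, not MIN project code: a simplified MIR forwarding pipeline
// (packet validator, identifier selector, then CS / PIT / FIB) for the three
// packet types described above. Names, faces and identities are constructed.
type Kind int

const (
	Interest Kind = iota // pull semantics: request for content
	Data                 // pull semantics: content returned along the PIT path
	Push                 // push semantics: stateless, FIB only
)

// Packet stands in for a MIN network packet (constructed layout).
type Packet struct {
	Kind     Kind
	Name     string // content or destination identifier
	Identity string // MIS-issued identity from the identity area
	InFace   int    // logical face the packet arrived on
	Payload  string
}

// Action is the router's decision and the faces it applies to.
type Action struct {
	Op    string // "satisfy", "aggregate", "forward", "nack", "deliver", "drop"
	Faces []int
}

type MIR struct {
	trusted map[string]bool   // identities the packet validator accepts
	cs      map[string]string // Content Store: name -> cached content
	pit     map[string][]int  // Pending Interest Table: name -> waiting faces
	fib     map[string][]int  // FIB: identifier prefix -> next-hop faces
}

func NewMIR(trusted map[string]bool, fib map[string][]int) *MIR {
	return &MIR{trusted: trusted, cs: map[string]string{}, pit: map[string][]int{}, fib: fib}
}

// lookupFIB applies longest-prefix matching to the identifier.
func (r *MIR) lookupFIB(name string) ([]int, bool) {
	best := ""
	for prefix := range r.fib {
		if strings.HasPrefix(name, prefix) && len(prefix) > len(best) {
			best = prefix
		}
	}
	return r.fib[best], best != ""
}

// Process runs one packet through the validator, the selector and the flow of its type.
func (r *MIR) Process(p Packet) Action {
	// Packet validator: an unrecognised identity is rejected before any table is
	// touched (a trusted-set lookup stands in for signature verification).
	if !r.trusted[p.Identity] {
		return Action{Op: "drop"}
	}
	switch p.Kind { // identifier selector
	case Interest:
		return r.onInterest(p)
	case Data:
		return r.onData(p)
	default:
		return r.onPush(p)
	}
}

func (r *MIR) onInterest(p Packet) Action {
	if _, ok := r.cs[p.Name]; ok { // CS hit: answer on the incoming face
		return Action{Op: "satisfy", Faces: []int{p.InFace}}
	}
	if faces, ok := r.pit[p.Name]; ok { // PIT hit: aggregate, do not re-forward
		r.pit[p.Name] = append(faces, p.InFace)
		return Action{Op: "aggregate"}
	}
	next, ok := r.lookupFIB(p.Name)
	if !ok { // no next hop: NACK towards the requester, keep no PIT state
		return Action{Op: "nack", Faces: []int{p.InFace}}
	}
	r.pit[p.Name] = []int{p.InFace} // PIT entry lets the data packet find its way back
	return Action{Op: "forward", Faces: next}
}

func (r *MIR) onData(p Packet) Action {
	faces, ok := r.pit[p.Name]
	if !ok { // unsolicited data means a broken forwarding path: discard
		return Action{Op: "drop"}
	}
	r.cs[p.Name] = p.Payload // caching policy: always cache (simplification)
	delete(r.pit, p.Name)    // the pending entry is consumed by the reply
	return Action{Op: "deliver", Faces: faces}
}

func (r *MIR) onPush(p Packet) Action {
	if next, ok := r.lookupFIB(p.Name); ok {
		return Action{Op: "forward", Faces: next}
	}
	return Action{Op: "drop"} // no forwarding rule for this identifier
}
```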
多标识系统在内容传输过程中,内容块常以明文形式存储在各个多标识系统节点中,这就会导致出现安全问题,所以各个多标识系统节点中的内容应当缓存密文。在一对一的通信模式中,内容提供商可以选择使用传统的对称密钥对内容进行加密,保证数据的安全性和隐私性。但是在MIN场景中,如果使用传统加密方案,就会让不同用户请求同一内容块时的密文不同,这种情况下MIR缓存功能失效,MIN高效的网络分发功能也将退化。In the process of content transmission in the multi-ID system, content blocks are often stored in each multi-ID system node in plaintext, which will lead to security problems, so the content in each multi-ID system node should be cached in ciphertext. In a one-to-one communication mode, content providers can choose to encrypt content using traditional symmetric keys to ensure data security and privacy. However, in the MIN scenario, if the traditional encryption scheme is used, the ciphertexts when different users request the same content block will be different. In this case, the MIR caching function will fail, and the efficient network distribution function of MIN will also be degraded.
属性加密的方案中,一组属性列表可被认定为用户的身份标识,而且用户将拥有一组与属性列表一一对应的公钥集合,同时密文也将与代表访问结构的一组属性集合息息相关。只有用户的属性列表能符合密文的访问结构的要求时,明文才能被准确获取。属性加密所拥有的这种细粒度的访问控制能力,能应用在一对多的内容加解密场景中。In the attribute encryption scheme, a set of attribute lists can be regarded as the user's identity, and the user will have a set of public keys corresponding to the attribute list one-to-one, and the ciphertext will also be associated with a set of attribute sets representing the access structure. closely related. Only when the user's attribute list can meet the requirements of the ciphertext access structure, the plaintext can be obtained accurately. The fine-grained access control capability of attribute encryption can be applied to one-to-many content encryption and decryption scenarios.
目前属性加密可细分为两个不同的方向:(a)密文策略属性加密(Ciphertext-Policy Attribute-based Encryption, CP-ABE)在CP-ABE中密文CT与访问结构A之间相互关联、绑定,属性列表与密钥相互关联、绑定,只有属性集合达到访问结构的要求时,密文才允许被解密,如图3所示。(b)密钥策略属性加密(Key-Policy Attribute-basedEncryption,KP-ABE)。在KP-ABE中密文CT中内嵌属性列表,此时访问结构与密钥相互关联、绑定,当密文的属性列表达到访问结构A的要求时,密文才允许被解密,如图4所示。At present, attribute encryption can be subdivided into two different directions: (a) Ciphertext-Policy Attribute-based Encryption (CP-ABE). In CP-ABE, the ciphertext CT and the access structure A are correlated with each other. , binding, the attribute list and the key are interrelated and bound, only when the attribute set meets the requirements of the access structure, the ciphertext is allowed to be decrypted, as shown in Figure 3. (b) Key-Policy Attribute-based Encryption (KP-ABE). The attribute list is embedded in the ciphertext CT in KP-ABE. At this time, the access structure and the key are related and bound to each other. When the attribute list of the ciphertext meets the requirements of the access structure A, the ciphertext is allowed to be decrypted, as shown in Figure 4. shown.
Three modules form the core of the CP-ABE scheme and together constitute a system model for fine-grained access control and content privacy protection: the Content Provider (CP), the Attribute Authority (AA) and the Consumer. The attribute authority is regarded as fully trusted; it first distributes the system public key to the content provider and then distributes attribute private keys according to each consumer's attribute list. The content provider encrypts the original data into ciphertext under an access policy A, and only consumers who satisfy the access structure A can decrypt it. For example, in FIG. 5 the content provider restricts the access policy so that its content can be decrypted by Alice and Carol but not by Bob, which is determined by whether their attribute lists satisfy the access policy.
In-network caching in the MIN architecture decouples content from the location of its provider and significantly improves network performance. The price of that efficiency is that content is cached in MIR nodes all over the network, so the content provider can no longer manage the cached content. Without further processing the content sits in plaintext in the MIRs, and any user who knows the content's identifier can request it without passing through any access control. The privacy of the content cannot be guaranteed and the security of the network drops sharply. Traditional symmetric/asymmetric encryption gives good privacy protection in point-to-point communication, but in MIN's pull-based semantic transmission a one-to-one encryption algorithm makes the caching function unusable; this is the irreconcilable contradiction between one-to-one encryption and one-to-many content transmission.
Therefore, to achieve content privacy protection and fine-grained access control in MIN's pull-based semantic transmission, this application adopts CP-ABE as the system's encryption algorithm: it provides fine-grained access control for different users, and because the content needs to be encrypted only once, the MIR caching mechanism keeps working. This application improves on T-CP-ABE by introducing a time period parameter into key generation and content encryption, which realizes user revocation. It also uses the MIR's timed cache deletion to realize content-level revocation. Furthermore, combined with the MIS blockchain, each attribute authority is deployed on an MIS node, extending the original single attribute authority into multiple attribute authorities, which achieves decentralization and avoids a possible single point of failure. Thus, besides fine-grained access control and privacy protection for cached content, the access control method for a multi-identifier network provided by the embodiments of this application also offers multiple attribute authorities, revocability and traceability.
Referring to FIG. 6, FIG. 6 is a schematic diagram of the MIN cached-content access control model provided by an embodiment of this application. The model consists of the following entities: Content Provider (CP), Content Consumer (CC), Multi-Identifier Router (MIR) and Attribute Authority (AA).
Content Provider (CP): the content provider sets different access policies for different content and encrypts each item according to its access policy and the identifier corresponding to the current time period. Owing to the characteristics of the MIR, once the encrypted content is encapsulated in a data packet, the content's expiry time can be set in the packet; aligning that expiry with the time period guarantees that data encrypted in an earlier period does not linger in the in-network cache, so there is no need to ask the MIR to actively replace content that should be re-encrypted.
Content Consumer (CC): each content consumer holds a globally defined identity UUID assigned by the MIS, which is the basis for a user to join the multi-identifier network; on top of that, the content consumer is assigned a series of attributes. The content consumer applies to multiple attribute authorities for attribute private keys and uses them to decrypt content obtained from an MIR or from a content provider. The consumer obtains the plaintext if and only if its attributes meet the requirements of the content's access structure and the time period in which the private key was generated is the same as the time period in which the ciphertext was encrypted; otherwise the ciphertext cannot be decrypted.
Multi-Identifier Router (MIR): the multi-identifier router forwards, routes and caches. The content of a data packet is transparent to the MIR, so storing encrypted content does not affect the MIR's caching function. When caching, the freshness period field filled in by the content provider determines how long the cache entry lives; content outside that time range is evicted from the cache. In this scheme the freshness period field is set to the end of the current time period, so that during the current period the MIR does not cache content encrypted in the previous period.
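The freshness alignment described for the CP and the MIR above, as an added example that is not part of the patent: a toy content store that treats ciphertext as opaque, derives the freshness deadline from the time period in which the content was encrypted, and evicts entries at the period boundary. The period length (one hour) and the content names are constructed for the example.

```python
# Added example (not from the patent): MIR-style content store whose freshness
# deadline is aligned to the encryption time period. PERIOD_SECONDS is a
# constructed value; the names and ciphertexts in the demo are made up.
from dataclasses import dataclass
from typing import Dict, Optional

PERIOD_SECONDS = 3600  # constructed: one time period = one hour


def period_of(ts: int) -> int:
    """Time period identifier for a Unix timestamp (what the MIS would hand out)."""
    return ts // PERIOD_SECONDS


def period_end(period: int) -> int:
    """Exclusive end timestamp of a period; the provider uses it as the freshness deadline."""
    return (period + 1) * PERIOD_SECONDS


def remaining_freshness(now: int) -> int:
    """Seconds the provider should put in the freshness period field at time `now`."""
    return period_end(period_of(now)) - now


@dataclass
class CachedData:
    ciphertext: bytes   # opaque to the router: it never needs the plaintext
    period: int         # period under which the provider encrypted it
    expires_at: int     # freshness deadline, aligned to period_end(period)


class MirContentStore:
    """Toy MIR content store: caches ciphertext, evicts by freshness deadline."""

    def __init__(self) -> None:
        self._store: Dict[str, CachedData] = {}

    def insert(self, name: str, ciphertext: bytes, period: int) -> None:
        # Deadline = end of the encryption period, so the entry dies with the period
        # and is never served to a consumer holding a key of the next period.
        self._store[name] = CachedData(ciphertext, period, period_end(period))

    def lookup(self, name: str, now: int) -> Optional[CachedData]:
        entry = self._store.get(name)
        if entry is None:
            return None
        if now >= entry.expires_at:
            # Stale: encrypted under a previous period; drop it instead of serving it.
            del self._store[name]
            return None
        return entry


if __name__ == "__main__":
    store = MirContentStore()
    t = 7199                       # last second of period 1
    store.insert("/mis/demo/video", b"<ciphertext period 1>", period_of(t))
    print("remaining freshness at", t, "=", remaining_freshness(t))
    print("hit at 7199:", store.lookup("/mis/demo/video", 7199) is not None)
    print("hit at 7200:", store.lookup("/mis/demo/video", 7200) is not None)
```

The check in `lookup` is the only place the router needs period awareness: it compares the request time with a deadline the provider computed, and never inspects the ciphertext.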
Attribute Authority (AA): in this access control model there are multiple attribute authorities, each running on an MIS node, and the AAs on the MIS share the same global public parameters and master key in the initialization phase. Although the attribute authorities could run on-chain to keep their data consistent, here they are designed so that no data synchronization is needed: all attribute authorities jointly manage one attribute space. When an AA receives a key generation request it also sends a key-generation log to the blockchain, and only after all nodes have synchronized that operation does the AA send the generated key to the consumer, so that every attribute authorization operation is traceable. From the consumer's point of view every AA provides the same quality of key generation service, so they can be treated as a whole.
MIS: as part of the multi-identifier network, the MIS also takes on responsibilities in this application. Each AA runs on an MIS node, and the MIS blockchain gives the AAs collusion resistance; the MIS stores the public parameters and the key authorization logs in the blockchain so that they cannot be tampered with. The MIS also provides the AAs and CPs with a synchronized time period identifier.
The access control method for a multi-identifier network is described below from the perspective of a multi-identifier system node. The node may be a server or a service unit within a server; this is not specifically limited.
Referring also to FIG. 7, FIG. 7 is a schematic flowchart of the access control method for a multi-identifier network provided by an embodiment of this application, which includes:
701. If the multi-identifier system node receives a key generation request, the multi-identifier system node obtains the group generator corresponding to the cyclic group and the global attribute set.
In this embodiment, the multi-identifier access control model contains multiple attribute authorities, each running on an MIS node of the multi-identifier system, and the AAs on the MIS nodes share the same global public parameters and master key in the initialization phase. After an MIS node receives a key generation request, it can obtain the group generator corresponding to the cyclic group and the global attribute set, where the group generator is a group generator with curve parameters, the curve parameters comprising the number of primes and the bit length of each prime, and the global attribute set is the set of all attributes corresponding to the MIS node. The MIS node is any node in the multi-identifier system network; that is, the MIS comprises multiple MIS nodes that can communicate with one another. The multi-identifier system node can then obtain the elliptic curve and the bilinear map; all elements of the elliptic curve are points of the cyclic group. The attribute set can be determined by joint negotiation among all blockchain nodes.
702. The multi-identifier system node determines the global public parameters and the master key according to the group generator and the global attribute set.
In this embodiment, after obtaining the group generator corresponding to the cyclic group and the global attribute set, the multi-identifier system node can determine the global public parameters and the master key from them. Specifically, the global public parameters and the master key can be determined by the following formulas:
; ;
; ;
where  is the global public parameter; ,  are distinct primes;  are cyclic groups of order N;  is the bilinear map of ;  is the generator of ;  is the -th subgroup of ; ,  are elements of ; ,  are positive integers; ,  is the global attribute set; ,  is the master key;  is any element of ; and  is the -th subgroup of .
It should be noted that, for , a hash function  is chosen and modeled as a random oracle: a positive integer is generated at random, and a mapping from the current time period time to that positive integer is established. In addition, after generating the global public parameters, the multi-identifier system node can store them in the MIS blockchain and at the same time send the MSK to the other MIS nodes over an encrypted communication tunnel.
703. The multi-identifier system node determines the attribute set private key corresponding to the target user according to the global public parameters, the globally unique identifier corresponding to the target user, the master key, the current time period and the global attribute set.
In this embodiment, the multi-identifier system node determines the attribute set private key of the target user from the global public parameters, the target user's globally unique identifier, the master key, the current time period and the global attribute set. Specifically, the attribute set private key of the target user in the current time period can be determined by the following formula:
; ;
where  is the global public parameter,  is the globally unique identifier of the target user,  is the target attribute set,  is the master key,  is the current time period,  is the attribute set private key of the target user in the current time period, and  is defined as follows:
; ;
where  is the generator of ; ,  are positive integers; ,  are elements of ;  is the -th subgroup of ;  is the cyclic group of order N; , ,  is a hash function; ,  is the -th subgroup of ; ,  is the -th subgroup of ; ,  is the target attribute set; , , , , , ,  and  are attribute private key parameters; and  is a custom variable.
It should be noted that after the multi-identifier system node has determined the attribute set private key of the target user for the current time period, if it finds that  or , it re-selects  at random and recomputes. Once the computation is complete, the multi-identifier system node can store the mapping between  and the target user's globally unique identifier  in the MIS blockchain; the generated key itself is not stored in the blockchain.
704. The multi-identifier system node determines the target ciphertext corresponding to the target content plaintext according to the global public parameters, the target content plaintext, the access structure corresponding to the target content plaintext and the current time period.
In this embodiment, the multi-identifier system node determines the target ciphertext corresponding to the target content plaintext from the global public parameters, the target content plaintext, the access structure corresponding to the target content plaintext and the current time period. Specifically, the target ciphertext can be generated by the following formula:
; ;
where  is the target ciphertext; , , ,  and  are ciphertext parameters;  is the access structure, which is a  two-dimensional matrix;  is the mapping function that maps the i-th row  of the access structure to the attribute ;  is the target content plaintext;  is the bilinear map of ;  is the cyclic group of order N; ,  is a positive integer;  is an element of the vector ; ,  are randomly selected positive integers;  is the generator of ;  is any element of ;  is the -th subgroup of ; ,  is a randomly specified parameter with ; and  is the global attribute set.
705. The multi-identifier system node sends the target ciphertext, the attribute set private key and the global public parameters to the terminal device corresponding to the target user.
In this embodiment, after encrypting the target content plaintext into the target ciphertext, the multi-identifier system node can send the target ciphertext, the attribute set private key and the global public parameters to the terminal device of the target user, so that the terminal device decrypts the target ciphertext with the attribute set private key, the target attribute set and the global public parameters and obtains a decryption result; the target attribute set is the attribute set corresponding to the target user.
It should be noted that the multi-identifier system node can also trace the UUID of the consumer to whom a key corresponds. Specifically, the node verifies the integrity of a target attribute key, the target attribute key being a leaked key; if the integrity check passes, the node determines the attribute private key parameter  from the target attribute key and, from that parameter, determines the globally unique identifier corresponding to the leaked key. In other words, when tracing, the multi-identifier system node first checks the integrity of the key to be traced; if the key is incomplete it outputs , meaning the user who leaked the key cannot be traced. If the target attribute key is complete, the node first searches the key for the attribute key parameter  and assigns it to , then looks up the mapping table between  and  in the MIS blockchain, which yields the UUID of the user who leaked the key. The multi-identifier system node can verify the integrity of the target attribute key by the following formula:
, such that ,
where , is the generator of ; ,  are positive integers; ,  is the -th subgroup of ;  is the cyclic group of order N; , ,  is a hash function; ,  is the -th subgroup of ; ,  is the -th subgroup of ; , , , , , , ,  and  are attribute private key parameters;  is a custom variable;  are the cyclic groups of order N;  is the bilinear map of ;  is the generator of ;  is the -th subgroup of ;  is the target attribute set; and  is the current time period.
In addition, the multi-identifier system node can use the multi-identifier router's cache expiry function to delete the cache of the previous time period, thereby achieving content-level and user-level revocation as well as tracing of leaked keys.
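The AA bookkeeping described above (log the key issuance to the MIS chain before releasing the key, store only the parameter-to-UUID mapping, and trace a leaked key by first checking its integrity and then looking the parameter up), as an added example that is not part of the patent. It is a stand-in, not the scheme itself: the key's integrity formula is replaced by an HMAC under the authority's master key, the blockchain by a hash-chained append-only list, and the bound parameter by a random token; names such as `Ledger`, `AttributeAuthority`, `keygen` and `trace` are this example's own.

```python
# Added example (not from the patent). Stand-ins, labelled as such:
#   - HMAC-SHA256 under the AA master key replaces the scheme's key integrity check
#   - a hash-chained list replaces the MIS blockchain
#   - a random token `k` replaces the key parameter the scheme binds to the UUID
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Optional

GENESIS = "0" * 64


class Ledger:
    """Append-only, hash-chained log (constructed stand-in for the MIS blockchain)."""

    def __init__(self) -> None:
        self.entries: List[Dict] = []

    @staticmethod
    def _digest(prev: str, payload: Dict) -> str:
        body = json.dumps({"prev": prev, "payload": payload}, sort_keys=True).encode()
        return hashlib.sha256(body).hexdigest()

    def append(self, payload: Dict) -> None:
        prev = self.entries[-1]["digest"] if self.entries else GENESIS
        self.entries.append({"prev": prev, "payload": payload,
                             "digest": self._digest(prev, payload)})

    def verify_chain(self) -> bool:
        """Detects any edited payload or broken link (tamper evidence, not prevention)."""
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or self._digest(prev, e["payload"]) != e["digest"]:
                return False
            prev = e["digest"]
        return True

    def lookup_uuid(self, k: str) -> Optional[str]:
        for e in self.entries:
            if e["payload"].get("k") == k:
                return e["payload"]["uuid"]
        return None


class AttributeAuthority:
    def __init__(self, master_key: bytes, ledger: Ledger) -> None:
        self.msk = master_key
        self.ledger = ledger

    def _tag(self, k: str, attrs: List[str], period: int) -> str:
        msg = json.dumps({"k": k, "attrs": sorted(attrs), "period": period},
                         sort_keys=True).encode()
        return hmac.new(self.msk, msg, hashlib.sha256).hexdigest()

    def keygen(self, uuid: str, attrs, period: int) -> Dict:
        """Issue a period-bound key; the UUID is recorded on the ledger, not in the key."""
        k = secrets.token_hex(16)
        while self.ledger.lookup_uuid(k) is not None:   # mirror the "re-select on collision" rule
            k = secrets.token_hex(16)
        # Log first; the key is handed out only after the entry is committed.
        self.ledger.append({"k": k, "uuid": uuid, "period": period})
        return {"k": k, "attrs": sorted(attrs), "period": period,
                "tag": self._tag(k, attrs, period)}

    def trace(self, leaked_key: Dict) -> Optional[str]:
        """Return the UUID behind a leaked key, or None (the text's bottom symbol) if it fails integrity."""
        expected = self._tag(leaked_key["k"], leaked_key["attrs"], leaked_key["period"])
        if not hmac.compare_digest(expected, leaked_key.get("tag", "")):
            return None
        return self.ledger.lookup_uuid(leaked_key["k"])


if __name__ == "__main__":
    ledger = Ledger()
    aa = AttributeAuthority(b"constructed-master-key", ledger)
    key = aa.keygen("uuid-alice", {"doctor", "cardiology"}, period=7)
    print("trace genuine key ->", aa.trace(key))
    print("trace tampered key ->", aa.trace(dict(key, attrs=["admin"])))
    print("ledger intact:", ledger.verify_chain())
```

Two properties worth noting for a defender: the key carries no UUID, so tracing is only possible with ledger access, and a key whose attribute list or period was edited fails the integrity step before any lookup happens.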
In summary, in the embodiments provided by this application the time period parameter takes part in key generation and content encryption, which realizes user revocation; at the same time each attribute authority is deployed on an MIS node, extending the original single attribute authority into multiple attribute authorities, which achieves decentralization and avoids a possible single point of failure.
The access control method for a multi-identifier network of the embodiments of this application has been described above from the perspective of the multi-identifier system node; it is described below from the perspective of the terminal device.
Referring to FIG. 8, FIG. 8 is another schematic flowchart of the access control method for a multi-identifier network provided by an embodiment of this application, which includes:
801. The terminal device sends a key generation request to the multi-identifier system node.
In this embodiment, the terminal device is the device corresponding to the target user. It can send a key generation request to the multi-identifier system node, so that the node obtains the group generator corresponding to the cyclic group and the global attribute set, determines the global public parameters and the master key from them, determines the attribute set private key of the target user from the global public parameters, the target user's globally unique identifier, the master key, the current time period and the global attribute set, determines the target ciphertext corresponding to the target content plaintext from the global public parameters, the target content plaintext, the access structure corresponding to that plaintext and the current time period, and returns the target ciphertext, the attribute set private key and the global public parameters.
It should be noted that how the multi-identifier system node obtains the group generator and the global attribute set, determines the global public parameters and the master key from them, determines the attribute set private key of the target user from the global public parameters, the target user's globally unique identifier, the master key, the current time period and the global attribute set, and determines the target ciphertext from the global public parameters, the target content plaintext, its access structure and the current time period has already been described in detail above and is not repeated here.
802. The terminal device receives the target ciphertext, the attribute set private key and the global public parameters sent by the multi-identifier system node.
803. The terminal device decrypts the target ciphertext according to the attribute set private key and the global public parameters to obtain a decryption result.
In this embodiment, the terminal device can re-divide the target ciphertext  into several parts, denoted , and the target user's attribute set private key is denoted . It first determines whether the target attribute set of the target user meets the requirements of the access structure  of the target ciphertext; if not, it outputs ; if so, it decrypts the target ciphertext by the following formula to obtain the target content plaintext:
where  is the target content plaintext,  is a ciphertext parameter, ,  and  are intermediate parameters, and  and  are determined by the following formulas:
where  is the bilinear map of ;  is the generator of ;  is the -th subgroup of ;  is the cyclic group of order N;  is any element of ; , ,  are positive integers;  is a hash function;  is the i-th attribute in the target attribute set ;  and  are ciphertext parameters different from ; , , , ,  is the i-th row of the access structure, which is a  two-dimensional matrix;  is an element of the vector ; and ,  are randomly selected positive integers;
; ;
 and  are attribute private key parameters,  is a ciphertext parameter,  is the -th subgroup of , and , is the -th subgroup of .
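The decryption precondition stated in step 803 (and in the CC description: policy satisfied and same time period), as an added example that is not part of the patent. The text describes the access structure as a two-dimensional matrix with a row-to-attribute map, so the check below is the standard LSSS test: find coefficients over the rows whose attributes the user holds that combine to the target vector (1, 0, ..., 0). Arithmetic is over a prime field whose modulus `P` is a constructed stand-in for the scheme's group order; the policy matrix, attribute names and function names are this example's own, and the block also shows the reconstruction coefficients themselves, which a decryptor would use to combine the per-row pairing terms.

```python
# Added example (not from the patent): LSSS access-structure satisfaction check
# plus the time-period gate, as a decryptor would run it before pairing work.
# P is a constructed stand-in for the group order; POLICY_M / POLICY_RHO are made up.
from typing import Dict, List, Optional, Set

P = 2**61 - 1


def solve_mod_p(a: List[List[int]], b: List[int], p: int = P) -> Optional[List[int]]:
    """Solve a @ x = b over GF(p) by Gauss-Jordan elimination.

    Returns one solution (free variables set to 0), or None if the system is inconsistent.
    """
    rows, cols = len(a), len(a[0])
    m = [[v % p for v in a[i]] + [b[i] % p] for i in range(rows)]
    pivot_cols, r = [], 0
    for c in range(cols):
        piv = next((i for i in range(r, rows) if m[i][c]), None)
        if piv is None:
            continue
        m[r], m[piv] = m[piv], m[r]
        inv = pow(m[r][c], p - 2, p)            # Fermat inverse of the pivot
        m[r] = [(v * inv) % p for v in m[r]]
        for i in range(rows):
            if i != r and m[i][c]:
                f = m[i][c]
                m[i] = [(vi - f * vr) % p for vi, vr in zip(m[i], m[r])]
        pivot_cols.append(c)
        r += 1
        if r == rows:
            break
    # A row with all-zero coefficients but a non-zero right-hand side has no solution.
    if any(m[i][cols] for i in range(r, rows)):
        return None
    x = [0] * cols
    for i, c in enumerate(pivot_cols):
        x[c] = m[i][cols]
    return x


def reconstruction_coefficients(matrix: List[List[int]], rho: List[str],
                                user_attrs: Set[str], p: int = P) -> Optional[Dict[int, int]]:
    """Return {row: omega_row} with sum(omega_i * M_i) == (1, 0, ..., 0) over the rows
    whose attribute rho(i) the user holds, or None when the policy is not met."""
    rows_ok = [i for i, attr in enumerate(rho) if attr in user_attrs]
    if not rows_ok:
        return None
    n_cols = len(matrix[0])
    # Unknowns: omega_i for i in rows_ok. Equation j: sum_i omega_i * M[i][j] = target[j].
    a = [[matrix[i][j] for i in rows_ok] for j in range(n_cols)]
    target = [1] + [0] * (n_cols - 1)
    sol = solve_mod_p(a, target, p)
    return None if sol is None else dict(zip(rows_ok, sol))


def satisfies(matrix, rho, user_attrs, p: int = P) -> bool:
    return reconstruction_coefficients(matrix, rho, user_attrs, p) is not None


def can_decrypt(ct_period: int, key_period: int, matrix, rho, user_attrs, p: int = P) -> bool:
    """Decryption precondition from the text: same time period AND policy satisfied."""
    return ct_period == key_period and satisfies(matrix, rho, user_attrs, p)


# Constructed policy "(A AND B) OR C" as an LSSS matrix with target vector (1, 0).
POLICY_M = [[1, 1], [0, -1], [1, 0]]
POLICY_RHO = ["A", "B", "C"]

if __name__ == "__main__":
    for attrs in ({"A", "B"}, {"C"}, {"A"}, {"B"}):
        print(sorted(attrs), "->", reconstruction_coefficients(POLICY_M, POLICY_RHO, attrs))
    print("same policy, wrong period:", can_decrypt(3, 2, POLICY_M, POLICY_RHO, {"C"}))
```

A user holding only A or only B cannot produce (1, 0) from the rows they qualify for, which is exactly the "output ⊥" branch; a user with C alone needs a single row, and A together with B needs coefficients 1 and 1. The period comparison is deliberately checked first, so a key from the previous period is rejected even when its attributes would satisfy the policy.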
In summary, in the embodiments provided by this application the time period parameter takes part in key generation and content encryption, which realizes user revocation; at the same time each attribute authority is deployed on an MIS node, extending the original single attribute authority into multiple attribute authorities, which achieves decentralization and avoids a possible single point of failure. The key and the ciphertext, both bound to the time period, are sent to the terminal device, which decrypts the ciphertext; this guarantees that only the key of the current time period can decrypt the ciphertext of the current time period, improving the security of information transmission.
The method is described below from the perspective of the interaction between the multi-identifier system node and the terminal device. Referring to FIG. 9, FIG. 9 is another schematic flowchart of the access control method for a multi-identifier network provided by an embodiment of this application, which includes:
901. The terminal device sends a key generation request to the multi-identifier system node.
902. The multi-identifier system node obtains the group generator corresponding to the cyclic group and the global attribute set.
903. The multi-identifier system node determines the global public parameters and the master key according to the group generator and the global attribute set.
904. The multi-identifier system node determines the attribute set private key corresponding to the target user according to the global public parameters, the globally unique identifier corresponding to the target user, the master key, the current time period and the global attribute set.
905. The multi-identifier system node determines the target ciphertext corresponding to the target content plaintext according to the global public parameters, the target content plaintext, the access structure corresponding to the target content plaintext and the current time period.
906. The multi-identifier system node sends the target ciphertext, the attribute set private key and the global public parameters to the terminal device corresponding to the target user.
It should be noted that steps 902 to 906 are similar to steps 701 to 705 in FIG. 7, which have been described in detail above and are not repeated here.
907. The terminal device decrypts the target ciphertext according to the attribute set private key and the global public parameters to obtain a decryption result.
It should be noted that step 907 is similar to step 803 in FIG. 8, which has been described in detail above and is not repeated here.
In summary, in the embodiments provided by this application the time period parameter takes part in key generation and content encryption, which realizes user revocation; at the same time each attribute authority is deployed on an MIS node, extending the original single attribute authority into multiple attribute authorities, which achieves decentralization and avoids a possible single point of failure. The key and the ciphertext, both bound to the time period, are sent to the terminal device, which decrypts the ciphertext; this guarantees that only the key of the current time period can decrypt the ciphertext of the current time period, improving the security of information transmission.
The embodiments of this application have been described above from the perspective of the control method for a multi-identifier network; they are described below from the perspective of the multi-identifier system node and the terminal device.
Referring to FIG. 10, FIG. 10 is a schematic diagram of the virtual structure of a multi-identifier system node provided by an embodiment of this application. The multi-identifier system node 1000 includes:
an obtaining unit 1001, configured to obtain, upon receiving a key generation request, the group generator corresponding to the cyclic group and the global attribute set, where the multi-identifier system node is any node in the multi-identifier system network;
a first determining unit 1002, configured to determine the global public parameters and the master key according to the group generator and the global attribute set;
a second determining unit 1003, configured to determine, according to the global public parameters, the globally unique identifier corresponding to the target user, the master key, the current time period and the global attribute set, the attribute set private key corresponding to the target user in the current time period;
a third determining unit 1004, configured to determine the target ciphertext corresponding to the target content plaintext according to the global public parameters, the target content plaintext, the access structure corresponding to the target content plaintext and the current time period;
a sending unit 1005, configured to send the target ciphertext, the attribute set private key and the global public parameters to the terminal device corresponding to the target user, so that the terminal device decrypts the target ciphertext according to the attribute set private key, the target attribute set and the global public parameters to obtain a decryption result, where the target attribute set is the attribute set corresponding to the target user.
In a possible design, the first determining unit 1002 is specifically configured to:
determine the global public parameters and the master key by the following formulas:
; ;
; ;
where  is the global public parameter; ,  are distinct primes;  are the cyclic groups of order N;  is the bilinear map of ;  is the generator of ;  is the -th subgroup of ; , ,  are positive integers; ,  is the global attribute set; ,  is the master key;  is any element of ; and  is the -th subgroup of .
In a possible design, the second determining unit 1003 is specifically configured to:
determine the attribute set private key by the following formula:
; ;
where  is the global public parameter,  is the globally unique identifier of the target user,  is the target attribute set,  is the master key,  is the current time period,  is the attribute set private key of the target user in the current time period, and  is defined as follows:
; ;
where [ ] is a generator of [ ]; [ ] and [ ] are positive integers; [ ] is the [ ]-th subgroup of [ ]; [ ] is the cyclic group of order N; [ ] is a hash function; [ ] is the [ ]-th subgroup of [ ]; [ ] is the [ ]-th subgroup of [ ]; [ ] is the target attribute set; [ ], [ ], [ ], [ ], [ ], [ ] and [ ] are attribute private key parameters; and [ ] is a user-defined variable.
In a possible design, the third determining unit 1004 is specifically configured to:
generate the target ciphertext by the following formula:
; ;
where [ ] is the target ciphertext; [ ], [ ], [ ], [ ] and [ ] are ciphertext parameters; [ ] is the access structure, a two-dimensional matrix of size [ ]; [ ] is the mapping function that maps the i-th row of the access structure to an attribute; [ ] is the target content plaintext; [ ] is the bilinear map [ ]; [ ] is the cyclic group of order N; [ ] is a positive integer; [ ] is an element of the vector [ ]; [ ] and [ ] are randomly chosen positive integers; [ ] is a generator of [ ]; [ ] is any element of [ ]; [ ] is the [ ]-th subgroup of [ ]; [ ] is a randomly specified parameter with [ ]; and [ ] is the global attribute set.
In a possible design, the multi-identifier network node 100 further includes:
a tracing unit 1006, configured to:
verify the integrity of a target attribute key, the target attribute key being a leaked key;
if the integrity verification of the target attribute key passes, determine the attribute private key parameter [ ] from the target attribute key;
determine, according to the attribute private key parameter [ ], the globally unique identifier corresponding to the target attribute key.
In a possible design, the tracing unit 1006 is specifically configured to:
verify the integrity of the target attribute key by the following formula:
[ ], such that [ ],
where [ ] is a generator of [ ]; [ ] and [ ] are positive integers; [ ] is the [ ]-th subgroup of [ ]; [ ] is the cyclic group of order N; [ ] is a hash function; [ ] is the [ ]-th subgroup of [ ]; [ ] is the [ ]-th subgroup of [ ]; [ ], [ ], [ ], [ ], [ ], [ ] and [ ] are attribute private key parameters; [ ] is a user-defined variable; [ ] and [ ] are the cyclic groups of order N; [ ] is the bilinear map [ ]; [ ] is a generator of [ ]; [ ] is the [ ]-th subgroup of [ ]; [ ] is the target attribute set; and [ ] is the current time period.
Refer to FIG. 11, a schematic diagram of the virtual structure of the terminal device provided by an embodiment of the present application. The terminal device 1100 includes:
a sending unit 1101, configured to send a key generation request to the multi-identifier system node, so that the multi-identifier system node obtains the group generator corresponding to the cyclic group and the global attribute set, determines the global public parameters and the master key according to the group generator and the global attribute set, determines the attribute-set private key of the target user according to the global public parameters, the globally unique identifier of the target user, the master key, the current time period and the global attribute set, determines the target ciphertext of the target content plaintext according to the global public parameters, the target content plaintext, the access structure corresponding to the target content plaintext and the current time period, and returns the target ciphertext, the attribute-set private key and the global public parameters;
a receiving unit 1102, configured to receive the target ciphertext, the attribute-set private key and the global public parameters sent by the multi-identifier system node;
a decrypting unit 1103, configured to decrypt the target ciphertext according to the attribute-set private key and the global public parameters to obtain a decryption result.
In a possible design, the decrypting unit 1103 is specifically configured to:
if the attribute set meets the requirements of the target access structure, decrypt the target ciphertext by the following formula to obtain the target content plaintext:
where [ ] is the target content plaintext, [ ] is a ciphertext parameter, and [ ] and [ ] are intermediate parameters, with [ ] and [ ] determined by the following formulas:
where [ ] is the bilinear map [ ]; [ ] is a generator of [ ]; [ ] is the [ ]-th subgroup of [ ]; [ ] is the cyclic group of order N; [ ] is any element of [ ]; [ ] and [ ] are positive integers; [ ] is a hash function; [ ] is the i-th attribute in the target attribute set [ ]; [ ] and [ ] are ciphertext parameters different from [ ]; [ ] is the i-th row of the access structure [ ], which is a two-dimensional matrix of size [ ]; [ ] is an element of the vector [ ]; and [ ] and [ ] are randomly chosen positive integers;
; ;
[ ] and [ ] are attribute private key parameters, [ ] is a ciphertext parameter, [ ] is the [ ]-th subgroup of [ ], and [ ] is the [ ]-th subgroup of [ ].
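The decryption precondition above, that the terminal's attribute set must meet the requirements of the access structure, can be made concrete with an added example that is not the patent's own code: the access structure is the two-dimensional matrix with a row-to-attribute mapping function that the patent describes, and the terminal checks whether the rows whose attributes it holds can be combined to the target vector. The conversion from a boolean policy to that matrix uses the Lewko-Waters labelling, which is an assumption (the patent does not state how its matrix is built); the coefficients are solved over the rationals rather than modulo the group order N, and the policy and attribute names are constructed.

```python
from fractions import Fraction

# Added example, not the patent's code: an LSSS access structure (matrix A whose
# i-th row is mapped to an attribute by rho) and the check a terminal must pass
# before decrypting: can rows it holds attributes for be combined to e1 = (1,0,..,0)?

def policy_to_lsss(policy):
    """Policy tree (attribute str or ('AND'|'OR', l, r)) -> (matrix, rho); Lewko-Waters labelling (assumed)."""
    rows, counter = [], [1]        # counter[0]: current label length c
    def walk(node, vec):
        if isinstance(node, str):  # leaf: this row belongs to attribute `node`
            rows.append((vec, node))
            return
        op, left, right = node
        c = counter[0]
        if op == "OR":             # OR: both children inherit the parent label
            walk(left, vec)
            walk(right, vec)
        elif op == "AND":          # AND: split the label into two shares
            counter[0] = c + 1
            walk(left, vec + [0] * (c - len(vec)) + [1])
            walk(right, [0] * c + [-1])
        else:
            raise ValueError(f"unknown gate {op!r}")
    walk(policy, [1])
    n = counter[0]                 # pad every row to the final length
    return [v + [0] * (n - len(v)) for v, _ in rows], [a for _, a in rows]

def reconstruction_coefficients(matrix, rho, attrs):
    """Solve sum(omega_i * A_i) = e1 over rows with rho[i] in attrs; {i: Fraction} or None."""
    idx = [i for i, a in enumerate(rho) if a in attrs]
    n, k = len(matrix[0]), len(idx)
    # Augmented system [A_S^T | e1]; Gaussian elimination over the rationals.
    aug = [[Fraction(matrix[i][r]) for i in idx] + [Fraction(1 if r == 0 else 0)] for r in range(n)]
    pivots, row = [], 0
    for col in range(k):
        piv = next((r for r in range(row, n) if aug[r][col]), None)
        if piv is None:
            continue
        aug[row], aug[piv] = aug[piv], aug[row]
        aug[row] = [x / aug[row][col] for x in aug[row]]
        for r in range(n):
            if r != row and aug[r][col]:
                aug[r] = [a - aug[r][col] * b for a, b in zip(aug[r], aug[row])]
        pivots.append(col)
        row += 1
    if any(aug[r][k] for r in range(row, n)):  # inconsistent: attrs cannot satisfy A
        return None
    # Free variables are set to 0, so each pivot variable equals its rhs entry.
    return {idx[col]: aug[r][k] for r, col in enumerate(pivots) if aug[r][k]}

def satisfies(matrix, rho, attrs):
    """True iff attrs yields coefficients that really reconstruct e1 (decryption may proceed)."""
    omega = reconstruction_coefficients(matrix, rho, attrs) or {}
    n = len(matrix[0])
    return [sum(w * matrix[i][c] for i, w in omega.items()) for c in range(n)] == [1] + [0] * (n - 1)
```

For the constructed policy `("AND", ("OR", "doctor", "nurse"), "cardiology")` the matrix is `[[1, 1], [1, 1], [0, -1]]`, and only attribute sets containing `cardiology` together with `doctor` or `nurse` satisfy it.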
An embodiment of the present application further provides a computer device on which the multi-identifier system node provided by the embodiments may be deployed. FIG. 12 shows one possible architecture of the computer device. As shown in FIG. 12, the computer device 1200 may include a processor 1201, a memory 1202, a communication interface 1203 and a bus 1204. The computer device may have one or more processors 1201; FIG. 12 shows only one. Optionally, the processor 1201 may be a central processing unit (CPU). If the computer device has multiple processors 1201, they may be of the same or of different types. Optionally, the multiple processors of the computer device may also be integrated as a multi-core processor.
The memory 1202 stores computer instructions and data, and may store the computer instructions and data required to implement the functions of the first multi-identifier system node provided by the embodiments. The memory 1202 may be any one, or any combination, of the following storage media: non-volatile memory (such as read-only memory (ROM), solid state disk (SSD), hard disk drive (HDD) or optical disc) and volatile memory.
The communication interface 1203 may be any one, or any combination, of the following devices: a network interface (such as an Ethernet interface), a wireless network card, or another device with network access capability.
The communication interface 1203 is used for data communication between the computer device and other nodes or other computer devices.
FIG. 12 also shows the bus 1204. The bus 1204 may connect the processor 1201 with the memory 1202 and the communication interface 1203, so that through the bus 1204 the processor 1201 can access the memory 1202 and can exchange data with other nodes or other computer devices via the communication interface 1203.
In the present application, the computer device executes the computer instructions in the memory 1202 to implement the functions of the first multi-identifier system node provided by the embodiments. For example, by executing the computer instructions in the memory 1202, the computer device can perform the operations described above as performed by the multi-identifier system node.
Next, another terminal device provided by the present application is introduced. As shown in FIG. 13, the terminal device 1300 includes:
a receiver 1301, a transmitter 1302, a processor 1303 and a memory 1304 (the terminal device 1300 may have one or more processors 1303; FIG. 13 takes one processor as an example). In some embodiments of the present application, the receiver 1301, the transmitter 1302, the processor 1303 and the memory 1304 may be connected by a bus or in another manner; FIG. 13 takes a bus connection as an example.
The memory 1304 may include read-only memory and random access memory, and provides instructions and data to the processor 1303. A part of the memory 1304 may also include NVRAM. The memory 1304 stores an operating system and operation instructions, executable modules or data structures, or a subset or an extended set of them, where the operation instructions may include various operation instructions for implementing various operations. The operating system may include various system programs for implementing basic services and handling hardware-based tasks.
The processor 1303 controls the operation of the terminal device and may also be referred to as a CPU. In a specific application, the components of the terminal device are coupled together by a bus system, which in addition to a data bus may include a power bus, a control bus, a status signal bus and so on. For clarity, however, the various buses are all referred to as the bus system in the figure.
The access control method for the multi-identifier network disclosed in the above embodiments of the present application may be applied to, or implemented by, the processor 1303. The processor 1303 may be an integrated circuit chip with signal processing capability. During implementation, the steps of the method shown in FIG. 1 may be completed by integrated logic circuits of hardware in the processor 1303 or by instructions in the form of software. The processor 1303 may be a general-purpose processor, a DSP, an ASIC, an FPGA or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and may implement or execute the methods, steps and logic block diagrams disclosed in the embodiments of the present application. The general-purpose processor may be a microprocessor or any conventional processor. The steps of the methods disclosed in the embodiments may be directly embodied as being executed by a hardware decoding processor, or by a combination of hardware and software modules in the decoding processor. The software modules may be located in a storage medium mature in the art, such as random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory or registers. The storage medium is located in the memory 1304; the processor 1303 reads the information in the memory 1304 and completes the steps of the above method in combination with its hardware.
In this embodiment of the present application, the processor 1303 is configured to execute the technical solution of the foregoing embodiments of the access control method for the multi-identifier network; the implementation principle and technical effect are similar and are not repeated here.
An embodiment of the present application further provides a computer-readable medium containing computer-executable instructions which enable a server to execute the access control method for the multi-identifier network described in the above embodiments; the implementation principle and technical effect are similar and are not repeated here.
Those of ordinary skill in the art can understand that all or part of the steps of the above method embodiments may be completed by hardware related to program instructions. The program may be stored in a computer-readable storage medium; when executed, it performs the steps of the above method embodiments. The storage medium includes ROM, RAM, magnetic disk, optical disc and other media that can store program code.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the present application, not to limit them. Although the present application has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some or all of their technical features equivalently replaced, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present application.
Claims (8)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210700564.0A (CN114785622B) | 2022-06-21 | 2022-06-21 | Access control method, device and storage medium for multi-identification network |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114785622A | 2022-07-22 |
CN114785622B | 2022-09-30 |
Family ID: 82420622
Family Applications (1)
Application Number | Title | Priority Date | Filing Date | Status |
---|---|---|---|---|
CN202210700564.0A (CN114785622B) | Access control method, device and storage medium for multi-identification network | 2022-06-21 | 2022-06-21 | Active |
Country Status (1)
Country | Link |
---|---|
CN | CN114785622B (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| TR01 | Transfer of patent right | Effective date of registration: 20250703. Patentee before: SHENZHEN CESTBON TECHNOLOGY Co.,Ltd. (518000 Guangdong Province, Shenzhen City, Nanshan District, Zoo Road, Deyi Mingju (Phase I), Building 1, C-18B; China) and Huzhou saisi'an Technology Co.,Ltd. Patentee after: Foshan saisichen Technology Co.,Ltd. (528200 Guangdong Province, Nanhai District, Gucheng Street, Nanning West Road, Guangdong Xiaxi International Rubber and Plastics City Phase I, Building 2, Fourth Floor, A2-6, One (Residence Declaration); China) |