[go: up one dir, main page]

CN119203220A - An oblivious dynamically searchable encryption method - Google Patents

An oblivious dynamically searchable encryption method Download PDF

Info

Publication number
CN119203220A
CN119203220A CN202411242931.2A CN202411242931A CN119203220A CN 119203220 A CN119203220 A CN 119203220A CN 202411242931 A CN202411242931 A CN 202411242931A CN 119203220 A CN119203220 A CN 119203220A
Authority
CN
China
Prior art keywords
keyword
random
document
client
row
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202411242931.2A
Other languages
Chinese (zh)
Other versions
CN119203220B (en
Inventor
姜正涛
温家琦
周涵瑜
吴正阳
张京良
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Zhiheng Network Security Technology Co ltd
Original Assignee
Communication University of China
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Communication University of China filed Critical Communication University of China
Priority to CN202411242931.2A priority Critical patent/CN119203220B/en
Publication of CN119203220A publication Critical patent/CN119203220A/en
Application granted granted Critical
Publication of CN119203220B publication Critical patent/CN119203220B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6227Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database where protection concerns the structure of data, e.g. records, types, queries
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245Protecting personal data, e.g. for financial or medical purposes
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2107File encryption

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Databases & Information Systems (AREA)
  • Medical Informatics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides an unintentional dynamic searchable encryption method, which relates to the technical field of information security, and comprises the steps of constructing a new Labeled PSI technology by using a coding algorithm and a decoding algorithm expressed in a formal mode OKVS based on a receiver processor and a sender processor and combining a VOLE technology at a bottom layer module to obtain an intersection Z of the two parties and a corresponding label, negotiating a database updating method by a client and a server together at an application layer to dynamically update a database, negotiating a database searching method by the client and the server together to decrypt a document, and completing unintentional dynamic searchable encryption processing. The invention improves the safety and efficiency of the dynamic searchable encryption technology.

Description

Inadvertent dynamic searchable encryption method
Technical Field
The invention belongs to the technical field of information security, and particularly relates to an inadvertent dynamic searchable encryption method.
Background
In the digital economic age of information technology development, data has become a new production element, and the process of storing and processing the data gradually shifts to the cloud. But in cloud environments the user is separated from the data, the user cannot control the data, and the presence of private content prevents the full release of the data value. The data is encrypted and then stored by introducing the high-strength cipher primitives, so that the privacy security of the data can be effectively protected, but a user cannot perform meaningful operation and search operation through ciphertext data. Therefore, how to perform efficient and secure retrieval on ciphertext data becomes a challenging problem.
The searchable encryption technique (Searchable Encryption, SE) allows the user to efficiently perform retrieval operations in ciphertext. However, most of the existing SE schemes are multi-faceted static data sets, and the search index needs to be reconstructed if the stored data is updated, meanwhile, some schemes are constructed by adopting complex cipher primitives, so that the theory effect is good, the actual efficiency is extremely poor, and the applicable scenes are limited. Accordingly, scholars have proposed dynamic searchable encryption techniques (Dynamic Searchable Encryption, DSE) and inadvertent keyword search techniques (Oblivious Keyword Search, OKS) to remedy this deficiency.
DSE allows users to dynamically add or delete encrypted databases, while OKS can hide the statistics of keyword ciphertext, providing better privacy protection. OKS can be regarded as a special tagged unbalanced privacy set intersection (Labeled PSI), so that the privacy security can be better protected by designing a searchable encryption scheme based on Labeled PSI protocol.
The private collection intersection (PRIVATE SET Intersection, PSI) belongs to a specific application problem in the field of secure multiparty computing, and is one of the hot spot problems of privacy protection. PSI allows participants to compute intersections using a local data set through a series of underlying cryptographic techniques, and does not reveal any information other than intersections, which may be available to either a participant or all participants. Although PSI technology is well established, its application in the field of dynamic searchable encryption has not been studied.
From the presently disclosed codes, papers and patents, the existing DSE schemes face a series of privacy security problems such as leakage of search modes and access modes, and the like, and meanwhile, a formalized security model covering the actual capability of an attacker is lacking to prove the security of the DSE schemes, in terms of updating efficiency, index structures are frequently updated due to data insertion and deletion operations, the updating efficiency is low due to unreasonable index structures along with the continuous increase of data quantity and user quantity, and key management becomes more complex, and in terms of searching efficiency, a large number of ciphertext copies need to be transmitted by the traditional method, so that the searching communication cost is huge.
Disclosure of Invention
Aiming at the defects in the prior art, the invention provides an inadvertent dynamic searchable encryption method, which solves the problems of low efficiency, high communication overhead and query privacy leakage in the prior art when supporting dynamic data update.
In order to achieve the purpose, the technical scheme adopted by the invention is that the inadvertently dynamic searchable encryption method comprises the following steps:
S1, constructing Labeled PSI protocols based on OKVS and VOLE technical frames by using an encoding algorithm and a decoding algorithm expressed in a formal manner based on a receiver processor and a sender processor at a bottom layer module, and obtaining an intersection result Z and a corresponding label by the receiver processor, wherein the intersection result Z is a keyword set to be searched, and a document identifier set corresponding to the keyword is stored in the corresponding label;
S2, negotiating a database updating method jointly by the client and the server at the application layer, encrypting the plaintext document and completing ciphertext database updating operation, negotiating a database searching method jointly by the client and the server, completing unintentional dynamic searchability of multiple keywords based on Labeled PSI protocols, and decrypting the document after obtaining the searching result by the client.
Further, the step S1 includes the steps of:
s101, generating a random matrix M by a receiver processor according to a key value set (k, v), wherein each row of the random matrix M comprises a random block with fixed length and random starting position, k represents the key set, and v represents a value vector;
S102, according to random block elements, a coding algorithm of OKVS is expressed in a formalized mode to solve z in a linear system M.z=v, wherein z represents a coding result of a key value set after OKVS coding;
S103, recovering a value v i corresponding to the given arbitrary key k i by a decoding algorithm of formal representation OKVS according to the obtained z;
S104, in order to construct Labeled PSI protocols, a receiver processor encodes all keys based on OKVS and encapsulates the encoding results by using a VOLE protocol, wherein after the sender processor and the receiver processor call the VOLE protocol, the sender processor obtains parameters delta, B, the receiver processor obtains parameters A and C and satisfies C=delta A+B, labeled PSI protocols encapsulate OKVS encoding results by using random variables, the encapsulation process is that the receiver processor encapsulates A '=A+P and transmits the A' =A+P to the sender processor, and the sender processor encapsulates K=delta A '+B so that the parameters A and C=delta A' +B are satisfied:
K=ΔA'+B=Δ(A+P)+B=ΔA+B+ΔP=C+ΔP
Wherein delta represents a random scalar generated by the VOLE protocol functional module, A, B and C represent random vectors generated by the VOLE protocol functional module, C=delta A+B is satisfied, A' represents a mask after information is packaged, P represents a coding result after a dataset of a receiver processor is OKVS coded, and K represents an intermediate calculation vector of a sender processor;
S105, according to the packaging result, based on OKVS decoding algorithm of S103, by respectively calculating X ', L ' and Y ', the intersection result Z and the corresponding label are obtained by the receiver processor, and the construction of Labeled PSI protocol is completed:
Z=X'∩Y'
wherein Z represents the final intersection result of Labeled PSI protocols, X ' represents the mask ciphertext of the local set X of the sender processor, L ' represents the ciphertext set after encrypting the document identifier L, and Y ' represents the mask ciphertext of the local set Y of the receiver processor.
Still further, the step S101 includes the steps of:
a1, generating a random matrix M by a receiver processor according to a key value set (k, v), wherein each row of the random matrix M comprises a random block with a fixed length b w and a random starting position;
a2, for each row in the random matrix M, randomly selecting s i as a random block starting position of the ith row by a receiver processor;
a3, generating a b w -bit random block element by using a random predictor according to a key k i corresponding to each row i of the matrix.
Still further, the step S102 includes the steps of:
B1, sequencing by a receiver processor according to the starting position s i of each row of random blocks in the random matrix M, and re-labeling;
B2, traversing random block elements of each row in the random matrix M by a receiver processor, and when M [ i ] [ j ] =1, processing all elements meeting M [ i '] [ j ] =1, i' > i and s i is less than or equal to j by using the following formula:
M[i']=M[i']⊕M[i]
v[i']=v[i']⊕v[i]
wherein, mi represents the elements of the ith row and the jth column in the random matrix M, mi represents all the elements of the ith row in the random matrix M, v i ' represents the elements of the ith row in the value vector, s i represents the initial column position of the ith row random block in the random matrix M, mi ' represents all the elements of the ith row in the random matrix M, v i represents the elements of the ith row in the value vector, mi ' j represents the elements of the jth column in the random matrix M, wherein, the jth column of the random matrix M subjected to row processing operation has only the elements of the ith row as 1, and the elements of the ith row are all 0;
And B3, according to the processing result of the step B2, solving z in the linear system by utilizing the following formula, wherein when a certain row element is 0 in the row processing process, the z is directly made to be ≡F m, otherwise:
zi=<zi,M[i]>+vi
Where F m represents a vector space with dimension m, z i represents the i-th row element of z, and v i represents the i-th row element in the value vector.
Still further, the step S103 includes the steps of:
c1, let v be≡0, calculate the random block start position s≡H (k) corresponding to given arbitrary key k value and element in random block Wherein v represents a value corresponding to a given arbitrary key k value, H (·) represents a random hash function, b w represents the length of each row of random block of the random matrix M, and k represents an arbitrary key to be decoded;
C2, according to the calculation result of the step C1, for j E [1, b w ], v++u [ j ' ]. Z [ s+j-1] is calculated as the last return value, and the recovery of the value v i corresponding to the given arbitrary key k i is completed, wherein j represents the column position of each row of random block in the random matrix M, u [ j ' ] represents the j ' th bit element of the random block, and s represents the starting position of the random block.
Still further, the step S104 includes the steps of:
d1, in order to construct Labeled PSI protocols, a VOLE protocol is called by both a sender processor and a receiver processor, wherein the receiver processor encodes all keys based on OKVS and encapsulates the encoding result by utilizing the VOLE protocol;
d2, after the operation of the VOLE protocol is finished, receiving and obtaining parameters delta and B by a sender processor, and receiving and obtaining parameters A and C by a receiver processor, wherein delta represents a random scalar generated by a VOLE protocol function module, A, B and C represent random vectors generated by the VOLE protocol function module, and C=delta A+B is satisfied;
D3, encapsulating the a 'by the receiver processor, and transmitting the a' to the sender processor by using the following formula:
A'=A+P
Wherein P represents the coding result of OKVS by the receiver, A' represents the mask after the information is packaged;
d4, according to a', calculating K by the sender processor using:
K=ΔA'+B=Δ(A+P)+B=ΔA+B+ΔP=C+ΔP
Where K represents the intermediate calculation vector of the sender processor and P represents the encoding result of the receiver processor dataset after OKVS encoding.
Still further, the step S105 includes the steps of:
E1, according to the encapsulation result, based on OKVS decoding algorithm of S103, the sender processor calculates X 'and L' by using the following formulas respectively:
X'={Ho(Decode(K,x)-ΔHF(x))|x∈X}
L'={Sym_En(Kdoc,l)|l∈L[x]}
Wherein, H o and H F each represent a random hash function, decode (K, X) represents a decoding operation of OKVS, K represents an intermediate calculation vector of a sender processor, X represents an element in a set X, sym_En represents a secure symmetric encryption algorithm, K doc represents a document encryption key, lx represents a document identifier set corresponding to the element X, L represents one element in the document identifier set Lx, and X represents a set of Labeled PSI protocols used by a server;
E2, calculating Y 'by the access processor by using the following formula, and sending the Y' to the sender processor;
Y'={Ho(Decode(C,y),y)|y∈Y}
wherein Decode (C, Y) represents the decoding operation of OKVS, Y represents an element in set Y, C represents a random vector generated by the VOLE protocol;
E3, according to the X 'and the Y', calculating Z by using the following formula to obtain the result of the original data set X and Y:
Z=X'∩Y';
And E4, obtaining a corresponding label { Lz|z epsilon Z } according to Z, and completing construction of Labeled PSI protocols, wherein Lz represents a document identifier set corresponding to the intersection set element Z.
Still further, the step S2 includes the steps of:
S201, respectively generating a secret key, an empty keyword state table and an empty encryption database at a client;
s202, negotiating a database updating method by the client and the server together, encrypting the plaintext document, and completing the ciphertext database updating operation;
S203, negotiating a database searching method by the client and the server together according to the updating result, completing the unintentional dynamic searchability of the multiple keywords based on Labeled PSI protocols, and decrypting the document after obtaining the searching result by the client.
Still further, the step S202 includes the steps of:
F1, generating a series of empty lists T w,Tkw,Tdic,Tcount,Tupdate by the client, wherein a table T w is used for storing keyword information in the updating process, a table T kw is used for storing mapping from a keyword w to a keyword token kt w, a table T dic is used for storing ciphertext information on a document index chain DIC, a table T count is used for storing the number of documents corresponding to the keyword w, and a table T update is used for storing all ciphertext information in the updating process;
F2, extracting documents one by one in a document database DB by a client, calculating a table T w by the client for any keyword w, and searching the keyword sigma [ w ] from a local keyword state table;
f3, responding to the fact that the keyword sigma [ w ] is not found, enabling sigma [ w ] ≡0, and calculating to obtain the latest update times n update of the keyword w;
F4, according to the calculation result of the step F3, the client searches (kt w,stw)←Tkw [ w ] from the table T kw, and if not found, kt w←F(Ks, w) is calculated, And T kw←Tkw∪{w,(ktw,stw), where T kw [ w ] represents the mapping of the keyword w to the keyword token kt w and the search token st w, F (K s, w) represents a pseudo-random function, H () represents a hash function,The latest update times of the keyword w are represented;
F5, according to the calculation result of the step F4, searching T count [ w ] from a table T count by the client, and in response to the fact that the T count [ w ] is not found, making T count [ w ] ≡0 and obtaining c w←Tcount [ w ] +1, wherein T count [ w ] represents and stores a list of the number of document identifiers corresponding to the keyword w, and c w represents the number of documents corresponding to the keyword w in the updating operation process;
F6, according to the calculation result of the step F5, calculating to obtain calculation document encryption information loc (i.e. H (st w,cw)、eid←Sym_En(Kdoc, id)) and T dic[stw]←Tdic[stw { (loc, eid) }, wherein loc represents the address of each node of the document index chain DIC, eid represents the ciphertext encrypted by the document identifier id, sym_En represents symmetric encryption operation, K doc represents a document encryption key, and T dic[stw represents a document index chain corresponding to the search token st w;
f7, for any keyword w epsilon T w, calculating sigma [ w ] ++1, (kt w,stw)←Tkw[w]、cw←Tcount [ w ] and value ≡G (st w,1λ)⊕(op||cw)) by a client, saving (kt w,(value,Tdic[stw ])) in a table T update, and sending the table T update to a server by the client, wherein all keyword sets involved in the updating process are saved in the table T w, sigma [ w ] represents a client local keyword state table, c w represents the number of documents corresponding to the keyword w in the updating process, T count [ w ] represents the number of documents corresponding to the keyword w, value represents an operation information mask of the updating process, G () represents a hash function, op=0 represents a document adding operation, op=1 represents a document deleting operation, and lambda represents a calculation safety parameter;
and F8, merging the table T update with the encryption database EDB by the server to finish updating operation of the ciphertext database.
Still further, the step S203 includes the steps of:
G1, generating Y 'by a client according to an updating result, R' is { }, kt w←F(Ks,w)、stw←H(ktw and sigma [ w ] are calculated for any keyword w, and a search token st w is stored to Y ', wherein Y' represents a set of the client for Labeled PSI protocol, R represents a final result set, kt w represents a keyword token, F (K s, w) represents a pseudo-random function, st w represents a search token, H () represents a hash function, sigma [ w ] represents a keyword, and kt w represents a keyword token;
G2, generating X ", lx≡ { }, for the encryption database EDB, calculating st w←H(ktw,ci by the server, wherein X" represents the set of servers for Labeled PSI protocol, lx represents the set of document identifiers for the corresponding element X, c i represents the c i th node;
G3, according to the generated search token st w, op and c w are obtained through calculation by using the following formula:
(op||cw)←value⊕G(stw,1λ)
Wherein c w represents the number of documents corresponding to the keyword w in the update operation process, value represents an operation information mask corresponding to the update process, G () represents a hash function, op represents an operation type, op=0 represents a document adding operation, op=1 represents a document deleting operation, and λ represents a calculation security parameter;
G4, from 1 to c w, calculating to obtain loc (H) (st w, j) and Eid (EDB) (loc), wherein loc represents the address of the j-th node of the document index chain DIC, and the encrypted ciphertext of the Eid document identifier id, and EDB represents an encrypted database;
G5, saving, by the server, the search token st w to X ", and adding the encrypted document identifier of op=0 to lx, removing the document encrypted identifier of op=1 from lx;
G6, the client and the server call Labeled PSI the protocol together, after Labeled PSI the protocol is operated, the client receives the final result intersection I=X '-U Y' and { L [ Y '] |y' ∈I } corresponding to the intersection element, wherein L [ Y '] represents the encrypted document to be searched by the client, and Y' represents the intersection element;
and G7, saving the L [ y' ] to the set R by the client, decrypting the document by using the key, and completing the encryption processing of the unintentional dynamic searchable.
The invention has the beneficial effects that:
(1) The invention is applicable to new cryptography parameters, the research of PSI in the field of searchable encryption is still blank in the prior art, and the invention provides a new and effective careless keyword search protocol; compared with the traditional dynamic searchable encryption protocol, the invention supports multi-keyword search, realizes forward security and backward security, and protects privacy security of a search mode in the search process;
(2) Compared with the OKS protocol, the method has the advantages that the number of ciphertext is equal to the product of the number of keywords and the number of files, the communication cost is only equal to the number of files corresponding to the query keyword set, the communication efficiency is high, the formal security model is utilized to prove the security of the protocol, namely, the random predictive model is utilized to simulate common attacks, such as keyword attack selection, and the security of the protocol is proved.
Drawings
FIG. 1 is a flow chart of the method of the present invention.
FIG. 2 is a schematic diagram of a dynamic searchable encryption system model that satisfies a single read-single write architecture according to an embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention is provided to facilitate understanding of the present invention by those skilled in the art, but it should be understood that the present invention is not limited to the scope of the embodiments, and all the inventions which make use of the inventive concept are protected by the spirit and scope of the present invention as defined and defined in the appended claims to those skilled in the art.
Examples
As shown in fig. 1 to 2, the invention provides an inadvertent dynamic searchable encryption method, which comprises a bottom layer module (Labeled PSI) and an application layer, wherein the bottom layer module is mainly used for supporting the implementation of an application layer search algorithm, and the technical structure of the bottom layer module consists of Oblivious Key-Value Stores (OKVS for inadvertent key Value storage) and Vector Oblivious Linear Evaluation (VOLE for transparent vector linear estimation), and mainly comprises two entities, namely a Sender processor Sender and a Receiver processor Receiver. Wherein, the Sender processor Sender holds a data set X, and for any X epsilon X, the Sender processor Sender holds a group of corresponding tag sets { Lx|x epsilon X }, and the Receiver processor Receiver holds a data set Y; the technical architecture consists of Oblivious Key-Value Stores (OKVS) and Vector Oblivious Linear Evaluation (VOLE). The dynamic searchable encryption scheme related to the invention can be divided into three stages of Setup, update and Search, and is based on a special secondary index structure, wherein the index structure comprises keyword index chains (Keyword index chain, KIC) and document index chains (Document index chain, DIC), the keyword index chains KIC are used for storing keyword Update information, the document index chains DIC are used for storing encrypted document information, each keyword w corresponds to one keyword index chain KIC, each keyword index chain KIC comprises n nodes, each node represents one Update operation of the keyword, and the node is linked with one document index chain DIC, and each node of the document index chains DIC corresponds to one encrypted keyword/document pair. The Labeled PSI protocol is a labeled unbalanced privacy set intersection technology. The implementation method is as follows:
S1, constructing Labeled PSI protocols based on OKVS and VOLE technical frameworks by using an encoding algorithm and a decoding algorithm expressed in a formal manner based on a receiver processor and a sender processor at a bottom layer module, and obtaining an intersection result Z and a corresponding label by the receiver processor, wherein the intersection result Z is a keyword set to be searched, and a document identifier set corresponding to the keyword is stored in the corresponding label, and the implementation method is as follows:
S101, generating a random matrix M by a receiver processor according to a key value set (k, v), wherein each row of the random matrix M comprises a random block with fixed length and random starting position, k represents the key set, and v represents a value vector, and the implementation method is as follows:
a1, generating a random matrix M by a receiver processor according to a key value set (k, v), wherein each row of the random matrix M comprises a random block with a fixed length b w and a random starting position;
a2, for each row in the random matrix M, randomly selecting s i as a random block starting position of the ith row by a receiver processor;
a3, generating a b w -bit random block element by using a random predictor according to a key k i corresponding to each row i of the matrix.
In this embodiment, the Receiver processor Receiver generates a random matrix M ε F n×m, each row of which includes a random block of length b w, except that the elements in the random block are randomly taken from {0,1}, the elements outside the block are all 0, for each row i ε [1, n ] in the random matrix, the Receiver processor Receiver randomly selects s i←H(ki) as the starting position of the random block for the ith row, where k i represents the ith key, and then generates the random block elements of bits b w using a random predictor
S102, according to random block elements, a coding algorithm of OKVS is expressed in a formalized mode to solve z in a linear system M.z=v, wherein z represents a coding result of a key value set after OKVS coding, and the implementation method is as follows:
B1, sequencing by a receiver processor according to the starting position s i of each row of random blocks in the random matrix M, and re-labeling;
B2, traversing random block elements of each row in the random matrix M by a receiver processor, and when M [ i ] [ j ] =1, processing all elements meeting M [ i '] [ j ] =1, i' > i and s i is less than or equal to j by using the following formula:
wherein, mi represents the elements of the ith row and the jth column in the random matrix M, mi represents all the elements of the ith row in the random matrix M, v i ' represents the elements of the ith row in the value vector, s i represents the initial column position of the ith row random block in the random matrix M, mi ' represents all the elements of the ith row in the random matrix M, v i represents the elements of the ith row in the value vector, mi ' j represents the elements of the jth column in the random matrix M, wherein, the jth column of the random matrix M subjected to row processing operation has only the elements of the ith row as 1, and the elements of the ith row are all 0;
And B3, according to the processing result of the step B2, solving z in the linear system by utilizing the following formula, wherein when a certain row element is 0 in the row processing process, the z is directly made to be ≡F m, otherwise:
zi=<zi,M[i]>+vi
Where F m represents a vector space with dimension m, z i represents the i-th row element of z, and v i represents the i-th row element in the value vector.
In this embodiment, the encoding algorithm Encode of OKVS is calculated in this step, OKVS is expressed in a formalized form, i.e., the linear system mxz=v needs to be solved, where v= { v 1,v2,...,vn }, M is a random matrix generated from { k 1,k2,...,kn } in I, v represents a value set, v n represents an n-th element, k n represents an n-th element, and I represents a key value set;
The Receiver processor Receiver calculates P=OKVS.Encode (I), wherein the input parameter is I= { (k 1,v1),(k2,v2),...,(kn,vn) }, P represents information coded by OKVS coding algorithm, k n,vn represents nth key and value respectively, firstly the Receiver processor Receiver needs to order according to the starting position s i of each row of random block of the random matrix M and re-label, s 1≤s2≤...≤sn,sn represents the starting position of the nth row of random block in the random matrix M, then the Receiver processor Receiver traverses the random block element j of each row of the random matrix, if M [ I ] [ j ] = 1, all rows I 'satisfying I' > I & s i′ +.j are processed:
Finally, solving the solution z of the linear system according to z i=<zi,M[i]>+vi, and if a certain row element is found to be 0 in the row processing process, directly letting z+.F m.
S103, recovering a value v i corresponding to a given arbitrary key k i by a decoding algorithm of formal representation OKVS according to the obtained z, wherein the implementation method is as follows:
c1, let v be≡0, calculate the random block start position s≡H (k) corresponding to given arbitrary key k value and element in random block Wherein v represents a value corresponding to a given arbitrary key k value, H (·) represents a random hash function, b w represents the length of each row of random block of the random matrix M, and k represents an arbitrary key to be decoded;
C2, according to the calculation result of the step C1, for j E [1, b w ], v++u [ j ' ]. Z [ s+j-1] is calculated as the last return value, and the recovery of the value v i corresponding to the given arbitrary key k i is completed, wherein j represents the column position of each row of random block in the random matrix M, u [ j ' ] represents the j ' th bit element of the random block, and s represents the starting position of the random block.
In this embodiment, this step calculates OKVS a decoding algorithm Decode, which in formalized representation OKVS, i.e., given an arbitrary key value k, the decoder can recover its corresponding value v;
the decoding party has a solution z of a linear system and an arbitrary key value k; let v+.0, the decoder first calculates the random block start position s+.H (k) corresponding to the key and the elements in the block Then for j e 1, b w, and calculating v ≡ v+u [ j ] & z [ s+j-1] as the last return value.
S104, in order to construct Labeled PSI protocols, a receiver processor encodes all keys based on OKVS and encapsulates the encoding results by using a VOLE protocol, wherein after the sender processor and the receiver processor call the VOLE protocol, the sender processor obtains parameters delta, B, the receiver processor obtains parameters A and C and satisfies C=delta A+B, labeled PSI protocols encapsulate OKVS encoding results by using random variables, the encapsulation process is that the receiver processor encapsulates A '=A+P and transmits the A' =A+P to the sender processor, and the sender processor encapsulates K=delta A '+B so that the parameters A and C=delta A' +B are satisfied:
K=ΔA'+B=Δ(A+P)+B=ΔA+B+ΔP=C+ΔP
Wherein Δ represents a random scalar generated by the VOLE protocol function module, a, B, and C each represent a random vector generated by the VOLE protocol function module, and satisfy c=Δa+b, a' represents a mask after information is encapsulated, K represents an intermediate calculation vector of the sender processor, and P represents an encoding result after the receiver processor dataset is OKVS encoded, which is implemented as follows:
d1, in order to construct Labeled PSI protocols, a VOLE protocol is called by both a sender processor and a receiver processor, wherein the receiver processor encodes all keys based on OKVS and encapsulates the encoding result by utilizing the VOLE protocol;
d2, after the operation of the VOLE protocol is finished, receiving and obtaining parameters delta and B by a sender processor, and receiving and obtaining parameters A and C by a receiver processor, wherein delta represents a random scalar generated by a VOLE protocol function module, A, B and C represent random vectors generated by the VOLE protocol function module, and C=delta A+B is satisfied;
D3, encapsulating the a 'by the receiver processor, and transmitting the a' to the sender processor by using the following formula:
A'=A+P
Wherein P represents the coding result of OKVS by the receiver, A' represents the mask after the information is packaged;
d4, according to a', calculating K by the sender processor using:
K=ΔA'+B=Δ(A+P)+B=ΔA+B+ΔP=C+ΔP
Where K represents the intermediate calculation vector of the sender processor and P represents the encoding result of the receiver processor dataset after OKVS encoding.
S105, according to the packaging result, based on OKVS decoding algorithm of S103, by respectively calculating X ', L ' and Y ', the intersection result Z and the corresponding label are obtained by the receiver processor, and the construction of Labeled PSI protocol is completed:
Z=X'∩Y'
wherein, Z represents Labeled PSI final intersection result of protocol, X ' represents mask ciphertext of local set X of sender processor, L ' represents ciphertext set after encrypting document identifier L, namely encrypted document identifier corresponding to keyword in encryption database EDB, Y ' represents mask ciphertext of local set Y of receiver processor, and the implementation method is as follows:
E1, according to the encapsulation result, based on OKVS decoding algorithm of S103, the sender processor calculates X 'and L' by using the following formulas respectively:
X'={Ho(Decode(K,x)-ΔHF(x))|x∈X}
L'={Sym_En(Kdoc,l)|l∈L[x]}
Wherein, H o and H F each represent a random hash function, decode (K, X) represents a decoding operation of OKVS, K represents an intermediate calculation vector of a sender processor, X represents an element in a set X, namely a keyword, sym_En represents a secure symmetric encryption algorithm, K doc represents a document encryption key, lx represents a set of document identifiers corresponding to the element X, L represents one element in the set of document identifiers Lx, and X represents a set of Labeled PSI protocols used by a server;
E2, calculating Y 'by the access processor by using the following formula, and sending the Y' to the sender processor;
Y'={H°(Decode(C,y),y)|y∈Y}
wherein Decode (C, Y) represents the decoding operation of OKVS, Y represents an element in the set Y, i.e., a keyword, C represents a random vector generated by the VOLE protocol;
E3, according to the X 'and the Y', calculating Z by using the following formula to obtain the result of the original data set X and Y:
Z=X'∩Y'
And E4, obtaining a corresponding label { Lz|z epsilon Z } according to Z, and completing construction of Labeled PSI protocols, wherein Lz represents a document identifier set corresponding to the intersection set element Z.
S2, negotiating a database updating method by the client and the server together at an application layer, encrypting a plaintext document and completing ciphertext database updating operation, negotiating a database searching method by the client and the server together, completing unintentional dynamic searchability of multiple keywords based on Labeled PSI protocols, decrypting the document after obtaining a searching result by the client, and realizing the method as follows:
S201, respectively generating a secret key, an empty keyword state table and an empty encryption database at a client;
In this embodiment, the Client generates the key { K s,Kdoc }, an empty key state table σ, and an empty encryption database EDB.
S202, respectively generating a secret key, an empty keyword state table and an empty encryption database at a client, wherein the implementation method comprises the following steps:
F1, generating a series of empty lists T w,Tkw,Tdic,Tcount,Tupdate by the client, wherein a table T w is used for storing keyword information in the updating process, a table T kw is used for storing mapping from a keyword w to a keyword token kt w, a table T dic is used for storing ciphertext information on a document index chain DIC, a table T count is used for storing the number of documents corresponding to the keyword w, and a table T update is used for storing all ciphertext information in the updating process;
F2, extracting documents one by one in a document database DB by a client, calculating a table T w by the client for any keyword w, and searching the keyword sigma [ w ] from a local keyword state table;
f3, responding to the fact that the keyword sigma [ w ] is not found, enabling sigma [ w ] ≡0, and calculating to obtain the latest update times n update of the keyword w;
F4, according to the calculation result of the step F3, the client searches (kt w,stw)←Tkw [ w ] from the table T kw, and if not found, kt w←F(Ks, w) is calculated, And T kw←Tkw∪{w,(ktw,stw), where T kw [ w ] represents the mapping of the keyword w to the keyword token kt w and the search token st w, F (K s, w) represents a pseudo-random function, H () represents a hash function,The latest update times of the keyword w are represented;
F5, according to the calculation result of the step F4, searching T count [ w ] from a table T count by the client, and in response to the fact that the T count [ w ] is not found, making T count [ w ] ≡0 and obtaining c w←Tcount [ w ] +1, wherein T count [ w ] represents and stores a list of the number of document identifiers corresponding to the keyword w, and c w represents the number of documents corresponding to the keyword w in the updating operation process;
F6, according to the calculation result of the step F5, calculating to obtain calculation document encryption information loc (i.e. H (st w,cw)、eid←Sym_En(Kdoc, id)) and T dic[stw]←Tdic[stw { (loc, eid) }, wherein loc represents the address of each node of the document index chain DIC, eid represents the ciphertext encrypted by the document identifier id, sym_En represents symmetric encryption operation, K doc represents a document encryption key, and T dic[stw represents a document index chain corresponding to the search token st w;
F7, for any keyword w E T w, computing sigma [ w ] ≡sigma [ w ] +1, (kt w,stw)←Tkw[w]、cw←Tcount [ w ] and And (kt w,(value,Tdic[stw ])) is saved in a table T update, and the table T update is sent to a server by a client, wherein the table T w stores all keyword sets involved in the updating process, sigma [ w ] represents a client local keyword state table, c w represents the number of documents corresponding to the keyword w in the updating process, T count [ w ] represents the number of documents corresponding to the keyword w, value represents an operation information mask of the updating process, G () represents a hash function, op represents an operation type, op=0 represents a document adding operation, op=1 represents a document deleting operation, lambda represents a calculation security parameter;
and F8, merging the table T update with the encryption database EDB by the server to finish updating operation of the ciphertext database.
In this embodiment, the Client and the Server together negotiate a database Update algorithm Update.
In this embodiment, the Client first generates a series of empty lists T w,Tkw,Tdic,Tcount,Tupdate, where T w is used to store keyword information in the current update process, T kw is used to store a mapping from the keyword w to the keyword token kt w, T dic is used to store ciphertext information on the DIC, T count is used to store the number of documents corresponding to the keyword w, and T update is used to store all ciphertext information in the current update process;
client first reads from document database The method comprises the steps of extracting documents doc= (id, W id) one by one, calculating T w←Tw { W } for any W epsilon W id by a Client, searching a local keyword state table for the keyword sigma [ W ], if not, enabling sigma [ W ]. Times of 0 to be found, obtaining the latest update times n update +% sigma [ W ] +1 of the keyword W, and searching (kt w,stw)←Tkw [ W ] from a list T kw by the Client, if not, calculating kt w←F(Ks, W), and,T kw←Tkw∪{w,(ktw,stw); the Client searches T count [ w ] from the list T count, if not, T count [ w ] ≡0 is caused to obtain c w←Tcount [ w ] +1, and then document encryption information loc≡H (st w,cw)、eid←Sym_En(Kdoc, id) and T dic[stw]←Tdic[stw ≡ { (loc, eid) } are calculated;
Table T w holds all keyword sets in the current update process, and for any w ε T w, client computes σ [ w ] ≡σ [ w ] +1, (kt w,stw)←Tkw[w]、cw←Tcount [ w ] and And (kt w,(value,Tdic[stw ])) is saved in a table T update, finally, the Client sends the list T update to the Server, and the Server merges the list T update with the encryption database EDB, namely EDB≡EDB u T update.
S203, negotiating a database searching method by the client and the server together according to the updating result, completing the unintentional dynamic searchability of the multiple keywords based on Labeled PSI protocol, decrypting the document after obtaining the searching result by the client, and realizing the method as follows:
G1, generating Y 'by a client according to an updating result, R' is { }, kt w←F(Ks,w)、stw←H(ktw and sigma [ w ] are calculated for any keyword w, and a search token st w is stored to Y ', wherein Y' represents a set of the client for Labeled PSI protocol, R represents a final result set, kt w represents a keyword token, F (K s, w) represents a pseudo-random function, st w represents a search token, H () represents a hash function, sigma [ w ] represents a keyword, and kt w represents a keyword token;
G2, generating X ", lx≡ { }, for the encryption database EDB, calculating st w←H(ktw,ci by the server, wherein X" represents the set of servers for Labeled PSI protocol, lx represents the set of document identifiers for the corresponding element X, c i represents the c i th node;
G3, according to the generated search token st w, op and c w are obtained through calculation by using the following formula:
(op||cw)←value⊕G(stw,1λ)
Wherein c w represents the number of documents corresponding to the keyword w in the update operation process, value represents an operation information mask corresponding to the update process, G () represents a hash function, op represents an operation type, op=0 represents a document adding operation, op=1 represents a document deleting operation, and λ represents a calculation security parameter;
G4, from 1 to c w, calculating to obtain loc (H) (st w, j) and Eid (EDB) (loc), wherein loc represents the address of the j-th node of the document index chain DIC, and the encrypted ciphertext of the Eid document identifier id, and EDB represents an encrypted database;
G5, saving, by the server, the search token st w to X ", and adding the encrypted document identifier of op=0 to lx, removing the document encrypted identifier of op=1 from lx;
G6, the client and the server call Labeled PSI the protocol together, after Labeled PSI the protocol is operated, the client receives the final result intersection I=X '-U Y' and { L [ Y '] |y' ∈I } corresponding to the intersection element, wherein L [ Y '] represents the encrypted document to be searched by the client, and Y' represents the intersection element;
and G7, saving the L [ y' ] to the set R by the client, decrypting the document by using the key, and completing the encryption processing of the unintentional dynamic searchable.
In this embodiment, the Client and the Server together negotiate a database Search algorithm Search.
In this embodiment, the Client generates Y ", r≡ { }, calculates kt w←F(Ks,w)、stw←H(ktw, σ [ w ]) for any w∈q, and saves the search token st w to Y"; the Server generates X ", lx ] ≡ { }, calculates st w←H(ktw, i) for the encryption database EDB, where i=1, 2, and calculates from the generated st w Op and c w are obtained, then loc≡H (st w, j), eid≡EDB [ loc ], where j ε [1, c w ]; the Server saves the search token st w to X ", adds the encrypted document identifier of op=0 to Lx, and removes the document encrypted identifier of op=1 from Lx; the Client and the Server call Labeled PSI the protocol together, wherein the Client plays the role of Receiver processor Receiver, the Server plays the role of Sender processor Sender, after the protocol runs, the Client receives the final result intersection I=X". U.Y "and { L [ Y '] |y'. E.I } corresponding to the intersection element, the Client saves the final result L [ Y ] into the set R, and decrypts the document by using the key K doc.
In this embodiment, the present invention is a dynamic searchable encryption model based on a single read single write system model. The invention can be divided into three stages of Setup, update and Search, wherein in the Update stage, the constructed secondary index structure comprises a keyword index chain KIC and a document index chain DIC, namely the part of a dotted line box in figure 2, and in the Search stage, keyword searching is carried out by calling Labeled PSI modules.
In the embodiment, the method and the device are mainly applicable to dynamic data updating scenes and are divided into two entities, namely a Client and a Server. The data document doc= (id, W id) contains a unique document identifier id e {0,1} * and a set of keywords W id, in a plaintext databaseIn (c), the document identifier set corresponding to the keyword W is set as DB (W) = { id|w e W id }. In Setup phase, client generates two symmetric encryption keys K s and K doc, an empty keyword state table σ and an empty ciphertext database EDB, where K s is used for encryption generation of various tokens, K doc is used for encryption of document identifiers, σ is used for saving the number of updates of each keyword
In this embodiment, in order to improve data updating efficiency and reduce communication complexity, the present invention optimizes a traditional inverted index structure and adjusts the structure into a secondary index structure, which includes a keyword index chain KIC and a document index chain DIC. If each update operation is only for one keyword/document pair, the length of the keyword index chain KIC will become longer and one keyword/document set at a time can be processed by introducing the document index chain DIC.
Due to plaintext databasesSimilar to the forward index structure, to encrypt it according to the index structure, a temporary empty mapping table T w,Tkw,Tdic,Tcount,Tupdate needs to be introduced, and each mapping table function is as described above, so the Update phase Client includes the following steps:
Step S1, client side is from plaintext database Extracting a document doc= (id, W id), and storing a keyword W corresponding to the document to T w;
step S2, calculating the latest update times of the keyword w If the keyword w information is not stored in the keyword state table sigma in the process, making sigma [ w ] ≡0;
Step S3, if the information of the keyword w is stored in the mapping table T kw, directly extracting (kt w,stw)←Tkw [ w ]; if the keyword w is processed for the first time, calculating a keyword token kt w and a search token st w corresponding to the keyword w, wherein the formula is as follows:
and saves it into mapping table T kw, i.e., T kw←Tkw∪{w,(ktw,stw);
Step S4, calculating the number c w of document identifiers added to DIC by the keyword w in the round, if the information of the keyword w is stored in the mapping table T count, making c w←Tcount [ w ] +1, otherwise, making T count [ w ] > be less than 0, and calculating the value of c w;
Step S5, calculating encrypted document information loc≡H (st w,cw)、eid←Sym_En(Kdoc, id) and T dic[stw]←Tdic[stw { (loc, eid) };
Repeating S1 to S5 until all documents in the plaintext document database DB are processed, wherein a table T w stores all keyword sets in the updating process, and aiming at all w epsilon T w, constructing a ciphertext database EDB according to the index structure;
Step S6, calculating sigma [ w ] ≡sigma [ w ] +1, (kt w,stw)←Tkw[w]、cw←Tcount [ w ] and value ≡G (st w,1λ)⊕(op||cw) for any keyword w epsilon T w by the Client, wherein value is information stored by a KIC node and comprises the corresponding keyword w update type (op=0 is an adding operation and op=1 is a deleting operation) and the number of documents corresponding to the keyword w c w in the updating process, and storing (kt w,(value,Tdic[stw) in a table T update by the Client and sending the information to a Server.
The Update phase Server updates the local ciphertext database EDB according to the table T update.
Because Labeled PSI protocol is used to ensure the safe operation of the Search mechanism in the Search stage, some safety parameters need to be preset before the formal operation of the protocol to initialize the data set, the Server acts as a Sender role and the Client acts as a Receiver role in the protocol operation stage. In the dynamic searchable encryption Search mechanism provided by the embodiment of the present invention, the Search stage needs the Client side and the Server Fang Shou to generate the data set of locally running Labeled PSI protocol, and mainly includes the following steps:
step S1, client generates a local data set Y' according to a search keyword set Q, and calculates kt w←F(Ks, w) and st w←H(ktw, sigma [ w ] for any keyword w epsilon Q, wherein F is a pseudo-random function, H is a random hash function, sigma is a keyword state table locally held by the Client;
Step S2, the Server generates a local data set X 'according to the ciphertext database EDB, generates a label set L [ X ] corresponding to any X E X', calculates st w←H(ktw, i) and i=1, 2 according to the generated st w, calculates (op|c w)←value⊕G(stw,1λ) to obtain operation types op of all nodes on the KIC and the number c w of the nodes corresponding to the DIC, and then calculates
Loc≡h (st w,j),j=1,2,...,cw and eid≡edb [ loc ];
And step S3, the Server saves all st w to a data set X' and processes the documents corresponding to the keywords according to the operation type op. Specifically, the encrypted document identifier of op=0 is saved to the data set L [ x ], and the encrypted document identifier of op=1 is removed from the data set L [ x ];
step S4, the Client and the Server call Labeled PSI the protocol together, wherein the Client plays the role of Receiver processor Receiver, the Server plays the role of Sender processor Sender, the protocol operation is finished, the Client receives the final result intersection I=X ', U Y' and { L [ Y '] |y' ∈I } corresponding to the intersection element;
Because the Client uses the latest updating times sigma [ w ] of each keyword to dynamically generate a search token st w, the Client cannot obtain a search result by using the previous search token st w', and the forward privacy security of a user is ensured;
and S5, the Client uses the key K doc to decrypt the data set L [ y' ] to obtain a final plaintext result.
Those of ordinary skill in the art will appreciate that the embodiments described herein are intended to aid the reader in understanding the practice of the invention and that the scope of the invention is not limited to such specific statements and embodiments. Those of ordinary skill in the art can make various other specific modifications and combinations from the teachings of the present disclosure without departing from the spirit thereof, and such modifications and combinations remain within the scope of the present disclosure.

Claims (10)

1.一种不经意动态可搜索加密方法,其特征在于,包括以下步骤:1. A method for inadvertent dynamic searchable encryption, characterized in that it comprises the following steps: S1、在底层模块,基于接收方处理器与发送方处理器,利用以形式化表示OKVS的编码算法和解码算法,并基于OKVS以及VOLE技术框架构建Labeled PSI协议,由接收方处理器得到交集结果Z及对应的标签,其中,交集结果Z为所要查找的关键词集合,对应的标签中保存有关键词对应的文档标识符集合;S1. In the bottom layer module, based on the receiving processor and the sending processor, the encoding algorithm and decoding algorithm of the OKVS are formally represented, and the Labeled PSI protocol is constructed based on the OKVS and VOLE technical framework. The receiving processor obtains the intersection result Z and the corresponding label, where the intersection result Z is the keyword set to be searched, and the corresponding label stores the document identifier set corresponding to the keyword; S2、在应用层,由客户端和服务器共同协商一数据库更新方法,对明文文档进行加密处理,并完成密文数据库更新操作;并由客户端和服务器共同协商一数据库搜索方法,基于Labeled PSI协议完成多关键词的不经意动态可搜索,由客户端得到搜索结果后对文档进行解密。S2. At the application layer, the client and the server jointly negotiate a database update method, encrypt the plaintext document, and complete the ciphertext database update operation; and the client and the server jointly negotiate a database search method, complete multi-keyword dynamic search based on the Labeled PSI protocol, and the client decrypts the document after obtaining the search results. 2.根据权利要求1所述的不经意动态可搜索加密方法,其特征在于,所述步骤S1包括以下步骤:2. The inadvertent dynamic searchable encryption method according to claim 1, wherein step S1 comprises the following steps: S101、由接收方处理器根据键值集合(k,v)生成一随机矩阵M,其中,随机矩阵M的每一行均包括一个固定长度、起始位置随机的随机块,k表示键集合,v表示值向量;S101, a receiving processor generates a random matrix M according to a key value set (k, v), wherein each row of the random matrix M includes a random block of a fixed length and a random starting position, k represents the key set, and v represents the value vector; S102、根据随机块元素,以形式化表示OKVS的编码算法,以求解线性系统M·z=v中的z;其中,z表示键值集合经过OKVS编码后的编码结果;S102, formalizing the encoding algorithm of OKVS according to the random block elements to solve z in the linear system M·z=v; wherein z represents the encoding result of the key value set after OKVS encoding; S103、根据求解得到的z,以形式化表示OKVS的解码算法,恢复给定任意键ki对应的值viS103, based on the solved z, a decoding algorithm of OKVS is formally represented to restore the value vi corresponding to any given key k i ; S104、为构建Labeled PSI协议,由接收方处理器基于OKVS对所有键进行编码,并利用VOLE协议封装编码结果;其中,发送方处理器和接收方处理器调用VOLE协议后,发送方处理器得到参数Δ,B,接收方处理器得到参数A,C,且满足C=ΔA+B;Labeled PSI协议利用随机变量对OKVS编码结果进行封装,封装过程为:接收方处理器封装A'=A+P,并将其传输给发送方处理器;发送方处理器封装K=ΔA'+B,使得其满足:S104. To construct the Labeled PSI protocol, the receiving processor encodes all keys based on OKVS and encapsulates the encoding results using the VOLE protocol. After the sending processor and the receiving processor call the VOLE protocol, the sending processor obtains parameters Δ,B, and the receiving processor obtains parameters A,C, and C=ΔA+B. The Labeled PSI protocol encapsulates the OKVS encoding results using random variables. The encapsulation process is as follows: the receiving processor encapsulates A'=A+P and transmits it to the sending processor; the sending processor encapsulates K=ΔA'+B, so that it satisfies: K=ΔA'+B=Δ(A+P)+B=ΔA+B+ΔP=C+ΔPK=ΔA'+B=Δ(A+P)+B=ΔA+B+ΔP=C+ΔP 其中,Δ表示VOLE协议功能模块生成的随机标量,A,B,C均表示VOLE协议功能模块生成的随机矢量,且满足C=ΔA+B,A'表示对信息进行封装后的掩码,P表示接收方处理器数据集经OKVS编码之后的编码结果,K表示发送方处理器的中间计算矢量;Wherein, Δ represents the random scalar generated by the VOLE protocol function module, A, B, and C all represent random vectors generated by the VOLE protocol function module, and satisfy C = ΔA + B, A' represents the mask after the information is encapsulated, P represents the encoding result of the receiving processor data set after OKVS encoding, and K represents the intermediate calculation vector of the sending processor; S105、根据封装结果,基于S103的OKVS解码算法,通过分别计算X'、L'以及Y',由接收方处理器得到交集结果Z及对应的标签,完成对Labeled PSI协议的构建:S105. According to the encapsulation result, based on the OKVS decoding algorithm of S103, by calculating X', L' and Y' respectively, the receiving processor obtains the intersection result Z and the corresponding label, and completes the construction of the Labeled PSI protocol: Z=X'∩Y'Z=X'∩Y' 其中,Z表示Labeled PSI协议最终的交集结果,X'表示发送方处理器本地集合X的掩码密文,L'表示对文档标识符l加密后的密文集合,Y'表示接收方处理器本地集合Y的掩码密文。Among them, Z represents the final intersection result of the Labeled PSI protocol, X' represents the masked ciphertext of the local set X of the sender processor, L' represents the ciphertext set after the document identifier l is encrypted, and Y' represents the masked ciphertext of the local set Y of the receiver processor. 3.根据权利要求2所述的不经意动态可搜索加密方法,其特征在于,所述步骤S101包括以下步骤:3. The inadvertent dynamic searchable encryption method according to claim 2, wherein step S101 comprises the following steps: A1、由接收方处理器根据键值集合(k,v)生成一随机矩阵M,其中,该随机矩阵M的每一行均包括一长度固定为bw、起始位置随机的随机块;A1. The receiving processor generates a random matrix M according to the key value set (k, v), wherein each row of the random matrix M includes a random block with a fixed length of b w and a random starting position; A2、对于随机矩阵M中的每一行,由接收方处理器随机选择si作为第i行的随机块起始位置;A2. For each row in the random matrix M, the receiving processor randomly selects si as the starting position of the random block in the i-th row; A3、根据矩阵每一行i对应的键ki,利用随机预言机生成bw位的随机块元素。A3. According to the key k i corresponding to each row i of the matrix, a random oracle is used to generate a random block element of b w bits. 4.根据权利要求2所述的不经意动态可搜索加密方法,其特征在于,所述步骤S102包括以下步骤:4. The inadvertent dynamic searchable encryption method according to claim 2, wherein step S102 comprises the following steps: B1、由接收方处理器根据随机矩阵M中每行随机块的起始位置si进行排序,并重新标号;B1. The receiving processor sorts the random blocks in each row in the random matrix M according to their starting positions si and renumbers them; B2、由接收方处理器遍历随机矩阵M中每一行的随机块元素,当M[i][j]=1时,则利用下式,对所有满足M[i'][j]=1、i'>i和si≤j的所有元素进行处理:B2. The receiving processor traverses the random block elements of each row in the random matrix M. When M[i][j]=1, the following formula is used to process all elements that satisfy M[i'][j]=1, i'>i and s i ≤j: 其中,M[i][j]表示随机矩阵M中第i行第j列的元素,M[i]表示随机矩阵M中第i行的所有元素,v[i']表示值向量中第i'行元素,si表示随机矩阵M中第i行随机块的起始列位置,M[i']表示随机矩阵M中第i'行的所有元素,v[i]表示值向量中第i行元素,M[i'][j]表示随机矩阵M中第i'行第j列元素,其中,经过行处理操作的随机矩阵M第j列只有第i行的元素为1,i'>i行的元素均为0;Wherein, M[i][j] represents the element in the i-th row and j-th column of the random matrix M, M[i] represents all elements in the i-th row of the random matrix M, v[i'] represents the element in the i'th row of the value vector, si represents the starting column position of the random block in the i-th row of the random matrix M, M[i'] represents all elements in the i'th row of the random matrix M, v[i] represents the element in the i-th row of the value vector, and M[i'][j] represents the element in the i'th row and j-th column of the random matrix M. Among them, after the row processing operation, only the elements in the i-th row of the j-th column of the random matrix M are 1, and the elements in the i'>i row are all 0; B3、根据步骤B2的处理结果,利用下式求解线性系统中的z,其中,当在行处理过程中,存在某一行元素全为0,则直接令z←Fm;否则:B3. According to the processing result of step B2, the following formula is used to solve z in the linear system, wherein, when there is a row whose elements are all 0 during the row processing, z←F m is directly set; otherwise: zi=<zi,M[i]>+vi z i = <z i ,M[i]> + v i 其中,Fm表示维度为m的向量空间,zi表示z的第i行元素,vi表示值向量中第i行元素。Where Fm represents a vector space of dimension m, zi represents the i-th row element of z, and vi represents the i-th row element in the value vector. 5.根据权利要求2所述的不经意动态可搜索加密方法,其特征在于,所述步骤S103包括以下步骤:5. The inadvertent dynamic searchable encryption method according to claim 2, wherein step S103 comprises the following steps: C1、令v←0,计算给定任意键k值对应的随机块起始位置s←H(k)以及随机块中元素其中,v表示给定任意键k值对应的值,H(·)表示随机哈希函数,bw表示随机矩阵M每一行随机块的长度,k表示需要进行解码的任意键;C1. Let v←0, calculate the starting position s←H(k) of the random block and the element in the random block corresponding to any key k value Where v represents the value corresponding to a given arbitrary key k, H(·) represents a random hash function, bw represents the length of each random block in the random matrix M, and k represents an arbitrary key to be decoded; C2、根据步骤C1的计算结果,对于j∈[1,bw],计算v←v+u[j']·z[s+j-1]为最后返回值,完成对给定任意键ki对应的值vi的恢复,其中,j表示随机矩阵M中每一行随机块的列位置,u[j']表示随机块的第j'位元素,s表示随机块的起始位置。C2. According to the calculation result of step C1, for j∈[1, bw ], calculate v←v+u[j']·z[s+j-1] as the final return value to complete the recovery of the value vi corresponding to any given key ki , where j represents the column position of each row of the random block in the random matrix M, u[j'] represents the j'th element of the random block, and s represents the starting position of the random block. 6.根据权利要求2所述的不经意动态可搜索加密方法,其特征在于,所述步骤S104包括以下步骤:6. The inadvertent dynamic searchable encryption method according to claim 2, wherein step S104 comprises the following steps: D1、为构建Labeled PSI协议,由发送方处理器和接收方处理器双方调用VOLE协议,其中,接收方处理器基于OKVS对所有键进行编码,并利用VOLE协议封装编码结果;D1. To build the Labeled PSI protocol, the sending processor and the receiving processor both call the VOLE protocol, where the receiving processor encodes all keys based on OKVS and encapsulates the encoding results using the VOLE protocol; D2、在VOLE协议运行结束后,由发送方处理器接收并得到参数Δ,B,由接收方处理器接收并得到参数A,C,其中,Δ表示VOLE协议功能模块生成的随机标量,A,B,C均表示VOLE协议功能模块生成的随机矢量,并且满足C=ΔA+B;D2. After the VOLE protocol runs, the sending processor receives and obtains the parameter Δ,B, and the receiving processor receives and obtains the parameter A,C, where Δ represents the random scalar generated by the VOLE protocol function module, and A, B, and C all represent the random vector generated by the VOLE protocol function module, and satisfy C = ΔA + B; D3、由接收方处理器,利用下式进行对A'进行封装,并将A'发送至发送方处理器:D3. The receiving processor uses the following formula to encapsulate A' and sends A' to the sending processor: A'=A+PA'=A+P 其中,P表示接收方进行OKVS的编码结果,A'表示对信息进行封装后的掩码;Wherein, P represents the encoding result of OKVS performed by the receiver, and A' represents the mask after encapsulating the information; D4、根据A',由发送方处理器,利用下式计算K:D4. Based on A', the sending processor calculates K using the following formula: K=ΔA'+B=Δ(A+P)+B=ΔA+B+ΔP=C+ΔPK=ΔA'+B=Δ(A+P)+B=ΔA+B+ΔP=C+ΔP 其中,K表示发送方处理器的中间计算矢量,P表示接收方处理器数据集经OKVS编码之后的编码结果。Wherein, K represents the intermediate calculation vector of the sending processor, and P represents the encoding result of the receiving processor data set after OKVS encoding. 7.根据权利要求2所述的不经意动态可搜索加密方法,其特征在于,所述步骤S105包括以下步骤:7. The inadvertent dynamic searchable encryption method according to claim 2, wherein step S105 comprises the following steps: E1、根据封装结果,基于S103的OKVS解码算法,由发送方处理器分别利用下式计算得到X'和L':E1. According to the encapsulation result, based on the OKVS decoding algorithm of S103, the sending processor calculates X' and L' using the following formulas: X'={H°(Decode(K,x)-ΔHF(x))|x∈X}X'={H°(Decode(K,x)-ΔH F (x))|x∈X} L'={Sym_En(Kdoc,l)|l∈L[x]}L'={Sym_En(K doc ,l)|l∈L[x]} 其中,H°和HF均表示随机哈希函数,Decode(K,x)表示OKVS的解码操作,K表示发送方处理器的中间计算矢量,x表示集合X中的元素,Sym_En表示安全对称加密算法,Kdoc表示文档加密密钥,L[x]表示元素x对应的文档标识符集合,l表示文档标识符集合L[x]中的一个元素,X表示服务器用于Labeled PSI协议的集合;Where H° and H F both represent random hash functions, Decode(K,x) represents the decoding operation of OKVS, K represents the intermediate calculation vector of the sender processor, x represents an element in the set X, Sym_En represents a secure symmetric encryption algorithm, K doc represents a document encryption key, L[x] represents the document identifier set corresponding to the element x, l represents an element in the document identifier set L[x], and X represents the set used by the server for the Labeled PSI protocol; E2、由接入方处理器,利用下式计算得到Y',并发送至发送方处理器;E2. The access-side processor calculates Y' using the following formula and sends it to the sender processor; Y'={H°(Decode(C,y),y)|y∈Y}Y'={H°(Decode(C,y),y)|y∈Y} 其中,Decode(C,y)表示OKVS的解码操作,y表示集合Y中的元素,C表示由VOLE协议生成的随机矢量;Where Decode(C,y) represents the decoding operation of OKVS, y represents the element in the set Y, and C represents the random vector generated by the VOLE protocol; E3、根据X'和Y',利用下式,计算得到Z,即得到原始数据集X∩Y的结果:E3. According to X' and Y', use the following formula to calculate Z, that is, the result of the original data set X∩Y: Z=X'∩Y'Z=X'∩Y' E4、根据Z,得到对应的标签{L[z]|z∈Z},完成对Labeled PSI协议的构建,其中,L[z]表示交集集合元素z对应的文档标识符集合。E4. According to Z, the corresponding label {L[z]|z∈Z} is obtained to complete the construction of the Labeled PSI protocol, where L[z] represents the set of document identifiers corresponding to the intersection set element z. 8.根据权利要求1所述的不经意动态可搜索加密方法,其特征在于,所述步骤S2包括以下步骤:8. The inadvertent dynamic searchable encryption method according to claim 1, wherein step S2 comprises the following steps: S201、在客户端分别生成密钥、一个空的关键词状态表以及一个空的加密数据库;S201, generating a key, an empty keyword status table and an empty encryption database on the client; S202、由客户端和服务器共同协商一数据库更新方法,对明文文档进行加密处理,并完成密文数据库更新操作;S202, the client and the server jointly negotiate a database update method, encrypt the plaintext document, and complete the ciphertext database update operation; S203、根据更新结果,由客户端和服务器共同协商一数据库搜索方法,基于LabeledPSI协议完成多关键词的不经意动态可搜索,由客户端得到搜索结果后对文档进行解密。S203. According to the update result, the client and the server jointly negotiate a database search method, and perform multi-keyword dynamic search based on the LabeledPSI protocol. After the client obtains the search result, it decrypts the document. 9.根据权利要求8所述的不经意动态可搜索加密方法,其特征在于,所述步骤S202包括以下步骤:9. The inadvertent dynamic searchable encryption method according to claim 8, wherein step S202 comprises the following steps: F1、由客户端生成一系列空列表Tw,Tkw,Tdic,Tcount,Tupdate,其中,表Tw用于保存本次更新过程中的关键词信息,表Tkw用于保存关键词w到关键词令牌ktw的映射,表Tdic用于保存文档索引链DIC上的密文信息,表Tcount用于保存关键词w对应文档的数量,表Tupdate用于保存本次更新过程中所有的密文信息;F1. The client generates a series of empty lists T w ,T kw ,T dic ,T count ,T update , where table T w is used to store keyword information in this update process, table T kw is used to store the mapping of keyword w to keyword token kt w , table T dic is used to store ciphertext information on the document index chain DIC, table T count is used to store the number of documents corresponding to keyword w, and table T update is used to store all ciphertext information in this update process; F2、由客户端在文档数据库DB中逐个提取文档,对于任意关键词w,由客户端计算表Tw,并从本地关键词状态表中查找该关键词σ[w];F2. The client extracts documents one by one from the document database DB. For any keyword w, the client calculates the table T w and searches for the keyword σ[w] from the local keyword state table. F3、响应于未找到关键词σ[w],则令σ[w]←0,并计算得到关键词w的最新更新次数nupdate←σ[w]+1;F3. In response to the keyword σ[w] not being found, σ[w]←0 is set, and the latest update number of the keyword w is calculated n update ←σ[w]+1; F4、根据步骤F3的计算结果,由客户端从表Tkw中查找(ktw,stw)←Tkw[w],响应于未找到,则计算ktw←F(Ks,w)、以及Tkw←Tkw∪{w,(ktw,stw)},其中,Tkw[w]表示关键词w到关键词令牌ktw和搜索令牌stw的映射,F(Ks,w)表示伪随机函数,H()表示哈希函数,表示关键词w的最新更新次数;F4. According to the calculation result of step F3, the client searches for (kt w ,st w )←T kw [w] in the table T kw . If it is not found, kt w ←F(K s ,w) is calculated. and T kw ←T kw ∪{w,(kt w ,st w )}, where T kw [w] represents the mapping of keyword w to keyword token kt w and search token st w , F(K s ,w) represents a pseudo-random function, H() represents a hash function, Indicates the latest update times of keyword w; F5、根据步骤F4的计算结果,由客户端从表Tcount中查找Tcount[w],响应于未找到,则令Tcount[w]←0,并得到cw←Tcount[w]+1,其中,Tcount[w]中表示保存有关键词w对应的文档标识符数量的列表,cw表示此次更新操作过程中关键词w对应的文档数量;F5. According to the calculation result of step F4, the client searches for T count [w] from table T count . If it is not found, T count [w] is set to ← 0, and c w ← T count [w] + 1 is obtained, where T count [w] represents a list of document identifiers corresponding to keyword w, and c w represents the number of documents corresponding to keyword w during this update operation. F6、根据步骤F5的计算结果,计算得到计算文档加密信息loc←H(stw,cw)、eid←Sym_En(Kdoc,id)以及Tdic[stw]←Tdic[stw]∪{(loc,eid)},其中,loc表示文档索引链DIC各个节点的地址,eid表示文档标识符id加密后的密文,Sym_En表示对称加密操作,Kdoc表示文档加密密钥,Tdic[stw]表示搜索令牌stw对应的文档索引链;F6. According to the calculation result of step F5, the document encryption information loc←H(st w ,c w ), eid←Sym_En(K doc ,id) and T dic [st w ]←T dic [st w ]∪{(loc,eid)} are calculated, where loc represents the address of each node of the document index chain DIC, eid represents the encrypted ciphertext of the document identifier id, Sym_En represents the symmetric encryption operation, K doc represents the document encryption key, and T dic [st w ] represents the document index chain corresponding to the search token st w ; F7、对于任意关键词w∈Tw,由客户端计算σ[w]←σ[w]+1、(ktw,stw)←Tkw[w]、cw←Tcount[w]以及value←G(stw,1λ)⊕(op||cw),并将(ktw,(value,Tdic[stw]))保存至表Tupdate中,并由客户端将表Tupdate发送至服务器,其中,表Tw中保存有本次更新过程中所涉及的所有关键词集合,σ[w]表示客户端本地关键词状态表,cw表示此次更新操作过程中关键词w对应的文档数量,Tcount[w]表示关键词w对应文档的数量,value表示本次更新过程的操作信息掩码,G()表示哈希函数,op表示操作类型,op=0表示文档添加操作,op=1表示文档删除操作,λ表示计算安全参数;F7. For any keyword w∈T w , the client calculates σ[w]←σ[w]+1, (kt w ,st w )←T kw [w], c w ←T count [w], and value←G(st w ,1 λ )⊕(op||c w ), and saves (kt w ,(value,T dic [st w ])) to table T update , and the client sends table T update to the server, where table T w stores all keyword sets involved in this update process, σ[w] represents the client local keyword status table, c w represents the number of documents corresponding to keyword w during this update operation, T count [w] represents the number of documents corresponding to keyword w, value represents the operation information mask of this update process, G() represents the hash function, op represents the operation type, op=0 represents the document addition operation, op=1 represents the document deletion operation, and λ represents the calculation security parameter; F8、由服务器将表Tupdate与加密数据库EDB合并,完成对密文数据库的更新操作。F8. The server merges table T update with the encrypted database EDB to complete the update operation on the ciphertext database. 10.根据权利要求8所述的不经意动态可搜索加密方法,其特征在于,所述步骤S203包括以下步骤:10. The inadvertent dynamic searchable encryption method according to claim 8, wherein step S203 comprises the following steps: G1、根据更新结果,由客户端生成Y”,R←{},对于任意关键词w,计算ktw←F(Ks,w)、stw←H(ktw,σ[w]),并将搜索令牌stw保存至Y”,其中,Y”表示客户端用于Labeled PSI协议的集合,R表示最终结果集合,ktw表示关键词令牌,F(Ks,w)表示伪随机函数,stw表示搜索令牌,H()表示哈希函数,σ[w]表示关键词,ktw表示关键词令牌;G1. According to the update result, the client generates Y”, R←{}, and for any keyword w, calculates kt w ←F(K s ,w), st w ←H(kt w ,σ[w]), and saves the search token st w to Y”, where Y” represents the set used by the client for the Labeled PSI protocol, R represents the final result set, kt w represents the keyword token, F(K s ,w) represents the pseudo-random function, st w represents the search token, H() represents the hash function, σ[w] represents the keyword, and kt w represents the keyword token; G2、由服务器生成X”,L[x]←{},对于加密数据库EDB,计算stw←H(ktw,ci),其中,X”表示服务器用于Labeled PSI协议的集合,L[x]表示对应元素x的文档标识符集合,ci表示第ci个节点;G2. The server generates X”, L[x]←{}, and for the encrypted database EDB, calculates st w ←H(kt w , ci ), where X” represents the set used by the server for the Labeled PSI protocol, L[x] represents the document identifier set corresponding to the element x, and ci represents the ci - th node; G3、根据生成的搜索令牌stw,利用下式计算得到op以及cwG3. According to the generated search token st w , op and c w are calculated using the following formula: (op||cw)←value⊕G(stw,1λ)(op||c w )←value⊕G(st w ,1 λ ) 其中,cw表示此次更新操作过程中关键词w对应的文档数量,value表示对应更新过程的操作信息掩码,G()表示哈希函数,op表示操作类型,op=0表示文档添加操作,op=1表示文档删除操作,λ表示计算安全参数;Where c w represents the number of documents corresponding to keyword w during this update operation, value represents the operation information mask of the corresponding update process, G() represents the hash function, op represents the operation type, op=0 represents the document adding operation, op=1 represents the document deleting operation, and λ represents the calculation security parameter; G4、从1到cw,计算得到loc←H(stw,j)和Eid←EDB[loc],其中,loc表示文档索引链DIC第j个节点的地址,Eid文档标识符id加密后的密文,EDB表示加密数据库;G4. From 1 to c w , loc←H(st w ,j) and Eid←EDB[loc] are calculated, where loc represents the address of the j-th node in the document index chain DIC, Eid is the encrypted ciphertext of the document identifier id, and EDB represents the encrypted database; G5、由服务器将搜索令牌stw保存至X”,并将op=0的加密文档标识符加入L[x],将op=1的文档加密标识符从L[x]中移除;G5. The server saves the search token st w to X", adds the encrypted document identifier of op=0 to L[x], and removes the encrypted document identifier of op=1 from L[x]; G6、由客户端和服务器共同调用Labeled PSI协议,在Labeled PSI协议运行后,由客户端收到最终的结果交集I=X”∩Y”以及交集元素对应的{L[y']|y'∈I},其中,L[y']表示客户端所要搜索的加密文档,y'表示交集集合元素;G6. The client and the server jointly call the Labeled PSI protocol. After the Labeled PSI protocol runs, the client receives the final result intersection I = X”∩Y” and {L[y']|y'∈I} corresponding to the intersection element, where L[y'] represents the encrypted document to be searched by the client, and y' represents the intersection set element; G7、由客户端将L[y']保存至集合R中,并利用密钥对文档进行解密,完成对不经意动态可搜索的加密处理。G7. The client saves L[y'] to the set R and uses the key to decrypt the document, completing the encryption processing of the inadvertent dynamic searchable document.
CN202411242931.2A 2024-09-05 2024-09-05 An oblivious dynamically searchable encryption method Active CN119203220B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202411242931.2A CN119203220B (en) 2024-09-05 2024-09-05 An oblivious dynamically searchable encryption method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202411242931.2A CN119203220B (en) 2024-09-05 2024-09-05 An oblivious dynamically searchable encryption method

Publications (2)

Publication Number Publication Date
CN119203220A true CN119203220A (en) 2024-12-27
CN119203220B CN119203220B (en) 2025-04-15

Family

ID=94062913

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202411242931.2A Active CN119203220B (en) 2024-09-05 2024-09-05 An oblivious dynamically searchable encryption method

Country Status (1)

Country Link
CN (1) CN119203220B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN120415724A (en) * 2025-07-01 2025-08-01 湖南天河国云科技有限公司 Secret transmission method, storage medium and system based on oblivious key-value pair storage
CN120408699A (en) * 2025-04-16 2025-08-01 中国传媒大学 Multi-user dynamic searchable encryption method based on LabeledPSI

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150149763A1 (en) * 2013-11-27 2015-05-28 Microsoft Corporation Server-Aided Private Set Intersection (PSI) with Data Transfer
US20160371684A1 (en) * 2015-06-22 2016-12-22 Bank Of America Corporation System of anonymous user creation based on oblivious transfer
CN109766314A (en) * 2019-01-07 2019-05-17 西安电子科技大学 Multi-keyword search method for ciphertext data based on probability trapdoor
US20190340381A1 (en) * 2016-12-30 2019-11-07 Robert Bosch Gmbh Method and System for Search Pattern Oblivious Dynamic Symmetric Searchable Encryption
CN114374518A (en) * 2021-12-08 2022-04-19 神州融安数字科技(北京)有限公司 PSI intersection information acquisition method and device with intersection counting function
CN116090009A (en) * 2023-01-18 2023-05-09 维沃移动通信有限公司 Data processing method, device, electronic equipment and readable storage medium
CN116305273A (en) * 2023-03-13 2023-06-23 北京航空航天大学 Verifiable joint keyword efficient search method, device, client and server
CN116915383A (en) * 2023-07-14 2023-10-20 中国传媒大学 Coding and decoding method, system, device and medium for inadvertent key value storage

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150149763A1 (en) * 2013-11-27 2015-05-28 Microsoft Corporation Server-Aided Private Set Intersection (PSI) with Data Transfer
US20160371684A1 (en) * 2015-06-22 2016-12-22 Bank Of America Corporation System of anonymous user creation based on oblivious transfer
US20190340381A1 (en) * 2016-12-30 2019-11-07 Robert Bosch Gmbh Method and System for Search Pattern Oblivious Dynamic Symmetric Searchable Encryption
CN109766314A (en) * 2019-01-07 2019-05-17 西安电子科技大学 Multi-keyword search method for ciphertext data based on probability trapdoor
CN114374518A (en) * 2021-12-08 2022-04-19 神州融安数字科技(北京)有限公司 PSI intersection information acquisition method and device with intersection counting function
CN116090009A (en) * 2023-01-18 2023-05-09 维沃移动通信有限公司 Data processing method, device, electronic equipment and readable storage medium
CN116305273A (en) * 2023-03-13 2023-06-23 北京航空航天大学 Verifiable joint keyword efficient search method, device, client and server
CN116915383A (en) * 2023-07-14 2023-10-20 中国传媒大学 Coding and decoding method, system, device and medium for inadvertent key value storage

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
ZHENGTAO JIANG: "Private Set Intersection Based on Lightweight Oblivious Key-Value Storage Structure", 《SYMMETRY》, vol. 15, no. 11, 31 December 2023 (2023-12-31) *
袁承昊: "多关键词动态可搜索加密方案", 《网络与信息安全学报》, vol. 9, no. 2, 30 April 2023 (2023-04-30) *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN120408699A (en) * 2025-04-16 2025-08-01 中国传媒大学 Multi-user dynamic searchable encryption method based on LabeledPSI
CN120408699B (en) * 2025-04-16 2025-11-11 中国传媒大学 LabeledPSI-based multi-user dynamic searchable encryption method
CN120415724A (en) * 2025-07-01 2025-08-01 湖南天河国云科技有限公司 Secret transmission method, storage medium and system based on oblivious key-value pair storage
CN120415724B (en) * 2025-07-01 2025-09-02 湖南天河国云科技有限公司 Secret transmission method, storage medium and system based on inadvertent key value pair storage

Also Published As

Publication number Publication date
CN119203220B (en) 2025-04-15

Similar Documents

Publication Publication Date Title
CN119203220B (en) An oblivious dynamically searchable encryption method
He et al. Secure dynamic searchable symmetric encryption with constant client storage cost
Zhang et al. A Covert Communication Method Using Special Bitcoin Addresses Generated by Vanitygen.
US8457304B2 (en) Efficient encoding processes and apparatus
CN109660555A (en) Content safety sharing method and system based on proxy re-encryption
EP3342090A1 (en) Method for providing encrypted data in a database and method for searching on encrypted data
CN115378693B (en) A hidden set intersection method for longitudinal federated learning data alignment
CN110413652A (en) A Big Data Privacy Retrieval Method Based on Edge Computing
Garg et al. TWORAM: round-optimal oblivious RAM with applications to searchable encryption
CN101394268A (en) Advanced Encryption System and Method Based on Generalized Information Domain
CN113300840B (en) Data random encryption communication method combining Hamming codes
CN117857028B (en) Efficient and extensible collusion-resistant multiparty privacy set intersection method and device
CN115396148A (en) List query method, system, medium, equipment and terminal for privacy protection
CN109495446B (en) Order-preserving encryption algorithm based on balanced sorting tree storage structure
Mainardi et al. Privacy preserving substring search protocol with polylogarithmic communication cost
CN118337381A (en) Interval-containing function-oriented function secret sharing construction method
CN115442024B (en) Chaos-based MapReduce data compression information protection method
CN116915383A (en) Coding and decoding method, system, device and medium for inadvertent key value storage
CN119652487B (en) Fuzzy privacy set intersection method, system, medium and electronic device
Kamara et al. Garbled circuits via structured encryption
Moataz et al. Chf-oram: a constant communication oram without homomorphic encryption
CN116155619B (en) Data processing method, data requester, data owner and data processing device
CN117478330A (en) Three-party privacy set intersection cardinality solving method based on bilinear mapping and bloom filter
Wu et al. Impossible differential cryptanalysis on ESF algorithm with simplified MILP model
CN116226876A (en) A security query method, system, electronic equipment, and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
TR01 Transfer of patent right
TR01 Transfer of patent right

Effective date of registration: 20260104

Address after: 100160 No. 219, 2nd Floor, Building C, Xin Hua International Center, Gao Li Zhuang, Huaxiang, Fengtai District, Beijing

Patentee after: BEIJING ZHIHENG NETWORK SECURITY TECHNOLOGY Co.,Ltd.

Country or region after: China

Address before: 100020 Beijing City Chaoyang District Changying Beichen Fudi Central Area Building 3 Unit 1 301

Patentee before: COMMUNICATION University OF CHINA

Country or region before: China