
CN105978696A - Revocable quick data outsourcing packaging method and device - Google Patents

Publication number: CN105978696A
Authority: CN (China)
Prior art keywords: data, trusted authority, access, selects, key
Legal status: Granted (Active)
Application number: CN201610302830.9A
Other languages: Chinese (zh)
Other versions: CN105978696B (en)
Inventors: 刘建伟, 刘巍然, 陶芮
Current Assignee: Beihang University
Original Assignee: Beihang University
Events: application filed by Beihang University; priority to CN201610302830.9A; publication of CN105978696A; application granted; publication of CN105978696B

Classifications

    • H04L9/3236 (H ELECTRICITY; H04 ELECTRIC COMMUNICATION TECHNIQUE; H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION): Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L63/0435: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • H04L63/0823: Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L63/12: Network architectures or network communication protocols for network security; Applying verification of the received information
    • H04L9/0643: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions, e.g. MD5, SHA, HMAC or f9 MAC

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a revocable fast data outsourcing encapsulation method and device. In the method, a trusted authority first performs initialization; the data owner then performs data encapsulation; an auditor performs encapsulation checking, using a chameleon hash function to compute and check whether three equations hold, and outputs the result; the trusted authority performs access-right generation and outputs an access certificate; the trusted authority performs access-right update, updating the access rights and publishing the updated access certificate; the data user performs data decapsulation, checking whether the access certificate has been revoked, computing the decapsulation key and decapsulating; and the trusted authority executes the access-right revocation module to withdraw access rights. The method achieves effective access control, protects electronic health records stored on a not fully trusted third-party server to the greatest extent, and saves decryption overhead on mobile devices.

Description

Revocable fast data outsourcing encapsulation method and device

Technical field

The invention relates to the technical field of data processing, and in particular to a revocable fast data outsourcing encapsulation method and device.

Background

The electronic health record (EHR) system is a promising health record management system. Compared with the traditional paper-based health record (PBHR) system, an EHR system brings additional advantages, such as more flexible EHR storage, simpler EHR data management, better storage and retrieval efficiency, and wider availability. Cloud storage can provide users with almost unlimited resources on demand and at low cost, especially on public clouds. In this way, EHRs can be outsourced to the public cloud, and medical staff are freed from building specialized EHR storage systems and managing the large-scale EHR data they hold. Users can easily access and share their EHR data through the public cloud.

An important security consideration in EHR cloud storage is that a dishonest cloud service provider may read and misuse users' digital information without their authorization. Cryptographic access control has been proposed to address this problem. In these schemes, an EHR data owner encapsulates the data to be outsourced under an access policy. Each EHR data user is assigned an access certificate associated with their attributes, and can decapsulate the data only if their attributes satisfy the specific access policy. Compared with traditional access control systems, cryptographic access control allows EHR users to enforce access control policies even when the database server is not trusted. Challenges remain in securing EHR cloud storage with cryptographic access control. One challenge is that data encapsulation in existing protocols requires a large number of expensive symmetric encryption operations, growing linearly with the complexity of the specific access control policy. Experimental data show that data encapsulation takes a lot of time, which degrades the user experience. In addition, for applications that require real-time data updates, such as economic treatment and physical health monitoring, such long encapsulation times are unacceptable.

Another drawback is that the security models adopted by existing cryptographic access control protocols are not sufficient to capture real attacks on cloud storage. First, most existing protocols only consider passive attacks, in which the attacker merely tries to learn information about the digital content by accessing the encapsulated data. In practice, dishonest users may alter their access certificates and collude with the cloud service provider to access EHR data without permission. In addition, an attacker may know data that a targeted legitimate user has inadvertently leaked. Existing security models do not fully account for such a hostile real-world environment. Moreover, existing protocols provide no mechanism for filtering out invalid encapsulations. Because encapsulated data looks random, a malicious attacker can easily bury a user's cloud EHR account in junk data, for example by continuously sending randomly generated junk data.

Summary of the invention

The object of the present invention is to solve, at least to a certain extent, one of the above technical problems.

To this end, the first object of the present invention is to propose a revocable fast data outsourcing encapsulation method. The method achieves effective access control, protects electronic health records stored on a not fully trusted third-party server to the greatest extent, and saves decryption overhead on mobile devices.

The second object of the present invention is to propose a revocable fast data outsourcing encapsulation device.

To achieve the above object, the revocable fast data outsourcing encapsulation method of an embodiment of the first aspect of the present invention comprises the following steps.

S1: The trusted authority performs system initialization, comprising:

S11: the trusted authority inputs the security parameter and the maximum number of attributes in an attribute set, and runs to obtain two groups of prime order $p$ and a bilinear map;

S12: the trusted authority selects a symmetric encryption scheme $\varepsilon_{sym}$, which uses the encryption algorithm symEnc(key, data) and the decryption algorithm symDec(key, data), where key is the data decapsulation key and data is the user's EHR data;

S13: the trusted authority selects a collision-resistant hash function $H(\cdot)$ that satisfies all properties of a collision-resistant hash function; its input is a 0/1 string of arbitrary length and its output is mapped to an element of the group;

S14: the trusted authority selects a secure chameleon hash function $CH: \{0,1\}^* \to \mathbb{Z}_p$ with an auxiliary parameter domain;

S15: the trusted authority runs the random number generation algorithm to obtain and an integer;

S16: the revocation list is set to $RL = \emptyset$, and a binary tree BT with at least N leaf nodes is selected;

S17: the trusted authority holds the master key msk(α) and publishes the public parameters as

S2: The data owner performs data encapsulation, comprising:

S21: the data owner selects a random integer and computes $key = e(g,g)^{\alpha s}$, $c_0 = g^s$;

S22: assuming that any LSSS-encoded policy has a maximum number of rows, the data owner selects, for each $i \in [p]$, random integers and computes

S23: the data owner selects a random integer and sets

S24: the data owner runs $(chk, td) \leftarrow CHGen(1^\lambda)$, selects a random auxiliary parameter and a random string, computes $V = Hash(chk \,\|\, CHash(chk, m', r'_m))$, and outputs

S25: the data owner selects a random integer and computes; the intermediate header that is finally output is stored by the data owner for use during real-time encapsulation;

S26: the data owner has obtained the data data, the encapsulation time T and the corresponding access control policy (M, ρ), where $\rho: [l] \to \mu$, $l \le p$; the data owner selects a random integer and outputs

S27: the data owner computes the sharing vector; for $i \in [l]$, the data owner computes $C_{i,4} = \lambda_i - \lambda'_i$ and $C_{i,5} = -t_i \cdot (\rho(i) - x_i)$; for the time T, the data owner computes $C_{R,2} = s \cdot (T - T')$;

S28: the encapsulated data is en = SymEnc(key, data); the data owner runs $r_m = Coll(td, m', r'_m, m)$, where m is set to:

$m = en \,\|\, C_{0,1} \,\|\, C_{0,2} \,\|\, C_{0,3} \,\|\, C_{1,1} \,\|\, C_{1,2} \,\|\, C_{1,3} \,\|\, C_{1,4} \,\|\, C_{1,5} \,\|\, \dots \,\|\, C_{l,1} \,\|\, C_{l,2} \,\|\, C_{l,3} \,\|\, C_{l,4} \,\|\, C_{l,5} \,\|\, C_{R,1} \,\|\, C_{R,2} \,\|\, (M,\rho) \,\|\, T$

and the header is expressed as:

S29: the data owner outputs the data to be stored, (hdr, en), and uploads and stores it.

S3: The auditor performs encapsulation checking, comprising:

S31: the auditor computes $V = CHash(chk, m, r_m)$, where $m = en \,\|\, C_{0,1} \,\|\, C_{0,2} \,\|\, C_{0,3} \,\|\, C_{1,1} \,\|\, C_{1,2} \,\|\, C_{1,3} \,\|\, C_{1,4} \,\|\, C_{1,5} \,\|\, \dots \,\|\, C_{l,1} \,\|\, C_{l,2} \,\|\, C_{l,3} \,\|\, C_{l,4} \,\|\, C_{l,5} \,\|\, C_{R,1} \,\|\, C_{R,2} \,\|\, (M,\rho) \,\|\, T$;

S32: for all $i \in [l]$, check whether holds to verify the relevant attributes; check whether holds to verify the encapsulation time; and check whether holds. If any one of the equations does not hold, the algorithm outputs v = 0; otherwise it outputs v = 1.

S4: The trusted authority performs access-right generation, comprising:

S41: the attribute set of the data user is, where; the trusted authority randomly selects an unassigned leaf node η from the binary tree BT and stores the attribute set S in node η;

S42: for each node $\theta \in Path(\eta)$, if an element $g_\theta$ is stored in node θ, the trusted authority retrieves the element $g_\theta$ from node θ; if no element $g_\theta$ is stored in node θ, the trusted authority randomly selects an element and stores it in node θ;

S43: the trusted authority selects random integers, computes and, for

S44: for all $\theta \in Path(\theta)$, the trusted authority sets and outputs the access certificate of the attribute set S as follows:

S5: The trusted authority updates the access rights: for each node $\theta \in CUNode(BT, RL, T)$, the trusted authority takes out from node θ, which was already predefined during access certificate generation, randomly selects an integer and computes; the trusted authority finally publishes the updated certificate as:

S6: The data user performs data decapsulation, comprising:

S61: assume that the data user's access certificate is: and that the updated certificate published by the trusted authority is: The data user checks the set $I \cap J$; if, the access certificate of the attribute set has been revoked and the procedure simply outputs ⊥; otherwise, the data user chooses $\theta \in I \cap J$ and computes

S62: the data user sets and computes constants such that, where is the i-th row of the share-generating matrix M; for all satisfying the access control policy, the constants can be found efficiently. The data is finally obtained by running data = SymDec(key, en), where the decapsulation key key is computed as follows:

where j is the index of the attribute ρ(i) in.

S7: The trusted authority performs access-right revocation, comprising: denoting by η the leaf node of the binary tree BT associated with the attribute set, the trusted authority withdraws the access right by setting $RL \leftarrow RL \cup \{(\eta, T)\}$ and publishing it.
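The tree bookkeeping behind steps S41, S5, S61 and S7, as an added example that is not part of the patent text. The page does not define Path or CUNode; the code assumes the usual complete-subtree reading (Path(η) is the leaf-to-root path, CUNode is the minimal set of nodes whose subtrees cover every leaf not revoked by time T), numbers the nodes heap-style with the root as node 1, and the names `path`, `cu_node`, `usable_node` and `TrustedAuthority` are hypothetical. No key material is modeled.

```python
import secrets


def path(leaf):
    """Path(eta): every node from leaf eta up to the root (root = node 1)."""
    nodes = set()
    while leaf >= 1:
        nodes.add(leaf)
        leaf //= 2
    return nodes


def cu_node(n_leaves, rl, t):
    """CUNode(BT, RL, T): roots of the maximal subtrees with no leaf revoked by time t."""
    tainted = set()
    for leaf, t_revoked in rl:
        if t_revoked <= t:  # assumption: a revocation applies from its own time onward
            tainted |= path(leaf)
    if not tainted:
        return {1}  # nothing revoked yet: the root alone covers every leaf
    cover = set()
    for node in tainted:
        if node < n_leaves:  # internal nodes are 1 .. n_leaves - 1
            cover |= {c for c in (2 * node, 2 * node + 1) if c not in tainted}
    return cover


def usable_node(leaf, update_nodes):
    """S61: the node theta in I ∩ J, or None (the ⊥ output) when the set is empty."""
    common = path(leaf) & update_nodes
    return min(common) if common else None  # cover subtrees are disjoint: at most one hit


class TrustedAuthority:
    """Leaf assignment (S41), update (S5) and revocation (S7) without any keys."""

    def __init__(self, n_users):
        # S16: a binary tree with at least N leaves and an empty revocation list.
        self.n_leaves = 1 << max(1, (n_users - 1).bit_length())
        self.free = list(range(self.n_leaves, 2 * self.n_leaves))
        self.rl = set()

    def issue(self):
        """S41: hand out a random unassigned leaf."""
        return self.free.pop(secrets.randbelow(len(self.free)))

    def revoke(self, leaf, t):
        """S7: RL <- RL ∪ {(eta, T)}."""
        self.rl.add((leaf, t))

    def update(self, t):
        """S5: the nodes for which an updated certificate is published at time t."""
        return cu_node(self.n_leaves, self.rl, t)


def demo():
    """Constructed scenario: 8 leaves (nodes 8..15), leaf 11 revoked at time 5."""
    rl = {(11, 5)}
    before, after = cu_node(8, rl, 4), cu_node(8, rl, 5)
    return sorted(before), sorted(after), usable_node(10, after), usable_node(11, after)
```

With one of eight leaves revoked, the update touches three nodes instead of seven individual users, and the revoked leaf's path shares no node with the update set.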

The revocable fast data outsourcing encapsulation method of the embodiment of the present invention first provides virtual private storage and allows a user to enforce fine-grained access control on outsourced electronic health records as if they were stored locally. Second, the encapsulation process needs only a small number of online modular addition/multiplication operations and is very fast. It also allows a public auditor to filter out invalid electronic health record encapsulations and prevents attackers from clogging a user's electronic health record account with junk data. Finally, it adopts an efficient revocation mechanism for revoking users. The method achieves effective access control, protects electronic health records stored on a not fully trusted third-party server to the greatest extent, and saves decryption overhead on mobile devices.
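The offline commitment of S24, the online collision of S28 and the auditor's recomputation in S31, as an added example that is not the patent's own code. The patent does not fix a chameleon hash construction; this example assumes a discrete-log construction over a demonstration-size safe-prime group, stores V directly in the header instead of binding it through the pairing equations of S32, and all function names and sample values are hypothetical.

```python
import hashlib
import secrets

_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n):
    """Miller-Rabin; this base set is deterministic for n < 2**64."""
    if n < 2:
        return False
    for b in _BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def demo_group(bits=61):
    """First safe prime p = 2q + 1 with q > 2**bits; g = 4 has prime order q."""
    q = (1 << bits) + 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4


P, Q, G = demo_group()  # assumption: demonstration-size parameters, not a secure size


def h2z(data):
    """Hash a byte string into Z_q."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def encode(*parts):
    """Length-prefixed stand-in for '||' so field boundaries cannot shift."""
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


def ch_gen():
    """CHGen: trapdoor td = x in [1, q-1], public key chk = g^x."""
    td = secrets.randbelow(Q - 1) + 1
    return pow(G, td, P), td


def ch_hash(chk, m, r):
    """CHash(chk, m, r) = g^H(m) * chk^r mod p."""
    return pow(G, h2z(m), P) * pow(chk, r, P) % P


def coll(td, m_old, r_old, m_new):
    """Coll: randomness r with CHash(m_new, r) == CHash(m_old, r_old)."""
    return (r_old + (h2z(m_old) - h2z(m_new)) * pow(td, -1, Q)) % Q


def commit(chk, ch_value):
    """V = Hash(chk || CHash(...)), as in S24."""
    width = (P.bit_length() + 7) // 8
    return hashlib.sha256(encode(chk.to_bytes(width, "big"),
                                 ch_value.to_bytes(width, "big"))).digest()


def offline_phase():
    """S24: commit to a random dummy message m' before any data exists."""
    chk, td = ch_gen()
    m_dummy, r_dummy = secrets.token_bytes(32), secrets.randbelow(Q)
    header = {"chk": chk, "V": commit(chk, ch_hash(chk, m_dummy, r_dummy))}
    return header, (td, m_dummy, r_dummy)  # the tuple never leaves the data owner


def online_phase(header, secret, en, fields, policy, t):
    """S28: one trapdoor collision binds the real message m to the stored V."""
    td, m_dummy, r_dummy = secret
    m = encode(en, *fields, policy, t)
    r_m = coll(td, m_dummy, r_dummy, m)
    return dict(header, r_m=r_m, fields=list(fields), policy=policy, T=t)


def audit(hdr, en):
    """S31: recompute the hash over the uploaded bytes; 1 = accept, 0 = reject."""
    m = encode(en, *hdr["fields"], hdr["policy"], hdr["T"])
    return int(commit(hdr["chk"], ch_hash(hdr["chk"], m, hdr["r_m"])) == hdr["V"])


def demo():
    """Constructed sample values; returns (valid, altered body, altered time)."""
    hdr0, secret = offline_phase()
    en = b"constructed ciphertext bytes"
    hdr = online_phase(hdr0, secret, en, [b"C01", b"C02"], b"(M,rho)", b"T=42")
    return audit(hdr, en), audit(hdr, en + b"!"), audit(dict(hdr, T=b"T=43"), en)
```

With this discrete-log construction, two published pairs (m, r) that collide under the same chk reveal td, so each (chk, td) and dummy pair must serve exactly one encapsulation, which matches S24 running CHGen per encapsulation.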

In some examples, the specifically comprises: the trusted authority inputs the system security parameter λ; according to the size of λ, the system selects a corresponding elliptic curve $Y^2 = X^3 + aX + b$, where a and b are coefficients, and the points on the elliptic curve then form two groups of prime order p.

In some examples, the collision-resistant hash function H(·) is run by calling a library function from the Pairing-Based Cryptosystems function package.

In some examples, the random number generation algorithm, based on $Y^2 = X^3 + aX + b$, randomly selects a value $x_1$ of the independent variable X and computes the corresponding value $y_1$ of the dependent variable Y; if the point $(x_1, y_1)$ is in the mapped group, a random element has been generated successfully. If the point $(x_1, y_1)$ is not in the mapped group, the algorithm keeps selecting values of X until it finds a point that is in the group.

To achieve the above object, the revocable fast data outsourcing encapsulation device of an embodiment of the second aspect of the present invention comprises the following modules.

A trusted authority system initialization module, used for the trusted authority to perform system initialization, further comprising:

S11: the trusted authority inputs the security parameter and the maximum number of attributes in an attribute set, and runs to obtain two groups of prime order $p$ and a bilinear map;

S12: the trusted authority selects a symmetric encryption scheme $\varepsilon_{sym}$, which uses the encryption algorithm symEnc(key, data) and the decryption algorithm symDec(key, data), where key is the data decapsulation key and data is the user's EHR data;

S13: the trusted authority selects a collision-resistant hash function $H(\cdot)$ that satisfies all properties of a collision-resistant hash function; its input is a 0/1 string of arbitrary length and its output is mapped to an element of the group;

S14: the trusted authority selects a secure chameleon hash function $CH: \{0,1\}^* \to \mathbb{Z}_p$ with an auxiliary parameter domain;

S15: the trusted authority runs the random number generation algorithm to obtain and an integer;

S16: the revocation list is set to $RL = \emptyset$, and a binary tree BT with at least N leaf nodes is selected;

S17: the trusted authority holds the master key msk(α) and publishes the public parameters as

A data owner data encapsulation module, used for the data owner to perform data encapsulation, further comprising:

S21: the data owner selects a random integer and computes $key = e(g,g)^{\alpha s}$, $c_0 = g^s$;

S22: assuming that any LSSS-encoded policy has a maximum number of rows, the data owner selects, for each $i \in [p]$, random integers and computes

S23: the data owner selects a random integer and sets

S24: the data owner runs $(chk, td) \leftarrow CHGen(1^\lambda)$, selects a random auxiliary parameter and a random string, computes $V = Hash(chk \,\|\, CHash(chk, m', r'_m))$, and outputs

S25: the data owner selects a random integer and computes; the intermediate header that is finally output is stored by the data owner for use during real-time encapsulation;

S26: the data owner has obtained the data data, the encapsulation time T and the corresponding access control policy (M, ρ), where $\rho: [l] \to \mu$, $l \le p$; the data owner selects a random integer and outputs

S27: the data owner computes the sharing vector; for $i \in [l]$, the data owner computes $C_{i,4} = \lambda_i - \lambda'_i$ and $C_{i,5} = -t_i \cdot (\rho(i) - x_i)$; for the time T, the data owner computes $C_{R,2} = s \cdot (T - T')$;

S28: the encapsulated data is en = SymEnc(key, data); the data owner runs $r_m = Coll(td, m', r'_m, m)$, where m is set to:

$m = en \,\|\, C_{0,1} \,\|\, C_{0,2} \,\|\, C_{0,3} \,\|\, C_{1,1} \,\|\, C_{1,2} \,\|\, C_{1,3} \,\|\, C_{1,4} \,\|\, C_{1,5} \,\|\, \dots \,\|\, C_{l,1} \,\|\, C_{l,2} \,\|\, C_{l,3} \,\|\, C_{l,4} \,\|\, C_{l,5} \,\|\, C_{R,1} \,\|\, C_{R,2} \,\|\, (M,\rho) \,\|\, T$

and the header is expressed as:

S29: the data owner outputs the data to be stored, (hdr, en), and uploads and stores it.

An auditor encapsulation checking module, used for the auditor to perform encapsulation checking, further comprising:

S31: the auditor computes $V = CHash(chk, m, r_m)$, where $m = en \,\|\, C_{0,1} \,\|\, C_{0,2} \,\|\, C_{0,3} \,\|\, C_{1,1} \,\|\, C_{1,2} \,\|\, C_{1,3} \,\|\, C_{1,4} \,\|\, C_{1,5} \,\|\, \dots \,\|\, C_{l,1} \,\|\, C_{l,2} \,\|\, C_{l,3} \,\|\, C_{l,4} \,\|\, C_{l,5} \,\|\, C_{R,1} \,\|\, C_{R,2} \,\|\, (M,\rho) \,\|\, T$;

S32: for all $i \in [l]$, check whether holds to verify the relevant attributes; check whether holds to verify the encapsulation time; and check whether holds. If any one of the equations does not hold, the algorithm outputs v = 0; otherwise it outputs v = 1.

A trusted authority access-right generation module, used for the trusted authority to perform access-right generation, further comprising:

S41: the attribute set of the data user is, where; the trusted authority randomly selects an unassigned leaf node η from the binary tree BT and stores the attribute set S in node η;

S42: for each node $\theta \in Path(\eta)$, if an element $g_\theta$ is stored in node θ, the trusted authority retrieves the element $g_\theta$ from node θ; if no element $g_\theta$ is stored in node θ, the trusted authority randomly selects an element and stores it in node θ;

S43: the trusted authority selects random integers, computes and, for

S44: for all $\theta \in Path(\theta)$, the trusted authority sets and outputs the access certificate of the attribute set S as follows:

A trusted authority access-right update module, used as follows: for each node $\theta \in CUNode(BT, RL, T)$, the trusted authority takes out from node θ, which was already predefined during access certificate generation, randomly selects an integer and computes; the trusted authority finally publishes the updated certificate as:

A data user data decapsulation module, used for the data user to perform data decapsulation, further comprising:

S61: assume that the data user's access certificate is: and that the updated certificate published by the trusted authority is: The data user checks the set $I \cap J$; if, the access certificate of the attribute set has been revoked and the procedure simply outputs ⊥; otherwise, the data user chooses $\theta \in I \cap J$ and computes

S62: the data user sets and computes constants such that, where is the i-th row of the share-generating matrix M; for all satisfying the access control policy, the constants can be found efficiently. The data is finally obtained by running data = SymDec(key, en), where the decapsulation key key is computed as follows: where j is the index of the attribute ρ(i) in.

A trusted authority access-right revocation module, used for the trusted authority to perform access-right revocation, further comprising: denoting by η the leaf node of the binary tree BT associated with the attribute set, the trusted authority withdraws the access right by setting $RL \leftarrow RL \cup \{(\eta, T)\}$ and publishing it.

The revocable fast data outsourcing encapsulation device of the embodiment of the present invention first provides virtual private storage and allows a user to enforce fine-grained access control on outsourced electronic health records as if they were stored locally. Second, the encapsulation process needs only a small number of online modular addition/multiplication operations and is very fast. It also allows a public auditor to filter out invalid electronic health record encapsulations and prevents attackers from clogging a user's electronic health record account with junk data. Finally, it adopts an efficient revocation mechanism for revoking users. The device achieves effective access control, protects electronic health records stored on a not fully trusted third-party server to the greatest extent, and saves decryption overhead on mobile devices.

In some examples, the specifically comprises: the trusted authority inputs the system security parameter λ; according to the size of λ, the system selects a corresponding elliptic curve $Y^2 = X^3 + aX + b$, where a and b are coefficients, and the points on the elliptic curve then form two groups of prime order p.

In some examples, the collision-resistant hash function H(·) is run by calling a library function from the Pairing-Based Cryptosystems function package.

In some examples, the random number generation algorithm, based on $Y^2 = X^3 + aX + b$, randomly selects a value $x_1$ of the independent variable X and computes the corresponding value $y_1$ of the dependent variable Y; if the point $(x_1, y_1)$ is in the mapped group, a random element has been generated successfully. If the point $(x_1, y_1)$ is not in the mapped group, the algorithm keeps selecting values of X until it finds a point that is in the group.

本发明附加的方面和优点将在下面的描述中部分给出,部分将从下面的描述中变得明显,或通过本发明的实践了解到。Additional aspects and advantages of the invention will be set forth in part in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention.

Description of drawings

The above and/or additional aspects and advantages of the present invention will become apparent and readily understood from the following description of the embodiments taken in conjunction with the accompanying drawings, in which:

Fig. 1 is a flow chart of a revocable fast data outsourcing encapsulation method according to an embodiment of the present invention;

Fig. 2 is a schematic diagram of a system structure according to another embodiment of the present invention;

Fig. 3 is a schematic diagram of a file storage format according to another embodiment of the present invention;

Fig. 4 is a schematic diagram of a revocable fast data outsourcing encapsulation device according to an embodiment of the present invention.

Detailed description

Embodiments of the present invention are described in detail below. Examples of the embodiments are shown in the drawings, in which the same or similar reference numerals throughout denote the same or similar elements or elements having the same or similar functions. The embodiments described below with reference to the drawings are exemplary; they are intended to explain the present invention and are not to be construed as limiting it.

Public cloud storage for outsourced electronic health records (EHR) has significant advantages over traditional local storage and is a promising storage paradigm. Secure data encapsulation mechanisms have been proposed to enforce access control on outsourced EHR data. However, existing encapsulation methods require costly asymmetric cryptographic operations whose cost grows linearly with the size of the access control policy used. In addition, existing schemes cannot detect and filter invalid encapsulations, so they cannot stop attackers from paralysing a user's account with fraudulent data. Furthermore, existing schemes do not adopt an efficient revocation mechanism to prevent revoked users from continuing to decapsulate EHR data. The advantages and effects of the present invention are:

First, a user needs only very lightweight real-time computation to encapsulate his EHR data securely. We use a new pre-encapsulation scheme to achieve this goal. The pre-processing step requires no knowledge of the data to be encapsulated or of the corresponding access policy. Once both the data and the corresponding access policy are available, the data owner needs only a small number of modular addition/multiplication operations to complete the encapsulation. By pre-encapsulating during idle intervals or while charging, our scheme allows real-time data to be outsourced and gives an excellent user experience even to users with limited computing power.

Second, our RFODE uses semantically secure access control to resist adaptive active collusion attacks. Even in a very hostile environment, where the attacker colludes with the cloud server provider and with every user other than the target user, and adaptively learns encapsulated data other than the target data, the attacker cannot obtain any useful information about the target data. Such a strong security result shows that RFODE can give users virtual private storage in an insecure public setting, as if the outsourced data were stored safely in their own local databases.

Third, our RFODE algorithm provides a public filtering mechanism. EHR data users themselves, or an honest auditor hired by the user, can run a public procedure to check for and filter out invalid encapsulations. Random junk data sent by an attacker can easily be detected and isolated from the system. Moreover, verifying an encapsulation costs much less than producing a well-formed one. It is therefore very expensive for an attacker to clog a user's cloud account with well-formed encapsulations of meaningless data, which greatly reduces this kind of threat.

Finally, our scheme adopts an efficient revocation mechanism. Once an EHR data user's access right has been revoked, that user can no longer access the EHR. Our revocation mechanism is efficient in both computation and communication; for example, it supports real-time revocation of access rights with infrequent access-right updates.

First, the meanings of some of the symbols used in the algorithms need to be introduced, as shown in Table 1:

Table 1. Symbol meanings

Here, for a<b, we define $[a,b] = \{a, a+1, \dots, b\}$. Where there is no ambiguity, we abbreviate $[1,a]$ as $[a]$, and abbreviate as $[n_1, n_2, \dots, n_k]$. The cardinality of the set is denoted We say if $s_1, s_2, \dots, s_n$ are chosen at random from

We define as the m×n matrices composed of elements of . Two special subsets of the matrices are the row vectors and the column vectors . For two vectors and , the i-th entry of is $v_i$, and the inner product of the two vectors is denoted

Fig. 1 is a flow chart of a revocable fast data outsourcing encapsulation method according to an embodiment of the present invention.

First, with reference to Fig. 2, the entities involved are introduced:

1) Data Owner: encapsulates data under the required access policy and stores it on the cloud server in order to share it with EHR data consumers whose access rights satisfy the policy;

2) Data Consumer: requests from the trusted authority the access rights associated with its own attributes, obtains the revocation information published by the trusted authority, and can recover encapsulated information on the cloud storage server whose access policy it matches;

3) Cloud Storage Server: stores the encapsulated EHR data and answers access requests from EHR data consumers;

4) Trusted Authority: trusted by every entity, responsible for initializing the system, and distinguishes EHR data consumers by issuing and managing data access rights;

5) Auditor: before data is stored on the cloud storage server, checks whether the data has been correctly encapsulated under the specified access policy.

Because auditing in RFODE is performed publicly, requiring only the public parameters and the encapsulated data, anyone can act as an auditor and check the correctness of encapsulated data. On the one hand, data consumers with strong computing power can act as auditors of their own accounts; on the other hand, mobile users (with limited computing power) can hire a trusted third party (such as a cloud computing server) as an auditor.

As shown in Fig. 1, the revocable fast data outsourcing encapsulation method may include:

S1, the trusted authority performs system initialization.

Specifically, in some examples, system initialization by the trusted authority includes:

S11, the trusted authority inputs the security parameter and the maximum number of attributes in an attribute set , and runs to obtain two groups of prime order p and a bilinear map

Here, specifically includes: the trusted authority inputs the system security parameter λ; according to the size of λ, the system selects the corresponding elliptic curve $Y^2 = X^3 + aX + b$, where a and b are coefficients; the points on the elliptic curve then form two groups of prime order p

More specifically, a bilinear pairing defines a function map e(·,·) that maps elements of the group to the group , that is, , where the groups and are two multiplicative cyclic groups of prime order p. A bilinear pairing satisfies the following properties: ① bilinearity: for , $e(g^a, h^b) = e(g,h)^{ab}$ holds; ② non-degeneracy: there is at least one element g in the group such that the computed e(g,g) is a generator of the group ; ③ computability: there is an efficient algorithm such that, for all , the value of e(u,v) can be computed efficiently. Here $Z_p$ denotes the set {0,1,2,...,p-1}.

It should be noted that, in an attribute-based encryption scheme, fine-grained access control over data consumers requires an access control policy to be defined before the data is encrypted, and the policy is expressed as an access control structure. $\{P_1, P_2, \dots, P_n\}$ is a set of entities. A collection is linear if, for B∈A and , C∈A. An access control structure (monotone access control structure) is a collection (monotone collection) A of non-empty subsets of $\{P_1, P_2, \dots, P_n\}$, that is, . The sets in A are called authorized sets, and the sets not in A are called unauthorized sets.

S12, the trusted authority selects a symmetric encryption scheme $\varepsilon_{sym}$, which uses the encryption algorithm symEnc(key, data) and the decryption algorithm symDec(key, data), where key is the data decapsulation key and data is the user's EHR data.

S13, the trusted authority selects a collision-resistant hash function H(·) that satisfies all the properties of a collision-resistant hash function; its input is a string of 0s and 1s of arbitrary length, and its output is mapped to an element of the group,

Here, the collision-resistant hash function H(·) is run by calling a library function from the Pairing-Based Cryptosystems function library.

It should be noted that the hash function used in the present invention has two basic properties: one-wayness and collision resistance. One-wayness means that the output can be derived from the input of the hash function, but the input cannot be computed from the output. Collision resistance means that two different inputs that hash to the same result cannot be found. The input to the hash algorithm in the present invention is an arbitrary binary string.

S14, the trusted authority selects a secure chameleon hash function $CH: \{0,1\}^* \to Z_p$ with auxiliary parameter domain

S15, the trusted authority runs the random number generation algorithm to obtain and the integer

Here, the random number generation algorithm works on the curve $Y^2 = X^3 + aX + b$: it randomly selects a value $x_1$ of the independent variable X and computes the corresponding value $y_1$ of the dependent variable Y. If the point $(x_1, y_1)$ is in the mapped group, a random element has been generated successfully. If the point $(x_1, y_1)$ is not in the mapped group, it keeps selecting values of X until a point that lies in the group is found.

Here, denotes the set {1,2,…,p-1}; the random number generation function that randomly selects an element of can be run by calling a library function from the Pairing-Based Cryptosystems function library.

S16, set the revocation list RL=0, and select a binary tree BT with at least N leaf nodes.

S17, the trusted authority holds the master key msk(α) and publishes the public parameters as

S2, the data owner performs data encapsulation. Specifically, this includes:

S21, the data owner selects a random integer and computes $key = e(g,g)^{\alpha s}$, $c_0 = g^s$.

S22, assuming that there is a maximum number of rows in any LSSS-encoded policy, the data owner selects, for each i∈[p], random integers and computes

It should be noted that, for Linear Secret-Sharing Schemes (LSSS), p is a prime and is the attribute universe. A secret-sharing scheme Π over the secret domain $Z_p$ realizes a linear access control structure on if the following conditions are satisfied: the shares of a secret $s \in Z_p$ for each attribute form a vector over $Z_p$. For each access control structure A on , there is a matrix called the share-generating matrix, and there is a function ρ that labels the rows of M with attributes from (that is, ), satisfying the following: during share generation, consider the column vector , where $r_2, \dots, r_n$ are randomly chosen elements of $Z_p$. Then, according to Π, the vector of l shares of the secret s is equivalent to , and the share , where j∈[l], belongs to the attribute ρ(j). (M,ρ) is taken as the policy of the access control structure A.

S23, the data owner selects a random integer and sets

S24, the data owner runs $(chk, td) \leftarrow CHGen(1^{\lambda})$, selects a random auxiliary parameter and a random string , computes $V = Hash(chk \,\|\, CHash(chk, m', r'_m))$, and outputs

S25, the data owner selects a random integer and computes . The final output is the intermediate header , which the data owner stores for use during real-time encapsulation.

S26, the data owner has obtained the data data, the encapsulation time T and the corresponding access control policy (M,ρ), where ρ:[1]→μ1≤p; the data owner selects a random integer and outputs

S27, the data owner computes the share vector . For i∈[I], the data owner computes $C_{i,4} = \lambda_i - \lambda'_i$ and $C_{i,5} = -t_i \cdot (\rho(i) - x_i)$. For the time T, the data owner computes $C_{R,2} = s \cdot (T - T')$.

S28, the encapsulated data is en = SymEnc(key, data). The data owner runs $r_m = Coll(td, m', r'_m, m)$, where m is set to:

$m = en \,\|\, C_{0,1} \,\|\, C_{0,2} \,\|\, C_{0,3} \,\|\, C_{1,1} \,\|\, C_{1,2} \,\|\, C_{1,3} \,\|\, C_{1,4} \,\|\, C_{1,5} \,\|\, \dots \,\|\, C_{l,1} \,\|\, C_{l,2} \,\|\, C_{l,3} \,\|\, C_{l,4} \,\|\, C_{l,5} \,\|\, C_{R,1} \,\|\, C_{R,2} \,\|\, (M,\rho) \,\|\, T$, and the header takes the form:

S29, the data owner outputs the data to be stored, (hdr, en), uploads it and stores it.

The storage format is shown in Fig. 3.

S3, the auditor performs the encapsulation check. Specifically, this includes:

S31, the auditor computes $V = CHash(chk, m, r_m)$, where

$m = en \,\|\, C_{0,1} \,\|\, C_{0,2} \,\|\, C_{0,3} \,\|\, C_{1,1} \,\|\, C_{1,2} \,\|\, C_{1,3} \,\|\, C_{1,4} \,\|\, C_{1,5} \,\|\, \dots \,\|\, C_{l,1} \,\|\, C_{l,2} \,\|\, C_{l,3} \,\|\, C_{l,4} \,\|\, C_{l,5} \,\|\, C_{R,1} \,\|\, C_{R,2} \,\|\, (M,\rho) \,\|\, T$.

S32, for all i∈[l], check whether holds in order to verify the associated attributes; check whether holds in order to verify the encapsulation time; and check whether holds. If any one of these equations does not hold, the algorithm outputs v=0; otherwise it outputs v=1.
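The chameleon-hash steps S24, S28 and S31 can be followed end to end in the sketch below, which is an added example and not code from the patent. It assumes a discrete-log chameleon hash over a toy group (the page does not say which construction is used), assumes the helper names `to_zq`, `tag`, `offline_phase`, `online_phase` and `audit`, and assumes V is authenticated by the other header checks of S32, which are not modelled here.

```python
import hashlib
import secrets

# Toy group constructed for this example: P = 2Q + 1 with P and Q prime.
# A real deployment needs a group of cryptographic size.
P, Q, G = 2039, 1019, 4   # G = 2^2 is a quadratic residue mod P, so its order is Q


def to_zq(data: bytes) -> int:
    """Map an arbitrary byte string into Z_Q (assumed message encoding)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def ch_gen():
    """CHGen: return (chk, td) with chk = G^td mod P; td is the trapdoor."""
    td = secrets.randbelow(Q - 1) + 1          # td in [1, Q-1]
    return pow(G, td, P), td


def c_hash(chk: int, m: bytes, r: int) -> int:
    """CHash(chk, m, r) = G^H(m) * chk^r mod P (assumed construction)."""
    return pow(G, to_zq(m), P) * pow(chk, r, P) % P


def tag(chk: int, digest: int) -> str:
    """V = Hash(chk || CHash(...)), the form given in step S24."""
    return hashlib.sha256(f"{chk}||{digest}".encode()).hexdigest()


def offline_phase() -> dict:
    """S24: done before the data exists, e.g. while the device is idle."""
    chk, td = ch_gen()
    m_dummy = secrets.token_bytes(16)          # random string m'
    r_dummy = secrets.randbelow(Q)             # random auxiliary parameter r'_m
    return {
        "chk": chk,
        "V": tag(chk, c_hash(chk, m_dummy, r_dummy)),
        "h_dummy": to_zq(m_dummy),
        "r_dummy": r_dummy,
        "td_inv": pow(td, -1, Q),              # inverse precomputed offline
    }


def online_phase(state: dict, m: bytes) -> int:
    """S28, Coll: r_m = r'_m + (H(m') - H(m)) / td mod Q.

    Only one subtraction, one multiplication and one addition mod Q are
    needed once m is known; no exponentiation happens online.
    """
    return (state["r_dummy"]
            + (state["h_dummy"] - to_zq(m)) * state["td_inv"]) % Q


def audit(chk: int, v: str, m: bytes, r_m: int) -> bool:
    """S31: anyone holding chk, V, m and r_m can recompute and compare."""
    return tag(chk, c_hash(chk, m, r_m)) == v


if __name__ == "__main__":
    st = offline_phase()
    msg = b"en||C_0,1||...||(M,rho)||T (constructed message)"
    r = online_phase(st, msg)
    print("valid encapsulation accepted:", audit(st["chk"], st["V"], msg, r))
    print("altered r_m accepted:", audit(st["chk"], st["V"], msg, (r + 1) % Q))
```

The auditor never sees `td`, so it can reject junk but cannot produce a matching `r_m` for a message of its own choosing.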

S4, the trusted authority performs access right generation. Specifically, this includes:

S41, the attribute set of the data consumer is , where . The trusted authority randomly selects an unassigned leaf node η from the binary tree BT and stores the attribute set S in the node η.

S42, for each node θ∈Path(η): if an element $g_\theta$ is stored in the node θ, the trusted authority retrieves the element $g_\theta$ from the node θ; if no element $g_\theta$ is stored in the node θ, the trusted authority randomly selects an element and stores in the node θ.

S43, the trusted authority selects random integers , computes , and for

S44, the trusted authority, for all θ∈Path(θ), sets and outputs the access credential of the attribute set S as follows:

S5, the trusted authority updates the access rights. For each node θ∈CUNode(BT,RL,T), the trusted authority retrieves from the node θ , which was already predefined during access credential generation, randomly selects an integer and computes . The trusted authority finally publishes the update credential as: $cu_T = \{(\theta, \tilde{K}_{\theta,0}, \tilde{K}_{\theta,1})\}_{\theta \in CUNode(BT,RL,T)}$.

S6, the data consumer performs data decapsulation. Specifically, this includes:

S61, suppose its access credential is: , and the update credential published by the trusted authority is: . The data consumer checks the set I∩J. If , the access credential of this attribute set has been revoked and the procedure simply outputs ⊥. Otherwise, the data consumer selects θ∈I∩J and computes

S62, the data consumer sets and computes constants such that , where is the i-th row of the share-generating matrix M. For every that satisfies the access control policy, the constants can be found efficiently. The data can finally be obtained by running data = SymDec(key, en), where the decapsulation key key is computed as follows:

where j is the index of the attribute ρ(i) in .

S7, the trusted authority performs access right revocation. Specifically, this includes:

Let η denote the leaf node of the binary tree BT that is associated with the attribute set . The trusted authority revokes the access right by setting RL←RL∪{(η,T)} and publishing it.

Here, the binary tree is denoted BT and its root node is denoted root. For a leaf node η of a binary tree BT, Path(η) denotes the set of nodes on the path from the leaf node η to the root node root (including η and root). For a non-leaf node of BT, its left and right child nodes are denoted $\eta_l$ and $\eta_r$ respectively.

The revocation mechanism has four components: the binary tree BT, the revocation list RL, the time T and the algorithm CUNode. Each attribute set is associated with one leaf node of the binary tree BT. This association is made when the trusted authority generates the access credential corresponding to the attribute set. The revocation list RL is initially empty and stores every node associated with a revoked access credential together with its revocation time $(\eta_i, T_i)$. When an access credential is to be revoked at time T, the system adds it to the revocation list RL, runs the algorithm CUNode and updates the credentials. The algorithm CUNode takes the binary tree BT, the revocation list RL and the time T as input, and outputs the minimal set of nodes for which update credentials must be published, so that only access credentials whose attribute sets are not in the revocation list RL can continue to decapsulate data. The algorithm CUNode runs as shown in Algorithm 1.

Algorithm 1 CUNode(BT,RL,T):

1:
2: for $(\eta_i, T_i)$ ∈ RL do
3:     if $T_i$ ≤ T then
4:         add Path(η) to X
5:     end if
6: end for
7: for x ∈ X do
8:     if then
9:         add $x_l$ to Y
10:     end if
11:     if then
12:         add $x_r$ to Y
13:     end if
14: end for
15: if then
16:     add root to Y
17: end if
18: return Y
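A runnable version of the node-cover computation, as an added example that is not the patent's own code. The initialisation and the three `if` conditions are missing from the listing on this page, so the ones used here are assumptions: X and Y start empty, a child is added to Y when it is not in X, and root is added when X is empty (so a tree whose leaves are all revoked yields an empty cover). The heap-style node numbering, the names `cu_node` and `can_decapsulate`, and the sample revocation list are also assumptions.

```python
"""CUNode(BT, RL, T) on a complete binary tree stored heap-style.

Node 1 is the root, node i has children 2i and 2i+1, and a tree with
n_leaves leaves (a power of two) has its leaves at n_leaves .. 2*n_leaves-1.
"""

# Constructed sample: leaf 10 revoked at time 3, leaf 13 revoked at time 7.
SAMPLE_RL = [(10, 3), (13, 7)]


def path(leaf: int) -> set:
    """Path(leaf): every node from the leaf up to and including the root."""
    nodes = set()
    while leaf >= 1:
        nodes.add(leaf)
        leaf //= 2
    return nodes


def cu_node(n_leaves: int, rl, t) -> set:
    """Return the set Y of nodes that receive an update credential at time t."""
    if n_leaves < 1 or n_leaves & (n_leaves - 1):
        raise ValueError("n_leaves must be a power of two")
    first_leaf, last_leaf = n_leaves, 2 * n_leaves - 1

    x, y = set(), set()                 # assumed initialisation (blank on the page)
    for leaf, t_revoked in rl:
        if not first_leaf <= leaf <= last_leaf:
            raise ValueError(f"{leaf} is not a leaf of this tree")
        if t_revoked <= t:              # revocation already in force at time t
            x |= path(leaf)

    for node in x:
        if node >= first_leaf:          # leaves have no children
            continue
        for child in (2 * node, 2 * node + 1):
            if child not in x:          # assumed condition (blank on the page)
                y.add(child)

    if not x:                           # assumed condition: nothing revoked yet
        y.add(1)
    return y


def can_decapsulate(leaf: int, cover: set) -> bool:
    """Model of the I∩J test in S61: a credential stored along Path(leaf) is
    usable only if some node on that path received an update credential."""
    return bool(path(leaf) & cover)


if __name__ == "__main__":
    for now in (0, 5, 7):
        cover = cu_node(8, SAMPLE_RL, now)
        blocked = [l for l in range(8, 16) if not can_decapsulate(l, cover)]
        print(f"T={now}: update nodes {sorted(cover)}, revoked leaves {blocked}")
```

With eight leaves, revoking one user costs three update credentials instead of seven per-user ones, which is the saving the node cover is meant to give.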

The revocable fast data outsourcing encapsulation method of the embodiment of the present invention first provides virtual private storage and lets a user enforce fine-grained access control over outsourced electronic health records as if they were stored locally. Second, the encapsulation process needs only a small number of online modular addition/multiplication operations and is very fast. Third, it allows a public auditor to filter out invalid electronic health record encapsulations and prevents attackers from clogging a user's electronic health record account with junk data. Finally, it adopts an efficient revocation mechanism for revoking users. The method achieves effective access control, protects to the greatest extent the security of electronic health records stored on a third-party server that cannot be fully trusted, and saves decryption overhead on mobile devices.

Corresponding to the revocable fast data outsourcing encapsulation method provided by the above embodiment, an embodiment of the present invention also provides a revocable fast data outsourcing encapsulation device. Because the device provided by this embodiment has the same or similar technical features as the method provided by the above embodiment, the implementation of the foregoing method also applies to the device provided in this embodiment and is not described in detail again here. As shown in Fig. 4, the revocable fast data outsourcing encapsulation device may include: a trusted-authority system initialization module 10, a data-owner data encapsulation module 20, an auditor encapsulation check module 30, a trusted-authority access right generation module 40, a trusted-authority access right update module 50, a data-consumer data decapsulation module 60 and a trusted-authority access right revocation module 70.

The trusted-authority system initialization module 10 is used by the trusted authority to perform system initialization.

The data-owner data encapsulation module 20 is used by the data owner to perform data encapsulation.

The auditor encapsulation check module 30 is used by the auditor to perform the encapsulation check.

The trusted-authority access right generation module 40 is used by the trusted authority to perform access right generation.

The trusted-authority access right update module 50 is used for access right update.

The data-consumer data decapsulation module 60 is used by the data consumer to perform data decapsulation.

The trusted-authority access right revocation module 70 is used by the trusted authority to perform access right revocation.

The revocable fast data outsourcing encapsulation device of the embodiment of the present invention first provides virtual private storage and lets a user enforce fine-grained access control over outsourced electronic health records as if they were stored locally. Second, the encapsulation process needs only a small number of online modular addition/multiplication operations and is very fast. Third, it allows a public auditor to filter out invalid electronic health record encapsulations and prevents attackers from clogging a user's electronic health record account with junk data. Finally, it adopts an efficient revocation mechanism for revoking users. The device achieves effective access control, protects to the greatest extent the security of electronic health records stored on a third-party server that cannot be fully trusted, and saves decryption overhead on mobile devices.

In the description of the present invention, it should be understood that the terms "first" and "second" are used for descriptive purposes only and are not to be understood as indicating or implying relative importance or implicitly indicating the number of the technical features referred to. A feature qualified by "first" or "second" may therefore explicitly or implicitly include at least one such feature. In the description of the present invention, "a plurality of" means at least two, for example two or three, unless otherwise expressly and specifically defined.

In the description of this specification, a description that refers to the terms "one embodiment", "some embodiments", "example", "specific example" or "some examples" means that a specific feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic uses of these terms do not necessarily refer to the same embodiment or example. Moreover, the specific features, structures, materials or characteristics described may be combined in a suitable manner in any one or more embodiments or examples. In addition, provided they do not contradict one another, those skilled in the art may combine the different embodiments or examples described in this specification and the features of those embodiments or examples.

Any process or method description in a flow chart, or otherwise described herein, may be understood as representing a module, segment or portion of code that includes one or more executable instructions for implementing a specific logical function or step of the process. The scope of the preferred embodiments of the present invention includes other implementations in which functions may be performed out of the order shown or discussed, including substantially concurrently or in the reverse order depending on the functions involved, as will be understood by those skilled in the art to which the embodiments of the present invention belong.

Although embodiments of the present invention have been shown and described above, it is to be understood that the above embodiments are exemplary and are not to be construed as limiting the present invention; those of ordinary skill in the art may make changes, modifications, substitutions and variations to the above embodiments within the scope of the present invention.

Claims (8)

1. A revocable fast data outsourcing encapsulation method, characterized by comprising the following steps:

S1, the trusted authority performs system initialization, including:
S11, the trusted authority inputs the security parameter and the maximum number of attribute sets and runs to obtain two groups of prime order p and a bilinear map;
S12, the trusted authority selects a symmetric encryption scheme $\varepsilon_{sym}$, which uses the encryption algorithm symEnc(key, data) and the decryption algorithm symDec(key, data), where key is the data decapsulation key and data is the user's HER data;
S13, the trusted authority selects a collision-resistant hash function H(·) that satisfies all properties of a collision-resistant hash function; its input is a 0/1 string of arbitrary length and its output is mapped to an element of the group;
S14, the trusted authority selects a secure chameleon hash function with an auxiliary parameter domain, $CH:\{0,1\}^*\to Z_p$;
S15, the trusted authority runs the random number generation algorithm to obtain g, h, u, v, w, $h_r$ and an integer;
S16, the revocation list is set to RL=0, and a binary tree BT with at least N leaf nodes is selected;
S17, the trusted authority holds the master key msk(α) and publishes the public parameters as

S2, the data owner performs data encapsulation, including:
S21, the data owner selects a random integer and computes $key=e(g,g)^{\alpha s}$, $c_0=g^s$;
S22, assuming that there is a maximum number of rows in any LSSS-encoded policy, the data owner selects, for each i∈[p], random integers $\lambda'_i$, $x_i$, and computes
S23, the data owner selects a random integer and sets
S24, the data owner runs $(chk,td)\leftarrow CHGen(1^{\lambda})$, selects a random auxiliary parameter and a random string, computes $V=Hash(chk\,\|\,CHash(chk,m',r'_m))$, and outputs
S25, the data owner selects a random integer and computes; the intermediate header finally output is stored by the data owner for use in real-time encapsulation;
S26, the data owner has obtained the data data, the encapsulation time T, and the corresponding access control policy (M, ρ), where ρ:[1]→μ1≤p; the data owner selects a random integer and outputs
S27, the data owner computes the sharing vector; for i∈[l], the data owner computes $C_{i,4}=\lambda_i-\lambda'_i$, $C_{i,5}=-t_i\cdot(\rho(i)-x_i)$; for the time T, the data owner computes $C_{R,2}=s\cdot(T-T')$;
S28, the encapsulated data is en=SymEnc(key, data); the data owner runs $r_m=Coll(td,m',r'_m,m)$, where m is set to:
$m=en\|C_{0,1}\|C_{0,2}\|C_{0,3}\|C_{1,1}\|C_{1,2}\|C_{1,3}\|C_{1,4}\|C_{1,5}\|\ldots\|C_{l,1}\|C_{l,2}\|C_{l,3}\|C_{l,4}\|C_{l,5}\|C_{R,1}\|C_{R,2}\|(M,\rho)\|T$
and the header is expressed in the form:
S29, the data owner outputs the data to be stored (hdr, en), and uploads and stores it;

S3, the auditor performs the encapsulation check, including:
S31, the auditor computes $V=CHash(chk,m,r_m)$, where
$m=en\|C_{0,1}\|C_{0,2}\|C_{0,3}\|C_{1,1}\|C_{1,2}\|C_{1,3}\|C_{1,4}\|C_{1,5}\|\ldots\|C_{l,1}\|C_{l,2}\|C_{l,3}\|C_{l,4}\|C_{l,5}\|C_{R,1}\|C_{R,2}\|(M,\rho)\|T$;
S32, for all i∈[l], check whether holds to verify the associated attributes, check whether holds to verify the encapsulation time, and check whether holds; if any one of the equations does not hold, the algorithm outputs v=0, otherwise it outputs v=1;

S4, the trusted authority performs access right generation, including:
S41, the attribute set of the data user is, where; the trusted authority randomly selects an unassigned leaf node η from the binary tree BT and stores the attribute set S in node η;
S42, for each node θ∈Path(η), if an element $g_\theta$ is stored in node θ, the trusted authority retrieves the element $g_\theta$ from node θ; if the element $g_\theta$ is not stored in node θ, the trusted authority randomly selects an element and stores it in node θ;
S43, the trusted authority selects random integers, computes, and for
S44, the trusted authority, for all θ∈Path(θ), sets and outputs the access certificate of the attribute set S as follows:

S5, the trusted authority updates the access rights: for each node θ∈CUNode(BT, RL, T), the trusted authority retrieves from node θ, which was already predefined during access certificate generation, randomly selects an integer and computes; the trusted authority finally publishes the updated certificate as:

S6, the data user performs data decapsulation, including:
S61, suppose its access certificate is: and the updated certificate published by the trusted authority is: the data user checks the set I∩J; if, the access certificate of the attribute set has been revoked and the procedure simply outputs ⊥; otherwise, the data user selects θ∈I∩J and computes
S62, the data user sets and computes constants such that, where is the i-th row of the share-generating matrix M; for all that satisfy the access control policy, the constants can be found efficiently; the data can finally be obtained by running data=SymDec(key, en), where the decapsulation key key is computed as follows: where j is the index of the attribute ρ(i) in;

S7, the trusted authority performs access right revocation, including:
let η denote the leaf node of the binary tree BT associated with the attribute set; the trusted authority revokes the access right by setting RL←RL∪{(η,T)} and publishing it.

2. The method of claim 1, wherein said specifically comprises: the trusted authority inputs the system security parameter λ; according to the size of λ, the system selects a corresponding elliptic curve $Y^2=X^3+aX+b$, where a and b are coefficients, and the points on the elliptic curve then form two groups of prime order p

3. The method of claim 1, wherein the collision-resistant hash function H(·) is run by calling a library function from the Pairing-Based Cryptosystems function package.

4. The method of claim 2, wherein the random number generation algorithm, according to said $Y^2=X^3+aX+b$, randomly selects a value $x_1$ of the independent variable X and computes the value $y_1$ of the corresponding dependent variable Y; if the point $(x_1,y_1)$ is in the mapping group, a random element has been generated successfully; if the point $(x_1,y_1)$ is not in the mapping group, values of X continue to be selected until a point that lies in the group is found.

5. A revocable fast data outsourcing encapsulation device, characterized by comprising:

a trusted-authority system initialization module, used for the trusted authority to perform system initialization, further comprising:
S11, the trusted authority inputs the security parameter and the maximum number of attribute sets and runs to obtain two groups of prime order p and a bilinear map;
S12, the trusted authority selects a symmetric encryption scheme $\varepsilon_{sym}$, which uses the encryption algorithm symEnc(key, data) and the decryption algorithm symDec(key, data), where key is the data decapsulation key and data is the user's HER data;
S13, the trusted authority selects a collision-resistant hash function H(·) that satisfies all properties of a collision-resistant hash function; its input is a 0/1 string of arbitrary length and its output is mapped to an element of the group;
S14, the trusted authority selects a secure chameleon hash function with an auxiliary parameter domain, $CH:\{0,1\}^*\to Z_p$;
S15, the trusted authority runs the random number generation algorithm to obtain g, h, u, v, w, $h_r$ and an integer;
S16, the revocation list is set to RL=0, and a binary tree BT with at least N leaf nodes is selected;
S17, the trusted authority holds the master key msk(α) and publishes the public parameters as

a data-owner data encapsulation module, used for the data owner to perform data encapsulation, further comprising:
S21, the data owner selects a random integer and computes $key=e(g,g)^{\alpha s}$, $c_0=g^s$;
S22, assuming that there is a maximum number of rows in any LSSS-encoded policy, the data owner selects, for each i∈[p], random integers $\lambda'_i$, $x_i$, and computes
S23, the data owner selects a random integer and sets
S24, the data owner runs $(chk,td)\leftarrow CHGen(1^{\lambda})$, selects a random auxiliary parameter and a random string, computes $V=Hash(chk\,\|\,CHash(chk,m',r'_m))$, and outputs
S25, the data owner selects a random integer and computes; the intermediate header finally output is stored by the data owner for use in real-time encapsulation;
S26, the data owner has obtained the data data, the encapsulation time T, and the corresponding access control policy (M, ρ), where ρ:[1]→μ1≤p; the data owner selects a random integer and outputs
S27, the data owner computes the sharing vector; for i∈[l], the data owner computes $C_{i,4}=\lambda_i-\lambda'_i$, $C_{i,5}=-t_i\cdot(\rho(i)-x_i)$; for the time T, the data owner computes $C_{R,2}=s\cdot(T-T')$;
S28, the encapsulated data is en=SymEnc(key, data); the data owner runs $r_m=Coll(td,m',r'_m,m)$, where m is set to:
$m=en\|C_{0,1}\|C_{0,2}\|C_{0,3}\|C_{1,1}\|C_{1,2}\|C_{1,3}\|C_{1,4}\|C_{1,5}\|\ldots\|C_{l,1}\|C_{l,2}\|C_{l,3}\|C_{l,4}\|C_{l,5}\|C_{R,1}\|C_{R,2}\|(M,\rho)\|T$
and the header is expressed in the form:
S29, the data owner outputs the data to be stored (hdr, en), and uploads and stores it;

an auditor encapsulation check module, used for the auditor to perform the encapsulation check, further comprising:
S31, the auditor computes $V=CHash(chk,m,r_m)$, where
$m=en\|C_{0,1}\|C_{0,2}\|C_{0,3}\|C_{1,1}\|C_{1,2}\|C_{1,3}\|C_{1,4}\|C_{1,5}\|\ldots\|C_{l,1}\|C_{l,2}\|C_{l,3}\|C_{l,4}\|C_{l,5}\|C_{R,1}\|C_{R,2}\|(M,\rho)\|T$;
S32, for all i∈[l], check whether holds to verify the associated attributes, check whether holds to verify the encapsulation time, and check whether holds; if any one of the equations does not hold, the algorithm outputs v=0, otherwise it outputs v=1;

a trusted-authority access right generation module, used for the trusted authority to perform access right generation, further comprising:
S41, the attribute set of the data user is, where; the trusted authority randomly selects an unassigned leaf node η from the binary tree BT and stores the attribute set S in node η;
S42, for each node θ∈Path(η), if an element $g_\theta$ is stored in node θ, the trusted authority retrieves the element $g_\theta$ from node θ; if the element $g_\theta$ is not stored in node θ, the trusted authority randomly selects an element and stores it in node θ;
S43, the trusted authority selects random integers, computes, and for
S44, the trusted authority, for all θ∈Path(θ), sets and outputs the access certificate of the attribute set S as follows:

a trusted-authority access right update module, used for: for each node θ∈CUNode(BT, RL, T), the trusted authority retrieves from node θ, which was already predefined during access certificate generation, randomly selects an integer and computes; the trusted authority finally publishes the updated certificate as:

a data-user data decapsulation module, used for the data user to perform data decapsulation, further comprising:
S61, suppose its access certificate is: and the updated certificate published by the trusted authority is: the data user checks the set I∩J; if, the access certificate of the attribute set has been revoked and the procedure simply outputs ⊥; otherwise, the data user selects θ∈I∩J and computes
S62, the data user sets and computes constants such that, where is the i-th row of the share-generating matrix M; for all that satisfy the access control policy, the constants can be found efficiently; the data can finally be obtained by running data=SymDec(key, en), where the decapsulation key key is computed as follows: where j is the index of the attribute ρ(i) in;

a trusted-authority access right revocation module, used for the trusted authority to perform access right revocation, further comprising:
let η denote the leaf node of the binary tree BT associated with the attribute set; the trusted authority revokes the access right by setting RL←RL∪{(η,T)} and publishing it.

6. The device of claim 5, wherein said specifically comprises: the trusted authority inputs the system security parameter λ; according to the size of λ, the system selects a corresponding elliptic curve $Y^2=X^3+aX+b$, where a and b are coefficients, and the points on the elliptic curve then form two groups of prime order p

7. The device of claim 5, wherein the collision-resistant hash function H(·) is run by calling a library function from the Pairing-Based Cryptosystems function package.

8. The device of claim 6, wherein the random number generation algorithm, according to said $Y^2=X^3+aX+b$, randomly selects a value $x_1$ of the independent variable X and computes the value $y_1$ of the corresponding dependent variable Y; if the point $(x_1,y_1)$ is in the mapping group, a random element has been generated successfully; if the point $(x_1,y_1)$ is not in the mapping group, values of X continue to be selected until a point that lies in the group is found.
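The offline/online split in S24, S28 and S31 depends on the chameleon hash trapdoor: V is fixed before any data exists, and Coll later finds the r_m that makes the real message hash to the same V. The sketch below is an added example, not code from the patent; it assumes the standard discrete-log chameleon hash (Krawczyk-Rabin style) over a small generated demo group, since the claims do not fix the construction, takes V as the chameleon hash value as in S31, and uses hypothetical helper names and a length-prefixed field encoding.

```python
import hashlib
import secrets

_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n):
    """Miller-Rabin with fixed bases; adequate for generating demo parameters."""
    if n < 2:
        return False
    for b in _BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def demo_group(bits=127):
    """First odd q > 2**bits with q and p = 2q+1 prime; 4 has order q mod p."""
    q = (1 << bits) + 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4

P, Q, G = demo_group()   # demo-sized group (assumption), far too small for real use

def h(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q

def encode(fields):
    """Length-prefix each field so en||C...||(M,rho)||T cannot be re-split."""
    return b"".join(len(f).to_bytes(4, "big") + f for f in fields)

def ch_gen():
    td = secrets.randbelow(Q - 1) + 1           # trapdoor, kept by the data owner
    return pow(G, td, P), td                    # (chk, td)

def ch_hash(chk, msg, r):
    return pow(G, h(msg), P) * pow(chk, r, P) % P

def ch_coll(td, m0, r0, m1):
    """Return r1 such that ch_hash(chk, m1, r1) == ch_hash(chk, m0, r0)."""
    return (r0 + (h(m0) - h(m1)) * pow(td, -1, Q)) % Q

def offline_phase():
    """S24: fix V from a random dummy pair (m', r'_m) before the data exists."""
    chk, td = ch_gen()
    m0, r0 = secrets.token_bytes(32), secrets.randbelow(Q)
    return {"chk": chk, "td": td, "m0": m0, "r0": r0, "V": ch_hash(chk, m0, r0)}

def online_phase(state, fields):
    """S28: modular arithmetic only, no exponentiation, yields r_m for the real m."""
    return ch_coll(state["td"], state["m0"], state["r0"], encode(fields))

def audit(chk, V, fields, r_m):
    """S31: the auditor recomputes V from public values only."""
    return ch_hash(chk, encode(fields), r_m) == V
```

Anyone holding td can open V to any message, so the trapdoor has to stay with the data owner and be treated like a signing key.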
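Revocation in S5, S61 and S7 works through the binary tree BT: the authority publishes update material only for the nodes in CUNode(BT, RL, T), and a data user can decapsulate only if Path(η) intersects that set. The following is an added example, not code from the patent; it assumes CUNode follows the standard subset-cover node selection used in revocable attribute-based schemes, that an entry (η, T) takes effect from time T onward, and a heap-style node numbering with hypothetical names.

```python
import secrets

class RevocationTree:
    """Complete binary tree BT in heap numbering: root 1, children 2i and 2i+1."""

    def __init__(self, num_leaves):
        if num_leaves < 1 or num_leaves & (num_leaves - 1):
            raise ValueError("num_leaves must be a power of two")
        self.n = num_leaves
        self.free = list(range(num_leaves, 2 * num_leaves))  # unassigned leaves
        self.rl = set()                                      # RL as {(leaf, T)}

    def assign_leaf(self):
        """S41: pick a random unassigned leaf for a new data user."""
        leaf = secrets.choice(self.free)
        self.free.remove(leaf)
        return leaf

    def path(self, leaf):
        """Path(eta): every node from the leaf up to the root."""
        nodes = set()
        while leaf >= 1:
            nodes.add(leaf)
            leaf //= 2
        return nodes

    def revoke(self, leaf, T):
        """S7: RL <- RL U {(eta, T)}."""
        self.rl.add((leaf, T))

    def cu_node(self, T):
        """Nodes whose subtrees cover exactly the leaves not revoked at time T."""
        revoked = set()
        for leaf, t in self.rl:
            if t <= T:                  # assumption: revocation applies from t on
                revoked |= self.path(leaf)
        if not revoked:
            return {1}                  # nobody revoked: the root covers everyone
        cover = set()
        for node in revoked:
            if node < self.n:           # internal node: keep its clean children
                cover.update(c for c in (2 * node, 2 * node + 1)
                             if c not in revoked)
        return cover                    # empty once every leaf is revoked

def usable_node(tree, leaf, T):
    """S61: the theta in Path(eta) that is also in CUNode, or None for the ⊥ case."""
    common = tree.path(leaf) & tree.cu_node(T)
    return next(iter(common), None)
```

Returning the root only when the revocation list has no effective entries avoids the corner case where revoking every leaf would otherwise fall back to the root and re-enable all users.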
CN201610302830.9A 2016-05-09 2016-05-09 Reversible fast data outsourcing encapsulation method and device Active CN105978696B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610302830.9A CN105978696B (en) 2016-05-09 2016-05-09 Reversible fast data outsourcing encapsulation method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610302830.9A CN105978696B (en) 2016-05-09 2016-05-09 Reversible fast data outsourcing encapsulation method and device

Publications (2)

Publication Number Publication Date
CN105978696A true CN105978696A (en) 2016-09-28
CN105978696B CN105978696B (en) 2019-10-11

Family

ID=56992190

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610302830.9A Active CN105978696B (en) 2016-05-09 2016-05-09 Reversible fast data outsourcing encapsulation method and device

Country Status (1)

Country Link
CN (1) CN105978696B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2006209682A (en) * 2005-01-31 2006-08-10 Fuji Xerox Co Ltd Data management system
CN103795549A (en) * 2014-02-28 2014-05-14 成都卫士通信息产业股份有限公司 Communication content encryption and decryption method and encryption management method based on CS mode

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108365959A (en) * 2018-02-14 2018-08-03 东北大学 The outsourcing multinomial verification method of Full Proxy under a kind of cloud environment
CN108830602A (en) * 2018-06-27 2018-11-16 电子科技大学 A kind of license chain construction and management-control method based on chameleon hash function
CN108830602B (en) * 2018-06-27 2022-03-29 电子科技大学 Permission chain construction and management and control method based on chameleon hash function

Also Published As

Publication number Publication date
CN105978696B (en) 2019-10-11

Similar Documents

Publication Publication Date Title
US11425171B2 (en) Method and system for cryptographic attribute-based access control supporting dynamic rules
Yu et al. LH-ABSC: A lightweight hybrid attribute-based signcryption scheme for cloud-fog-assisted IoT
Das et al. MACPABE: Multi‐Authority‐based CP‐ABE with efficient attribute revocation for IoT‐enabled healthcare infrastructure
CN103986574B (en) A kind of Tiered broadcast encryption method of identity-based
Han et al. Efficient and robust attribute-based encryption supporting access policy hiding in Internet of Things
CN104168108B (en) It is a kind of to reveal the traceable attribute base mixed encryption method of key
Zhang et al. Multiauthority access control with anonymous authentication for personal health record
Shen et al. Secure authentication in cloud big data with hierarchical attribute authorization structure
CN112733179B (en) Lightweight non-interactive privacy protection data aggregation method
Guan et al. Achieving adaptively secure data access control with privacy protection for lightweight IoT devices
Hahn et al. Trustworthy delegation toward securing mobile healthcare cyber-physical systems
Li et al. Traceable Ciphertext‐Policy Attribute‐Based Encryption with Verifiable Outsourced Decryption in eHealth Cloud
Zhang et al. Blockchain-aided anonymous traceable and revocable access control scheme with dynamic policy updating for the cloud IoT
Cao et al. Privacy-preserving conjunctive keyword search on encrypted data with enhanced fine-grained access control
Deng et al. An efficient revocable attribute-based signcryption scheme with outsourced unsigncryption in cloud computing
Yang et al. Verifiable and redactable blockchain for internet of vehicles data sharing
Kumar Cryptography during data sharing and accessing over cloud
CN116996870A (en) Traceable and revocable decentralized CP-ABE privacy protection method and system
Liu et al. Consortium blockchain based lightweight message authentication and auditing in smart home
CN105978696B (en) Reversible fast data outsourcing encapsulation method and device
Kumar et al. ASP: advanced security protocol for security and privacy in cloud computing
Bai et al. A cloud data integrity verification scheme based on blockchain
Ashouri-Talouki et al. Privacy-preserving attribute-based access control with non-monotonic access structure
CN113271309B (en) A kind of layered file encryption method and system
Zhang et al. A secure access control framework for cloud management

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant