CN103023637A - Encryption and search method for revocable keyword search public keys in cloud storage - Google Patents

Abstract

The invention discloses an encryption and search method for revocable keyword search public keys in cloud storage and belongs to the technical field of network security. The method includes: setting system public parameters and dividing system time into z time segments, and creating a public-private key pair at a client; when data storage requests occurs, selecting a keyword collection of a data file, selecting optional symmetrical encryption algorithm to encrypt the data file, utilizing the public key and the current time segment to encrypt the keyword collection, and transmitting the encrypted keyword collection to the cloud server; when the next time segment arrives, generating keyword collection cipher again, and updating the cloud server on a server; when a keyword search request occurs, by the client, utilizing the private key and the current time segment to calculate trap door information of the keywords, transmitting the trap door information to the cloud server, and by the cloud server, obtaining the search results and sending back file cipher containing the search keywords to users. The encryption and search method is suitable for cloud storage with high safety requirements, safe, and efficient, and has the capability of revoking server search.

Description

A revocable keyword search public key encryption and search method in cloud storage

technical field

The invention belongs to the technical field of network security, and in particular relates to a revocable keyword search public key encryption method and a search method in secure cloud storage.

Background technique

Cloud storage is a new concept extended and developed from the concept of cloud computing. Cloud computing is the development of distributed processing, parallel processing and grid computing. The huge computing processing program is automatically split into countless smaller subroutines through the network, and then submitted to the huge system composed of multiple servers for calculation and analysis. Afterwards, the processing result is passed back to the user. Through cloud computing technology, network service providers can process tens of millions or even billions of information in a few seconds, and achieve network services as powerful as "supercomputers".

Cloud storage refers to a system that integrates a large number of different types of storage devices in the network through application software to work together through functions such as cluster applications, grid technology, or distributed file systems, and jointly provide data storage and business access functions to the outside world. . Cloud storage services allow users to store data of any size, and cloud service providers are responsible for ensuring data security, reliability, and accessibility. With the help of cloud storage services, users don't have to worry about data storage related issues such as how to prevent data loss, how to ensure data security, and how much space needs to be purchased in advance, so that they can focus more on their own business development.

The advantages of cloud storage are obvious, but security issues have become an important factor restricting its development, because there are a lot of sensitive information in user data, if users store their data on cloud servers, they will worry about data leakage . Encryption technology is an effective means to prevent information leakage and protect sensitive data. Through data encryption, only the owner of the data is allowed to decrypt the data. Even if the data stored on the cloud server is leaked, it will not Anything that exfiltrates data. Although the possibility of data leakage can be eliminated by encrypting cloud data, remote data access has become a major problem at the same time, and data search and query has become an almost unattainable goal. The cloud data mentioned in this manual refers to the user data stored in the cloud server. A cloud server refers to a server that provides cloud storage services and stores user data.

Keyword search Public key encryption is one of the basic applications of public key cryptography. Using public key cryptography, users can realize the search and retrieval functions of encrypted cloud data without revealing the data content.

Currently, keyword search encryption mainly includes single-key mode and public-key mode. The single-key mode is based on the symmetric cryptosystem, and is suitable for the case where the owner and user of the cloud data are the same user, but for the case where the two are different users, the single-key mode needs to share the session key through a secure channel in advance. The so-called secure channel means that information is transmitted through the network in an encrypted form. Although a network attacker can intercept all data transmitted on the network, he cannot obtain the real information contained in the data. A session key is an encryption and decryption key randomly generated to ensure a secure communication session between a user and another computer or between two computers. The public key mode allows the data owner to use the data user's public key to encrypt the data before sending the data to the cloud server, realizing data sharing and avoiding the process of negotiating session keys. Based on this advantage, keyword search public key encryption is more suitable for secure cloud storage. It can not only meet the search and retrieval needs of cloud storage users for encrypted cloud data, but also realize the privacy protection of cloud data, and the search process will not leak data. any content.

At present, the research on keyword search public key encryption mainly focuses on the keyword search public key encryption of designated searchers, the public key encryption of multi-keyword search, and the keyword search public key encryption against offline keyword guessing attacks, etc. Applying keyword search public key encryption directly to secure cloud storage still has the following problems in terms of function and performance:

(1) Failure to resolve the issue of revocation of search capabilities;

(2) The search capability of the server is not limited;

(3) The search speed is slow, and the search request response time is long;

(4) The search efficiency is low, and there are many bilinear pairing operations.

Among them, the first two problems pose a great threat to the safe storage of user cloud data, while the latter two problems greatly consume the computing resources of the cloud server, making it impossible to respond to a large number of user search requests at the same time, causing users to wait too long, so All are to be avoided.

Contents of the invention

The purpose of the present invention is to: aim at the above existing problems, to provide a revocable keyword search public key encryption method in cloud storage, to meet the requirements of cloud storage environment with high security requirements, the user can revoke the method when necessary The search capability of the cloud server reduces system computing overhead, shortens search request response time, and ensures secure search and retrieval of encrypted cloud data in the cloud storage environment without leaking cloud data content.

The revocable keyword search public key encryption method in the cloud storage of the present invention comprises the following steps:

Step a. system initialization:

Select security parameter k, set system public parameters, and divide system time into integer z time segments: t ₁ , t ₂ ,..., t _z ;

Step b. Generate user public-private key pair:

Generate the corresponding public key P _Pub according to the private key s selected by the client;

Step c. Generate file ciphertext and keyword set ciphertext:

(c1) When the user has a data storage request, the client selects the keyword set W={w _i |i=1,...,n} of the data file M, and encrypts the data file M to obtain the file of the data file M ciphertext C;

并把所述文件密文C和关键字集合密文

发送给服务器存储；(c2) Based on the public parameters, the public key P _Pub , the keyword set W and the current time segment t _i , the client generates the keyword set ciphertext corresponding to the keyword set W

And put the file ciphertext C and keyword set ciphertext

sent to the server for storage;

发送给服务器，服务器更新保存的关键字集合密文。(c3) When a new time segment t _i+1 arrives, the client generates a new keyword set ciphertext based on public parameters, public key P _Pub , keyword set W and the current time segment t _i+1 And put the keyword set ciphertext

Send it to the server, and the server updates the stored keyword set ciphertext.

Further, in the step a, setting system public parameters p, q, GF(p), E, G ₁ , G ₂ , P, e, H ₁ , H ₂ , Q is specifically:

Select large prime numbers p and q according to the safety parameter k, take GF(p) as a p-order finite field, E is an elliptic curve on GF(p), and E(GF(p)) is q formed by points on E Additive cyclic group of order, denoted as G ₁ ;

P is the generator of the additive cyclic group G ₁ ;

The multiplicative cyclic group G ₂ is a q-factorial cyclic group formed by mapping points on the additive cyclic group G ₁ through the bilinear pair e, and the bilinear pair e is the mapping from the additive cyclic group G ₁ to the multiplicative cyclic group G ₂ , e: G ₁ ×G ₁ →G ₂ ;

H ₁ and H ₂ are anti-collision hash functions, the H ₁ is mapped from a set of bit sequences composed of 0 and 1 to the multiplicative cyclic group Z _q ^* ; H ₂ is mapped from a set of bit sequences composed of 0 and 1 to Additive cyclic group G ₁ ;

Q is a random point on the additive cyclic group _G1 .

Based on the encryption method of the present invention, the present invention also provides a revocable keyword search method in cloud storage, comprising the following steps:

The cloud data file M pre-stored by the user is encrypted by the encryption method of the present invention, and the server stores the file ciphertext and the keyword set ciphertext, and when receiving the user's search request, the search process of the present invention is started:

并把所述陷门

发送给服务器；According to the public parameters, private key s, public key P _Pub , keyword w of the search request and current time segment t _i , the client generates a trapdoor corresponding to the keyword w

and put the trapdoor

send to the server;

后，根据公开参数、公钥P_Pub，陷门

和存储的关键字集合密文

进行验证，若验证成功，则返回对应的数据文件M的密文C；否则不返回任何数据。server received trapdoor

Finally, according to the public parameters and the public key P _Pub , the trapdoor

and stored keyword set ciphertext

Verification is performed, and if the verification is successful, the ciphertext C of the corresponding data file M is returned; otherwise, no data is returned.

In summary, owing to adopting above-mentioned technical scheme, the beneficial effect of the present invention is:

(1) The present invention is based on the public key cryptography mode, so there is no need to transfer the session key or negotiate the session key through a secure channel, thereby reducing the storage, communication and computing overhead of the network, and is more suitable for data sharing and high-security cloud storage environment;

(2) Based on the z time segments divided by the present invention, the regular update of the keyword set ciphertext stored on the server side is realized, which solves the problem of revocation of the search ability, limits the search ability of the server, and provides cloud data better security assurance;

(3) In the present invention, each keyword w _i in the keyword set W corresponds to the same keyword set ciphertext in a fixed period of time, so that during the search process, the server of the present invention does not need to pair keywords one by one The ciphertext of each keyword w _i in the set W is verified, and the number of operations of the verification formula during the search is reduced from n times to 1 time, which significantly improves the keyword search efficiency of keyword search public key encryption;

(4) In the present invention, each keyword w _i in the keyword set W corresponds to the same keyword set ciphertext in a fixed period of time, so that the bilinearity required in the search verification process of the present invention Fewer calculations speed up the search speed of the server and greatly shorten the response time of user search requests.

Description of drawings

The invention will be illustrated by way of example with reference to the accompanying drawings, in which:

Fig. 1 is a schematic diagram of a public key encryption process of a specific embodiment of the present invention;

Fig. 2 is a schematic diagram of the file ciphertext and keyword set ciphertext generation process of the specific embodiment of the present invention;

Fig. 3 is a schematic diagram of a search process in a specific embodiment of the present invention.

Detailed ways

All features disclosed in this specification, or steps in all methods or processes disclosed, may be combined in any manner, except for mutually exclusive features and/or steps.

Any feature disclosed in this specification (including any appended claims, abstract and drawings), unless expressly stated otherwise, may be replaced by alternative features which are equivalent or serve a similar purpose. That is, unless expressly stated otherwise, each feature is one example only of a series of equivalent or similar features.

The present invention is based on the theory of elliptic curve cryptography, and proposes a revocable keyword search public key encryption method in secure cloud storage, which is applied to the cloud storage environment with high security requirements, and the user can revoke the search ability of the cloud server when necessary , reducing computing overhead, shortening the response time of search requests, and realizing secure search and retrieval of encrypted cloud data in cloud storage environments without leaking cloud data content.

At first the applied mathematical theory of the present invention is briefly introduced:

(1) Elliptic Curve Cryptosystem ECC

Let p and q be large prime numbers, GF(p) is a p-order finite field, E is an elliptic curve on GF(p), E(GF(p)) is a q-order cyclic group composed of points on E, P∈ E(GF(p)) is the generator. For the definition of elliptic curve and the selection of security parameters, please refer to the literature: Don Johnson, Alfred Menezes and Scott Vanstone, The Elliptic Curve Digital Signature Algorithm (ECDSA), IJLS, vol.1issue1(2001), 36-63.

(2) Hash function

The Hash function is a function that transforms an input message of arbitrary length into an output message of fixed length, and this output is called the Hash value of the message. A secure Hash function should at least meet the following conditions: ①The input length is arbitrary; ②The output length is fixed, at least 128 bits long, so as to resist birthday attacks; ③For each given input, it can be easily Calculate its output, that is, the Hash value; ④Given the description of the Hash function, it is computationally infeasible to find two different input messages Hash to the same value, or given the description of the Hash function and a randomly selected message, find Another message that is different from this message, making it computationally infeasible for them to hash to the same value. The Hash function is mainly used for integrity verification and improving the validity of digital signatures.

In the present invention, the Hash function H ₁ : {0,1} ^* →Z _q ^* is mapped from the bit sequence set composed of 0 and 1 to the multiplicative cyclic group Z _q ^* . H ₂ :{0,1} ^* →G ₁ is an additive cyclic group G ₁ mapped from a bit sequence set composed of 0 and 1 to an elliptic curve.

(3) Finite fields

A finite field is a set containing a finite number of elements, which satisfies the properties of being closed to addition and multiplication. The order of a finite field is the number of elements in the field. A finite field whose order is a prime number p is generally denoted as GF(p). In finite fields, there are two groups, one is the group formed by GF(p) for addition, and the other is the group formed by GF(p)-0 for multiplication. In a multiplicative cyclic group, all powers of the generators give all elements of the group. In the present invention, Z _q ^* represents the group formed by removing zero elements in the group Z _q , G ₁ is the additive cyclic group on the elliptic curve, and G ₂ is the multiplicative cyclic group on the elliptic curve.

(4) Prime numbers and mutual primes

The so-called prime number refers to any integer p greater than 1, if it can only be divisible by ±1 and ±p, it is called a prime number;

The so-called mutual prime refers to two integers, if their greatest common divisor is 1, then they are called mutual prime.

(5) point scalar multiplication operation

Let E be an elliptic curve defined on the field GF(p). According to the "chord and tangent" law, two points P and Q on E(GF(p)) are added to obtain E(GF(p)) The third point R of . The point set E(GF(p)) and its addition operation constitute an additive commutative group, and O is its point at infinity.

Let P=(x ₁ , y ₁ ) and Q=(x ₂ , y ₂ ) be two different points on the elliptic curve E, then the sum of P and Q R=(x ₃ , y ₃ ) is defined as follows: First draw a straight line connecting P and Q, and this straight line intersects the elliptic curve at the third point, then the symmetric point of this intersection point with respect to the x-axis is point R.

If P=(x ₁ , y ₁ ) and Q=(x ₂ , y ₂ ) are two identical points on the elliptic curve E, then finding the sum of P and Q is equivalent to finding the double point R=( x ₃ , y ₃ ): First, draw the tangent line of the elliptic curve at point P. This tangent line intersects the elliptic curve at the second point. The symmetric point of this intersection point with respect to the x-axis is the doubling point.

Point scalar multiplication is the most basic and important link in elliptic curve public key cryptosystem. The point scalar multiplication operation Q=kP on the elliptic curve is defined as follows: Given an elliptic curve E and a point P on the curve, the point multiplication kP of point P on the curve E is defined as adding k times to the point P and itself And, kP=P+P+...+P, a total of k Ps are added. The point scalar multiplication operation is also called the point multiplication operation. It is a multiple point addition operation of the same basic point on the elliptic curve. Its running time determines the realization time of the elliptic curve cryptosystem, so it determines the elliptic curve cryptosystem. operating speed. For the specific calculation method of point-scalar multiplication, please refer to the literature: Stinson A.R., translated by Feng Dengguo, etc. Cryptography Principles and Practice. Third Edition, Beijing: Electronic Industry Press, 2009.201-208.

(6) Bilinear pairing

Suppose G ₁ is an additive cyclic group, G ₂ is a multiplicative cyclic group, the order of the groups is q, and P is the generator of the group G ₁ . Mapping e: G ₁ ×G ₁ →G ₂ satisfies the following three conditions, it is called bilinear pairing.

e(aP，bP)=e(P，P)^ab成立；(1) Bilinear, that is, for any

e(aP, bP)=e(P, P) ^ab is established;

(2) Non-degenerate, ie

(3) e can be efficiently calculated.

Such bilinear pairs can be constructed by supersingular elliptic curves over finite fields and Tate pairs or Weil pairs of supersingular hyperelliptic curves. For the construction and application of bilinear pairing operations, refer to: Boneh D., Franklin M., 2001. Identity-based encryption from the Weil pairings, in: Advances in Cryptology-Crypto, in: LNCS, vol.3494, Springer-Verlag, Berlin, 2001:213-229.

With reference to Fig. 1, concrete realization of the present invention is as follows:

Step S100. System initialization:

Step S101: Select security parameter k, set system public parameters (p, q, GF(p), E, G ₁ , G ₂ , P, e, H ₁ , H ₂ , Q) as follows: select large Prime numbers p and q, GF(p) is a finite field of order p, E is an elliptic curve on GF(p), E(GF(p)) is an additive cyclic group of order q formed by points on E, denoted as group G ₁ , P∈G ₁ is the generator. Group G ₂ is a q-factorial cyclic group formed by mapping points on group G ₁ through bilinear pair e, and bilinear pair e is the mapping e from group G ₁ to group G ₂ : G ₁ ×G ₁ →G ₂ . H ₁ and H ₂ are anti-collision Hash functions, and Q is a random point on the group G ₁ .

Step S102: Divide the system time into z time segments t ₁ , t ₂ , ..., t _z according to the security parameter k, and denote the current i-th time segment of the system as t _i .

Step S200. Generate user public-private key pair:

作为私钥，计算相应的公钥P_Pub＝sP。The client randomly selects the secret integer

As a private key, the corresponding public key P _Pub =sP is calculated.

Step S300. Generate file ciphertext and keyword set ciphertext:

When the user has a storage request for the data file M, the client first selects the keyword set W={w ₁ ,…,w _n } of the data file M, and selects any symmetric encryption algorithm (such as the Advanced Encryption Standard Algorithm AES) to encrypt the data File M, get file ciphertext C. In the present invention, the encryption of the data file M can adopt either a symmetric encryption algorithm or an asymmetric encryption algorithm. When an asymmetric encryption algorithm is used, the user terminal public key P _Pub is used to encrypt the data, and the private key s is used for decryption. .

并把

与文件密文C一起发送服务器保存。当下一时间片段t_i+1到达时，用户端计算新的关键字集合密文并把服务器存储的更新为

参照图2，本过程的具体实现如下：Then use the system public parameters, the public key P _Pub and the current time segment t _i to encrypt the keyword set {w ₁ ,…,w _n }, and generate the keyword set ciphertext for the t _i period

and put

Send the server with the file ciphertext C for storage. When the next time segment t _i+1 arrives, the client calculates a new key set ciphertext and store the server update to

Referring to Figure 2, the specific implementation of this process is as follows:

Step S301: When the user has a data storage request, the user first selects W={w _i |i=1,...,n} of the data file M, and then selects a symmetric encryption algorithm to encrypt the data file to obtain the file of the data file M ciphertext C;

Step S302: The client encrypts {w ₁ ,...,w _n } according to the public parameters and the public key P _Pub to generate the keyword set ciphertext of the current time segment t _i

计算C₁=γP和C₂=e(P_pub,Q)^γ；Step S302-a: Random selection

Calculate C ₁ =γP and C ₂ =e(P _pub ,Q) ^γ ;

Step S302-b: For each i=1,...,n, calculate x _i =H ₁ (w _i ), use {x ₁ ,...,x _n } to construct a Lagrangian difference polynomial, and obtain every n polynomial f _i (x),

${\mathrm{<span\; class="notranslate">\; f</span>}}_{\mathrm{<span\; class="notranslate">\; i</span>}}<span\; class="notranslate">\; (</span>\mathrm{<span\; class="notranslate">\; x</span>}<span\; class="notranslate">\; )</span><span\; class="notranslate">\; =</span>\underset{\mathrm{<span\; class="notranslate">\; 1</span>}<span\; class="notranslate">\; \&le;</span>\mathrm{<span\; class="notranslate">\; j</span>}<span\; class="notranslate">\; \&NotEqual;</span>\mathrm{<span\; class="notranslate">\; i</span>}<span\; class="notranslate">\; \&le;</span>\mathrm{<span\; class="notranslate">\; no</span>}}{\mathrm{<span\; class="notranslate">\; \&Pi;</span>}}\frac{\mathrm{<span\; class="notranslate">\; x</span>}<span\; class="notranslate">\; -</span>{\mathrm{<span\; class="notranslate">\; x</span>}}_{\mathrm{<span\; class="notranslate">\; j</span>}}}{{\mathrm{<span\; class="notranslate">\; x</span>}}_{\mathrm{<span\; class="notranslate">\; i</span>}}<span\; class="notranslate">\; -</span>{\mathrm{<span\; class="notranslate">\; x</span>}}_{\mathrm{<span\; class="notranslate">\; j</span>}}}<span\; class="notranslate">\; =</span>{\mathrm{<span\; class="notranslate">\; a</span>}}_{\mathrm{<span\; class="notranslate">\; i</span>}<span\; class="notranslate">\; ,</span>\mathrm{<span\; class="notranslate">\; 1</span>}}<span\; class="notranslate">\; +</span>{\mathrm{<span\; class="notranslate">\; a</span>}}_{\mathrm{<span\; class="notranslate">\; i</span>}<span\; class="notranslate">\; ,</span>\mathrm{<span\; class="notranslate">\; 2</span>}}\mathrm{<span\; class="notranslate">\; x</span>}<span\; class="notranslate">\; +</span><span\; class="notranslate">\; .</span><span\; class="notranslate">\; .</span><span\; class="notranslate">\; .</span><span\; class="notranslate">\; +</span>{\mathrm{<span\; class="notranslate">\; a</span>}}_{\mathrm{<span\; class="notranslate">\; i</span>}<span\; class="notranslate">\; ,</span>\mathrm{<span\; class="notranslate">\; no</span>}}{\mathrm{<span\; class="notranslate">\; x</span>}}^{\mathrm{<span\; class="notranslate">\; no</span>}<span\; class="notranslate">\; -</span>\mathrm{<span\; class="notranslate">\; 1</span>}}<span\; class="notranslate">\; ,</span>$

n is the number of elements in the selected keyword set, the coefficients a _i,1 ,a _i,2 ,…, of the polynomial f _i (x)

Step S302-c: For each i=1,...,n, the UE selects a random number _Calculate y _i ⁼ α _{i -1 γ and}

其中符号“||”表示追加操作，即把t_i追加在w_i之后；Step S302-d: For each i=1,...,n, calculate x _i ′=H ₂ (w _i ||t _i ), t _i is the current time segment, according to a _i,1 , a _i,2 ,...,a _i,n calculate

The symbol "||" represents an additional operation, that is, append t _i after w _i ;

给服务器；Step S302-e: Send file ciphertext C and keyword set ciphertext

to the server;

并发送给服务器，服务器收到

后，将存储关键字集合密文

更新为

Step S303: When the next time segment t _i+1 arrives, the client uses the system public parameters, public key P _Pub and the next time segment t _i+1 to recalculate steps (S302-c) and (S302-d), Get the new keyword set ciphertext

and sent to the server, the server receives

After that, the key set ciphertext will be stored

update to

根据（S302-b）中时间片段t_i的多项式系数a_i,1,a_i,2,…,a_i，n，计算和

其中γ的值与时间片段t_i的值相同；Step S303-a: For each i=1,...,n, select a random number

According to the polynomial coefficients a _i,1 ,a _i,2 ,...,a _i,n of the time segment t _i in (S302-b), calculate and

where the value of γ is the same as the value of time segment t _i ;

t_i+1是时间片段t_i的下一个时间片段，根据多项式f_i(x)的系数a_i，1，a_i,2,…,a_i,n计算

和

Step S303-b: For each i=1,...,n, calculate

t _i+1 is the next time segment of time segment t _i , calculated according to the coefficients a _{i, 1} , a _i,2 ,...,a _i,n of the polynomial f _i (x)

and

其中C₁,C₂与时间片段t_i中计算的值相同。用户端把发送给服务器，服务器收到

后，将

更新为

Step S303-c: Generate keyword set ciphertext

Where C ₁ , C ₂ are the same as the values calculated in the time segment t _i . The client puts sent to the server, the server receives

after that will

update to

Step S400. The user conducts a keyword search process:

并发送给服务器，服务器根据陷门判断关键字集合密文与陷门是否满足验证公式，若是，则返回相应的数据文件M的文件密文C，否则不返回任何信息。参照图3，本过程的具体实现如下：When the user has a keyword search request, the client generates a trapdoor corresponding to the keyword w according to the private key s and the current time segment t _i

And send it to the server, the server judges whether the keyword set ciphertext and the trapdoor satisfy the verification formula according to the trapdoor, and if so, returns the file ciphertext C of the corresponding data file M, otherwise no information is returned. Referring to Figure 3, the specific implementation of this process is as follows:

信息：Step S401: When the user has a search request for a keyword w, the client generates a trapdoor corresponding to the keyword w according to the public parameters, the private key s, the keyword w of the search request and the current time segment t _i

information:

信息中的分量T₁=H₁(w)，根据Hash函数H₂计算T＝H₂(w||t_i)，所述t_i是系统当前的时间片段；Step S401-a: Calculate according to the Hash function H ₁

The component T ₁ =H ₁ (w) in the information, calculate T=H ₂ (w||t _i ) according to the Hash function H ₂ , the t _i is the current time segment of the system;

信息中的分量T₂s(Q+T)；Step S401-b: Calculate the trapdoor according to the random point Q in the public parameters and the private key s

The component T ₂ s(Q+T) in the message;

发送给服务器；The trapdoor corresponding to keyword w in time segment t _i is Keyword trapdoor

send to the server;

后，根据公开参数，公钥P_Pub，陷门

和存储的关键字集合密文

搜索

中是否包含陷门对应的关键字，并返回搜索结果。Step S402: The server receives the trapdoor

Finally, according to the public parameters, public key P _Pub , trapdoor

and stored keyword set ciphertext

search

Is there a trapdoor in corresponding keywords and return the search results.

中的T₁和密文中的(R₁,…，R_n,U₁,…U_n)分别计算λ＝R₁+R₂T₁+…+R_nT₁ ^n-1(modq)，v=U₁+U₂T₁+…+U_nT₁ ^n-1(modq)；Step S402-a: The server according to the trapdoor

T ₁ and ciphertext in (R ₁ ,…,R _n ,U ₁ ,…U _n ) in the calculation respectively λ=R ₁ +R ₂ T ₁ +…+R _n T ₁ ^n-1 (modq), v=U ₁ +U ₂ T ₁ +...+U _n T ₁ ^n-1 (modq);

则不返回任何数据。Step S402-b: The server checks whether the formula C ₂ =e(C ₁ ,T ₂ )/e(v,λ) is established according to the obtained values of v and λ; if so, it indicates that the keyword w∈{w ₁ ,w ₂ ,...,w _n }, the server returns the file ciphertext C of the data file M that satisfies the conditions to the user; otherwise, that is

then no data is returned.

The present invention is not limited to the foregoing specific embodiments. The present invention extends to any new feature or any new combination disclosed in this specification, and any new method or process step or any new combination disclosed.

Claims (10)

1. voidable keyword search key encrypt method during a cloud is stored is characterized in that, comprises the following steps:

Step a. system initialization:

Select security parameter k, openly parameter of system is set, and system time is divided into an integer z time slice: t ₁, t ₂..., t _z

Step b. generates user's public private key pair:

Private key s according to user side is selected generates corresponding PKI P _Pub

Step c spanned file ciphertext and set of keywords ciphertext:

(c1) when the user has data storage request, user side is chosen the set of keywords W={w of data file M _i| i=1 ..., n}, and data file M is encrypted, the file cipher text C of data file M obtained;

(c2) user side is based on described open parameter, PKI P _Pub, set of keywords W and current time slice t _i, generate set of keywords ciphertext corresponding to described set of keywords W

And described file cipher text C and set of keywords ciphertext

Send to server stores;

(c3) as new time slice t _I+1During arrival, user side is based on open parameter, PKI P _Pub, set of keywords W and current time slice t _I+1, generate new set of keywords ciphertext

And described set of keywords ciphertext Send to server, the set of keywords ciphertext that server update is preserved.

2. the method for claim 1 is characterized in that, among the described step a, and the open parameter p of the system that arranges, q, GF (p), E, G ₁, G ₂, P, e, H ₁, H ₂, Q is specially:

Select large prime number p, q according to described security parameter k, get GF (p) and be p rank finite field, E is the elliptic curve on the GF (p), and E (GF (p)) is the q rank addition cyclic group that the point on the E consists of, and is designated as G ₁

P is addition cyclic group G ₁Generator;

Multiplication loop group G ₂Addition cyclic group G ₁On the q factorial method cyclic group that e mapping consisted of through bilinearity of point, bilinearity is from addition cyclic group G to e ₁To multiplication loop group G ₂Mapping, e:G ₁* G ₁→ G ₂

H ₁And H ₂The crash-resistant hash function, described H ₁To multiplication loop group Z from the 0 and 1 bit sequence compound mapping that forms _q ^*H ₂To addition cyclic group G from the 0 and 1 bit sequence compound mapping that forms ₁

Q is addition cyclic group G ₁On a random point.

3. method as claimed in claim 2 is characterized in that, in the described step (c2), generates set of keywords ciphertext corresponding to set of keywords W Be specially:

(c2.1) select at random

Calculate C ₁=γ P, C ₂=e (P _Pub, Q) ^γ

(c2.2) to each i=1 ..., n calculates x _i=H ₁(w _i), according to { the x that obtains ₁..., x _nThe Lagrangian difference multinomial of structure, every n polynomial f obtained _i(x):

$f_i\left(x\right)=\underset{1\&le;j\&NotEqual;i\&le;n}{\mathrm{\&Pi;}}\frac{x-x_j}{x_i-x_j}=a_{i,1}+a_{i,2}x+...+a_{i,n}{x}^{n-1},$

N is the number of element in the set of keywords of selecting, polynomial f _i(x) coefficient a _{I, 1}, a _{I, 2}...,

(c2.3) to each i=1 ..., n selects a random number

Based on polynomial f _i(x) coefficient a _{I, 1}, a _{I, 2}..., a _{I, n}Calculate y _i=α _i ^-1γ,

(c2.4) to each i=1 ..., n calculates x _i'=H ₂(w _i|| t _i), described t _iBe current time slice, operation is appended in symbol " || " expression, namely t _iAppend at w _iAfterwards; Based on polynomial f _i(x) coefficient a _{I, 1}, a _{I, 2}..., a _{I, n}, calculate $R_i=\underset{j=1}{\overset{n}{\mathrm{\&Sigma;}}}{a}_{j,i}{y}_j{x}_j^{\&prime;};$

(c2.5) generate set of keywords ciphertext corresponding to set of keywords W

4. method as claimed in claim 3 is characterized in that, in the described step (c3), generates new set of keywords ciphertext

Be specially:

(c3.1) to each i=1 ..., n selects a random number

Based on the polynomial f in the step (c2.2) _i(x) coefficient a _{I, 1}, a _{I, 2}..., a _{I, n}Calculate ${y_i}^{*}={\left({{\mathrm{\&alpha;}}_i}^{*}\right)}^{-1}\mathrm{\&gamma;},$ ${U_i}^{*}=\underset{j=1}{\overset{n}{\mathrm{\&Sigma;}}}{a}_{j,i}{{\mathrm{\&alpha;}}_j}^{*}{P}_{\mathrm{pub}};$

(c3.2) to each i=1 ..., n calculates Based on described polynomial f _i(x) coefficient a _{I, 1}, a _{I, 2}..., a _{I, n}Calculate ${R_i}^{*}=\underset{j=1}{\overset{n}{\mathrm{\&Sigma;}}}{a}_{j,i}{y_j}^{*}{x_j^{\&prime;}}^{*},$ $U_i^{*}=\underset{j=1}{\overset{n}{\mathrm{\&Sigma;}}}{a}_{j,i}{\mathrm{\&alpha;}}_j^{*}{P}_{\mathrm{pub}}.$

(c3.3) generate set of keywords ciphertext corresponding to set of keywords W

5. such as claim 1,2,3 or 4 described methods, it is characterized in that, in the step (c1), based on symmetric encipherment algorithm data file M is encrypted.

6. one kind based on voidable keyword search method in the cloud storage of claim 1,2 or 3 encryption method, it is characterized in that, comprises the following steps:

User side is according to described open parameter, and private key s generates corresponding PKI P _Pub, the keyword w of searching request and current time slice t _i, generate trapdoor corresponding to described keyword w

And described trapdoor

Send to server;

Server is received trapdoor

After, according to open parameter, PKI P _Pub, trapdoor

Set of keywords ciphertext with storage

Verify, if be proved to be successful, then return the ciphertext C of corresponding data file M; Otherwise do not return any data.

7. method as claimed in claim 6 is characterized in that, user side generates trapdoor corresponding to keyword w Comprise two part (T ₁, T ₂), described T ₁Based on crash-resistant hash function H ₁Calculate T ₁=H ₁(w) obtain T ₂Based on crash-resistant hash function H ₂Calculate T ₂=s (Q+H ₂(w||t _i)) obtain, wherein, Q is addition cyclic group G ₁On a random point, described G ₁For: select large prime number p, q according to described security parameter k, get GF (p) and be p rank finite field, E is the elliptic curve on the GF (p), and E (GF (p)) is the q rank addition cyclic group that the point on the E consists of.

8. voidable keyword search method during the cloud based on the encryption method of claim 4 is stored is characterized in that, comprises the following steps:

User side is according to described open parameter, private key s, PKI P _Pub, the keyword w of searching request and current time slice t _i, generate trapdoor corresponding to described keyword w And described trapdoor Send to server;

Server is received trapdoor After, according to open parameter, PKI P _Pub, trapdoor

Set of keywords ciphertext with storage Verify, if be proved to be successful, then return the ciphertext C of corresponding data file M; Otherwise do not return any data.

9. method as claimed in claim 8 is characterized in that, user side generates trapdoor corresponding to keyword w

Comprise two part (T ₁, T ₂), described T ₁Based on crash-resistant hash function H ₁Calculate T ₁=H ₁(w) obtain T ₂Based on crash-resistant hash function H ₂Calculate T ₂=s (Q+H ₂(w||t _i)) obtain.

10. method as claimed in claim 9 is characterized in that, server is received trapdoor

After, according to open parameter, PKI P _Pub, trapdoor Set of keywords ciphertext with storage

The process of verifying is:

According to trapdoor

In T ₁With the set of keywords ciphertext In (R ₁..., R _n, U ₁... U _n) calculate respectively $\mathrm{\&lambda;}=R_1+R_2{T}_1+...+R_n{T}_1^{n-1}\left(\mathrm{mod}q\right),$ $v=U_1+U_2{T}_1+...+U_n{T}_1^{n-1}\left(\mathrm{mod}q\right);$

Judge check formula C based on the value of described v and λ ₂=e (C ₁, T ₂Whether)/e (v, λ) sets up, if set up, then checks successfully.

Images