CN104038349A

CN104038349A - Effective and verifiable public key searching encryption method based on KP-ABE

Info

Publication number: CN104038349A
Application number: CN201410316818.4A
Authority: CN
Inventors: 马华; 刘鹏亮; 王剑锋; 聂海新
Original assignee: Xidian University
Current assignee: Xidian University
Priority date: 2014-07-03
Filing date: 2014-07-03
Publication date: 2014-09-10
Anticipated expiration: 2034-07-03
Also published as: CN104038349B

Abstract

The invention discloses an effective and verifiable public key searchable encryption method based on KP-ABE. The method includes a trusted authority center, a data owner, a cloud server, and a data user; the trusted authority center generates certificates for all cloud users ; The data owner outsources data files and keywords to the cloud server; the cloud server provides storage services and executes the search operation after receiving the search request sent by the user; the data user generates a search password and sends it to the cloud server to find the target file. The present invention firstly generates a public-private key pair for the data owner and the cloud server, and when sending the cipher text keywords and search passwords, first uses the public key of the cloud server to re-encrypt them, thus effectively preventing offline guessing by external attackers The attack behavior improves the security of information and data, and the complexity is reduced, which greatly reduces the user's calculation load and greatly improves the efficiency.

Description

An Effectively Verifiable Public Key Searchable Encryption Method Based on KP-ABE

技术领域technical field

本发明属于数据加密领域，尤其涉及一种基于KP-ABE的有效可验证的公钥可搜索加密方法。The invention belongs to the field of data encryption, in particular to an effective and verifiable public key searchable encryption method based on KP-ABE.

背景技术Background technique

公钥可搜索加密是一个非常具有吸引力的密码学原语，它实现了基于密文的信息检索，特别适用于云计算环境。公钥可搜索加密方案(PEKS)使得用户凭借关键词在不泄露任何信息的情况下搜索加密数据。PEKS的概念是由Boneh等提出的，Baek等人提出了一种去除安全通道的PEKS，使得方案更加实用。在此之后，Hu等人和Zhao等人提出了可抵抗外部攻击者离线关键词猜测的新方案。简而言之，PEKS的概念是提供一种用户凭借关键词去搜索加密数据且不向包括服务器在内的其他方泄露任何信息的机制。随着云计算的快速发展，使得用户可以以低廉的价格使用云服务器的大量存储和计算的能力。这使得PEKS变得更加流行。尽管目前现存的PEKS可以安全有效地完成搜索操作，然而大多数方案却没有对服务器返回的搜索结果进行验证，同时也没有对搜索用户进行限制。在一个半诚实但可信的服务器的模型下，服务器可能只执行部分搜索操作或者只返回部分搜索结果。针对这一问题，Zheng等人首次针对此问题提出了一个新的密码学原语——基于属性加密的可验证的关键词搜索方案。该方案允许数据拥有者去控制搜索操作。访问控制策略的合法用户可以把费时的搜索操作外包给云服务器并且可以有效地验证服务器是否真实地执行了搜索操作。这意味着，具备满足数据拥有者的访问策略的条件的用户才可以进行搜索云服务器上的加密数据。此外，用户还可以对服务器返回的搜索结果进行正确性和完整性的验证。该方案运用模指数，属性加密，布隆过滤器，数字签名和基于属性加密的关键词搜索构造而成。然而该方案在正确性验证的时候所做的操作和云服务器的做法相同，然而对于用户自己来说，这需要很大的计算量。另外，该方案疏忽了离线猜测攻击。因为关键词密文、搜索口令和算法很容易被敌手获取，这样敌手便可执行搜索操作，从而打破关键词密文的不可区分性。Public-key searchable encryption is a very attractive cryptographic primitive, which implements information retrieval based on ciphertext, and is especially suitable for cloud computing environments. Public Key Searchable Encryption Scheme (PEKS) enables users to search encrypted data by keywords without revealing any information. The concept of PEKS was proposed by Boneh et al. Baek et al. proposed a PEKS that removes the security channel, making the solution more practical. Following this, Hu et al. and Zhao et al. proposed new schemes that are resistant to offline keyword guessing by external attackers. In short, the concept of PEKS is to provide a mechanism for users to search encrypted data by keywords without disclosing any information to other parties including the server. With the rapid development of cloud computing, users can use the massive storage and computing capabilities of cloud servers at low prices. This has made PEKS even more popular. Although the existing PEKS can safely and effectively complete the search operation, most of the solutions do not verify the search results returned by the server, and do not restrict the search users. Under a model of semi-honest but trusted servers, the server may only perform part of the search operation or return only part of the search results. In response to this problem, Zheng et al. proposed a new cryptographic primitive for this problem for the first time—a verifiable keyword search scheme based on attribute encryption. This scheme allows data owners to control search operations. Legitimate users of access control policies can outsource time-consuming search operations to cloud servers and can effectively verify that the server actually performed the search operation. This means that users who meet the conditions of the data owner's access policy can search the encrypted data on the cloud server. In addition, users can also verify the correctness and completeness of the search results returned by the server. The scheme is constructed by using modular exponent, attribute encryption, Bloom filter, digital signature and keyword search based on attribute encryption. However, this solution performs the same operation as the cloud server when verifying the correctness, but for the user itself, this requires a large amount of calculation. In addition, the scheme ignores the offline guessing attack. Because the keyword ciphertext, search password and algorithm are easily obtained by the adversary, the adversary can perform the search operation, thus breaking the indistinguishability of the keyword ciphertext.

发明内容Contents of the invention

本发明的目的在于提供一种基于KP-ABE的有效可验证的公钥可搜索加密方法，旨在在正确性验证方面大大减少用户的运算量，利用服务器的公钥对关键词密文进行再加密，防止外部攻击者的离线猜测攻击，提高方案的安全性。The purpose of the present invention is to provide an effective and verifiable public key searchable encryption method based on KP-ABE, which aims to greatly reduce the user's calculation load in terms of correctness verification, and use the server's public key to re-encrypt the keyword ciphertext. Encryption prevents offline guessing attacks by external attackers and improves the security of the solution.

符号说明：Symbol Description:

F＝{F₁}||{F₂}||…||{F_n}:加密文件的集合；F＝{F ₁ }||{F ₂ }||...||{F _n }: collection of encrypted files;

ID{F_i}:文件{F_i}的地址；ID{F _i }: address of file {F _i };

ID_w:包含关键词w的文件的地址；ID _w : the address of the file containing the keyword w;

W_E:W的密文；W _E : W's ciphertext;

BF：包含所有关键词的布隆过滤器；BF: Bloom filter containing all keywords;

SYM_Enc()：对称加密算法；SYM _Enc (): Symmetric encryption algorithm;

ABE()：基于密钥策略的属性加密算法。ABE(): Key policy-based attribute encryption algorithm.

本发明是这样实现的，一种基于KP-ABE的有效可验证的公钥可搜索加密方法，所述的基于KP-ABE的有效可验证的公钥可搜索加密方法包括可信权威中心、数据拥有者、云服务器、数据用户；可信权威中心选取双线性对和哈希函数，为系统生成公参pm和主密钥mk；通过运行RSA算法，为数据拥有者和云服务器生成公私钥对；通过访问结构中的Share(T,ac)算法，为用户生成私钥sk；数据拥有者从外包的数据文件F中提取关键词w；外包F，并生成关键词w密文cph并发送给云服务器；云服务器对数据拥有者发送来的数据提供存储服务并在收到用户发送的搜索口令tk后执行搜索，并将搜索结果和搜索证据返回给用户；数据用户用私钥sk生成搜索口令tk并发送给云服务器；在收到云服务器返回的搜索结果后，对结果的正确性和完整性进行验证；The present invention is achieved in this way, an effective and verifiable public key searchable encryption method based on KP-ABE, and the effective and verifiable public key searchable encryption method based on KP-ABE includes a trusted authority center, data Owner, cloud server, data user; the trusted authority center selects bilinear pairing and hash function to generate public parameter pm and master key mk for the system; generates public and private keys for data owner and cloud server by running RSA algorithm Yes; through the Share(T,ac) algorithm in the access structure, generate a private key sk for the user; the data owner extracts the keyword w from the outsourced data file F; outsource F, and generate the keyword w ciphertext cph and send it To the cloud server; the cloud server provides storage services for the data sent by the data owner and executes the search after receiving the search password tk sent by the user, and returns the search results and search evidence to the user; the data user uses the private key sk to generate a search The password tk is sent to the cloud server; after receiving the search result returned by the cloud server, the correctness and completeness of the result are verified;

所述的基于KP-ABE的有效可验证的公钥可搜索加密方法包括六个算法，l为安全参数，可信权威中心运行RSA算法为云服务器和数据拥有者生成公私钥对：{(n₁,e₁),d₁}和{(n₂,e₂),d₂}；数据拥有者通过数字签名来保证数据文件的完整性，用云服务器的公钥对密文关键词进行再加密来防止外部攻击者的离线猜测攻击，当数据拥有者用SYM_Enc()加密算法对数据文件加密后外包给云服务器，服务器返回加密文件的地址，记为ID{F_i}，这样包含关键词w的数据文件即可表示为ID_w＝ID{F₁}||ID{F₂}…||ID{F_i}。The described effective and verifiable public key searchable encryption method based on KP-ABE comprises six algorithms, l is a security parameter, and the credible authority center runs the RSA algorithm to generate a public-private key pair for the cloud server and the data owner: {(n ₁ ,e ₁ ),d ₁ } and {(n ₂ ,e ₂ ),d ₂ }; the data owner guarantees the integrity of the data file through digital signature, and uses the public key of the cloud server to reconstruct the ciphertext keywords. Encryption to prevent offline guessing attacks by external attackers. When the data owner encrypts the data file with the SYM _Enc () encryption algorithm and outsources it to the cloud server, the server returns the address of the encrypted file, which is recorded as ID{F _i }, which contains the key The data file of word w can be expressed as ID _w =ID{F ₁ }||ID{F ₂ }...||ID{F _i }.

进一步，所述公钥可搜索加密方法具体包括:Further, the public key searchable encryption method specifically includes:

可信权威中心选取双线性对和哈希函数，为可搜索加密系统：可信授权中心管理数据拥有者、用户和云服务器；The trusted authority center selects bilinear pairing and hash function as a searchable encryption system: the trusted authority center manages data owners, users and cloud servers;

数据拥有者将数据文件传送至云服务器；The data owner sends the data file to the cloud server;

云服务器提供存储和检索服务；Cloud servers provide storage and retrieval services;

用户通过云服务器搜索存储在其上的数据文件；The user searches the data files stored on the cloud server through the cloud server;

可信权威中心生成公参pm和主密钥mk；通过运行如下RSA算法：The trusted authority center generates the public parameter pm and the master key mk; by running the following RSA algorithm:

按以下3个步骤：Follow these 3 steps:

i)选择不同的大素数p和q,计算n＝p*q；i) select different large prime numbers p and q, and calculate n=p*q;

ii)选择e与互素，(n,e)作为公钥；ii) Choose e with Mutually prime, (n, e) as the public key;

iii)通过计算d，(n,d)作为私钥；iii) pass Calculate d, (n,d) as the private key;

这里数n,e,d分别为模数，加密指数和解密指数；here The numbers n, e, and d are modulus, encryption index and decryption index respectively;

按照此算法，选取不同的大素数p₁和q₁，p₂和q₂，为数据拥有者和服务器生成公私钥对{(n₁,e₁),d₁}和{(n₂,e₂),d₂}；According to this algorithm, select different large prime numbers p ₁ and q ₁ , p ₂ and q ₂ to generate public-private key pairs {(n ₁ ,e ₁ ),d ₁ } and {(n ₂ ,e ₂ ),d ₂ };

通过访问结构中的Share(T,ac)算法，按如下步骤：By accessing the Share(T,ac) algorithm in the structure, follow the steps below:

访问树T的每一个叶子节点都关联着秘密ac的部分分享q_v(0)，对每一个叶子节点v∈lvs(T)，选取t←Z_p，计算和B_v＝g^t，记sk＝(T,A_v,B_v)|v∈lvs(T))为用户的私钥。Each leaf node of the access tree T is associated with the partial share q _v (0) of the secret ac. For each leaf node v∈lvs(T), select t←Z _p and calculate and B _v =g ^t , record sk=(T,A _v ,B _v )|v∈lvs(T)) as the user's private key.

进一步，所述的基于KP-ABE的有效可验证的公钥可搜索加密方法包括六个算法，l为安全参数，可信权威中心运行RSA算法为云服务器和数据拥有者生成公私钥对：{(n₁,e₁),d₁}和{(n₂,e₂),d₂}。数据拥有者通过数字签名来保证数据文件的完整性，用云服务器的公钥对密文关键词进行再加密来防止外部攻击者的离线猜测攻击，当数据拥有者用SYM_Enc()加密算法对数据文件加密后外包给云服务器，服务器返回加密文件的地址，记为ID{F_i}，这样包含关键词w的数据文件即可表示为ID_w＝ID{F₁}||ID{F₂}…||ID{F_i}。Further, the effective and verifiable public key searchable encryption method based on KP-ABE includes six algorithms, l is a security parameter, and the trusted authority center runs the RSA algorithm to generate a public-private key pair for the cloud server and the data owner:{ (n ₁ ,e ₁ ),d ₁ } and {(n ₂ ,e ₂ ),d ₂ }. The data owner guarantees the integrity of the data file through a digital signature, and re-encrypts the ciphertext keywords with the public key of the cloud server to prevent offline guessing attacks by external attackers. When the data owner uses the SYM _Enc () encryption algorithm to encrypt After the data file is encrypted, it is outsourced to the cloud server, and the server returns the address of the encrypted file, which is recorded as ID{F _i }, so that the data file containing the keyword w can be expressed as ID _w = ID{F ₁ }||ID{F ₂ }...||ID{F _i }.

进一步，所述的基于KP-ABE的有效可验证的公钥可搜索加密方法的具体方案为：Further, the specific scheme of the effective and verifiable public key searchable encryption method based on KP-ABE is:

步骤一、初始化(1^l)：可信权威中心选择双线性对：e:G×G→G_T，G和G_T是阶为p的循环群，p为l比特长的素元，选择随机预言机模型下的哈希函数H₁:{0,1}^*→G；H₂:{0,1}^*→Z_p是单向哈希函数，选择a,b,c←Z_p，g←G，pm＝(H₁,H₂,e,g,p,g^a,g^b,g^c,G,G_T),mk＝(a,b,c)Step 1. Initialization (1 ^l ): The trusted authority center selects a bilinear pairing: e:G×G→G _T , where G and G _T are cyclic groups of order p, and p is a prime element with a length of l bits. Select The hash function H ₁ :{0,1} ^* →G under the random oracle model; H ₂ :{0,1} ^* →Z _p is a one-way hash function, choose a,b,c←Z _p , g←G, pm=(H ₁ ,H ₂ ,e,g,p,g ^a ,g ^b ,g ^c ,G,G _T ),mk=(a,b,c)

接着选取k个独立的哈希函数H₁',…,H'_k，用来m比特的构造m比特的布隆过滤器BF发送给数据拥有者，为数据拥有者和云服务器生成公私钥对{(n₁,e₁),d₁}和{(n₂,e₂),d₂}；Then select k independent hash functions H ₁ ',...,H' _k , use m bits to construct m bits Bloom filter BF and send it to the data owner to generate a public-private key pair for the data owner and the cloud server {(n ₁ ,e ₁ ),d ₁ } and {(n ₂ ,e ₂ ),d ₂ };

步骤二、密钥生成(mk,T)：可信权威中心执行Share(T,ac)算法，访问树T的每一个叶子节点都会得到有关秘密ac的部分分享q_v(0)，对每一个叶子节点v∈lvs(T)，选取t←Z_p，计算和B_v＝g^t，记私钥sk＝(T,A_v,B_v)|v∈lvs(T))；Step 2, key generation (mk, T): the trusted authority center executes the Share(T, ac) algorithm, and each leaf node of the access tree T will get the partial share q _v (0) of the secret ac, for each For leaf node v∈lvs(T), select t←Z _p and calculate Sum B _v ＝g ^t , remember the private key sk＝(T,A _v ,B _v )|v∈lvs(T));

步骤三、对关键词和文件地址的加密:(w,atts,ID(w))数据拥有者通过可信权威中心发送的哈希函数生成布隆过滤器，BF←BFGen({H₁',…,H'_k},{w₁,…,w_l})，对含有关键词w数据文件地址ID_w和布隆过滤器，SYM_Enc()加密算法加密，对称密钥为sk₁：Step 3. Encryption of keywords and file addresses: (w,atts,ID(w)) The data owner generates a Bloom filter through the hash function sent by the trusted authority center, BF←BFGen({H ₁ ', …,H' _k },{w ₁ ,…,w _l }), for data file address ID w containing keyword _w and Bloom filter, SYM _Enc () encryption algorithm encryption, symmetric key is sk ₁ :

BF_Enc＝SYM(BF),(ID_w)_Enc＝SYM(ID_w)；BF _Enc =SYM(BF),(ID _w ) _Enc =SYM(ID _w );

用户数据拥有者对ABF_Enc和(ID_w)_Enc进行签名： $A = {BF}_{Enc} | | sig ({BF}_{Enc}) = {BF}_{Enc} | | {({BF}_{Enc})}^{d_{1}}, B = {({ID}_{w})}_{Enc} | | sig {({ID}_{w})}_{Enc} = {({ID}_{w})}_{Enc} | | {({({ID}_{w})}_{Enc})}^{d_{1}}$ 对sk₁用ABE()加密算法进行加密：C＝ABE(sk₁)；User data owner signs ABF _Enc and (ID _w ) _Enc : $A = {BF}_{Enc} | | sig ({BF}_{Enc}) = {BF}_{Enc} | | {({BF}_{Enc})}^{d_{1}}, B = {({ID}_{w})}_{Enc} | | sig {({ID}_{w})}_{Enc} = {({ID}_{w})}_{Enc} | | {({({ID}_{w})}_{Enc})}^{d_{1}}$ Encrypt sk ₁ with the ABE () encryption algorithm: C=ABE(sk ₁ );

在搜索结束后，属性满足访问策略的合法用户就可以解密C得到sk₁，进而解密获取目标文件；After the search is over, legitimate users whose attributes meet the access policy can decrypt C to obtain sk ₁ , and then decrypt to obtain the target file;

选择r₁,r₂←Z_p，计算 $W^{'} = g^{{cr}_{1}}, W = g^{a (r_{1} + r_{2})} g^{b H_{2} (w) r_{1}};$ F＝(f₁,f₂)其中 $f_{1} = g^{a (r_{1} + r_{2})}, f_{2} = g^{{br}_{1}}, W_{0} = g^{r_{2}},$ 对每一个at_j∈Atts，计算 $W_{j} = H_{1} {({at}_{j})}^{r_{2}},$ 用服务器的公钥对W加密得到 $W_{E} = W^{e_{2}} = {(g^{a (r_{1} + r_{2})} g^{{bH}_{2} (w) r_{1}})}^{e_{2}},$ 这样可记密文关键词为：cph＝(Atts,W',W_E,W₀,W_j,F,A,B,C)；Choose r ₁ ,r ₂ ←Z _p , calculate $W^{'} = g^{{cr}_{1}}, W = g^{a (r_{1} + r_{2})} g^{b h_{2} (w) r_{1}};$ F=(f ₁ ,f ₂ ) where $f_{1} = g^{a (r_{1} + r_{2})}, f_{2} = g^{{br}_{1}}, W_{0} = g^{r_{2}},$ For each at _j ∈ Atts, compute $W_{j} = h_{1} {({at}_{j})}^{r_{2}},$ Encrypt W with the server's public key to get $W_{E.} = W^{e_{2}} = {(g^{a (r_{1} + r_{2})} g^{{bH}_{2} (w) r_{1}})}^{e_{2}},$ In this way, the ciphertext keywords can be recorded as: cph=(Atts, W', W _E , W ₀ , W _j , F, A, B, C);

步骤四、生成搜索口令(sk,w):选择s←Z_p，对每个叶子节点v∈lvs(T)计算 $A_{v}^{'} = A_{v}^{s}, B_{v}^{'} = B_{v}^{s},$ 搜索口令为 ${tok}_{1} = {(g^{a} g^{{bH}_{2} (w)})}^{s},$ tok₂＝g^cs，用服务器的公钥对tok₂进行加密：记tk＝(tok₁,(tok₂)_Enc,T,(A'_v,B'_v)|v∈lvs(T))；Step 4. Generate search password (sk,w): select s←Z _p , calculate for each leaf node v∈lvs(T) $A_{v}^{'} = A_{v}^{the s}, B_{v}^{'} = B_{v}^{the s},$ The search password is ${tok}_{1} = {(g^{a} g^{{bH}_{2} (w)})}^{the s},$ tok ₂ = g ^cs , encrypt tok ₂ with the server's public key: Remember tk＝(tok ₁ ,(tok ₂ ) _Enc ,T,(A' _v ,B' _v )|v∈lvs(T));

步骤五、搜索(tk,cph)：服务器从cph中选取属性集S来满足搜索口令中指定的访问树，如果这样的集合S不存在，返回0；反之，对每一个at_j∈S,计算 $E_{v} = e (A_{v}^{'}, W_{0}) / e (B_{v}^{'}, W_{j}) = e {(g, g)}^{{sr}_{2} q_{v} (0)} att (v) = {at}_{j}, v &Element; lvs (T),$ 结合(T,E_v|att(v)∈S)，计算出 $e {(g, g)}^{{sr}_{2} q_{v} (0)} = e {(g, g)}^{{sr}_{2} q_{root} (0)},$ 进而 $E_{root} = e {(g, g)}^{{acsr}_{2}}$ 服务器用自己的私钥解密W_E,(tok₂)_Enc得到W和tok₂，如果e(W',tok₁)E_root＝e(W,tok₂)，返回{W,F,A,B,C}给用户；否则，只返回A；Step 5. Search (tk,cph): The server selects the attribute set S from cph to satisfy the access tree specified in the search password. If such a set S does not exist, return 0; otherwise, for each at _j ∈ S, calculate ${E.}_{v} = e (A_{v}^{'}, W_{0}) / e (B_{v}^{'}, W_{j}) = e {(g, g)}^{{sr}_{2} q_{v} (0)} att (v) = {at}_{j}, v &Element; lvs (T),$ Combining (T,E _v |att(v)∈S), calculate $e {(g, g)}^{{sr}_{2} q_{v} (0)} = e {(g, g)}^{{sr}_{2} q_{root} (0)},$ and then ${E.}_{root} = e {(g, g)}^{{acsr}_{2}}$ The server decrypts W _E with its own private key, (tok ₂ ) _Enc to get W and tok ₂ , if e(W',tok ₁ )E _root ＝e(W,tok ₂ ), return {W,F,A,B ,C} to the user; otherwise, just return A;

步骤六、验证{W,F,A,B,C}数据用户接收到云服务器返回的搜索结果后，进行验证操作。Step 6. Verification {W, F, A, B, C} data The user performs verification operation after receiving the search result returned by the cloud server.

进一步，所述的验证操作的具体方法为：Further, the specific method of the verification operation is:

步骤一、搜索关键词的存在性：当数据用户仅仅收到云服务器返回的A时，首先用数据拥有者的公钥A进行验证若则通过验证；对C进行解密操作获取对称密钥sk₁，解密A获取布隆过滤器BF，若BF(w)＝0，意味着云服务器上不存在用户所搜索的关键词，反之，拒收返回结果；Step 1. Search for the existence of keywords: When the data user only receives A returned by the cloud server, first use the public key A of the data owner to verify if Then the verification is passed; decrypt C to obtain the symmetric key sk ₁ , decrypt A to obtain the Bloom filter BF, if BF(w)=0, it means that the keyword searched by the user does not exist on the cloud server, otherwise, reject Return the result;

步骤二、搜索关键词的正确性：数据用户收到{W,F,A,B,C}时，计算W/f₁和如果说明正确，反之，说明是错误结果；Step 2. The correctness of the search keywords: when the data user receives {W, F, A, B, C}, calculate W/f ₁ and if The explanation is correct, otherwise, the explanation is a wrong result;

步骤三、包含关键词w的数据文件地址的完整性：当数据用户验证了关键词的正确性后，接着对B进行验证，若则通过解密C获取sk₁，进而获取目标数据文件。Step 3. Integrity of the address of the data file containing the keyword w: After the data user verifies the correctness of the keyword, then verify B, if Then obtain sk ₁ by decrypting C, and then obtain the target data file.

进一步，所述的基于KP-ABE的有效可验证的公钥可搜索加密方法的正确性的分析如下：Further, the analysis of the correctness of the effective and verifiable public key searchable encryption method based on KP-ABE is as follows:

步骤一、搜索匹配正确性：Step 1. Search for matching correctness:

云服务器在收到数据用户的搜索请求后，执行搜索操作，首先用自己的私钥对密文关键词和搜索口令进行解密，用RSA算法，然后，执行如下匹配操作：After the cloud server receives the search request from the data user, it executes the search operation. First, it uses its own private key to decrypt the ciphertext keyword and the search password, uses the RSA algorithm, and then performs the following matching operations:

$\begin{matrix} e e (({W W}^{' '},, {tok tok}_{11})) {E E.}_{root root} = = {e e (({g g}^{{cr cr}_{11}},, (({g g}^{a a} {g g}^{{bH bH}_{22} ((w w))}))))}^{s the s} = = \\ e e {((g g,, g g))}^{acs acs (({r r}_{11} + + {r r}_{22}))} e e {((g g,, g g))}^{{bcsH wxya}_{22} ((w w)) {r r}_{11}};; \end{matrix}$

$\begin{matrix} e e ((W W,, {tok tok}_{22})) = = {e e (({g g}^{a a (({r r}_{11} + + {r r}_{22}))} {g g}^{{bH bH}_{22} (({w w}_{11})) {r r}_{11}},, {g g}^{cs cs}))))}^{s the s} = = \\ e e {((g g,, g g))}^{acs acs (({r r}_{11} + + {r r}_{22}))} e e {((g g,, g g))}^{{bcsH wxya}_{22} (({w w}_{11})) {r r}_{11}} . . \end{matrix}$

如果w和w₁是同一个关键词的话，那么e(W',tok₁)E_root和e(W,tok₂)就是相等的，说明搜索成功；If w and w ₁ are the same keyword, then e(W',tok ₁ )E _root and e(W,tok ₂ ) are equal, indicating that the search is successful;

步骤二、验证正确性：Step 2. Verify correctness:

当数据用户收到云服务器返回的搜索结果{W,F,A,B,C}时，首先要对关键词的正确性进行验证，由F中找到f₁,f₂，作如下计算：When the data user receives the search result {W,F,A,B,C} returned by the cloud server, he must first verify the correctness of the keywords, find f ₁ and f ₂ from F, and perform the following calculation:

$W W / / {f f}_{11} = = {g g}^{a a (({r r}_{11} + + {r r}_{22}))} {g g}^{b b {H h}_{22} ((w w)) {r r}_{11}} / / {g g}^{a a (({r r}_{11} + + {r r}_{22}))} = = {g g}^{{bH bH}_{22} ((w w)) {r r}_{11}}$

用户对自己搜索的关键词的哈希值H₂(w₁)计算如下：The hash value H ₂ (w ₁ ) of the keyword that the user searches for is calculated as follows:

${f f}_{22}^{{H h}_{22} (({w w}_{11}))} = = {g g}^{{bH bH}_{22} (({w w}_{11})) {r r}_{11}}$

若w和w₁是同一个关键词时，相等，说明，搜索结果是正确的，在此之后，通过签名来验证数据文件地址的正确性和完整性。If w and w ₁ are the same keyword, Equal, it means that the search result is correct. After that, verify the correctness and integrity of the address of the data file through the signature.

效果汇总Effect summary

本发明的基于KP-ABE的有效可验证的公钥可搜索加密方法，首先为数据拥有者和云服务器生成了公私钥对，在发送密文关键词和搜索口令时，首先使用云服务器的公钥对其再加密，这样有效地防止了外部攻击者的离线猜测攻击行为，提高了方案的安全性，而且，复杂度降低，大大减少了用户的运算量，效率得到了很大提高。The effective and verifiable public-key searchable encryption method based on KP-ABE of the present invention first generates a public-private key pair for the data owner and the cloud server, and first uses the public-private key pair of the cloud server when sending ciphertext keywords and search passwords. It is re-encrypted with the key, which effectively prevents offline guessing attacks by external attackers, improves the security of the scheme, and reduces the complexity, greatly reduces the amount of calculation for users, and greatly improves the efficiency.

附图说明Description of drawings

图1是本发明实施例提供的基于KP-ABE的有效可验证的公钥可搜索加密方法的模型示意图；Fig. 1 is a model schematic diagram of an effective and verifiable public key searchable encryption method based on KP-ABE provided by an embodiment of the present invention;

图2是本发明实施例提供的本发明和对比方案执行正确性验证的运行时间的对比图。Fig. 2 is a comparison chart of the execution time of the correctness verification of the present invention and the comparison scheme provided by the embodiment of the present invention.

具体实施方式Detailed ways

为了使本发明的目的、技术方案及优点更加清楚明白，以下结合附图及实施例，对本发明进行进一步详细说明。应当理解，此处所描述的具体实施例仅仅用以解释本发明，并不用于限定本发明。In order to make the object, technical solution and advantages of the present invention clearer, the present invention will be further described in detail below in conjunction with the accompanying drawings and embodiments. It should be understood that the specific embodiments described here are only used to explain the present invention, not to limit the present invention.

本发明是这样实现的，如图1所示，一种基于KP-ABE的有效可验证的公钥可搜索加密方法包括可信权威中心、数据拥有者、云服务器、数据用户；可信权威中心为所有云用户生成证书；数据拥有者外包数据文件和关键词给云服务器；云服务器是提供存储服务并在收到用户发送的搜索请求后执行搜索操作；数据用户生成搜索口令发送给云服务器寻找目标文件。The present invention is realized in this way, as shown in Figure 1, a kind of effective and verifiable public key searchable encryption method based on KP-ABE comprises trusted authority center, data owner, cloud server, data user; Trusted authority center Generate certificates for all cloud users; data owners outsource data files and keywords to cloud servers; cloud servers provide storage services and perform search operations after receiving search requests from users; data users generate search passwords and send them to cloud servers to find Target file.

按以下3个步骤：Follow these 3 steps:

进一步，所述的基于KP-ABE的有效可验证的公钥可搜索加密方法包括六个算法，l为安全参数，可信权威中心运行RSA算法为云服务器和数据拥有者生成公私钥对：{(n₁,e₁),d₁}和{(n₂,e₂),d₂}，数据拥有者通过数字签名来保证数据文件的完整性，用云服务器的公钥对密文关键词进行再加密来防止外部攻击者的离线猜测攻击，当数据拥有者用SYM_Enc()加密算法对数据文件加密后外包给云服务器，服务器返回加密文件的地址，记为ID{F_i}，这样包含关键词w的数据文件即可表示为ID_w＝ID{F₁}||ID{F₂}…||ID{F_i}。Further, the effective and verifiable public key searchable encryption method based on KP-ABE includes six algorithms, l is a security parameter, and the trusted authority center runs the RSA algorithm to generate a public-private key pair for the cloud server and the data owner:{ (n ₁ ,e ₁ ),d ₁ } and {(n ₂ ,e ₂ ),d ₂ }, the data owner guarantees the integrity of the data file through digital signature, and uses the public key of the cloud server to pair the ciphertext keywords Perform re-encryption to prevent offline guessing attacks by external attackers. When the data owner encrypts the data file with the SYM _Enc () encryption algorithm and outsources it to the cloud server, the server returns the address of the encrypted file, which is recorded as ID{F _i }, so A data file containing the keyword w can be expressed as ID _w =ID{F ₁ }||ID{F ₂ }...||ID{F _i }.

选择r₁,r₂←Z_p，计算 $W^{'} = g^{{cr}_{1}}, W = g^{a (r_{1} + r_{2})} g^{b H_{2} (w) r_{1}};$ F＝(f₁,f₂)其中 $f_{1} = g^{a (r_{1} + r_{2})}, f_{2} = g^{{br}_{1}}, W_{0} = g^{r_{2}},$ 对每一个at_j∈Atts，计算 $W_{j} = H_{1} {({at}_{j})}^{r_{2}},$ 用服务器的公钥对W加密得到 $W_{E} = W^{e_{2}} = {(g^{a (r_{1} + r_{2})} g^{{bH}_{2} (w) r_{1}})}^{e_{2}},$ 这样可记密文关键词为：cph＝(Atts,W',W_E,W₀,W_j,F,A,B,C)；Choose r ₁ ,r ₂ ←Z _p , calculate $W^{'} = g^{{cr}_{1}}, W = g^{a (r_{1} + r_{2})} g^{b h_{2} (w) r_{1}};$ F=(f ₁ ,f ₂ ) where $f_{1} = g^{a (r_{1} + r_{2})}, f_{2} = g^{{br}_{1}}, W_{0} = g^{r_{2}},$ For each at _j ∈ Atts, compute $W_{j} = h_{1} {({at}_{j})}^{r_{2}},$ Encrypt W with the server's public key to get $W_{E.} = W^{e_{2}} = {(g^{a (r_{1} + r_{2})} g^{{bH}_{2} (w) r_{1}})}^{e_{2}},$ In this way, the ciphertext keyword can be remembered as: cph=(Atts, W', W _E , W ₀ , W _j , F, A, B, C);

步骤一、搜索匹配正确性：Step 1. Search for matching correctness:

步骤二、验证正确性：Step 2. Verify correctness:

若w和w₁是同一个关键词时，W/f₁和相等，说明，搜索结果是正确的，在此之后，通过签名来验证数据文件地址的正确性和完整性。If w and w ₁ are the same keyword, W/f ₁ and Equal, it means that the search result is correct. After that, verify the correctness and integrity of the address of the data file through the signature.

将本发明与文献“Verifiable attribute-based keyword search overoutsourced encrypted data”(Q.Zheng,Xu,S.Ateniese,G.:Vabks，IACR Cryptology ePrint Archive2013(2013))中的方案进行对比，在本发明的方案中，首先为数据拥有者和云服务器生成了公私钥对，在发送密文关键词和搜索口令时，首先使用云服务器的公钥对其再加密，这样有效地防止了外部攻击者的离线猜测攻击行为。这在对比中是没有涉及到的。另外，与对比方案对比，对比方案在验证正确性时所进行的操作和云服务器是相同的，而本发明所用方法具有明显的优势，如表1所示：The present invention is compared with the scheme in the document "Verifiable attribute-based keyword search overoutsourced encrypted data" (Q. Zheng, Xu, S. Ateniese, G.: Vabks, IACR Cryptology ePrint Archive2013 (2013)), in the present invention In the scheme, firstly, a public-private key pair is generated for the data owner and the cloud server. When sending the ciphertext keywords and search passwords, firstly use the public key of the cloud server to re-encrypt them, which effectively prevents offline attacks by external attackers. Guess the attack. This is not covered in the comparison. In addition, compared with the comparison scheme, the operation performed by the comparison scheme when verifying correctness is the same as that of the cloud server, while the method used in the present invention has obvious advantages, as shown in Table 1:

表1Table 1

BF代表布隆过滤器；这里复杂度考虑的是渐近复杂度，主要是Pair和E_T。Pair代表双线性对运算；E_T代表群G_T中的指数运算；S代表用户的属性的数量。和对比方案一样，因为乘法运算和哈希运算比起对运算和指数运算起来，复杂度较低。所以在讨论复杂度时，忽略了乘法运算和哈希运算。BF stands for Bloom filter; here the complexity considers the asymptotic complexity, mainly Pair and E _T . Pair represents bilinear pairing operation; E _T represents the exponential operation in group G _T ; S represents the number of attributes of the user. As in the comparison scheme, because the multiplication and hashing operations are less complex than the pairing and exponentiation operations. So when discussing complexity, multiplication and hash operations are ignored.

用户对服务器返回的搜索结果的正确性进行验证：The user verifies the correctness of the search results returned by the server:

C语言编程，采用Ubuntu Linux12.04系统。电脑配置为：Intel(R)Core(TM)i3-3240Cpu,2GBRAM。基于对运算的密码算法(PBC)实验室0.514版本。所有实验结果取的是50次的实验平均值。分别选取了512比特长和1024比特长的模长度，属性数量范围10到50个。最终，如图2所示，实验结果显示，本发明的验证方法效率高，具有更强的实用性。C language programming, using Ubuntu Linux12.04 system. Computer configuration: Intel(R) Core(TM) i3-3240Cpu, 2GB RAM. Pairwise-Based Cryptography (PBC) Lab Version 0.514. All experimental results are the average value of 50 experiments. The modulus lengths of 512 bits and 1024 bits are respectively selected, and the number of attributes ranges from 10 to 50. Finally, as shown in Figure 2, the experimental results show that the verification method of the present invention has high efficiency and stronger practicability.

图2示出了本发明的方案和对比方案执行正确性验证的运行时间。相比对比方案，本发明方案的运行时间不会随着属性数量的增加而变化，进一步说明了本发明的实用性。图中的双斜线代表着在垂直方向的中断，这里使用的是ORIGIN8.0软件进行数据分析并作图。Fig. 2 shows the execution time of correctness verification for the scheme of the present invention and the comparison scheme. Compared with the comparison scheme, the running time of the scheme of the present invention does not change with the increase of the number of attributes, which further illustrates the practicability of the present invention. The double slashes in the figure represent interruptions in the vertical direction, and ORIGIN8.0 software was used here for data analysis and graphing.

上述虽然结合附图对本发明的具体实施方式进行了描述，但并非对本发明保护范围的限制，所属领域技术人员应该明白，在本发明的技术方案的基础上，本领域技术人员不需要付出创造性的劳动即可做出的各种修改或变形仍在本发明的保护范围之内。Although the specific implementation of the present invention has been described above in conjunction with the accompanying drawings, it is not a limitation to the protection scope of the present invention. Those skilled in the art should understand that on the basis of the technical solution of the present invention, those skilled in the art do not need to pay any creative effort. Various modifications or deformations that can be made by labor are still within the protection scope of the present invention.

Claims

1. the PKI that effectively can verify based on KP-ABE can be searched for an encryption method, it is characterized in that, the described PKI that effectively can verify based on KP-ABE can be searched for encryption method and comprise the following steps:

Data owner extracts keyword w from the data file F of outsourcing; Outsourcing F, and generate keyword w ciphertext cph and send to Cloud Server;

The data that Cloud Server sends data owner provide stores service and after receiving the search password tk that user sends, carry out search, and Search Results and search evidence are returned to user;

Data user generates search password tk and sends to Cloud Server with private key sk; After receiving the Search Results that Cloud Server returns, the correctness of result and integrality are verified.

2. the PKI that effectively can verify based on KP-ABE as claimed in claim 1 can be searched for encryption method, it is characterized in that, described PKI can be searched for encryption method and specifically comprise:

Can search for encryption system: trusted authorization centre management data owner, user and Cloud Server;

Data owner is sent to Cloud Server by data file;

Cloud Server provides storage and retrieval service;

User searches for data file stored thereon by Cloud Server;

Trusted authority center choose bilinearity to and hash function, and generate public ginseng pm and master key mk; By moving following RSA Algorithm:

Press following 3 steps:

I) select different large prime number p and q, calculate n=p*q;

Ii) select e with coprime, (n, e) is as PKI;

Iii) pass through calculate d, (n, d) is as private key;

Here number n, e, d is respectively modulus, encryption exponent and decryption exponent;

According to this algorithm, choose different large prime number p ₁and q ₁, p ₂and q ₂, be data owner and server generation public private key pair { (n ₁, e ₁), d ₁and { (n ₂, e ₂), d ₂;

By Share (T, the ac) algorithm in access structure, as follows:

Each leaf node of access tree T associated the part of secret ac share q _v(0),, to each leaf node v ∈ lvs (T), choose t ← Z _p, calculate and B _v=g ^t, note sk=(T, A _v, B _v) | v ∈ lvs (T)) be user's private key.

3. the PKI that effectively can verify based on KP-ABE as claimed in claim 1 can be searched for encryption method, it is characterized in that, the described PKI that effectively can verify based on KP-ABE can be searched for encryption method and comprise: initialization, key generate, the encryption of keyword and file address, generation are searched for to password, search, checking; The method is mainly used in the search to a large amount of enciphered datas in cloud computing.

4. the PKI that effectively can verify based on KP-ABE as claimed in claim 1 can be searched for encryption method, it is characterized in that, the concrete scheme that the described PKI that effectively can verify based on KP-ABE can be searched for encryption method is:

Trusted authority center operation RSA Algorithm is that Cloud Server and data owner generate public private key pair: { (n ₁, e ₁), d ₁and { (n ₂, e ₂), d ₂; Data owner guarantees the integrality of data file by digital signature; With the PKI of Cloud Server, ciphertext keyword is encrypted to prevent again the off-line guessing attack of external attacker, as data owner SYM _enc() cryptographic algorithm is contracted out to Cloud Server after to data file encryption, and server returns to the address of encrypt file, is designated as ID{F _i, the data file that comprises like this keyword w can be expressed as ID _w=ID{F ₁|| ID{F ₂... || ID{F _i; Specifically comprise:

Step 1, initialization (1 ^l): bilinearity pair: e:G * G → G is selected at trusted authority center _t, G and G _tbe that rank are the cyclic group of p, p is the primitive element of l bit long, selects the hash function H under random oracle ₁: { 0,1} ^*→ G; H ₂: { 0,1} ^*→ Z _pbe one-way Hash function, select a, b, c ← Z _p, g ← G,

pm＝(H ₁,H ₂,e,g,p,g ^a,g ^b,g ^c,G,G _T),

mk＝(a,b,c)

Then choose k independently hash function H ₁' ..., H' _k, be used for the Bloom filter BF of structure m bit of m bit to send to data owner, be that data owner and Cloud Server generate public private key pair { (n ₁, e ₁), d ₁and { (n ₂, e ₂), d ₂;

Step 2, key generate (mk, T): Share (T, ac) algorithm is carried out at trusted authority center, and each leaf node of access tree T can obtain the part of relevant secret ac and share q _v(0),, to each leaf node v ∈ lvs (T), choose t ← Z _p, calculate and B _v=g ^t, note private key sk=(T, A _v, B _v) | v ∈ lvs (T));

Step 3, the encryption to keyword and file address: the hash function that (w, atts, ID (w)) data owner sends by trusted authority center generates Bloom filter, BF ← BFGen ({ H ₁' ..., H' _k, { w ₁..., w _l), to containing keyword w data file address ID _wand Bloom filter, SYM _enc() cryptographic algorithm is encrypted, and symmetric key is sk ₁:

BF _Enc＝SYM(BF),(ID _w) _Enc＝SYM(ID _w)；

User data owner is to BF _enc(ID _w) _encsign:

A = {BF}_{Enc} | | sig ({BF}_{Enc}) = {BF}_{Enc} | | {({BF}_{Enc})}^{d_{1}}, B = {({ID}_{w})}_{Enc} | | sig {({ID}_{w})}_{Enc} = {({ID}_{w})}_{Enc} | | {({({ID}_{w})}_{Enc})}^{d_{1}}

To sk ₁by ABE () cryptographic algorithm, be encrypted: C=ABE (sk ₁);

After search finishes, the validated user that attribute meets access strategy just can be deciphered C and obtain sk ₁, and then file destination is obtained in deciphering;

Select r ₁, r ₂← Z _p, calculate

W^{'} = g^{{cr}_{1}}, W = g^{a (r_{1} + r_{2})} g^{b H_{2} (w) r_{1}};

F=(f ₁, f ₂) wherein

f_{1} = g^{a (r_{1} + r_{2})}, f_{2} = g^{{br}_{1}}, W_{0} = g^{r_{2}},

To each at _j∈ Atts, calculates

W_{j} = H_{1} {({at}_{j})}^{r_{2}},

With the PKI of server, W is encrypted and obtained

W_{E} = W^{e_{2}} = {(g^{a (r_{1} + r_{2})} g^{{bH}_{2} (w) r_{1}})}^{e_{2}},

Can remember that like this ciphertext keyword is:

cph＝(Atts,W',W _E,W ₀,W _j,F,A,B,C)；

Step 4, generation search password (sk, w): select s ← Z _p, each leaf node v ∈ lvs (T) is calculated

A_{v}^{'} = A_{v}^{s}, B_{v}^{'} = B_{v}^{s},

Search password is

{tok}_{1} = {(g^{a} g^{{bH}_{2} (w)})}^{s},

Tok ₂=g ^cs, use the PKI of server to tok ₂be encrypted: note tk=(tok ₁, (tok ₂) _enc, T, (A' _v, B' _v) | v ∈ lvs (T));

Step 5, search (tk, cph): server is chosen the access tree that property set S meets appointment in search password from cph, if such S set does not exist, returns to 0; Otherwise, to each at _j∈ S, calculates

E_{v} = e (A_{v}^{'}, W_{0}) / e (B_{v}^{'}, W_{j}) = e {(g, g)}^{{sr}_{2} q_{v} (0)} att (v) = {at}_{j}, v &Element; lvs (T),

In conjunction with (T, E _v| att (v) ∈ S), calculate

e {(g, g)}^{{sr}_{2} q_{v} (0)} = e {(g, g)}^{{sr}_{2} q_{root} (0)},

And then

E_{root} = e {(g, g)}^{{acsr}_{2}}

The private key deciphering W of oneself for server _e, (tok ₂) _encobtain W and tok ₂if, e (W', tok ₁) E _root=e (W, tok ₂), return W, F, A, B, C} is to user; Otherwise, only return to A;

Step 6, checking { W, F, A, B, C}: data user receives after the Search Results that Cloud Server returns, and carries out verification operation.

5. the PKI that effectively can verify based on KP-ABE as claimed in claim 1 can be searched for encryption method, it is characterized in that, the concrete grammar of described verification operation is:

The existence of step 1, searched key word: when data user only receives the A that Cloud Server returns, first with data owner's PKI, A is verified; If by checking; C is decrypted to operation and obtains symmetric key sk ₁, deciphering A obtains Bloom filter BF, if BFverify (w)=0 means the keyword that does not exist user to search on Cloud Server, otherwise rejection returns results;

The correctness of step 2, searched key word: data user receive W, F, A, B, during C}, calculates W/f ₁with if illustrate correctly, otherwise explanation is error result;

Step 3, the integrality of data file address that comprises keyword w: when data user has verified after the correctness of keyword, then B is verified, if by deciphering C, obtain sk ₁, and then obtain target data file.

6. the PKI that effectively can verify based on KP-ABE as claimed in claim 1 can be searched for encryption method, it is characterized in that, the described PKI that effectively can verify based on KP-ABE can be searched for being analyzed as follows of correctness of encryption method:

Step 1, search coupling correctness:

Cloud Server, after receiving data user's searching request, is carried out search operation.First by with RSA Algorithm, with the private key of oneself, ciphertext keyword and search password are decrypted, then, carry out following matching operation:

\begin{matrix} e (W^{'}, {tok}_{1}) E_{root} = {e (g^{{cr}_{1}}, (g^{a} g^{{bH}_{2} (w)}))}^{s} = \\ e {(g, g)}^{acs (r_{1} + r_{2})} e {(g, g)}^{{bcsH}_{2} (w) r_{1}}; \end{matrix}

\begin{matrix} e (W, {tok}_{2}) = {e (g^{a (r_{1} + r_{2})} g^{{bH}_{2} (w_{1}) r_{1}}, g^{cs}))}^{s} = \\ e {(g, g)}^{acs (r_{1} + r_{2})} e {(g, g)}^{{bcsH}_{2} (w_{1}) r_{1}} . \end{matrix}

If w and w ₁same keyword, e (W', tok so ₁) E _rootand e (W, tok ₂) be exactly what equate, illustrate and search for successfully;

Step 2, proving correctness:

When data user receive the Search Results that Cloud Server returns W, F, A, B, during C}, first will verify the correctness of keyword, finds f in F ₁, f ₂, do to calculate as follows:

W / f_{1} = g^{a (r_{1} + r_{2})} g^{b H_{2} (w) r_{1}} / g^{a (r_{1} + r_{2})} = g^{{bH}_{2} (w) r_{1}}

The cryptographic Hash H of the keyword that user searches for oneself ₂(w ₁) be calculated as follows:

f_{2}^{H_{2} (w_{1})} = g^{{bH}_{2} (w_{1}) r_{1}}

If w and w ₁while being same keyword, W/f ₁with equate, illustrate, Search Results is correct, after this, carrys out correctness and the integrality of verification msg file address by signature.