CN114710357A - Dynamic searchable encryption method supporting block verification in editable block chain - Google Patents

Abstract

The present invention provides a dynamic searchable encryption method supporting block verification in an editable block chain. The front-end-cloud-style data retrieval and verification method is replaced by a new method combining end-cloud and editable blockchain. The block index structure has good retrieval performance. The data owner transmits the block verification label to the editable blockchain, and the result verification function is implemented by the editable blockchain. Second, the result verification list generated according to the block index reduces the computational overhead for subsequent result verification. In addition, the editable blockchain technology realizes the rewritable storage of data under the premise of ensuring the fairness and security of the search service, avoiding the waste of the precious resource of the block. The present invention can realize the organic integration of the editability and security reliability of the blockchain. When the client or cloud server performs malicious behavior, the fairness and security of the query service can still be ensured.

Description

A Dynamic Searchable Encryption Method Supporting Block Verification in Editable Blockchains

technical field

The invention relates to the technical field of information security, in particular to a dynamic searchable encryption method supporting block verification in an editable block chain.

Background technique

Searchable Encryption (SE, Searchable Encryption) is a cryptographic primitive developed in recent years that supports users to search for keywords in ciphertext. It can save users a lot of computing and communication overhead and make full use of huge computing The resource performs a keyword lookup on the ciphertext. In practice, however, cloud servers and users are not all honest and trustworthy entities. Cloud servers may only return partial results to save computing resources. The user may lie about the return result of the cloud server is wrong in order to refuse to pay the fee. So there is a reliability problem.

In order to solve the problem that malicious servers return wrong results to users, a ciphertext retrieval scheme based on the verifiable results of the PPTrie tree index is proposed. Subsequently, Bitcoin was introduced into multi-party computation to solve the fairness problem, and the protocol in the scheme can be regarded as a smart contract. In order to realize the disclosure of verification, it is done by using pseudo-random function and one-way function. Combining Merkle Hash Tree with k-means clustering improves verification efficiency and security. These schemes assume that the user is trustworthy, will perform the verification process honestly and publish the verification result. But some users may falsely claim that the result is wrong and refuse to pay the service fee.

The Chinese patent application document (CN113949548A) discloses an attribute encryption method in which the private key is verifiable and multi-keyword searchable in cloud storage. It saves the waste of local load and computing resources and realizes fast search, and supports multi-keyword search, which can effectively realize fast search, and solve the problems of waste of network bandwidth and large computing cost in the prior art.

The Chinese patent application document (CN113282542A) discloses a verifiable and searchable encryption method with forward security. The security token corresponding to the keyword is sent to the server, which can prevent the relevant information of the keyword stored in the file from being exposed to the server, and improve the The security of file storage, enhance the resistance to illegal attacks such as file injection attacks; determine the verification information of the stored files, and verify the integrity of the searched files returned by the server through the verification information, which can ensure the integrity of the file storage. to prevent malicious changes to the stored files by the server; by generating a state corresponding to the update sequence of the verification information, it is conducive to the traceability of the verification information, and it is convenient to obtain an orderly matching set of file identifiers to be verified, so as to save the client Local storage operation of file identifiers; by means of XOR processing, the complexity of data processing can be reduced, the traffic during search can be reduced, and the search efficiency can be improved.

Currently, blockchain technology shows its potential to solve reliability problems. Store encrypted indexes and encrypted data on cloud servers for data storage and search functions. Blockchain and smart contracts are used to verify the correctness of search results. Since the verification operation is done by all nodes in the network, the correctness of the result can be guaranteed as long as the majority of nodes are honest. However, the efficiency of reaching consensus among various nodes in distributed sharing is very low, and a lot of computing overhead is incurred when smart contracts perform complex calculations. The immutability of the blockchain results in a large amount of storage overhead for each new transaction, which in turn affects the efficiency of result verification in the searchable encryption scheme, the performance of data update, and reduces the user's retrieval experience.

SUMMARY OF THE INVENTION

The purpose of the present invention is to provide a dynamic searchable encryption method that supports block verification in an editable block chain, which can avoid the storage and calculation limitations of blocks, and also solve the problem of dishonesty between users and cloud servers. This leads to the question of the reliability of the query results.

The present invention is realized as follows: a dynamic searchable encryption method supporting block verification in an editable block chain, comprising the following steps:

A. The data owner inputs the security parameter λ and outputs the system parameter Para;

B. The data owner generates a random number λ _r according to the system parameter Para as the data update state and stores it in the state set Map, and outputs the key pair (PK _D , SK _D ) required for encryption;

加密后的关键字集CW、加密文件集CD到云服务器中，将生成的结果验证列表L存储到可编辑区块链中；C. Initialize the file of the data owner, encrypt the query keyword/file set according to the encryption key pair (PK _D , SK _D ), and generate and output the encrypted index table

The encrypted keyword set CW and the encrypted file set are CD to the cloud server, and the generated result verification list L is stored in the editable blockchain;

D. When the data user initiates a search query, the search keyword w is sent to the data owner, and the data owner sends authorization information to the data user according to the search keyword w and the private key SK _D ; the data user generates the authorization information according to the search token ST;

执行搜索操作，并将输出的搜索结果集S_R和验证集P_R发送到可编辑区块链中；E. The cloud server receives the search token ST sent by the data user and performs the search operation: the cloud server first judges the correctness of the search token, and if it meets the conditions, then according to the encrypted index table

Execute the search operation, and send the output search result set S _R and verification set P _R to the editable blockchain;

F. After the editable block link receives the (S _R , P _R ) sent by the cloud server, it performs the verification operation and outputs the verification result identifier VR , and returns 1 if it passes the verification _. The editable block chain will set the search result set Send to the data user and charge the data user; otherwise, return 0 and the deposit will be returned to the data user.

Preferably, in step A, a security parameter λ is input, and a bilinear pair of cryptographic parameters (G ₁ , G ₂ , e, p, g ₁ ) is output; G ₁ and G ₂ are two multiplicative cyclic groups, and p is a large Prime number, e is the bilinear map e: G ₁ ×G ₁ →G ₂ , g ₁ is the generator number of G ₁ ;

Definition H ₁ : {0,1} ^* → G ₁ , H ₂ : {0,1} ^* → Z _p are two hash functions, Z _p is a finite field of order p, h ₀ and h ₁ are both ∈ G ₁ , the obtained system parameter Para is {G ₁ , G ₂ , e, p, g ₁ , H ₁ , H ₂ , h ₀ , h ₁ }.

Preferably, in step B, the data owner selects a random parameter λ _r ∈ {l,...,2 ^{λ } from the sequence {l,...,2 λ }} as the data update state and records it in the state set Map;

SK_D＝x；The data owner randomly selects an x∈Z _p and computes an asymmetric random number key pair (PK _D ,SK _D ), where

SK _D = x;

The data owner stores the private key SK _D , and randomly selects the parameter _θ∈Zp to keep it secret;

The data owner sends both Map and PK _D to the cloud server and editable blockchain.

Preferably, in step C, the data owner first constructs an index structure, and the constructed index structure consists of several perfect binary trees, except that the heights of the last two perfect binary trees may be the same, and the heights of other perfect binary trees are cascaded down;

The data owner divides the index structure into blocks according to the number of perfect binary trees, calculates the root node hash hr _i and block index hash h(hr _i ) of each block after dividing, and calculates σ _i ;

The data owner then calculates the local verification label β _j according to σ _i :

Among them, k is the number of blocks after division; j=1, 2, ..., m, m is the number of keywords;

The final generated result verification list is L={β ₁ ,β ₂ ,...,β _m }.

和

其中，r₀＝H₂(d₁)是Z_p的一个伪随机数，

d₀和d₁即为数据所有者向数据使用者所发送的授权信息；数据使用者根据d₀和d₁生成搜索令牌ST＝(d₀,d₁)。Preferably, in step D, the data user sends the search keyword w to the data owner, the data owner randomly selects γ ₁ ∈ Z _p , and calculates

and

Among them, r ₀ =H ₂ (d ₁ ) is a pseudo-random number of Z _p ,

d ₀ and d ₁ are the authorization information sent by the data owner to the data user; the data user generates a search token ST=(d ₀ , d ₁ ) according to d ₀ and d ₁ .

Preferably, in step E, the cloud server determines the correctness of the search token is specifically:

和

随后，根据v和T计算

并将y、T、Ω₀、Ω₁和Ω₂发送给云服务器；The data owner randomly selects x ₁ , x ₂ , y∈Z _p , calculates

and

Then, according to v and T, calculate

and send y, T, Ω ₀ , Ω ₁ and Ω ₂ to the cloud server;

其中

若满足条件，则表示搜索令牌正确。The cloud server receives y, T, Ω ₀ , Ω ₁ and Ω ₂ sent by the data owner, and then judges whether the search token ST satisfies

in

If the conditions are met, the search token is correct.

执行搜索操作，得到搜索结果集S_R，然后计算验证标签

hr_iCP为云服务器生成的根结点哈希，同时，云服务器还生成块哈希hr_1CP,hr_2CP,…,hr_kCP，随后将搜索结果集S_R和验证集P_R＝{h(hr_1CP),h(hr_2CP),…,h(hr_kCP),μ}发送给可编辑区块链。Preferably, in step E, when the search token is correct, the cloud server searches the encrypted index table according to the

Execute the search operation, get the search result set S _R , and then calculate the verification label

hr _iCP is the root node hash generated by the cloud server. At the same time, the cloud server also generates block hashes hr _1CP ,hr _2CP ,...,hr _kCP , and then the search result set S _R and the verification set P _R = {h(hr _1CP ),h(hr _2CP ),…,h(hr _kCP ),μ} are sent to the editable blockchain.

Preferably, in step F, the editable blockchain receives the update state λ _r sent by the data owner, and the editable blockchain receives the verification label P=(β, μ) and the search result set _SR , and then performs the result verification ,details as follows:

The editable blockchain calculates V _DO = e(β, g ₁ ) according to the verification label;

and calculate

Then the editable blockchain verifies whether V _CP = V _DO is established; if so, the search result set _SR will be sent to the data user; if not, the deposit will be returned to the data user.

加密关键字集CW′和加密文件集CD′上传到云服务器，更新后的结果验证列表L′使用可编辑技术上传到可编辑区块链。Preferably, the dynamic searchable encryption method supporting block verification in the editable blockchain provided by the present invention further includes step G: when the file is updated, the data owner generates a new λ _r ' and records it in the Map, and records it in the Map. Updated encrypted index table

The encrypted keyword set CW' and the encrypted file set CD' are uploaded to the cloud server, and the updated result verification list L' is uploaded to the editable blockchain using the editable technology.

The invention stores encrypted data and indexes in the cloud server, and the result verification list is stored in the editable block chain, which avoids the storage and calculation limitations of blocks, and solves the problem that the query results can be changed due to dishonesty between users and the cloud server. question of reliability. The main contributions of the present invention are as follows:

1) In order to ensure efficient query and verification, the index is dynamically divided, and the block index is used to achieve parallel search and update data only affect a constant amount of data. In addition, the query results are verified in blocks using the verification tags generated by the block index.

2) Introduce editable blockchain technology, so that entities with modification authority (data owners in the present invention) can modify block data, which is convenient for maintaining the uploading and updating of verification labels, improving the efficiency of result verification and reducing the storage of verification labels overhead.

3) The present invention can prevent the cloud server from guessing the specific information of the keyword through the search trapdoor, so as to realize the privacy protection of the search mode.

4) By deploying to the local private test network (Ganache-cli), and performing gradient experiments on the data. The analysis of the experimental results shows that the present invention has significant advantages in data query and verification performance compared with other result verification schemes under the premise of ensuring the low-speed growth of the number of blocks.

The invention constructs a dynamic searchable encryption method supporting block verification based on the editable block chain. This method has the following advantages: first, the block index structure has good retrieval performance; second, the result verification list generated according to the block index reduces the computational overhead for subsequent result verification; third, the editable blockchain technology is used in On the premise of ensuring the fairness and security of the search service, the rewritable storage of data is realized to avoid the waste of the precious resource of the block.

Description of drawings

FIG. 1 is a system model diagram of the present invention.

Figure 2 is a simplified flow chart of the method of the present invention.

FIG. 3 is a detailed flow chart of the method of the present invention.

FIG. 4 is a schematic diagram of data transmission between entities according to the present invention.

FIG. 5 is a schematic diagram of adding and deleting nodes in the index structure of the present invention.

FIG. 6 is a schematic diagram of dividing the index structure into blocks according to the present invention.

Detailed ways

In order to make the objectives, technical solutions and advantages of the present invention clearer, the present invention will be further described in detail below with reference to the accompanying drawings and embodiments.

In order to ensure the correctness and integrity of the search results, the present invention introduces an editable blockchain as a third-party trusted entity. At the same time, in order not to weaken the advantages of cloud storage, the overhead of result verification should be kept as small as possible. In order to realize the above functions, the present invention dynamically divides the index structure, and performs parallel computation among the block indexes to generate the verification label. Upload the result verification list L composed of verification tags to the editable blockchain to verify the results retrieved by the cloud server. This verification method can not only improve the efficiency of verification label generation, reduce the size of the list L, but also reduce the computational overhead during the verification process of the editable blockchain; in addition, using the editable technology to maintain the update of L can also minimize the area available Edit blockchain storage overhead.

As shown in FIG. 1 , the system model of the present invention includes a data owner (DO, Data Owner), a data user (DU, Data User), a cloud server (CSP, Cloud Server Platform) and an editable blockchain (Redactable Blockchain) four an entity. The editable blockchain is referred to as blockchain, the data user is the data user (referred to as the user), and the cloud server is also the cloud platform (CP, Cloud Platform). Data owners can build secure index and ciphertext files and upload to cloud servers. At the same time, the data owner can also upload the generated result verification list L to the editable blockchain. After the data user makes a search request, the data owner authorizes the legitimate user. Data consumers with search permissions can generate tokens and submit search queries to cloud servers, and can receive verified search result sets sent from the blockchain and decrypt them locally. Cloud servers are used to store secure indexes and ciphertext files, and can also provide search services for data users. Execute the search algorithm to get the search results and send them to the blockchain for verification of the correctness of the results. The user's operations on the data are all regarded as a transaction process, which is packaged into an editable blockchain through a smart contract (SC, Smart Contract). Smart contracts belong to the editable blockchain, and many operations in the editable blockchain are based on smart contracts. The smart contract verifies the search results obtained by the cloud server through the result verification list L, and then sends the verified search results to the data user. Use editable technology to complete the update operation of the result verification list L, realize fine-grained modification of blockchain data at the transaction level, and ensure that the number of blocks grows at a low rate.

Editable blockchain is an emerging hot spot in the blockchain field. It aims to realize the controllable editing operation of data on the chain under the premise of ensuring the security and credibility of the blockchain. The invention replaces the internal hash function of the block chain with the chameleon hash function, and realizes the editability of the block by utilizing the collision property of the chameleon hash.

The chameleon hash function is a one-way hash function with a trapdoor. If the trapdoor information is grasped, the hash collision of any input data can be easily calculated, so that the input of the hash function can be changed arbitrarily without changing the output of the hash function.

The chameleon hash function usually has the following four algorithms, namely the key generation algorithm HG, the hash generation algorithm CH, the hash verification algorithm HV and the hash collision algorithm HC. The four algorithms are as follows:

1) HG(1 ⁿ )=(hk, tk): the public key hk and the private key (trapdoor) tk for generating the chameleon hash, n is a security parameter.

2) CH(hk, x, r)=(h, ξ): Given public key hk, arbitrary data x and random number r, generate hash value h and random number ξ.

3) HV(hk, x, (h, ξ)): Given public key hk, arbitrary data x, hash value h and random number ξ, if (h, ξ) is the correct hash value, output 1 , otherwise output 0.

4) HC(tk, (h, x, ξ), x'): Given trapdoor tk, triplet (h, x, ξ) and data x', output a new random number ξ' such that HV(hk , x, (h, ξ))=HV(hk, x', (h, ξ'))=1.

Obviously, mastering the trapdoor key means having the right to modify the blockchain, so the management of the trapdoor key is crucial for the chameleon hash function.

As shown in Figure 2, the dynamic searchable encryption method supporting block verification in the editable blockchain of the present invention includes the following steps:

A. The data owner inputs the security parameter λ and outputs the public system parameter Para, and the public system parameter Para can be known by each entity.

B. The data owner generates a random number λ _r according to the public system parameter Para as the data update state identifier and stores it in the state set Map, and outputs the key pair (PK _D , SK _D ) required for encryption.

加密后的关键字集CW、加密文件集CD到云服务器中，将生成的结果验证列表L存储到可编辑区块链中。C. Initialize the file of the data owner, encrypt the query key/file set (W/F) according to the encryption key pair (PK _D , SK _D ), and generate and output the encrypted index table

The encrypted keyword set CW and the encrypted file set are CD to the cloud server, and the generated result verification list L is stored in the editable blockchain.

D. When the data user initiates a search query, the search keyword w is sent to the data owner, and the data owner sends authorization information to the data user according to the search keyword w and the private key SK _D ; the data user generates the authorization information according to the Search for token ST.

执行搜索操作，并将输出的搜索结果集S_R和验证集P_R发送到可编辑区块链中。E. The cloud server performs a search operation, and the cloud server receives the search token ST sent by the data user. First judge the correctness of the token, if it meets the conditions, then according to the encrypted index table

Execute the search operation and send the output search result set _SR and validation set _PR to the editable blockchain.

F. After the editable block link receives the ( _{S R} , P _R ) sent by the cloud server, it performs the verification operation and outputs the verification result identifier VR, and returns 1 if it passes the verification, and the editable block chain will send the search result To the data user, and charge the data user; otherwise, return 0, and the deposit will be returned to the data user.

The dynamic searchable encryption method provided by the present invention also includes an update step, as follows:

加密关键字集CW′和加密文件集CD′上传到云服务器，更新后的结果验证列表L′使用可编辑技术上传到可编辑区块链。G. When the file is updated, the data owner generates a new λ _r ' and records it in the Map, and records the updated encrypted index table

The encrypted keyword set CW' and the encrypted file set CD' are uploaded to the cloud server, and the updated result verification list L' is uploaded to the editable blockchain using the editable technology.

Each step will be described in detail below with reference to the accompanying drawings.

Combining Figure 2, Figure 3 and Figure 4, in step A, input the security parameter λ, let G ₁ and G ₂ be two multiplicative cyclic groups, p is a large prime number, e is a bilinear map e:G ₁ × G ₁ →G ₂ , where g ₁ is the generation number of G ₁ . Output the bilinear pair of cryptographic parameters (G ₁ , G ₂ , e, p, g ₁ ).

Definition H ₁ : {0,1} ^* → G ₁ , H ₂ : {0,1} ^* → Z _p are two hash functions, Z _p is a finite field of order p, h ₀ and h ₁ are both ∈ G ₁ , the public system parameters are obtained as Para={G ₁ ,G ₂ ,e,p,g ₁ ,H ₁ ,H ₂ ,h ₀ ,h ₁ }.

In step B, the data owner initializes the system locally, and the data owner selects a random parameter λ _r ∈{l,…,2 ^{λ} from the sequence {l,…,2 λ }} as the data update according to the public system parameter Para The state is recorded in the state collection Map. λ _r is used as a data update status identifier to indicate whether the data is updated.

SK_D＝x。数据所有者存储私钥SK_D，并随机选择参数θ∈Z_p秘密保存。此外，数据所有者将Map和PK_D均发送给云服务器和可编辑区块链。Randomly choose a x∈Z _p and compute the data owner’s asymmetric random number key pair (PK _D ,SK _D ), where

SK _D =x. The data owner stores the private key SK _D , and randomly selects the parameters _θ∈Zp and keeps it secret. In addition, the data owner sends both Map and PK _D to the cloud server and editable blockchain.

In step C, the data owner not only needs to encrypt the keyword/file set (W/F) to build the index, but also needs to use the block index to generate the list L for result verification.

“||”表示“或”，关键字w和θ取或，再计算哈希，得到加密后的关键字

The data owner takes the file key set W={w ₁ ,w ₂ ,...,w _m } and the file set F={f ₁ ,f ₂ ,...,f _n } as input, and selects a secure symmetric encryption algorithm Enc =(E _k , D _k ) encrypts the file, and the encrypted file is C _j =E _k (f _j ), j=1,2,...,n. Among them, m is the number of keywords; n is the number of files. Encrypting the keyword w specifically performs the following operations:

"||" means "or", the keyword w and θ are ORed, and then the hash is calculated to get the encrypted keyword

The present invention adopts index block to realize parallel operation, speed up retrieval rate through parallel traversal during execution, facilitate generation of check result verification list L and subsequent verification operations, so that the query and verification performance has significant advantages. The searchable encrypted result is verified in blocks through the block index structure, which effectively reduces the computing overhead, storage overhead and communication overhead of the client.

The index structure in the present invention is composed of a plurality of perfect binary trees (each node except the leaf node has two children, and each level is completely filled). In the process of index building, keyword/document identifier pairs (w, id) are added in sequence, so there is an order in the tree formation process. All binary trees are strictly reduced in height (cascading) except for the last two trees, which may be of equal height. This feature will be maintained in subsequent updates. For any keyword w, the set of file identifiers containing w is packed into multiple perfect binary trees (triangles), then the largest perfect binary tree is formed, and the file identifiers that have formed the binary tree are subtracted to continue to form the next largest perfect binary tree. Therefore, except for the last two perfect binary trees, which may have the same height, the remaining binary trees decrease in height sequentially. As shown in Figure 5, if a keyword/document identifier pair (w, id) is to be added, the newly added node will serve as the parent node of two perfect binary trees of the same height. Otherwise, the new node is a perfect binary tree of height 1. To remove (w, id), replace it with the root of the last perfect binary tree, and split the smallest perfect binary tree into two smaller binary trees. As you can see, the cascading properties after adding and removing have not changed. Finally, any (parallel) tree traversal algorithm can traverse this data structure, so this structure enables parallel queries and data updates, and has the property that updating data only affects a constant amount of data.

然后数据所有者针对根结点哈希，计算块索引哈希h(hr_i)以及σ_i。其中，

上面公式中，

表示异或，H(id_ri)表示第r_i个文档标识符的哈希值，hr_i表示第i个块的根结点哈希，h(hr_i)表示块索引哈希。对于某一个确定的块i，其上拥有r_i个结点，计算hr_i即计算该块上所有结点中文档标识符的哈希值，再进行异或。最后，数据所有者将密文以及加密索引

上传至云服务器。The above-mentioned process of establishing the index structure is performed for each keyword. Then, perform index block for the inverted index generated by each element w _j (1≤j≤m) in the keyword set W, 1≤i≤k (k is the number of index block blocks). As shown in Figure 6, each perfect binary tree in the index structure is divided into a block, so k is the number of perfect binary trees. In FIG. 6 , k=3, and the number of nodes in the index structure is 11; the index structure after partitioning is I={I ₁ , I ₂ , I ₃ }. If the result verification list generated by the divided block still exceeds the gas limit of Ethereum, then it is divided into three subtrees (blocks) on the basis of this block. As shown in the block index I ₁ in FIG. 6 , the subtrees divided again are the root node (Root ₀ ) and the left and right child nodes (the left child node Chd ₀₀ and the right child node Chd ₀₁ except the root node). ) regenerated index structure. The secondary division method divides itself inside the block, and it is still the overall block structure from the outside. As shown in FIG. 6 , I ₁ ={Root ₀ , Chd ₀₀ , Chd ₀₁ } after I ₁ is divided into two blocks. This block method can realize dynamic division and effectively avoid storage waste. Then calculate the encrypted root node hash according to the result of the block

The data owner then calculates the block index hash h(hr _i ) and σ _i for the root node hash. in,

In the above formula,

represents XOR, H(id _ri ) represents the hash value of the r _i th document identifier, hr _i represents the root node hash of the ith block, and h(hr _i ) represents the block index hash. For a certain block i, there are r _i nodes on it, and calculating hr _i is to calculate the hash value of the document identifiers in all the nodes on the block, and then perform XOR. Finally, the data owner will cipher the text along with the encrypted index

Upload to cloud server.

最终得到与所有关键字相对应的结果验证列表L＝{β₁,β₂,…,β_m}。数据所有者将结果验证列表L发送到可编辑区块链。可编辑区块链接收到数据所有者发送的结果验证列表L后，根据公钥hk、验证标签β_j和随机数r，计算CH(hk,β_j,r)＝(h,ξ)，并存储生成的哈希值h和随机数ξ。Next, the data owner calculates the verification label β _j locally according to σ _i , specifically

Finally, a result verification list L={β ₁ , β ₂ , . . . , β _m } corresponding to all keywords is obtained. The data owner sends the result verification list L to the editable blockchain. After receiving the result verification list L sent by the data owner, the editable block link calculates CH(hk, _βj ,r)=( _h ,ξ) according to the public key hk, verification label βj and random number r, and Store the generated hash value h and random number ξ.

和

其中，r₀＝H₂(d₁)是Z_p的一个伪随机数，

数据所有者将授权信息d₀和d₁发送给数据使用者，由数据使用者生成搜索令牌ST＝(d₀,d₁)。数据使用者将搜索令牌ST发送给云服务器。In step D, when a data user initiates a search query, it first needs to request a search permission from the data owner, that is, the data user sends the search keyword w to the data owner. The data owner randomly selects γ ₁ ∈ Z _p , and computes

and

Among them, r ₀ =H ₂ (d ₁ ) is a pseudo-random number of Z _p ,

The data owner sends the authorization information d ₀ and d ₁ to the data user, and the data user generates a search token ST=(d ₀ , d ₁ ). The data consumer sends the search token ST to the cloud server.

和

随后，根据v和T计算

并将y、T、Ω₀、Ω₁和Ω₂发送给云服务器，以便云服务器对数据使用者发送的搜索令牌的有效性进行校验。The data owner randomly selects x ₁ , x ₂ , y∈Z _p , calculates

and

Then, according to v and T, calculate

And send y, T, Ω ₀ , Ω ₁ and Ω ₂ to the cloud server, so that the cloud server can verify the validity of the search token sent by the data user.

和加密关键字集CW后进行如下计算，在搜索关键字之前，首先判断数据使用者发送的搜索令牌ST是否满足

其中

若满足条件，则表示搜索令牌正确。若搜索令牌不正确，则云服务器反馈给数据使用者。In step E, the cloud server obtains the encrypted index

After and the encrypted keyword set CW, the following calculation is performed. Before searching for keywords, first determine whether the search token ST sent by the data user satisfies the

in

If the conditions are met, the search token is correct. If the search token is incorrect, the cloud server will feed back to the data consumer.

执行搜索。若λ_r＝λ_rCP不成立，则表示关键字由更新后的新索引生成，此时需由云服务器根据更新后的加密索引

执行并行搜索算法。If the search token is correct, the cloud server next determines whether λ _r =λ _rCP is established, where λ _r represents the latest update identifier generated by the data owner, and λ _rCP represents the update identifier in the last query before this query , the two are equal, indicating that no updates have occurred between the two queries. Therefore, if λ _r =λ _rCP is established, it means that no update has occurred. At this time, the cloud server uses the unupdated encrypted index

Perform a search. If λ _r =λ _rCP does not hold, it means that the keyword is generated by the updated new index, and the cloud server needs to use the updated encrypted index

Execute a parallel search algorithm.

⊥代表空集，对于j＝1,2,…,k，若左右子树均不为空chd₀₀≠⊥(∨chd₀₁≠⊥)(“∨”为析取符号，表示“或”，chd₀₀表示左子树，chd₀₁表示右子树)，则对每棵完美二叉树执行中序遍历算法，计算

和

是满足搜索令牌的文件和文件标识符，

和

是满足搜索令牌的文件集和文件标识符集，

是搜索结果集。The cloud server executes the search algorithm according to the encrypted index (unupdated or updated encrypted index), specifically: when the number of index blocks k ≥ 1, initialize the

⊥ represents an empty set. For j=1,2,…,k, if the left and right subtrees are not empty, chd ₀₀ ≠⊥(∨chd ₀₁ ≠⊥) (“∨” is a disjunctive symbol, indicating “or”, chd ₀₀ represents the left subtree, chd ₀₁ represents the right subtree), then perform the in-order traversal algorithm for each perfect binary tree, and calculate

and

are the file and file identifiers that satisfy the search token,

and

is the set of files and file identifiers that satisfy the search token,

is the search result set.

hr_iCP为云服务器生成的根结点哈希，同时，云服务器还生成块哈希hr_1CP,hr_2CP,…,hr_kCP。随后将搜索结果集S_R和验证集P_R＝{h(hr_1CP),h(hr_2CP),…,h(hr_kCP),μ}发送给可编辑区块链。The cloud server calculates the verification label according to S _R , the index I={I ₁ , I ₂ ,...I _k }

hr _iCP is the root node hash generated by the cloud server. At the same time, the cloud server also generates block hashes hr _1CP ,hr _2CP ,…,hr _kCP . The search result set _SR and the validation set _PR = {h(hr _1CP ), h(hr _2CP ), . . . , h(hr _kCP ), μ} are then sent to the editable blockchain.

In step F: the editable blockchain receives the update state λ _r sent by the data owner, and after the editable blockchain receives the verification label P=(β, μ) and the search result set _SR , the result is verified as follows. :

The editable blockchain calculates V _DO = e(β, g ₁ ) according to the local verification label β;

And calculate according to the verification label μ generated by the cloud server

Then verify that V _CP =V _DO holds.

If V _CP =V _DO , that is

It means that the search results are correct, and the verification results output VR = 1. The editable _{blockchain records the search results and λ r ,} sends the search results to the data users, and charges the data users. The search results are decrypted locally (the data owner needs to send the symmetric encryption key to the data consumer). If the proof V _CP = V _DO is not established, output VR = 0, and the editable _blockchain will return the deposit to the data user (the data user pays the deposit after obtaining the authorization information).

In step G, the data owner obtains the update state corresponding to the keyword w, and if λ _r ′≠λ _r (λ _r ′ represents the new updated state), the following update operation is performed.

Let W', F' represent the updated keyword set and document set, choose a secure symmetric encryption algorithm Enc=(E _k , D _k ), and calculate the encrypted file CD'=E _k (F').

根据更新后的索引，并行执行相应计算过程，生成新的本地验证标签β_i′以及结果验证列表L′。For each element w _j ' (1≤j≤m) in the set W', execute the encryption algorithm to obtain the encryption index

According to the updated index, the corresponding calculation process is performed in parallel to generate a new local verification label β _i ' and a result verification list L'.

Upload the updated _λr ' and L' to the editable blockchain. First, given the security parameter λ, calculate

(hk, tk)=HG(1 ^λ )

Generate the public key hk and private key (trapdoor) tk of the chameleon hash.

Next, calculate a new random number

ξ′=HC(tk, (h, β _i , ξ), β _i ′)

Then, it is verified whether HV(hk, β _i , (h, ξ))=HV(hk, β _i ', (h, ξ'))=1 holds.

If true, then updating the local validation tag using editable technology succeeds.

In the present invention, a smart contract belonging to an editable blockchain is a "computer transaction protocol for executing contract terms". Specifically, each participant in a smart contract system runs a transaction-based state machine, starting from a genesis state and executing transactions on the blockchain to transform it into some final state. Since only valid transactions are included on the blockchain, the final state can be automatically agreed upon among all participants. The present invention is used for uploading and subsequent updating of the check list (ie, the result verification list) generated according to the block index, as well as the editable technology used for realizing the rewritable storage of data, all of which are implemented in smart contracts. There are four main smart contracts, namely: Editable Blockchain Contract, Checklist Update Contract, Fair Trade Contract and Result Verification Contract. Among them, the editable blockchain contract and the checklist update contract are used to upload and update the checklist, and the fair trade contract and the result verification contract ensure fairness and result verifiability.

The present invention can achieve the purpose of protecting user privacy and data security. The safety goal of the present invention is obtained by enforcing the following constraints:

1) Privacy. Documents and query keywords are kept secret throughout the search process. Neither the cloud server nor the editable blockchain can infer the client's private files and published search keywords.

2) Security. During program execution, ensure that no other information is disclosed other than the results of a series of search requests, update requests, and access patterns. The present invention also considers the result of the update operation as part of the search pattern.

3) Verification. It is necessary to perform two-way verification on malicious users and malicious cloud servers, and hand over the verification process to the editable blockchain to ensure the honest operation of each entity.

4) Fairness. In the event of disputes between users and cloud servers, the exact wrong actors can be fairly detected and a fair deal enforced. That is, if the cloud server is confirmed to have executed the requested search query in error, payment of the service fee for that query shall be refused. Conversely, if it is confirmed that the user has forged the verification result, the service fee for this query should be enforced.

The editable block chain architecture platform, operation function and fair payment mechanism proposed by the present invention are implemented using Python and Ethereum smart contracts. The present invention can still ensure the fairness and security of the query service when the user and the server perform malicious actions. The experimental results show that the invention has good query performance, verification performance and storage performance.

Claims (9)

1. A dynamic searchable encryption method that supports block verification in an editable block chain, is characterized in that, comprises the following steps: A. The data owner inputs the security parameter λ and outputs the system parameter Para; B. The data owner generates a random number λ _r according to the system parameter Para as the data update state and stores it in the state set Map, and outputs the key pair (PK _D , SK _D ) required for encryption; C. Initialize the file of the data owner, encrypt the query keyword/file set according to the encryption key pair (PK _D , SK _D ), and generate and output the encrypted index table

The encrypted keyword set CW and the encrypted file set are CD to the cloud server, and the generated result verification list L is stored in the editable blockchain; D. When the data user initiates a search query, the search keyword w is sent to the data owner, and the data owner sends authorization information to the data user according to the search keyword w and the private key SK _D ; the data user generates the authorization information according to the search token ST; E. The cloud server receives the search token ST sent by the data user and performs the search operation: the cloud server first judges the correctness of the search token, and if it meets the conditions, then according to the encrypted index table

Execute the search operation, and send the output search result set S _R and verification set P _R to the editable blockchain; F. After the editable block link receives the (S _R , P _R ) sent by the cloud server, it performs the verification operation and outputs the verification result identifier VR , and returns 1 if it passes the verification _. The editable block chain will set the search result set Send to the data user and charge the data user; otherwise, return 0 and the deposit will be returned to the data user. 2. The dynamic searchable encryption method supporting block verification in the editable block chain according to claim 1, is characterized in that, in step A, input security parameter λ, output bilinear pairing password parameter (G ₁ , G ₂ ,e,p,g ₁ ); G ₁ and G ₂ are two multiplicative cyclic groups, p is a large prime number, e is a bilinear map e:G ₁ ×G ₁ →G ₂ , g ₁ is G The number of generation of ₁ ; Definition H ₁ : {0,1} ^* → G ₁ , H ₂ : {0,1} ^* → Z _p are two hash functions, Z _p is a finite field of order p, h ₀ and h ₁ are both ∈ G ₁ , the obtained system parameter Para is {G ₁ , G ₂ , e, p, g ₁ , H ₁ , H ₂ , h ₀ , h ₁ }. 3. The dynamic searchable encryption method supporting block verification in an editable ^blockchain according to claim 2, wherein in step B, the data owner selects a random The parameter λ _r ∈ {l,…,2 ^λ } is used as data to update the state and record it in the state set Map; The data owner randomly selects an x∈Z _p and computes an asymmetric random number key pair (PK _D ,SK _D ), where

SK _D = x; The data owner stores the private key SK _D , and randomly selects the parameter _θ∈Zp to keep it secret; The data owner sends both Map and PK _D to the cloud server and editable blockchain. 4. The dynamic searchable encryption method supporting block verification in the editable block chain according to claim 3, is characterized in that, in step C, the data owner first builds an index structure, and the constructed index structure consists of several perfect It is composed of binary trees. Except that the height of the last two perfect binary trees may be the same, the heights of other perfect binary trees are cascaded down; The data owner divides the index structure into blocks according to the number of perfect binary trees, calculates the root node hash hr _i and block index hash h(hr _i ) of each block after dividing, and calculates σ _i ;

The data owner then calculates the local verification label β _j according to σ _i :

Among them, k is the number of blocks after division; j=1, 2, ..., m, m is the number of keywords; The final generated result verification list is L={β ₁ ,β ₂ ,...,β _m }. 5. The dynamic searchable encryption method that supports block verification in the editable block chain according to claim 4, wherein in step D, the data user sends the search keyword w to the data owner, and the data owner The player randomly selects γ ₁ ∈ Z _p , and computes

and

Among them, r ₀ =H ₂ (d ₁ ) is a pseudo-random number of Z _p ,

d ₀ and d ₁ are the authorization information sent by the data owner to the data user; the data user generates a search token ST=(d ₀ , d ₁ ) according to d ₀ and d ₁ . 6. The dynamic searchable encryption method supporting block verification in the editable block chain according to claim 5, is characterized in that, in step E, the correctness of the cloud server to judge the search token is specifically: The data owner randomly selects x ₁ , x ₂ , y∈Z _p , calculates

and

Then, according to v and T, calculate

and send y, T, Ω ₀ , Ω ₁ and Ω ₂ to the cloud server; The cloud server receives y, T, Ω ₀ , Ω ₁ and Ω ₂ sent by the data owner, and then judges whether the search token ST satisfies

in

If the conditions are met, the search token is correct. 7. The dynamic searchable encryption method supporting block verification in the editable block chain according to claim 6, is characterized in that, in step E, when the search token is correct, the cloud server according to the encrypted index table

Execute the search operation, get the search result set S _R , and then calculate the verification label

hr _iCP is the root node hash generated by the cloud server. At the same time, the cloud server also generates block hashes hr _1CP ,hr _2CP ,...,hr _kCP , and then the search result set S _R and the verification set P _R = {h(hr _1CP ),h(hr _2CP ),…,h(hr _kCP ),μ} are sent to the editable blockchain. 8. The dynamic searchable encryption method supporting block verification in the editable block chain according to claim 7, wherein in step F, the editable block chain receives the update state λ _r sent by the data owner, After the editable blockchain receives the verification label P=(β, μ) and the search result set _SR , the result verification is performed, as follows: The editable blockchain calculates V _DO = e(β, g ₁ ) according to the verification label; and calculate

Then the editable blockchain verifies whether V _CP = V _DO is established; if so, the search result set _SR will be sent to the data user; if not, the deposit will be returned to the data user. 9. The dynamic searchable encryption method supporting block verification in the editable block chain according to any one of claims 1-8, wherein the method further comprises step G: when the file is updated, the data owner Generate a new λ _r ' record in the Map, and update the encrypted index table

The encrypted keyword set CW' and the encrypted file set CD' are uploaded to the cloud server, and the updated result verification list L' is uploaded to the editable blockchain using the editable technology.

Images