CN114741711A - Multi-keyword searchable encryption method based on block chain - Google Patents

Abstract

The invention discloses a block chain-based multi-keyword searchable encryption method, which comprises the following steps: initializing; constructing an index; generating a trap door; distributing; retrieving; verifying; decrypting; and (6) arbitration. According to the method, the retrieval tasks are decomposed by using a distribution algorithm and then run by using a plurality of search servers, so that the dependence on a single cloud server is reduced, and the decentralization degree is higher. In the method, the arbitration algorithm and the verification algorithm are used for detecting the malicious behaviors of the cloud server, and the retrieval result is verified, so that fair transaction between the user and the cloud server is ensured. A keyword weight mechanism is designed in a retrieval algorithm, and fuzzy results can be provided based on weights when retrieval results are empty. Experimental analysis and comparison show that the method has high execution efficiency.

Description

Blockchain-based multi-keyword searchable encryption method

technical field

The invention relates to the technical field of blockchain, in particular to a multi-keyword searchable encryption method based on blockchain.

Background technique

Cloud computing has been booming in recent years, and a large number of companies have begun to provide cloud services to the society. Cloud service categories include platform-as-a-service, infrastructure-as-a-service, and software-as-a-service. Users can choose to buy or rent different cloud services according to their own needs. More and more organizations are also moving data and applications to cloud servers.

While cloud services bring more convenience, the risks of security and privacy leakage cannot be ignored. The most commonly used by individual users is to rent cloud storage servers to store personal data. For example, Apple's iCloud. Users can store photos, videos and other types of files on their phones in the iCloud cloud server. This saves local storage space, and users can view files in iCloud anytime, anywhere without restrictions on devices.

However, since these information are stored in the cloud server in clear text, once the data is leaked, it will cause serious damage to the privacy of users. The data security can be protected by encrypting the data and uploading it to the cloud server, but it brings inconvenience to the management and use of the data, especially the retrieval operations that users use more frequently.

In order to realize keyword search on ciphertext, scholars have proposed searchable encryption. In the existing research on searchable encryption schemes, the improvement of the expressive ability of the algorithm is an important research direction. Among them, multi-keyword retrieval is a research hotspot. Scholars have explored keyword retrieval schemes that support logical connections, or use technologies such as kNN (K-Nearest Neighbor) and Word2vec to calculate and evaluate the similarity between keywords and ciphertext documents. Keyword search. Scholars have also proposed more convenient fuzzy retrieval schemes.

However, except for fuzzy retrieval, the existing multi-keyword searchable encryption schemes can only provide accurate results and can sort retrieval results on this basis. When multiple keywords retrieved by the user do not have corresponding documents, the retrieval result is empty, and the user experience is poor.

A large number of searchable encryption schemes assume that cloud servers are honest. In practical applications, cloud services may be dishonest or malicious, and the retrieval results provided by them are unreliable. Therefore, the introduction of a verification mechanism for retrieval results to prevent malicious behavior of cloud servers is also an important research direction of searchable encryption schemes, among which the searchable encryption scheme based on blockchain is a research hotspot. However, in these searchable encryption schemes, the cloud server is a logically single node, with a high degree of centralization, and cannot prevent malicious behavior of the cloud server. For example, when the cloud server maliciously returns empty results, the final retrieval result may be empty.

At present, a large number of searchable encryption schemes assume that the server is honest, but in practical applications, the cloud server may behave dishonestly during the operation of the scheme due to cost considerations. For example, incomplete search results are returned to reduce traffic consumption, and random results or empty results may be returned to save computing resources. This greatly damages the fairness of transactions between users and cloud servers, and a verification mechanism for retrieval results needs to be introduced.

The application of blockchain technology can effectively solve this problem. The data in the blockchain cannot be tampered with and can be verified and traced. The blockchain can act as a trusted party to verify the retrieval results, thus ensuring fair transactions.

The verification mechanism established by the blockchain in the existing schemes ensures the fairness of the transaction to a certain extent, but the cloud server in these schemes is still a single logical node, and the degree of decentralization is not high enough. When a cloud server behaves maliciously, it can only be punished by deducting the deposit. In the operation of the scheme, it is still necessary to rely on the cloud server with malicious behavior.

SUMMARY OF THE INVENTION

The technical problem to be solved by the present invention is how to provide a blockchain-based multi-keyword searchable encryption method that can improve retrieval efficiency, ensure transaction fairness and have higher flexibility.

In order to solve the above-mentioned technical problems, the technical scheme adopted by the present invention is: a multi-keyword searchable encryption method based on blockchain, which is characterized in that:

Initialization: The data owner generates public parameters and keys, and creates a smart contract, making public parameters and public keys public, and keeping private keys secret;

Index construction: The data owner generates the ciphertext file, index, shared key and other parameters, sends the generated ciphertext file to the storage server, sends the index to the search server, sends the shared key to other users, and sends the generated ciphertext file to the storage server. Other parameters are kept secret;

Trapdoor generation: The user generates retrieval trapdoors from multiple keywords that need to be retrieved, and initiates retrieval requests;

Distribution: The smart contract decomposes the user's retrieval request and sends it to each search server;

Retrieval: The search server processes the retrieval request and sends the retrieved results to the user and the smart contract;

Verification: The smart contract verifies the retrieval results, and initiates an arbitration request for the results that fail to verify;

Decryption: The user calculates according to the retrieval result, requests the corresponding ciphertext file from the storage server according to the calculation result, decrypts the ciphertext file to obtain the corresponding plaintext file, and initiates an arbitration request if the calculation or decryption fails;

Arbitration: The data owner processes the arbitration request and verifies the retrieval results.

The beneficial effects of adopting the above technical solutions are: 1) The method described in this application uses a decentralized multi-server architecture, and transfers data storage and data retrieval to multiple cloud servers respectively. On this basis, a distribution algorithm is designed, which can decompose the retrieval tasks containing multiple keywords and distribute them to multiple search servers for execution, which improves the retrieval efficiency and achieves load balancing.

2) A verification algorithm and an arbitration algorithm are designed in the method described in this application, which can verify the retrieval result, prevent malicious behavior of the cloud server, and ensure fair transaction. The keyword weight mechanism is introduced into the retrieval algorithm, which can return the fuzzy result with the highest weight to the user when the retrieval result is empty, which is more flexible.

3) Comparative experiments are carried out on the application on the real data set, which proves that the application has high efficiency.

Description of drawings

The present invention will be described in further detail below with reference to the accompanying drawings and specific embodiments.

1 is a model diagram of the method according to an embodiment of the present invention;

Fig. 2 is the flow chart of the method described in the embodiment of the present invention;

3 is a time-consuming comparison diagram of an index construction stage in an embodiment of the present invention;

4 is a time-consuming comparison diagram of a trapdoor generation stage in an embodiment of the present invention;

5 is a time-consuming comparison diagram of a keyword retrieval stage in an embodiment of the present invention;

FIG. 6 is a graph showing the influence of the number of search servers on the total time consumption of the method in an embodiment of the present invention.

Detailed ways

The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention. Obviously, the described embodiments are only a part of the embodiments of the present invention, rather than all the embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those of ordinary skill in the art without creative efforts shall fall within the protection scope of the present invention.

Many specific details are set forth in the following description to facilitate a full understanding of the present invention, but the present invention can also be implemented in other ways different from those described herein, and those skilled in the art can do so without departing from the connotation of the present invention. Similar promotion, therefore, the present invention is not limited by the specific embodiments disclosed below.

The embodiment of this application discloses a blockchain-based multi-keyword searchable encryption method, as shown in Figure 1:

The participants in the embodiments of the present application include a data owner (DO), a storage server (S_Store), a search server (S_Search), and a user (DU), all of which serve as blockchain nodes. The data owner is responsible for encrypting documents to generate ciphertext data and indexing. The storage server is responsible for storing ciphertext data generated by the data owner. The search server is responsible for storing the index data, and calculating and retrieving the corresponding index data according to the retrieval trapdoor uploaded by the user. Users calculate and generate retrieval trapdoors according to their own retrieval needs, and send them to the search server through the blockchain to obtain the corresponding index data. The user requests the corresponding ciphertext data from the storage server according to the index data.

This application includes the following 8 polynomial time algorithms:

1) Initialization algorithm Setup(λ)→(pub, P _DO , S _DO , P _u , S _u ). The algorithm takes the security parameter λ as input, the data owner generates the public parameter pub, and deploys the smart contract on the blockchain. The data owner and other users generate a public-private key pair, keep the private keys S _DO and S _u secret, and make public the public keys P _DO and P _u ;

2) Index building algorithm Buildindex(pub, W, M, S _DO )→(C, I, Key, VC, VRs, VRu). The algorithm takes the public parameter pub, the set of plaintext keywords W, the set of plaintext files M and the private key SDO of the data owner as input, and _outputs the set of ciphertext files C, the ciphertext index I, the shared key Key, and the key used for result verification. Collection VC, VRs, VRu. The algorithm is executed by the data owner. The set C and index I are sent to the storage server and the search server respectively, the search key Key is sent to other users, the generated set VC is published on the blockchain, and the sets VRs and VRu are kept secret.

3) Trapdoor generation algorithm GenTrapdoor(Key,W',S _u ,P _DO )→Tw. The algorithm takes the search key Key, the set of keywords to be retrieved W', the user's private key S _u and the data owner's public key P _DO as input, generates the trapdoor set Tw and sends it to the smart contract. The algorithm is executed by the user, where each keyword can be assigned a weight.

4) Distribution algorithm Distribute(Tw)→({TS ₁ , TS ₂ , TS ₃ ,...}). The algorithm takes the trapdoor set Tw sent by the user as input, and the smart contract executes the algorithm to output the decomposed trapdoor set {TS ₁ , TS ₂ , TS ₃ ,…}, where

5) Search algorithm Search(TS _i ,I,P _u )→(RS _i ,R_TS _i ). The algorithm takes trapdoor set TS _i , ciphertext index I, and user public key Pu as input, and each search server executes the algorithm to output retrieval results RS _i and _{R_TS i .}

6) Verify algorithm Verify(RS _i )→{0,1}. The algorithm is executed by the smart contract. The algorithm takes the retrieval result RS _i sent by each search server as input, outputs the verification result, and sends the deposit and service fee according to the verification result.

7) Decryption algorithm Dec(R_TS _i , P _DO , Key)→M. The algorithm is executed by the user to obtain the plaintext file M corresponding to the retrieval result by taking the retrieval result R_TS _i , the data owner public key P _DO , and the search key Key as input.

8) Arbitration algorithm Arbitrate(w",Nw",x)→{0,1}. The algorithm is executed by the data owner, and takes the retrieval result Nw" to be arbitrated, the keyword w" to be arbitrated (optional), the secret information x as input, and outputs the verification result.

As shown in FIG. 2 , an embodiment of the present invention discloses a blockchain-based multi-keyword searchable encryption method. The specific content and execution flow of the eight polynomial time algorithms included in the method are as follows:

Initialization algorithm: Setup(λ)→(pub,P _DO ,S _Do ,P _u ,S _u ).

This application first needs to execute the initialization algorithm Setup( ), which corresponds to step ① in FIG. 2 . The execution of the algorithm is as follows:

1) The data owner generates two multiplicative cyclic groups G ₁ and G ₂ whose order is prime p, and g is the generator of G ₁ . Generate a bilinear map e: G ₁ ×G ₁ →G ₂ . Choose a pseudorandom function F: {0,1} ^* →{0,1} ^k . Choose two cryptographic hash functions H ₁ :{0,1} ^* →G ₁ and H ₂ :G ₂ →{0,1} ^k , where k is an integer. The collision-resistant hash functions H ₃ :{0,1} ^* →{0,1} ^k , H ₄ :{0,1} ^* →{0,1} ^k are chosen. Select a symmetric encryption algorithm (Enc, Dec). The data owner publishes the system public parameters pub={p, G ₁ , G ₂ , e, F, H ₁ , H ₂ , H ₃ , H ₄ , (Enc, Dec)}, and publishes them to the blockchain.

用户随机选取u∈Z_p，计算

作为私钥，计算用户公钥P_u＝g^u。数据所有者和用户将私钥保存，将公钥作为公开信息发布至区块链。The data owner randomly selects s ∈ Z _p to calculate S _DO = g ^s as the private key, and calculates the public key

The user randomly selects _u∈Zp and calculates

As the private key, the user public key P _u = ^gu is calculated. Data owners and users save the private key and publish the public key to the blockchain as public information.

2) The data owner creates a smart contract and publishes it to the blockchain. The user and the search server need to call the smart contract during the execution of the solution to complete the entire retrieval process. The functions of the smart contract include: temporarily storing the user service fee and the deposit of the search server; decomposing and sending retrieval tasks; and verifying the retrieval results. After each retrieval is completed, the user can withdraw the deposit held in the smart contract.

Index building algorithm: Buildindex(pub,W,M,S _DO )→(C,I,Key,VC,VRs,VRu).

After the initialization is completed, the data owner needs to execute the Buildindex() algorithm, which corresponds to step ② in Figure 2. The algorithm execution process is as follows:

1) The data owner splits the plaintext file by keywords to obtain a keyword set W={w ₁ , w ₂ , w ₃ ,...}. The data owner uses a symmetric algorithm to encrypt the plaintext file to obtain the ciphertext file. Randomly select x∈Z _p , for the plaintext file M _i , the ciphertext file C _i =Enc(M _i ,k), k is the symmetric key, k=H ₂ (e(g,g ^x )). The set of cipher text files is C={C ₁ , C ₂ , C ₃ ,...}, for the files C _i , after sorting the cipher text files, assign the file number FN _i =2 ^i-1 according to the sequence number i, and calculate H ₄ ( C _i ), the set VC={[FN ₁ , H ₄ (C ₁ )], [FN ₂ , H ₄ (C ₂ )], . . . , [FN _i , H ₄ (C _i )]} is obtained. The data owner sends all ciphertext files C and their numbers to the storage server, and publishes VC to the blockchain. At this time, the hash value of the ciphertext file is anchored on the blockchain and can be used to verify the retrieval result.

2) The data owner utilizes the ciphertext file number and its corresponding keyword to construct the keyword-document number file index I, and the calculation process is as follows:

Let the set of ciphertext file numbers containing the keyword w be {FN ₁ , FN ₂ , FN ₃ ,…}.

2-1) Using the keyword w, calculate y=H ₃ (w).

2-2) Calculate C _w =e(g ^x , ^gy )=e(g,g) ^xy .

2-3) Let Key=g ^sx and calculate b=F(Key).

2-4) Calculate verify_bit=e(H ₁ (w), Key) mod 2.

2-5) Calculate the aggregated file number Nw=FN ₁ &FN ₂ &FN ₃ &..., and insert the verify_bit into the b-th bit of Nw, and & represents an AND operation.

The index corresponding to the keyword w is Iw=[Cw, Nw]. The data owner performs the above operations on each keyword in the keyword set W, generates an index I={Iw ₁ , Iw ₂ , ...}, and then uploads the index to each search server. At the same time, the data owner calculates VN=H ₄ (Nw||x), Vw=H ₄ (w||Nw||x) to generate the set VRs={VN ₁ , VN ₂ , VN ₃ ,…} and VRu={ Vw ₁ , Vw ₂ , Vw ₃ ,…} for arbitration of disputed search results.

3) The data owner sends the shared key Key=g ^sx to each user, and the user must use this key to construct a legal retrieval trapdoor. Data owners keep x, VRs, VRu, S _DO as secret information.

Trapdoor generation algorithm: GenTrapdoor(Key,W',S _u ,P _DO )→Tw.

The user needs to execute the GenTrapdoor() algorithm to generate a search trapdoor for the keywords to be searched, which corresponds to step ③ in Figure 2. The execution of the algorithm is as follows:

1) Set the set of keywords to be retrieved as W′={w ₁ ,w ₂ ,w ₃ ,…}, the user needs to specify the weight p for each keyword at the same time, and obtain the set W _p ={[w ₁ ,p ₁ ] ,[w ₂ ,p ₂ ],[w ₃ ,p ₃ ],…}. The weight represents the retrieval priority of each keyword, and is mainly used to calculate fuzzy results when the retrieval result is empty. Keywords with higher weights are more likely to be included in the retrieval results. If the user does not specify the weight, it will be assigned in order by default, p _i =2 ⁱ , and i is the keyword sequence number.

For the keyword w∈W′, the calculation process of the trapdoor is as follows:

1-1) Calculate y=H ₃ (w).

t2＝e(Key·g^y·g^r,P_DO)＝e(g^rsxy,P_DO)＝e(g,g)^rxy。1-2) Randomly select r∈Z _p , calculate

t2=e(Key· ^gy ·g ^r , P _DO )=e(g ^rsxy , P _DO )=e(g,g) ^rxy .

1-3) Search trapdoor for keyword w

2) After performing the above operations on each keyword to be retrieved, the trapdoor set Tw={[tw ₁ ,p ₁ ],[tw ₂ ,p ₂ ],[tw ₃ ,p ₃ ],…} is obtained, and then the user will The trapdoor collection Tw and the service fee are sent to the smart contract. Since the smart contract may require the data owner to arbitrate when verifying the retrieval result, the service fee sent by the user needs to include a part of the arbitration fee. When the arbitration fee is insufficient, the verification function of the contract will be affected to a certain extent.

Distribution algorithm: Distribute(Tw)→({TS ₁ ,TS ₂ ,TS ₃ ,…}).

The user sends the trapdoor and service fee to the smart contract, and the smart contract executes the Distribute() algorithm to decompose the retrieval task, and sends the subtasks to each search server node, corresponding to step ④ in Figure 2. The execution of the algorithm is as follows:

1) Within time t after the contract account receives the trapdoor set and service fee sent by the user, the search server participating in the retrieval sends the deposit to the contract account. After the contract account receives the deposit, the search servers that successfully paid the deposit within time t will be sorted in the order of payment, and user trapdoors will be distributed to these servers, and the overtime deposit payment transaction will be returned to the original account. Finally, a set S of search servers participating in the retrieval is obtained.

2) In order to ensure the reliability of the retrieval results, each trapdoor must be retrieved by two or more search servers; taking two search servers as an example, the smart contract uses the search server set S and the received retrieval trapdoor Tw. Execute the following algorithm Algorithm 1, where n represents the number of cloud servers, m represents the number of trapdoors in Tw, TS _i represents the set of trapdoors received by cloud server Si _,

After the smart contract is executed, TS _i is distributed to the corresponding search server.

Retrieval algorithm: Search(TS _i ,I,P _u )→(RS _i ,R_TS _i ).

The search server executes the Search() algorithm after receiving the retrieval task sent by the smart contract, and sends the result of the algorithm execution to the smart contract and the user, corresponding to step ⑤ in Figure 2. The execution of the algorithm is as follows:

1) After each search server receives the trapdoor set TS _i sent by the smart contract, it performs local retrieval on each trapdoor in the set, and obtains the retrieval result set RS _i ={Nw ₁ ,Nw ₂ ,...,Nw _j ,j∈ (1,m)}, j represents the trapdoor number, Nw _j represents the retrieval result of the trapdoor number j.

利用本地存储的索引Iw’＝[Cw’,Nw’]，计算等式t1’·Cw’＝t2’是否成立，若成立则输出1，将对应的Nw’加入集合RS_i中。若不成立则输出0，将0加入集合RS_i中，表明该陷门对应的检索结果为空。2) For each trapdoor when the search server performs local retrieval

Using the locally stored index Iw'=[Cw', Nw'], calculate whether the equation t1'·Cw'=t2' holds, if so, output 1, and add the corresponding Nw' to the set RS _i . If not, output 0 and add 0 to the set RS _i , indicating that the retrieval result corresponding to the trapdoor is empty.

3) The search server sends the retrieval result set RS _i to the smart contract for verification. If the retrieval results in the set RS _i are all 0, it indicates that the retrieval results are empty this time, and the retrieval process ends. If there is a non-zero result in the retrieval results in the set RS _i , the calculation is continued.

4) For the trapdoor set TS _i , the retrieval result corresponding to all the keywords in the set is R_TS _i =Nw ₁ &Nw ₂ &...&Nw _j . The server participating in the retrieval first calculates R_TS _i , and if R_TS _i >0, it indicates that the retrieval result is not empty, and sends the retrieval result R_TS _i to the user. If R_TS _i =0, the weight of the retrieval result of the subset of trapdoor TS _i is calculated according to the keyword weight, and the result R_SubTS _i with the largest weight is returned to the user as a fuzzy result. The calculation process of R_SubTS _i is shown in Algorithm 2 and Algorithm 3 below.

Verification algorithm: Verify(RS _i )→{0,1}.

The smart contract executes the Verify() algorithm to cross-verify the retrieval result RS _i sent by the search server, which corresponds to step ⑥ in Figure 2. The execution of the algorithm is as follows:

1) Assuming that the retrieval results of two search servers for a certain keyword are _Nwi and _Nwi ', the smart contract verifies whether _Nwi = _Nwi ' holds, that is, whether the retrieval results corresponding to each trapdoor with the same number are the same, If true, output 1. If not established, output 0, and initiate an arbitration request to the data owner, and the request includes _Nwi and _Nwi '. After all the results are verified, the smart contract returns the deposit of each search server, and distributes the service fee to the search server according to the number of trapdoors retrieved. If the verification fails, the smart contract retains the deposit and refuses to pay the service fee of the corresponding search server.

2) After the verification of the smart contract is completed, the verification result is sent to the user, and a transaction is initiated to return the deposit to the search server. After the elapse of time t, the service fee is sent to the search server. Within time t, if the user has doubts about the retrieval result, he can initiate an arbitration request to the data owner, and the transaction for paying the service fee will be suspended.

Decryption algorithm: Dec(R_TS _i ,P _DO ,Key)→M.

After the user receives the retrieval result sent by the search server, the user needs to execute the Dec() algorithm to obtain the corresponding plaintext file, which corresponds to step ⑦ in Figure 2. The execution of the algorithm is as follows:

1) When there are n search servers participating in the retrieval, the user receives n retrieval results {R_TS ₁ , R_TS ₂ , R_TS ₃ ,..., R_TS _n }, and the retrieval results represent the set of ciphertext file numbers containing the corresponding keywords. R_Tw' can be obtained by taking the intersection of the retrieval results, R_Tw'=R_TS ₁ &R_TS ₂ &R_TS ₃ &...&R_TS _n .

The user calculates b=F(Key), and then deletes the bth bit of R_Tw' to obtain the final result R_Tw. The user sends the result R_Tw to the storage server to request the corresponding file. The storage server splits the file number from the R_Tw bit by bit, finds the corresponding file, and sends it to the user.

之后执行对称解密算法即可获取对应的明文文件M＝Dec(C,k)。根据密文文件C还可以计算H₄(C)’并将其与区块链中存储的H₄(C)进行比较，从而判断密文文件是否被篡改。2) After the user obtains the ciphertext file C, first calculate the symmetric key

Then, the symmetric decryption algorithm is executed to obtain the corresponding plaintext file M=Dec(C,k). According to the ciphertext file C, H ₄ (C)' can also be calculated and compared with the H ₄ (C) stored in the blockchain, so as to determine whether the ciphertext file has been tampered with.

The above is the normal decryption process. In addition, users can also perform further logical operations on the retrieval results. For example, when the search key is {a,b,c,d} and the search result r=ra&rb&rc&rd, the result r'=(r)&( !rc). These logical operation conditions can also be included in the retrieval request.

If R_Tw=0 occurs when the retrieval result R_Tw is calculated, it means that there is no file containing all keywords at the same time, and the result with the largest weight among the n retrieval results can be taken as the fuzzy result, or it can be further based on this as needed Use the single-keyword search result RS _i in the blockchain to perform logical operations to calculate the corresponding search results.

Arbitration algorithm: Arbitrate(w",Nw",x)→{0,1}.

The data owner executes the Arbitrate() algorithm to process the arbitration request initiated by the smart contract or the user, corresponding to step ⑧ in Figure 2. The execution of the algorithm is as follows:

1) For the arbitration request from the smart contract, the data owner uses the retrieval result Nw” to be arbitrated to calculate whether H ₄ (Nw”||x)∈VRs is established. If established, output 1, indicating that the search result is valid. Otherwise, 0 is output, indicating that the retrieval result is invalid. At this time, the smart contract withholds the deposit and refuses to pay the service fee to the search server.

2) For the arbitration request from the user, the data owner uses the retrieval result Nw” to be arbitrated and the original keyword w” submitted by the user to calculate whether H ₄ (w”||Nw”||x)∈VRu is established. If established, output 1, indicating that the retrieval result is accurate. Otherwise, output 0, indicating that the retrieval result is inaccurate. The data owner broadcasts the information corresponding to the search server to the blockchain, and the smart contract no longer pays the service fee to the server.

This application introduces blockchain technology into searchable encryption, and proposes a multi-keyword searchable encryption method based on blockchain. Through the distribution algorithm and retrieval algorithm designed in the method, multiple search servers participate in the retrieval process at the same time, multi-keyword retrieval is realized, and the dependence on a single cloud server node is reduced.

In terms of security, this application is compared with Document 1 [Xu P, Tang S, Xu P, et al. Practical multi-keyword and boolean search over encrypted e-mail in cloud server [J]. IEEE Transactions on Services Computing, 2019, 14 (6): 1877-1889.] and document 2 [Yang X, Chen G, Wang M, et al. Multi-keyword certificateless searchable public key authenticated encryption scheme based on blockchain [J]. IEEE Access, 2020, 8: 158765- 158777] were compared, as shown in Table 1.

This application and the literature [1] and literature [2] both construct an asymmetric searchable encryption scheme based on bilinear pairing, and realize multi-keyword retrieval. The solutions of this application and document [2] both introduce blockchain, and at the same time use smart contracts to verify the retrieval results and ensure fair transactions. Both schemes can guarantee the indistinguishability of trapdoor security against keyword guessing attacks by internal and external users. The scheme of literature [2] stores the index in the blockchain, and because the data in the blockchain is transparent, the index has certain security risks. This application only needs to disclose the trapdoor in the blockchain during the running process, which is more secure.

The solution in [1] is based on the traditional cloud server architecture, which only includes the interaction process between the user and the cloud server. The scheme is constructed based on an honest cloud server model, lacks the verification of the retrieval results by trusted parties, cannot guarantee fair transactions, and cannot defend against internal keyword guessing attacks.

Table 1 Safety comparison

From the aspect of calculation amount, this application is compared with the schemes of literature [1] [2], and the calculation amount of each algorithm in the index construction stage, trapdoor generation stage and retrieval stage is analyzed, as shown in Table 2.

n represents the number of plaintext files, m represents the number of keywords, k represents the number of keywords in the query, and r represents the number of files corresponding to the query result (r<<n).

T _M represents the computation amount of a multiplication operation, _TH represents the computation amount of a hash operation, TE represents the computation amount of an exponentiation operation, and _{T P} represents the computation amount of a bilinear pairing operation, where T _H < T _M <T _E <T _P .

In the index construction stage, due to the difference in index structure, the calculation amount of the scheme in [1] is mainly affected by the number of files. The schemes of the present application and document [2] are greatly affected by the number of keywords, and the calculation amount is similar.

In the trapdoor generation stage, the solutions of this application and literature [1][2] are related to the number of keywords to be retrieved, and literature [2] uses the least exponentiation operation and the least amount of calculation. The present application involves bilinear pairing operations at this stage, which is the most computationally intensive.

In the retrieval stage, the scheme of the literature [1] is affected by the number of keywords and the number of documents, and the amount of computation is the highest. Reference [2] is not affected by other parameters, and the calculation amount is minimal. The amount of computation for this application is moderate.

To sum up, the total calculation amount of the application in the above three stages is moderate, but the application is more flexible while ensuring security.

Table 2 Comparison of calculation amount

experiment analysis:

The execution efficiency of this application is analyzed by building an experimental environment. The experimental environment is 64-bit Windows 10 operating system, the CPU is AMD Ryzen7 4800H 2.90GHz, and the memory is 16GB. The experiment is carried out in the local virtual machine VMwareUbuntu16.04 virtual machine, the programming language is python, and the version is python 3.5.

The SHA256 algorithm is used as the hash function in this application, and the plaintext file is encrypted using the AES symmetric encryption algorithm. The dataset used in this paper is the public Enron Email dataset. In the experiment, 3000 files were selected as original plaintext documents, and 1200 keywords were extracted for experimental analysis. The time-consuming of the three stages of index construction, trapdoor generation, and search is compared with the solutions in the literature [1][2]. During the experiment, the number of keywords was increased from 200 to 1200 with a step size of 200. Each experiment was repeated 50 times and the average value was taken as the experimental result.

The time-consuming in the index building phase is shown in Figure 3 below. The abscissa represents the number of keywords, and the ordinate represents the time-consuming index calculation for 3000 plaintext documents based on the corresponding number of keywords. The scheme of [1] is mainly affected by the number of documents in the index construction stage, and is hardly affected by the number of keywords. The time-consuming of the solution in this application and the document [2] is similar at this stage, as shown in Figure 3.

The time-consuming in the trapdoor generation stage is shown in Figure 4. The abscissa represents the number of keywords, and the ordinate represents the time consumed to calculate the retrieval trapdoor of the corresponding number of keywords. All three scenarios are affected by the number of keywords. Reference [2] involves the least amount of computation and the least time-consuming. The time consumption of this scheme is similar to that of the document [1] at this stage, but because this scheme involves bilinear pairing operations, the time consumption is slightly higher than that of the document [1] when the number of keywords is large.

The time-consuming in the retrieval stage is shown in Figure 5, the abscissa is the number of keywords contained in the retrieval request, and the ordinate is the time-consuming to complete the corresponding retrieval request. Since the present application supports the use of multiple search servers to perform the retrieval process, the time consumption of the present application in the case of S_Search=1 and S_Search=4 is respectively given in FIG. 5 . Where S_Search represents the cloud server. The time-consuming of this scheme and the scheme of literature [1] is linearly related to the number of keywords. The time-consuming of literature [1] is hardly affected by the number of keywords. Compared with the schemes of literature [1][2], the time-consuming of this scheme is moderate at this stage.

Finally, the influence of the number of search servers on the total time-consuming of this scheme is tested, as shown in Figure 6 below. The total time spent counts the total time spent in the index construction stage, trapdoor generation stage and retrieval stage of the present application under the condition of 200 keywords and 3000 plaintext documents. In each retrieval, 20 keywords were randomly selected to construct retrieval trapdoors and distributed to the search servers participating in retrieval. It can be seen that the operation efficiency of the present application can be improved by increasing the number of search servers.

This application proposes a blockchain-based multi-keyword searchable encryption method, which stores ciphertext data in a storage server and an index in a search server. On this basis, the multi-keyword task distribution algorithm and retrieval algorithm are designed, so that multiple search servers participate in the method operation at the same time, which improves the decentralization degree of the method. An arbitration mechanism and a verification mechanism based on smart contracts are designed to prevent malicious behavior of cloud servers and ensure fair transactions between users and cloud servers. At the same time, a keyword weight mechanism is also designed, which can return fuzzy results to users when the multi-keyword search results are empty, with higher flexibility. Through experimental analysis, it is proved that this method has high efficiency.

Claims (9)

1. A blockchain-based multi-keyword searchable encryption method, characterized in that: Initialization: The data owner generates public parameters and keys, and creates a smart contract, making public parameters and public keys public, and keeping private keys secret; Index construction: The data owner generates the ciphertext file, index, shared key and other parameters, sends the generated ciphertext file to the storage server, sends the index to the search server, sends the shared key to other users, and sends the generated ciphertext file to the storage server. Other parameters are kept secret; Trapdoor generation: The user generates retrieval trapdoors from multiple keywords that need to be retrieved, and initiates retrieval requests; Distribution: The smart contract decomposes the user's retrieval request and sends it to each search server; Retrieval: The search server processes the retrieval request and sends the retrieved results to the user and the smart contract; Verification: The smart contract verifies the retrieval results, and initiates an arbitration request for the results that fail to verify; Decryption: The user calculates according to the retrieval result, requests the corresponding ciphertext file from the storage server according to the calculation result, decrypts the ciphertext file to obtain the corresponding plaintext file, and initiates an arbitration request if the calculation or decryption fails; Arbitration: The data owner processes the arbitration request and verifies the retrieval results. 2. The blockchain-based multi-keyword searchable encryption method as claimed in claim 1, wherein the initialization comprises the following steps: 1) The data owner generates two multiplicative cyclic groups G ₁ and G ₂ whose order is prime p, and g is the generator of G ₁ ; generates a bilinear map e: G ₁ ×G ₁ →G ₂ ; selects pseudo-random Function F: {0,1} ^* →{0,1} ^k ; choose two cryptographic hash functions H1: {0,1 _} ^* → _G1 and _H2 : G2 _→ {0,1} ^k , k is an integer; choose the collision-resistant hash function H ₃ : {0, 1} ^* → {0, 1} ^k , H ₄ : {0, 1} ^* → {0, 1} ^k ; choose a symmetric encryption algorithm (Enc , Dec); the data owner publishes the system public parameters pub={p, G ₁ , G ₂ , e, F, H ₁ , H ₂ , H ₃ , H ₄ , (Enc, Dec)}, and publishes it to blockchain; The data owner randomly selects s ∈ Z _p to calculate S _DO = g ^s as the private key, and calculates the public key

The user randomly selects _u∈Zp and calculates

As the private key, calculate the user's public key P _u = ^gu ; the data owner and the user save the private key, and publish the public key to the blockchain as public information; 2) The data owner creates a smart contract and publishes it to the blockchain; the user and the search server need to call the smart contract during the execution of the solution to complete the entire retrieval process; after each retrieval is completed, the user can extract the data retained in the smart contract The functions of the smart contract include: temporarily storing the user service fee and the deposit of the search server, decomposing and sending retrieval tasks, and verifying the retrieval results. 3. The blockchain-based multi-keyword searchable encryption method as claimed in claim 1, wherein the index construction comprises the steps: 1) The data owner splits the plaintext file by keywords to obtain a keyword set W _{= {} W1, w2, _w3 , ...}; the data owner encrypts the plaintext file with a symmetric algorithm to obtain the ciphertext file, random Select x∈Z _p , for the plaintext file M _i , the corresponding ciphertext file C _i =Enc(M _i , k), k is the symmetric key, k=H ₂ (e(g, g ^x )); The set of text files is C={C ₁ , C ₂ , C ₃ , ...}. For the file C _i , after sorting the cipher text files, assign the file number FN _i =2 ^i-1 according to the sequence number i, and calculate H ₄ (C _i ), obtain VC={[FN ₁ , H ₄ (C ₁ )], [FN ₂ , H ₄ (C ₂ )], . . . , [FN _i , H ₄ (C _i )]}; The data owner sends all ciphertext files C and their numbers to the storage server, and publishes VC to the blockchain. 2) The data owner utilizes the ciphertext file number and its corresponding keyword to construct the keyword-document number file index I, and the calculation process is as follows: Let the set of ciphertext file numbers containing the keyword w be {FN ₁ , FN ₂ , FN ₃ , ...}; 2-1) Using the keyword w, calculate y=H ₃ (w); 2-2) Calculate C _w =e(g ^x , g ^y )=e(g, g) ^xy ; 2-3) Let Key=g ^sx , calculate b=F(Key); 2-4) Calculate verify_bit=e(H ₁ (w), Key) mod 2; 2-5) Calculate the aggregated file number Nw=FN ₁ &FN ₂ &FN ₃ &..., and insert verify_bit into the b-th bit of Nw, & represents AND operation; The index corresponding to the keyword w is Iw=[Cw, Nw], the data owner performs the above operations on each keyword in the keyword set W, and generates an index I={Iw ₁ , Iw ₂ ,...}, Then upload the index to each search server; at the same time, the data owner calculates VN=H ₄ (Nw||x), Vw=H ₄ (w||Nw||x) to generate a set VRs={VN ₁ , VN ₂ , VN ₃ ,...} and VRu={Vw ₁ , Vw ₂ , Vw ₃ ,...} for arbitration of disputed search results; 3) The data owner sends the shared key Key=g ^sx to each user, and the user must use this key to construct a legal retrieval trapdoor; the data owner keeps x, VRs, _VRu , SDO as secret information. 4. The multi-keyword searchable encryption method based on blockchain as claimed in claim 1, wherein the trapdoor generation comprises the steps: 1) Set the set of keywords to be retrieved as W′={w ₁ , w ₂ , w ₃ , ...}, the user needs to specify the weight p for each keyword at the same time, and obtain the set W _p = {[w ₁ , p ₁ ], [w ₂ , p ₂ ], [w ₃ , p ₃ ], ....}; the weight represents the retrieval priority of each keyword, and is mainly used to calculate the fuzzy result when the retrieval result is empty. High keywords are more likely to be included in the search results; if the user does not specify the weight, it will be assigned in order by default, p _i =2 ⁱ , i is the keyword sequence number; For the keyword w∈W′, the calculation process of the trapdoor is as follows: 1-1) Calculate y=H ₃ (w); 1-2) Randomly select r∈Z _p , calculate

t2=e(Key· ^gy ·g ^r , P _DO )=e(g ^rsxy , P _DO )=e(g, g) ^rxy ; 1-3) Search trapdoor for keyword w

2) After performing the above operations on each keyword to be retrieved, a trapdoor set Tw={[tw ₁ , p ₁ ], [tw ₂ , p ₂ ], [tw ₃ , p ₃ ], ...} is obtained, and then The user sends the trapdoor set Tw and the service fee to the smart contract; since the smart contract may require arbitration from the data owner when verifying the retrieval results, the service fee sent by the user needs to include a part of the arbitration fee. 5. The blockchain-based multi-keyword searchable encryption method of claim 1, wherein the distribution comprises the steps of: 1) Within time t after the contract account receives the trapdoor set and service fee sent by the user, the search server participating in the retrieval sends the deposit to the contract account; after the contract account receives the deposit, the search server that successfully pays the deposit within time t Sort by the payment order, distribute retrieval trapdoors to these servers, and the overtime deposit payment transaction will be returned to the original account; finally get the search server set S participating in the retrieval; 2) In order to ensure the reliability of the retrieval results, each trapdoor must be retrieved by 2 or more search servers; the smart contract decomposes the received trapdoor set Tw into multiple subsets, and then distributes the obtained subsets For the search server, each trapdoor in Tw is included in at least two subsets; the subset received by the search server Si is TS _{i .} 6. The multi-keyword searchable encryption method based on blockchain as claimed in claim 1, wherein the retrieval comprises the following steps: 1) After each search server receives the trapdoor set TS _i sent by the smart contract, it performs local retrieval on each trapdoor in the set, and obtains the retrieval result set RS _i ={Nw ₁ , Nw ₂ ,...,Nw _j , j∈(1, m)}, j represents the trapdoor number, Nw _j represents the retrieval result of the trapdoor number j; 2) For each trapdoor when the search server performs local retrieval

Using the locally stored index Iw'=[Cw', Nw'], calculate whether the equation t1'·Cw'=t2' holds, if so, output 1, and add the corresponding Nw' to the set RS _i ; if not, then Output 0, add 0 to the set RS _i , indicating that the retrieval result corresponding to the trapdoor is empty; 3) The search server sends the retrieval result set RS _i to the smart contract for verification; if the retrieval results in the set RS _i are all 0, it means that the retrieval result is empty this time _, and the retrieval process ends; If there is a non-zero result, continue the calculation; 4) For the trapdoor set TS _i , the retrieval result corresponding to all the keywords in the set is R_TS _i =Nw ₁ &Nw ₂ &...&Nw _j , the server participating in the retrieval first calculates R_TS _i , if R_TS _i >0, Indicates that the retrieval result is not empty, then the retrieval result R_TS _i is sent to the user; if R_TS _i =0, the weight of the retrieval result of the subset of trapdoor TS _i is calculated according to the keyword weight, and the result with the largest weight R_SubTS _i is taken as Fuzzy results are returned to the user. 7. The blockchain-based multi-keyword searchable encryption method as claimed in claim 1, wherein the verification comprises the following steps: 1) Assuming that the retrieval results of two search servers for a certain keyword are _Nwi and _Nwi ', the smart contract verifies whether _Nwi = _Nwi ' holds, that is, whether the retrieval results corresponding to each trapdoor with the same number are the same, If it is established, output 1; if not, output 0, and initiate an arbitration request to the data owner, the request includes _Nwi and _Nwi '; after all results are verified, the smart contract returns the deposit of each search server, and according to the retrieved The number of trapdoors distributes the service fee to the search server; if the verification fails, the smart contract retains the deposit and refuses to pay the service fee for the corresponding search server; 2) After the verification of the smart contract is completed, the verification result will be sent to the user, and a transaction will be initiated to return the deposit to the search server; after time t, the service fee will be sent to the search server; In case of doubt, a request for arbitration can be initiated against the data owner, and the transaction for the payment of the service fee will be suspended. 8. The multi-keyword searchable encryption method based on blockchain as claimed in claim 1, wherein the decryption comprises the following steps: 1) When there are n search servers participating in the retrieval, the user receives n retrieval results {R_TS ₁ , R_TS ₂ , R_TS ₃ , ..., R_TS _n }, the retrieval results represent the set of ciphertext file numbers containing the corresponding keywords ; The intersection of the retrieval results can be obtained to obtain R_Tw', R_Tw'=R_TS ₁ &R_TS ₂ &R_TS ₃ &...&R_TS _n ; The user calculates b=F(Key), and then deletes the bth bit of R_Tw' to obtain the final result R_Tw; the user sends the result R_Tw to the storage server to request the corresponding file; the storage server splits R_Tw by bits File number, find the corresponding file and send it to the user; 2) After the user obtains the ciphertext file C, first calculate the symmetric key

Then execute the symmetric decryption algorithm to obtain the corresponding plaintext file M=Dec(C, k); according to the ciphertext file C, you can also calculate H ₄ (C)' and compare it with the H ₄ (C) stored in the blockchain Compare to determine whether the ciphertext file has been tampered with. 9. The blockchain-based multi-keyword searchable encryption method of claim 1, wherein the arbitration comprises the steps of: 1) For the arbitration request from the smart contract, the data owner uses the retrieval result Nw” to be arbitrated to calculate whether H ₄ (Nw”||x)∈VRs is established; if so, output 1, indicating that the retrieval result is legal; otherwise, output 0, indicating that the search result is illegal, at this time the smart contract withholds the deposit and refuses to pay the service fee to the search server; 2) For the arbitration request from the user, the data owner uses the retrieval result Nw" to be arbitrated and the original keyword w" submitted by the user to calculate whether H ₄ (w"||Nw"||x)∈VRu is established; if so Then output 1, indicating that the retrieval result is accurate; otherwise, output 0, indicating that the retrieval result is inaccurate; the data owner broadcasts the information of the corresponding search server to the blockchain, and the smart contract will no longer pay the service fee to the server.

Images