
CN104486315B - A revocable key outsourcing decryption method based on content attributes - Google Patents


Info

Publication number
CN104486315B (application CN201410743548.5A)
Authority
CN (China)
Prior art keywords
key, decryption, ciphertext, user, aes
Legal status
Active
Application number
CN201410743548.5A
Other languages
Chinese (zh)
Other versions
CN104486315A
Inventors
伍前红 (Wu Qianhong), 邓桦 (Deng Hua), 周云雅 (Zhou Yunya), 秦波 (Qin Bo), 刘建伟 (Liu Jianwei)
Current Assignee
Hangzhou Innovation Research Institute of Beihang University
Original Assignee
Beihang University
Events
Application filed by Beihang University
Priority to CN201410743548.5A
Publication of CN104486315A
Application granted
Publication of CN104486315B
Legal status: Active

Landscapes

  • Storage Device Security (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A revocable key outsourcing decryption method based on content attributes. Trusted authority: 1. initialize and output the system parameters; 2. run the random number generator; 3. select a collision-resistant hash function and compute hash values; 4. compute the public key and the master key; 5. select random numbers and compute exponentiations and multiplications; 6. run the collision-resistant hash function and exponentiations to obtain the decryption key. Data holder: 7. encrypt the data with AES; 8. generate the access control matrix; 9. select random numbers and compute inner products; 10. run multiplications, exponentiations and XOR to obtain the ciphertext. Decryptor: 11. send the decryption request and the transformation key. Mobile cloud storage server: 12. deliver CT2 to the outsourced decryption proxy. Outsourced decryption proxy: 13. compute the transformed ciphertext using the transformation key. Decryptor: 14. compute the session key; 15. decrypt the data with AES.

Description

A revocable key outsourcing decryption method based on content attributes
(1) Technical field:
The present invention proposes a revocable key outsourcing decryption method based on content attributes. It enables effective revocation of leaked user keys in a mobile cloud storage environment, protects user privacy to the greatest extent possible, and reduces the decryption computing cost on mobile devices. It belongs to the field of cryptography within information security.
(2) Technical background:
With the development of communication technology and the large-scale adoption of mobile devices, the information-processing model that once relied on desktop and notebook computers has shifted towards more convenient and efficient mobile cloud computing services. To save storage space, more and more mobile users upload their data to third-party servers. In the mobile cloud storage model, users can access cloud data seamlessly anywhere and at any time through communication networks and mobile devices. While enjoying the convenience of mobile cloud storage, users also worry about the security of their cloud data.
When data is uploaded to a third-party server for distributed storage, the remote server is no longer under the direct control of the data holder but is administered centrally by server administrators. Given the complexity of the network environment, it is unrealistic to expect a third-party server to be perfectly secure; once a storage server is compromised, large amounts of cloud data may be leaked or maliciously deleted, with unbearable consequences. How to enforce access control on data among authorized users, and how to solve the security problems caused by separating data custody from data ownership, has become a major challenge for secure storage and sharing of data in mobile cloud computing services. Given the data-leakage incidents that have already occurred, appropriate data protection measures must be taken to reduce the dependence of data security on the security of the storage server.
To guarantee the security of data stored on a third-party server, data encryption can be introduced: plaintext data is stored on the cloud server in ciphertext form, and only authorized users can decrypt it successfully, so that data is shared securely among authorized users. Traditional encryption, however, requires the data holder to know the exact identity of every possible decryptor before encrypting, a requirement that is often unsuited to the cloud service environment. A newer encryption mechanism, attribute-based encryption (ABE), fits this environment well. In an ABE scheme the identity of each user is represented by an attribute set; the data holder formulates an access control policy according to the security requirements (the policy is expressed over user attributes) rather than a detailed list of authorized user identities, and only a decryptor whose attribute set satisfies the access control policy can decrypt the ciphertext.
As described above, in ABE the identity of a user is represented by an attribute set, for example gender, occupation, age and employer. This information implicitly exposes the user's personal privacy: if the user's mobile device is lost, the decryption key stored in it directly reveals the user's identity. Criminals could use the sensitive attribute information learned in this way to identify the user and commit offences. Only by hiding the user's identity attributes can personal privacy be further protected.
Existing ABE schemes use bilinear pairings in their decryption algorithms, which impose a heavy computational burden on decryption and therefore demand substantial computing capability from the decrypting device. Given the weak computing capability and limited battery power of mobile communication devices, combining mobile cloud storage services with ABE presents real technical difficulty.
In addition, an effective revocation mechanism is extremely important in a mobile cloud storage environment. Because mobile devices are light and portable, they are more likely to be lost or stolen, and the decryption key stored in a stolen device poses a serious threat to the data stored in the cloud. When key leakage is discovered in the system, the first remedial measure needed to prevent the leaked key from decrypting cloud data again is to re-encrypt the ciphertexts stored in the cloud and to upgrade the private keys of the other users accordingly. From the point of view of non-revoked users, it is also essential that revoking a leaked key does not disrupt them.
Research on protecting user privacy in ABE schemes, reducing the decryption burden and revoking leaked keys has produced successful results: 1) by replacing the identity attributes of the decrypting user with the content attributes of the file, the identity of the decryptor can be hidden effectively, protecting personal privacy; 2) with outsourcing, the decryption overhead is shared between the decrypting user and an outsourced decryption proxy with strong computing capability. The decrypting user holds a pair of decryption keys, a transformation key and a decryption private key; the transformation key (sent by the decrypting user) is held by the outsourced decryption proxy, which converts the original ciphertext into a transformed ciphertext (short, and fast to decrypt), and the user then decrypts the transformed ciphertext quickly with the decryption private key; 3) after key leakage, the decryption rights of the user whose key leaked can be revoked by re-encrypting the ciphertexts and upgrading the decryption keys of non-revoked users. Although each of these approaches achieves excellent data security or privacy protection in one respect, no functional ABE scheme combining all three advantages fits the mobile cloud storage environment perfectly.
Building on this prior work, the present invention proposes a revocable key outsourcing decryption method based on content attributes that achieves effective key revocation, protects the personal privacy of the decrypting user to the greatest extent, and saves decryption overhead on mobile devices.
(3) Content of the invention:
1. Purpose:
The purpose of the present invention is to propose a revocable key outsourcing decryption method based on content attributes. First, in a mobile cloud storage environment, the data holder encrypts a file under the content attributes of the file to be encrypted and then uploads it to cloud storage, ensuring the security of the data in the cloud. Second, without disclosing the plaintext, outsourcing is used so that the strong computing capability of an outsourced decryption proxy speeds up decryption and reduces the decryption overhead of the mobile device. Finally, a version number is embedded in both the ciphertext and the decryption key of the decrypting user; when key leakage occurs, the decryption keys and the ciphertexts are promptly upgraded to a new version, so that the decryption rights of the user whose key leaked are revoked.
2. Technical scheme:
The scheme of the present invention involves five entities: 1) the data holder (Data Owner, DO), who formulates an access control policy according to appropriate security requirements, encrypts data under that policy and uploads the encrypted data to the mobile cloud storage server; 2) the decryptor (Data Consumer, DC), who sends the transformation key (TC) and decrypts the transformed ciphertext with its own decryption private key; 3) the mobile cloud storage server (Mobile Storage Service Provider, MSSP), which stores the encrypted data from the data holder and sends the corresponding ciphertext to the outsourced decryption proxy; 4) the outsourced decryption proxy (Computation Service Proxy, CSP), which converts ciphertexts with the transformation key, re-encrypts ciphertexts of the old version and updates the decryption keys of non-revoked users; 5) the trusted authority (Trusted Authority, TA), trusted by every entity, which promptly upgrades the public key and master key when key leakage occurs and is responsible for generating and distributing the keys of all users in the system.
2.1 Basic knowledge (explanation of technical terms):
2.1.1 Bilinear map
The algorithm designed by the present invention uses the mathematics of bilinear maps, so the relevant definitions are given here.
We define a function $e(\cdot)$ that maps pairs of elements of the group $G$ into the group $G_T$, that is $e: G \times G \to G_T$, where $G$ and $G_T$ are two multiplicative cyclic groups of prime order $p$.
A bilinear map satisfies the following properties:
1. Bilinearity: for all $g, h \in G$ and $a, b \in \mathbb{Z}_p$, $e(g^a, h^b) = e(g, h)^{ab}$ holds, where $\mathbb{Z}_p$ denotes the set $\{0, 1, 2, \ldots, p-1\}$.
2. Non-degeneracy: there exists at least one element $g \in G$ such that $e(g, g)$ is a generator of $G_T$.
3. Computability: there is an efficient algorithm that computes $e(u, v)$ for all $u, v \in G$.
2.1.2 Access control structure
In an attribute-based encryption scheme, to realize fine-grained access control over data, an access control policy must be formulated before the data is encrypted, and the policy is represented by an access control structure. The access control structure used in the present invention is an access control matrix $A$ with $l$ rows and $n$ columns. Because the access control policy in attribute-based encryption concerns attributes, a mapping $\rho(i)$ (one row to one attribute) is chosen when the access control matrix is generated: it maps the row index $i$ of each row of $A$ to one of the attributes involved in the access control policy.
2.1.3 Collision-resistant hash function
The hash function used in the present invention has two fundamental properties: one-wayness and collision resistance. One-wayness means that the output can be computed from the input of the hash function but the input cannot be recovered from the output; collision resistance means that no two different inputs can be found that hash to the same result. The hash algorithm in the present invention takes binary strings of arbitrary length as input.
2.2 Contents of the scheme
The present invention is a revocable key outsourcing decryption method based on content attributes. The method realizes its function through five modules, a system initialization module, a private key generation module, a file encryption module, a file decryption module and a key revocation module, with 18 steps in total. The system initialization, private key generation, file encryption and file decryption modules are executed in order, while the three steps of the key revocation module are executed only when a user's key is revoked. The system architecture of the method is shown in Fig. 1; the method and the function of each module are described below with reference to Fig. 1.
The operating steps of the revocable key outsourcing decryption method based on content attributes designed by the present invention are as follows:
Module one: system initialization module. The trusted authority (TA) calls the initialization algorithm and generates the public key and the master key.
Step 1: TA takes the system security parameter λ as input and runs the initialization algorithm, which outputs two groups $G$, $G_T$ of prime order $p$ and a bilinear map $e: G \times G \to G_T$.
Step 2: TA then runs the random number generator and selects a generator $g$ of $G$, two random elements $u, f \in G$, and an element $\alpha \in \mathbb{Z}_p$.
Step 3: TA selects a collision-resistant hash function $H(\cdot)$ that satisfies all the properties of a collision-resistant hash function; its input is a 0/1 string of arbitrary length and its output is an element of $G$.
Step 4: Let the current system version number be $v$. The algorithm selects $v$ random elements $\gamma_1, \ldots, \gamma_v \in \mathbb{Z}_p$ and computes $h_i = g^{\gamma_i}$ for $i = 1, \ldots, v$ (the form that the update in step 2* relies on, where $h_{v+1}^s = (g^s)^{\gamma_{v+1}}$).
Finally, the public key is $PK = (G, u, f, e(g,g)^{\alpha}, h_1, \ldots, h_v, H_0, H_1, H_2)$, as listed for the updated key in step 1*, and the master key is $MSK = (g^{\alpha}, \gamma_1, \ldots, \gamma_v)$.
The initialization algorithm of step 1 works as follows: TA takes the system security parameter λ as input and, according to the size of λ, selects an elliptic curve $Y^2 = X^3 + aX + b$ ($a$ and $b$ are coefficients). The points on the curve form the group $G$ of prime order $p$, and the map $e$ sends pairs of elements of $G$ into $G_T$, a group of the same prime order $p$ that lives in the multiplicative group of an extension of the curve's base field (it is not a set of curve points). In general, the larger the security parameter, the more points there are on the chosen curve and the larger the group.
The random number generator of step 2 works as follows: on the curve $Y^2 = X^3 + aX + b$ selected in step 1, choose a random value $x_1$ of the independent variable $X$ and compute the corresponding value $y_1$ of the dependent variable $Y$; if the point $(x_1, y_1)$ lies in the target group, a random element has been generated; if not, keep choosing values of $X$ until a point in the group is found. In practice this means that $x_1^3 + a x_1 + b$ must be a square in the base field and, when the curve order is not itself prime, the point must additionally be mapped into (or checked against) the order-$p$ subgroup. The domain $\{1, 2, \ldots, p-1\}$ is the set of nonzero elements of $\mathbb{Z}_p$; the random number generator for elements of this domain can be called from the Pairing-Based Cryptosystems (PBC) library. All random number generators mentioned below operate in this way.
The collision-resistant hash function $H(\cdot)$ of step 3 can likewise be called from the PBC library.
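The two procedures just described, drawing a random curve point by choosing x and solving for y (step 2) and mapping an arbitrary byte string to a curve point as H() in step 3 requires, as an added example that is not the patent's code and does not use the PBC library. The toy curve y^2 = x^3 + A x + B over F_Q with Q = 2^127 - 1 and A = -3, B = 7 is constructed for illustration only; Q ≡ 3 (mod 4) so square roots take the exponentiation shortcut. Only curve membership is checked, which is the part the patent describes: a real deployment must use a pairing-friendly curve whose prime-order subgroup is known, clear the cofactor or reject points outside it, and should prefer a constant-time hash-to-curve construction, because the try-and-increment loop below takes a number of iterations that depends on the input.

```python
"""Random curve point and hash-to-point for a toy curve (added example, not patent code)."""
import hashlib
import secrets

Q = 2**127 - 1       # field prime (Mersenne prime, Q % 4 == 3); toy choice
A, B = -3, 7         # toy curve coefficients, constructed for this example


def is_on_curve(x, y):
    """True if (x, y) satisfies y^2 = x^3 + A x + B over F_Q."""
    return (y * y - (x**3 + A * x + B)) % Q == 0


def sqrt_mod_q(r):
    """Square root of r mod Q, or None if r is a non-residue (valid because Q % 4 == 3)."""
    r %= Q
    y = pow(r, (Q + 1) // 4, Q)
    return y if y * y % Q == r else None


def lift_x(x):
    """Point (x, y) with the smaller of the two roots, or None if x is not on the curve."""
    y = sqrt_mod_q(x**3 + A * x + B)
    if y is None:
        return None
    return (x, min(y, Q - y))


def random_point():
    """Step 2: draw x until x^3 + A x + B is a square; about half of all x values succeed."""
    while True:
        pt = lift_x(secrets.randbelow(Q))
        if pt is not None:
            return pt


def hash_to_point(msg: bytes, max_tries: int = 256):
    """Step 3: H(msg) -> curve point by try-and-increment over a counter.

    The counter is hashed together with the message so that each attempt yields an
    independent candidate x; the first x that lies on the curve is returned, so the
    mapping is deterministic for a given message.
    """
    for ctr in range(max_tries):
        digest = hashlib.sha256(ctr.to_bytes(4, "big") + msg).digest()
        pt = lift_x(int.from_bytes(digest, "big") % Q)
        if pt is not None:
            return pt
    raise ValueError("no curve point found; raise max_tries")


if __name__ == "__main__":
    print("random point on curve:", is_on_curve(*random_point()))
    print("H('keyword 1') =", hash_to_point(b"keyword 1"))
```

The hash binds a 4-byte counter in front of the message rather than appending it, so a message that happens to end in the counter bytes of another message cannot collide with it.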
Module two: private key generation module
The trusted authority TA judges whether the identity of a user requesting to join the system is legitimate and valid, assigns the user a keyword attribute set $S$ of the files the user may access, and generates the user's private key from $S$.
Step 5: Select two random elements $t, z \in \mathbb{Z}_p$ and compute, by exponentiation and multiplication, the key component $K$ (the component that step 3* later refreshes as $K' = K \cdot h_{v+1}^t$).
Step 6: For each keyword attribute $x \in S$, run the collision-resistant hash function $H(\cdot)$ and an exponentiation to obtain
$\{K_x \mid K_x = H(x)^t,\ x \in S\}$.
Finally, the transformation key TC is assembled from the components computed in steps 5 and 6, and the user's decryption private key is $AC = \{z\}$.
Module three: file encryption module
Step 7: Given the short encryption time of symmetric algorithms and the weak computing and storage capability of mobile communication devices, the present invention uses AES symmetric encryption: the data holder (DO) randomly selects a symmetric session key $M$ for the encryption, encrypts the file with it and obtains the ciphertext $CT_1$.
Step 8: DO formulates an access control policy according to its own security requirements; the policy consists of the keyword attributes of the encrypted file and Boolean operators, for example "(keyword 1 OR keyword 2) AND keyword 3". From the access control policy the system generates the corresponding access control matrix $(A, \rho)$, where $A$ is a matrix with $l$ rows and $n$ columns and $\rho$ maps each row of $A$ to one keyword in the access control policy.
DO then runs the attribute-based encryption algorithm Encapsulate to encrypt the session key $M$. Encapsulate consists of steps 9 and 10:
Step 9: Randomly select $n$ elements $s, s_2, s_3, \ldots, s_n \in \mathbb{Z}_p$ and form the vector $\vec{v} = (s, s_2, \ldots, s_n)$. Taking each row $A_i$ of $A$ as a row vector, compute the inner products $\lambda_i = A_i \cdot \vec{v}$ for $i = 1, \ldots, l$.
Step 10: Run multiplications, exponentiations and XOR to obtain
$C_0 = M \cdot e(g,g)^{\alpha s}$, $C_1 = g^s$, $C_2 = (h_1 \cdots h_v \cdot f)^s$;
then randomly select $l$ further elements of $\mathbb{Z}_p$ and, for $i = 1, \ldots, l$, compute the two per-row components of the ciphertext.
The ciphertext obtained by encrypting the session key $M$ is denoted $CT_2$; $CT_2$ and $CT_1$ together form the ciphertext file stored in the cloud.
The "AES data encryption" of step 7 can be performed with MySQL (a relational database management system) by calling the function AES_ENCRYPT(str, key_str). Note that AES_ENCRYPT follows the block_encryption_mode system variable, whose default is aes-128-ecb; ECB is deterministic per block and provides no integrity protection, so a deployment should configure a non-ECB mode and add authentication (or use a dedicated authenticated-encryption library) rather than rely on the default.
For the access control matrix $(A, \rho)$ generated in step 8, the elements of $A$ are chosen so that the exponent $s$ can be recovered during decryption. Define the set $I = \{i \mid \rho(i) \in S\}$, the row indices $i$ of $A$ whose attributes $\rho(i)$ (under the mapping $\rho(\cdot)$) belong to the user's attribute set $S$. If the attributes in the attribute set $S$ of the decrypting user satisfy the access control policy that DO used when encrypting $M$, constants $w_i \in \mathbb{Z}_p$ can be found such that
$\sum_{i \in I} w_i \lambda_i = s$,
which recovers the exponent $s$.
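Steps 8 and 9 and the reconstruction condition above, carried through end to end as an added example (not the patent's code): the matrix $(A, \rho)$ is built from an AND/OR keyword policy, the exponent $s$ is shared as $\lambda_i = A_i \cdot \vec{v}$, and the coefficients $w_i$ are found by solving $\sum_{i \in I} w_i A_i = (1, 0, \ldots, 0)$ over GF(P). The patent only states the matrix shape and the mapping $\rho$; the AND/OR labelling used to fill in $A$ is the standard construction for linear secret-sharing matrices and is an assumption here, as are the toy modulus P standing in for the group order $p$ and the nested-tuple policy syntax. A set of keywords that does not satisfy the policy makes the linear system inconsistent, and the function returns None instead of a value.

```python
"""LSSS matrix from an AND/OR policy, sharing of s and reconstruction (added example)."""
import random

P = 2**127 - 1  # toy prime standing in for the group order p


def policy_to_lsss(policy):
    """Return (A, rho): A is an l x n integer matrix, rho[i] the keyword of row i.

    policy is a keyword string or ('AND', left, right) / ('OR', left, right).
    """
    rows, rho = [], []
    counter = 1                       # current vector length n; grows at each AND

    def walk(node, vec):
        nonlocal counter
        if isinstance(node, str):
            rows.append(vec)
            rho.append(node)
            return
        op, left, right = node
        if op == "OR":                # both children inherit the parent's vector
            walk(left, vec)
            walk(right, vec)
        elif op == "AND":             # split: left gets (vec | 1), right gets (0..0 | -1)
            vec = vec + [0] * (counter - len(vec))
            left_vec, right_vec = vec + [1], [0] * counter + [-1]
            counter += 1
            walk(left, left_vec)
            walk(right, right_vec)
        else:
            raise ValueError("unknown operator " + str(op))

    walk(policy, [1])
    n = counter
    return [row + [0] * (n - len(row)) for row in rows], rho


def share(A, s, rng=random.SystemRandom(), p=P):
    """Step 9: v = (s, s_2, ..., s_n) with random s_j; lambda_i = A_i . v mod p."""
    n = len(A[0])
    v = [s % p] + [rng.randrange(p) for _ in range(n - 1)]
    return [sum(a * x for a, x in zip(row, v)) % p for row in A]


def solve_mod_p(M, b, p):
    """Solve M w = b over GF(p) by Gauss-Jordan elimination; None if inconsistent."""
    rows, cols = len(M), len(M[0])
    aug = [[x % p for x in M[i]] + [b[i] % p] for i in range(rows)]
    pivots, r = [], 0
    for c in range(cols):
        piv = next((i for i in range(r, rows) if aug[i][c]), None)
        if piv is None:
            continue
        aug[r], aug[piv] = aug[piv], aug[r]
        inv = pow(aug[r][c], -1, p)
        aug[r] = [x * inv % p for x in aug[r]]
        for i in range(rows):
            if i != r and aug[i][c]:
                f = aug[i][c]
                aug[i] = [(x - f * y) % p for x, y in zip(aug[i], aug[r])]
        pivots.append(c)
        r += 1
        if r == rows:
            break
    if any(aug[i][cols] for i in range(r, rows)):
        return None                   # a row reads 0 = nonzero: no solution
    w = [0] * cols                    # free variables are set to zero
    for i, c in enumerate(pivots):
        w[c] = aug[i][cols]
    return w


def reconstruct(A, rho, shares, attrs, p=P):
    """Find w_i with sum_{i in I} w_i A_i = (1,0,...,0); return sum w_i lambda_i, else None."""
    I = [i for i, kw in enumerate(rho) if kw in attrs]
    if not I:
        return None
    n = len(A[0])
    M = [[A[i][j] for i in I] for j in range(n)]      # columns are the rows A_i, i in I
    w = solve_mod_p(M, [1] + [0] * (n - 1), p)
    if w is None:
        return None                   # attribute set does not satisfy the policy
    return sum(wi * shares[i] for wi, i in zip(w, I)) % p


if __name__ == "__main__":
    policy = ("AND", ("OR", "keyword 1", "keyword 2"), "keyword 3")
    A, rho = policy_to_lsss(policy)
    s = random.SystemRandom().randrange(P)
    lam = share(A, s)
    print(A, rho)
    print(reconstruct(A, rho, lam, {"keyword 1", "keyword 3"}) == s)   # True
    print(reconstruct(A, rho, lam, {"keyword 1", "keyword 2"}))         # None
```

For the policy in the text the construction yields rows (1, 1), (1, 1), (0, -1) for keyword 1, keyword 2 and keyword 3, so either of the first two rows plus the third sums to (1, 0) while the first two alone cannot reach it; that is exactly the OR inside the AND.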
Module four: file decryption module. When a decryptor (DC) wants to download a ciphertext from the cloud and decrypt it to obtain the plaintext file, it first sends a file download request to the mobile cloud storage server (MSSP) and sends its transformation key TC to the outsourced decryption proxy (CSP). On receiving the request, MSSP delivers the $CT_2$ of the corresponding encrypted file to CSP. CSP decrypts $CT_2$ with the received transformation key TC: if the attribute set $S$ of the DC satisfies the access control policy formulated by DO, CSP succeeds in producing the transformed ciphertext with TC and returns it to DC; otherwise it returns ⊥. Having obtained the transformed ciphertext, DC recovers the session key $M$ with one simple decryption step and finally obtains the plaintext file with the AES decryption algorithm.
Step 11: DC sends a file download request to MSSP and sends the transformation key TC to CSP.
Step 12: On receiving the request, MSSP delivers the $CT_2$ part of the encrypted file to CSP.
Step 13: CSP decrypts $CT_2$ with the received transformation key TC, running bilinear pairings, exponentiations and products, and obtains the transformed ciphertext, which it sends to DC.
Step 14: DC receives the transformed ciphertext and decrypts it with its locally stored decryption private key AC, obtaining the session key $M$.
Step 15: After DC has recovered the session key $M$, it runs the AES data decryption algorithm on the ciphertext $CT_1$ obtained by AES symmetric encryption and finally obtains the original plaintext file.
The "AES data decryption algorithm" of step 15 can be run with MySQL (a relational database management system) by calling the function AES_DECRYPT(crypt_str, key_str), with the same block_encryption_mode and key as were used for AES_ENCRYPT.
Module five: key revocation module. Once a key leakage event occurs in the system, timely key revocation is a powerful remedial measure, so the key revocation module is a very important part of the present invention. The module runs in the following three steps:
Step 1*: When TA finds that a key has leaked, it first updates the current system public key and master key pair (PK, MSK) as follows: increment the latest version number $v$ by 1 ($v$ is set to 1 initially), select a random element $\gamma_{v+1} \in \mathbb{Z}_p$ and compute one exponentiation to obtain $h_{v+1} = g^{\gamma_{v+1}}$. After the key update:
$PK = (G, u, f, e(g,g)^{\alpha}, h_1, \ldots, h_{v+1}, H_0, H_1, H_2)$ and
$MSK = (g^{\alpha}, \gamma_1, \ldots, \gamma_{v+1})$.
Step 2*: TA downloads $C_1 = g^s$ from MSSP, computes $h_{v+1}^s = (g^s)^{\gamma_{v+1}}$ and returns $h_{v+1}^s$ to MSSP. MSSP updates the ciphertext $CT_2$ with the received $h_{v+1}^s$ by one multiplication:
$C_2' = C_2 \cdot h_{v+1}^s = (h_1 \cdots h_v \cdot f)^s \cdot h_{v+1}^s = (h_1 \cdots h_{v+1} \cdot f)^s$.
The updated ciphertext is $CT_2$ with $C_2$ replaced by $C_2'$.
Step 3*: TA runs one exponentiation $h_{v+1}^t = (g^t)^{\gamma_{v+1}} = L_{v+1}$ and one multiplication $K' = K \cdot h_{v+1}^t$, and hands $K'$ to CSP for safekeeping. When CSP receives a transformation key TC from a DC, it automatically updates the transformation key with the new components if the user is not on the revoked-user list; if the user is on the revoked-user list, it returns ⊥ (⊥ denotes invalid).
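The arithmetic of steps 1*, 2* and 3* run through in a toy prime-order group, as an added example that is not the patent's code. It shows that the trusted authority re-encrypts with nothing but $C_1 = g^s$ (it never sees $s$ or $M$), that the refreshed $C_2'$ equals a fresh encryption under the new public key, that a non-revoked user's key component follows the update while a revoked user receives ⊥, and that a key left at the old version no longer matches the re-encrypted ciphertext. Assumptions: the group is the order-P subgroup of $\mathbb{Z}_Q^*$ with $Q = 2P + 1 = 2039$ (toy size, and not a pairing group); the key material tracked is $g^t$ together with $W = (h_1 \cdots h_v)^t$, a stand-in for the patent's $K$ and $L_i$ whose exact form the page does not give; the pairing-based decryption is not reproduced, so the consistency relation that a pairing would verify from public values is checked here with the toy-only secrets $s$ and $t$.

```python
"""Version-update arithmetic of steps 1*-3* in a toy prime-order group (added example)."""
import random

Q, P, G = 2039, 1019, 4   # Q = 2P + 1 prime; G = 2^2 generates the order-P subgroup of Z_Q^*


def gexp(base, e):
    return pow(base, e % P, Q)


def gmul(*xs):
    out = 1
    for x in xs:
        out = out * x % Q
    return out


class TrustedAuthority:
    def __init__(self, rng):
        self.rng = rng
        self.f = gexp(G, rng.randrange(1, P))     # public element f
        self.gammas = [rng.randrange(1, P)]       # MSK part gamma_1; version v = 1
        self.revoked = set()

    @property
    def version(self):
        return len(self.gammas)

    def h(self):
        """Public h_i = g^{gamma_i}, i = 1..v."""
        return [gexp(G, gm) for gm in self.gammas]

    def keygen(self, uid):
        """Version-bound key components for a user (toy stand-in for K and L_i)."""
        t = self.rng.randrange(1, P)
        return {"uid": uid, "gt": gexp(G, t), "W": gexp(gmul(*self.h()), t),
                "version": self.version, "_t": t}   # _t is kept only for the toy check

    def bump_version(self):
        """Step 1*: v <- v + 1, pick gamma_{v+1}, publish h_{v+1} = g^{gamma_{v+1}}."""
        self.gammas.append(self.rng.randrange(1, P))
        return gexp(G, self.gammas[-1])

    def ciphertext_update_factor(self, c1):
        """Step 2*: h_{v+1}^s = (g^s)^{gamma_{v+1}}, computed from C1 alone."""
        return gexp(c1, self.gammas[-1])

    def key_update_factor(self, gt):
        """Step 3*: h_{v+1}^t = (g^t)^{gamma_{v+1}} = L_{v+1}."""
        return gexp(gt, self.gammas[-1])


def encrypt_components(ta, rng):
    """Version-bound parts of step 10: C1 = g^s, C2 = (h_1 ... h_v f)^s."""
    s = rng.randrange(1, P)
    return {"C1": gexp(G, s), "C2": gexp(gmul(*ta.h(), ta.f), s),
            "version": ta.version, "_s": s}          # _s is kept only for the toy check


def mssp_update(ct, factor):
    """Step 2*, server side: C2' = C2 * h_{v+1}^s."""
    return {**ct, "C2": gmul(ct["C2"], factor), "version": ct["version"] + 1}


def csp_update(ta, key):
    """Step 3*, proxy side: refresh a non-revoked user's key; None stands for ⊥."""
    if key["uid"] in ta.revoked:
        return None
    return {**key, "W": gmul(key["W"], ta.key_update_factor(key["gt"])),
            "version": key["version"] + 1}


def versions_match(ct, key, ta):
    """C2^t == (W * f^t)^s  <=>  ciphertext and key carry the same gamma_1..gamma_v.

    In a pairing group this relation can be checked from public and key material
    alone (e(C2, g^t) against e(C1, W f^t)); the toy uses the secrets directly.
    """
    lhs = gexp(ct["C2"], key["_t"])
    rhs = gexp(gmul(key["W"], gexp(ta.f, key["_t"])), ct["_s"])
    return lhs == rhs


def revoke_and_refresh(ta, ct, keys, leaked_uid):
    """Run steps 1*-3* after leaked_uid's key is reported; return (new ct, refreshed keys)."""
    ta.revoked.add(leaked_uid)
    ta.bump_version()
    new_ct = mssp_update(ct, ta.ciphertext_update_factor(ct["C1"]))
    return new_ct, {uid: csp_update(ta, k) for uid, k in keys.items()}


if __name__ == "__main__":
    rng = random.Random(7)
    ta = TrustedAuthority(rng)
    keys = {u: ta.keygen(u) for u in ("alice", "mallory")}
    ct = encrypt_components(ta, rng)
    new_ct, new_keys = revoke_and_refresh(ta, ct, keys, "mallory")
    print("alice (refreshed):", versions_match(new_ct, new_keys["alice"], ta))   # True
    print("mallory:", new_keys["mallory"])                                         # None
    print("alice (stale key):", versions_match(new_ct, keys["alice"], ta))       # False
```

The stale-key mismatch is structural rather than probabilistic: the two exponents differ by $s \cdot t \cdot \gamma_{v+1}$, which is nonzero modulo the prime P whenever all three factors are nonzero, so a key that missed the update can never satisfy the relation against a re-encrypted ciphertext.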
3. Advantages and effects:
The present invention provides a revocable key outsourcing decryption method based on content attributes. Using the method to encrypt and decrypt data in a mobile cloud storage environment protects both the security of data stored on a not fully trusted mobile cloud storage server and the personal privacy of the decrypting user. Outsourced decryption greatly reduces the computing overhead of decryption on the mobile device; in addition, after a user's private key leaks, the system can promptly revoke the decryption key of the compromised user and prevent unauthorized access to the data. The advantages and effects of the method are:
1) The method first encrypts the data holder's file with AES symmetric encryption and then encrypts the AES session key with public-key encryption based on content attributes. This improves encryption speed, removes the cumbersome key agreement step and implements a better data access control policy. The content-attribute-based public-key encryption used in the present invention hides the identity attributes of the decryptor behind the keyword attributes of the accessible files, so that even leakage of a user's key does not harm the personal privacy of the decryptor.
2) The method delegates the heavy decryption work to an outsourced decryption proxy and splits the key for decrypting the ciphertext into two parts: a transformation key and a decryption private key. The outsourced decryption proxy uses the transformation key to run the more complex operations such as bilinear pairings and exponentiations and returns an El-Gamal-type transformed ciphertext to the decrypting user. The decrypting user only needs to run a simple decryption with the carefully kept decryption private key to obtain the plaintext file. The method relieves the mobile decryption device of the heavy decryption burden and saves computing time and storage overhead, making it particularly suitable for mobile terminals with limited battery power.
3) The method adds a key revocation mechanism: the version number of the system is embedded in the ciphertext and in the key of the decrypting user, so that a leaked key can be revoked promptly when a private key leaks. In traditional attribute-based encryption, once a user's key leaks, the security of the files that key can decrypt is threatened even though they are stored in the cloud; an encryption method without a necessary key revocation mechanism is therefore deficient in protecting data. On the basis of the attribute-based encryption scheme, the method designs an effective key revocation algorithm: when key leakage occurs in the system, TA and the outsourced decryption proxy automatically re-encrypt the cloud files and upgrade the decryption keys of non-revoked users, without affecting the normal use of non-revoked users; the whole revocation mechanism runs in the background, so non-revoked users are not disturbed by it.
(4) Brief description of the drawings:
Fig. 1 is the system architecture diagram of the method of the present invention.
Fig. 2 is the flow chart of the method of the present invention.
(5) Specific embodiment
As shown in Figs. 1-2, the present invention is a revocable key outsourcing decryption method based on content attributes, realized by five modules: a system initialization module, a private key generation module, a file encryption module, a file decryption module and a key revocation module. The system flow of the method is shown in Fig. 2; with reference to the flow chart, the implementation steps of the method are described below:
Module one: system initialization module:
Step 1: The trusted authority (TA, Trusted Authority) takes the system security parameter λ as input and runs the initialization algorithm, which outputs two groups $G$, $G_T$ of prime order $p$ and a bilinear map $e: G \times G \to G_T$.
Step 2: Next the random number generator is run to select a generator $g$ of $G$, two random elements $u, f \in G$, and an element $\alpha \in \mathbb{Z}_p$.
Step 3: The trusted authority selects a collision-resistant hash function $H(\cdot)$ that satisfies all the properties of a collision-resistant hash function; its input is a 0/1 string of arbitrary length and its output is an element of $G$.
Step 4: Let the current system version number be $v$. The algorithm selects $v$ random elements $\gamma_1, \ldots, \gamma_v \in \mathbb{Z}_p$ and computes $h_i = g^{\gamma_i}$ for $i = 1, \ldots, v$.
The public key is $PK = (G, u, f, e(g,g)^{\alpha}, h_1, \ldots, h_v, H_0, H_1, H_2)$, as listed for the updated key in step 1*, and the master key is $MSK = (g^{\alpha}, \gamma_1, \ldots, \gamma_v)$.
The initialization algorithm of step 1 works as follows: the trusted authority takes the system security parameter λ as input and, according to the size of λ, the system selects an elliptic curve $Y^2 = X^3 + aX + b$ ($a$ and $b$ are coefficients). The points on the curve form the group $G$ of prime order $p$, and the map $e$ sends pairs of elements of $G$ into $G_T$, a group of the same prime order $p$ in the multiplicative group of an extension of the curve's base field. The larger the security parameter, the more points there are on the chosen curve and the larger the group.
The random number generator of step 2 works as follows: on the curve $Y^2 = X^3 + aX + b$ selected in step 1, choose a random value $x_1$ of the independent variable $X$ and compute the corresponding value $y_1$ of the dependent variable $Y$; if the point $(x_1, y_1)$ lies in the target group, a random element has been generated; if not, keep choosing values of $X$ until a point in the group is found. The domain $\{1, 2, \ldots, p-1\}$ is the set of nonzero elements of $\mathbb{Z}_p$; the random number generator for elements of this domain can be called from the Pairing-Based Cryptosystems (PBC) library. All random number generators mentioned below operate in this way.
The collision-resistant hash function $H(\cdot)$ of step 3 can likewise be called from the PBC library.
Module two: private key generation module
Step 5: Select two random elements $t, z \in \mathbb{Z}_p$ and compute, by exponentiation and multiplication, the key component $K$ (the component that step 3* later refreshes as $K' = K \cdot h_{v+1}^t$).
Step 6: For each keyword attribute $x \in S$, run the collision-resistant hash function $H(\cdot)$ and an exponentiation to obtain
$\{K_x \mid K_x = H(x)^t,\ x \in S\}$.
Here the transformation key TC is assembled from the components computed in steps 5 and 6, and the user's decryption private key is $AC = \{z, TC\}$.
Module three: file encryption module
Step 7: Given the advantage that a symmetric encryption algorithm has a short encryption time, and given the relatively weak computation and storage capacity of mobile communication devices, the present invention uses the "AES symmetric encryption" method: during encryption the data holder randomly selects a symmetric session key M, encrypts the file with it and obtains the ciphertext CT1.
Step 8: The document holder formulates a corresponding access control policy according to its own security requirements; the policy is expressed in terms of the key attributes of the file to be encrypted, for example "(keyword 1 OR keyword 2) AND keyword 3". According to the access control policy, the corresponding access control matrix (A, ρ) is generated, where A denotes a matrix with l rows and n columns and ρ denotes the mapping that associates a row of the matrix A with a keyword in the access control policy.
The attribute-based encryption algorithm Encapsulate is then run to encrypt the session key M. The Encapsulate algorithm operates as follows:
Step 9: Select n random elements s, s_2, s_3, ..., s_n ∈ Z_p from the domain Z_p and form the vector v = (s, s_2, ..., s_n). Take each row of the matrix A as a row vector A_i and compute its inner product with the vector v, obtaining λ_1, λ_2, ..., λ_l:
\lambda_i = \vec{A_i} \cdot \vec{v}, \quad (i = 1, \ldots, l)
Step 10: Run the multiplication, exponentiation and XOR operations, obtaining:
C_0 = M \cdot e(g,g)^{\alpha s}, \quad C_1 = g^s, \quad C_2 = (h_1 \cdots h_v \cdot f)^s
Randomly select l elements of the domain Z_p and, for i = 1, ..., l, compute the corresponding pair of values from them.
The ciphertext obtained after the session key M is encrypted is denoted CT2. Together with the ciphertext CT1 obtained from the AES symmetric encryption, it constitutes the encrypted file stored in the cloud.
Wherein, the "AES data encryption" described in step 7 can be performed by downloading the MySQL (relational database management system) application software and calling the function "SELECT AES_ENCRYPT()".
Wherein, for "generating the corresponding access control matrix (A, ρ)" described in step 8, the principle for choosing each element of the matrix A is that the "exponent s" mentioned in step 11 can be recovered effectively. Here we define the set I (I = {i | ρ(i) ∈ S}), which denotes the set of row indices i of the access control matrix A to which all attributes ρ(i) ∈ S of the user's attribute set S correspond through the mapping ρ(·). If the attributes in the user's attribute set S satisfy the access control policy formulated by the data holder when encrypting M, then constants w_i ∈ Z_p can certainly be found which, by the following formula,
\sum_{i \in I} w_i \lambda_i = s
effectively recover the exponent s.
Module four: file decryption module
Step 11: The decryptor submits a file download request to the mobile cloud storage server and sends the transition key TC to the outsourced decryption proxy.
Step 12: After receiving the request, the mobile cloud storage server delivers the CT2 part of the encrypted file to the outsourced decryption proxy.
Step 13: The outsourced decryption proxy uses the received transition key TC to decrypt CT2, running the bilinear pairing, exponentiation and repeated multiplication operations, obtaining the transformed ciphertext e(g,g)^{αs/z}, and sends it to the decryptor that requested the decryption.
Step 14: On receiving the transformed ciphertext, the decryptor uses its own locally stored decryption private key AC to decrypt the transformed ciphertext and obtain the session key M, computed by the following formula:
M = C_0 / \left(e(g,g)^{\alpha s/z}\right)^z = M \cdot e(g,g)^{\alpha s} / e(g,g)^{\alpha s}
Step 15: After the decryptor has obtained the session key M by decryption, it runs the AES data decryption algorithm on the ciphertext CT1 obtained from the AES symmetric encryption and finally obtains the original plaintext file.
Wherein, the "AES data decryption algorithm" described in step 15 can be run by downloading the MySQL (relational database management system) application software and calling the function "SELECT AES_DECRYPT()".
Module five: key revocation module
Step 1*: When the trusted authority discovers a key leakage, it first updates the public key and master key pair (PK, MSK) of the current system, as follows: increase the latest version number v by 1 (it is set to 1 initially), select a random element γ_{v+1} ∈ Z_p from the domain Z_p, and compute one exponentiation to obtain h_{v+1}. After the key update:
PK = (G, u, f, e(g,g)^{\alpha}, h_1, \ldots, h_{v+1}, H_0, H_1, H_2) and
MSK = (g^{\alpha}, \gamma_1, \ldots, \gamma_v).
Step 2*: The trusted authority downloads C_1 = g^s from the mobile cloud storage server, computes h_{v+1}^s = (g^s)^{γ_{v+1}}, and returns h_{v+1}^s to the mobile cloud storage server. The mobile cloud storage server updates the ciphertext CT2 with the received h_{v+1}^s by running a multiplication operation:
C_2' = C_2 \cdot h_{v+1}^s = (h_1 \cdots h_v \cdot f)^s \cdot h_{v+1}^s = (h_1 \cdots h_{v+1} \cdot f)^s
The updated ciphertext is CT2 with C_2' in place of C_2.
Step 3*: The trusted authority runs one exponentiation h_{v+1}^t = (g^t)^{γ_{v+1}} = L^{γ_{v+1}} and one multiplication K' = K · h_{v+1}^t, and returns K' to the outsourced decryption proxy for safekeeping. After receiving the transition key TC from a decryptor, the outsourced decryption proxy automatically updates the transition key for that user if the user is not on the list of revoked users, with K' as the new key content. If the user is on the list of revoked users, ⊥ is returned.

Claims (7)

1. A revocable key outsourced decryption method based on content attributes, characterised in that the operating procedure is as follows:
The trusted authority, TA, calls the initialisation algorithm to generate the public key and master key;
Step 1: TA inputs the system security parameter λ and runs the initialisation algorithm, which outputs two groups G and G_T of prime order p and a bilinear map operation e: G × G → G_T;
Step 2: TA then runs the random number generation function, randomly selecting a generator g of the group G, two random elements u, f of the group G, and an element α of the domain Z_p; Z_p denotes the set {1, 2, ..., p-1}, and the random number generation function that randomly selects an element of Z_p can be run by calling the library function in the Pairing-Based Cryptosystems function package;
Step 3: TA selects a collision-resistant hash function H(·); the function satisfies all the properties of a collision-resistant hash function, takes as input a 0/1 string of arbitrary length, and outputs a mapping to some element of the group G;
Step 4: Let the current system version number be v; the initialisation algorithm selects v random elements γ_1, ..., γ_v ∈ Z_p from the domain Z_p and computes the corresponding values separately;
Finally, the public key is expressed as PK, and the master key is expressed as: MSK = (g^{α}, γ_1, ..., γ_v);
The trusted authority TA judges whether the identity of a user requesting to join the system is legitimate and valid, designates for the user the set S of key attributes of the files it may access, and generates the user's private key based on the set S;
Step 5: Randomly select two elements t, z ∈ Z_p from the domain Z_p and perform the exponentiation and multiplication operations, obtaining:
K = g^{\alpha/z} \cdot u^t \cdot (h_1 \cdots h_v \cdot f)^t, \quad L = g^t;
Step 6: For each key attribute x ∈ S in the set S, run the collision-resistant hash function H(·) and the exponentiation operation separately, obtaining:
{K_x | K_x = H(x)^t, x ∈ S};
Finally, the transition key is TC, and the private key for the user's decryption is AC = {z};
Step 7: Given the advantage that a symmetric encryption algorithm has a short encryption time, and given the relatively weak computation and storage capacity of mobile communication devices, the "AES symmetric encryption" method is used: the data holder, DO, randomly selects a symmetric session key M ∈ G when encrypting, encrypts the file with it and obtains the ciphertext CT1;
Step 8: DO formulates a corresponding access control policy according to its own security requirements; the policy consists of the keyword attributes of the file to be encrypted and Boolean operators; according to the access control policy, the system generates the corresponding access control matrix (A, ρ), where A denotes a matrix with l rows and n columns and ρ denotes the mapping that associates a row of the matrix A with a keyword in the access control policy;
DO runs the attribute-based encryption algorithm Encapsulate to encrypt the session key M; the Encapsulate algorithm is carried out by steps 9 and 10:
Step 9: Randomly select n elements s, s_2, s_3, ..., s_n ∈ Z_p from the domain Z_p,
form the vector v = (s, s_2, ..., s_n), take each row of the matrix A as a row vector A_i and compute its inner product with the vector v, obtaining λ_1, λ_2, ..., λ_l:
\lambda_i = \vec{A_i} \cdot \vec{v}, \quad (i = 1, \ldots, l);
Step 10: Run the multiplication, exponentiation and XOR operations, obtaining:
C_0 = M \cdot e(g,g)^{\alpha s}, \quad C_1 = g^s, \quad C_2 = (h_1 \cdots h_v \cdot f)^s
Randomly select l elements of the domain Z_p and, for i = 1, ..., l, compute the corresponding pair of values from them.
The ciphertext obtained after the session key M is encrypted is denoted CT2; CT2 and CT1 together constitute the encrypted file stored in the cloud;
When a decryptor, DC, wants to download the ciphertext from the cloud and decrypt it to obtain the plaintext file, it first submits a file download request to the mobile cloud storage server, MSSP, and sends the transition key TC to the outsourced decryption proxy, CSP; after receiving the request, MSSP delivers the CT2 of the corresponding encrypted file to CSP; CSP uses the received transition key TC to decrypt CT2; if the attribute set S of the DC satisfies the access control policy formulated by DO, CSP succeeds in obtaining the transformed ciphertext by means of TC and returns it to DC; if it does not, the decryption result ⊥ is returned; after DC obtains the transformed ciphertext, one simple decryption process yields the session key M, and finally the AES decryption algorithm yields the final plaintext file;
Step 11: DC submits a file download request to MSSP and sends the transition key TC to CSP;
Step 12: After receiving the request, MSSP delivers the CT2 part of the encrypted file to CSP;
Step 13: CSP uses the received transition key TC to decrypt CT2, running the bilinear pairing, exponentiation and repeated multiplication operations:
= \frac{e(g^s, g^{\alpha/z}) \cdot e(g^s, u^t) \cdot e(g^s, (h_1 \cdots h_v \cdot f)^t)}{e((h_1 \cdots h_v \cdot f)^s, g^t) \cdot e(u, g^t)^{\sum_{\rho(i) \in S} w_i \lambda_i}} = e(g,g)^{\alpha s / z}
obtaining the transformed ciphertext, which is sent to DC; the w_i ∈ Z_p are constants;
Step 14: DC receives the transformed ciphertext and, using its own locally stored decryption private key AC, decrypts the transformed ciphertext to obtain the session key M, computed by the following formula:
M = C_0 / \left(e(g,g)^{\alpha s/z}\right)^z = M \cdot e(g,g)^{\alpha s} / e(g,g)^{\alpha s};
Step 15: After DC has obtained the session key M by decryption, it runs the AES data decryption algorithm on the ciphertext CT1 obtained from the AES symmetric encryption and finally obtains the original plaintext file;
Once a key leakage event occurs in the system, timely key revocation is a strong remedial measure, so the key revocation module is a very important part; the module runs by the following three steps:
Step 1*: When TA discovers a key leakage, it first updates the public key and master key pair (PK, MSK) of the current system, as follows: increase the latest version number v by 1 (it is set to 1 initially), select a random element γ_{v+1} ∈ Z_p from the domain Z_p, and compute one exponentiation to obtain h_{v+1}; after the key update:
PK = (G, u, f, e(g,g)^{\alpha}, h_1, \ldots, h_{v+1}, H_0, H_1, H_2) and MSK = (g^{\alpha}, \gamma_1, \ldots, \gamma_v);
Step 2*: TA downloads C_1 = g^s from MSSP, computes h_{v+1}^s = (g^s)^{γ_{v+1}}, and returns h_{v+1}^s to MSSP; MSSP updates the ciphertext CT2 with the received h_{v+1}^s by running a multiplication operation:
C_2' = C_2 \cdot h_{v+1}^s = (h_1 \cdots h_v \cdot f)^s \cdot h_{v+1}^s = (h_1 \cdots h_{v+1} \cdot f)^s
The updated ciphertext is CT2 with C_2' in place of C_2;
Step 3*: TA runs one exponentiation h_{v+1}^t = (g^t)^{γ_{v+1}} = L^{γ_{v+1}} and one multiplication K' = K · h_{v+1}^t, and returns K' to CSP for safekeeping; after receiving the transition key TC from DC, CSP automatically updates the transition key for that user if the user is not on the list of revoked users, with K' as the new key content; if the user is on the list of revoked users, the decryption result ⊥ is returned.
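The decryption equation of step 13 and the key update of steps 1* to 3* can be checked at the level of exponents without a pairing library. The Python model below is an added example and is not code from the patent: it represents every element of G by its discrete logarithm to base g and every element of G_T by its discrete logarithm to base e(g,g), so that e(g^a, g^b) becomes a·b mod p, group multiplication becomes addition and exponentiation becomes multiplication of exponents. The per-row components C_i = u^{λ_i}·H(ρ(i))^{-r_i} and D_i = g^{r_i}, the composition TC = (K, L, {K_x}), the relation h_i = g^{γ_i}, the prime P, the policy "kw1 AND kw3" with its fixed reconstruction constants, and all function names are assumptions of this example, not values given on the page. It checks that the proxy's transform result is e(g,g)^{αs/z}, that the user's step 14 recovers M, and that a transform key the proxy has not updated after the version bump no longer cancels the re-keyed C_2'.

```python
"""Added example (not the patent's code): exponent-level model of steps 5-15
and the key revocation steps 1*-3*.  No real pairing is computed: an element
g^a of G is stored as a, an element e(g,g)^b of G_T as b, so that
e(g^a, g^b) = a*b, multiplication = addition and exponentiation =
multiplication, all modulo the constructed prime P."""
import random

P = 2**61 - 1                        # constructed stand-in for the group order p

def rnd():
    return random.randrange(1, P)    # random nonzero element of Z_p

def pair(a, b):                      # e(g^a, g^b) = e(g,g)^(a*b)
    return a * b % P

# Constructed policy "kw1 AND kw3" with a fixed LSSS: rows (1,1) and (0,-1),
# so lambda_1 + lambda_2 = s and the reconstruction constants are w = (1, 1).
A, RHO = [[1, 1], [0, -1]], ['kw1', 'kw3']
W = {0: 1, 1: 1}

def setup(version=1):
    """Steps 1-4 (TA): PK and MSK as exponents; h_i = g^gamma_i is assumed."""
    alpha, u, f = rnd(), rnd(), rnd()
    gammas = [rnd() for _ in range(version)]
    table = {}                       # H(x): a fixed random exponent per attribute
    pk = dict(u=u, f=f, egg_alpha=alpha, h=list(gammas),
              H=lambda x: table.setdefault(x, rnd()))
    msk = dict(alpha=alpha, gammas=list(gammas))
    return pk, msk

def keygen(pk, msk, attrs):
    """Steps 5-6 (TA): transform key TC = (K, L, {K_x}) (assumed form) and AC = {z}."""
    t, z = rnd(), rnd()
    hf = (sum(pk['h']) + pk['f']) % P             # exponent of h_1...h_v*f
    K = (msk['alpha'] * pow(z, -1, P) + pk['u'] * t + hf * t) % P
    Kx = {x: pk['H'](x) * t % P for x in attrs}
    return dict(K=K, L=t, Kx=Kx), z

def encapsulate(pk, m):
    """Steps 9-10 (DO): C0 = M e(g,g)^(alpha s), C1 = g^s, C2 = (h_1..h_v f)^s,
    plus the assumed per-row parts C_i = u^lambda_i H(rho(i))^-r_i, D_i = g^r_i."""
    s, s2 = rnd(), rnd()
    lam = [(a0 * s + a1 * s2) % P for a0, a1 in A]   # lambda_i = A_i . (s, s2)
    hf = (sum(pk['h']) + pk['f']) % P
    ct = dict(C0=(m + pk['egg_alpha'] * s) % P, C1=s, C2=hf * s % P, Ci=[], Di=[])
    for i, attr in enumerate(RHO):
        r = rnd()
        ct['Ci'].append((pk['u'] * lam[i] - pk['H'](attr) * r) % P)
        ct['Di'].append(r)
    return ct

def transform(tc, ct):
    """Step 13 (proxy): e(C1,K) / (e(C2,L) * prod_i (e(Ci,L) e(Di,K_rho(i)))^w_i),
    which should equal e(g,g)^(alpha s / z).  None if an attribute is missing."""
    if any(attr not in tc['Kx'] for attr in RHO):
        return None
    num = pair(ct['C1'], tc['K'])
    den = pair(ct['C2'], tc['L'])
    for i, w in W.items():
        den += w * (pair(ct['Ci'][i], tc['L']) + pair(ct['Di'][i], tc['Kx'][RHO[i]]))
    return (num - den) % P

def decrypt(z, C0, transformed):
    """Step 14 (user): M = C0 / (e(g,g)^(alpha s / z))^z."""
    return (C0 - z * transformed) % P

def revoke_update(pk, msk, ct, tc):
    """Steps 1*-3*: new gamma_{v+1}; C2' = C2 * h_{v+1}^s = C2 * (g^s)^gamma_{v+1};
    K' = K * h_{v+1}^t = K * L^gamma_{v+1}.  Returns new (pk, ct, tc); old tc unchanged."""
    g_new = rnd()
    pk2 = dict(pk, h=pk['h'] + [g_new])
    msk['gammas'].append(g_new)
    ct2 = dict(ct, C2=(ct['C2'] + g_new * ct['C1']) % P)
    tc2 = dict(tc, K=(tc['K'] + g_new * tc['L']) % P)
    return pk2, ct2, tc2

def demo():
    """Returns (decrypts before revocation, stale TC decrypts after, updated TC decrypts after)."""
    pk, msk = setup()
    tc, z = keygen(pk, msk, {'kw1', 'kw3'})
    m = rnd()
    ct = encapsulate(pk, m)
    before = decrypt(z, ct['C0'], transform(tc, ct)) == m
    pk, ct2, tc2 = revoke_update(pk, msk, ct, tc)
    stale = decrypt(z, ct2['C0'], transform(tc, ct2)) == m    # proxy kept the old key
    updated = decrypt(z, ct2['C0'], transform(tc2, ct2)) == m
    return before, stale, updated

if __name__ == "__main__":
    print(demo())   # (True, False, True)
```

The model says nothing about the hardness assumptions of the real scheme; it only confirms that the exponent algebra of the equations above cancels as claimed. The stale-key check is the property a reviewer should expect from steps 1* to 3*: because the TA hands K' to the proxy only for users who are not revoked, an un-updated TC applied to the re-keyed ciphertext yields a value that differs from e(g,g)^{αs/z} by the factor e(g,g)^{-γ_{v+1} s t}, so step 14 no longer recovers M.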
2. The revocable key outsourced decryption method based on content attributes according to claim 1, characterised in that: the "algorithm in step 1" operates as follows: TA inputs the system security parameter λ; according to the size of λ, the system selects a corresponding elliptic curve Y^2 = X^3 + aX + b (a and b are coefficients), then forms two groups G and G_T of prime order p from the points on the elliptic curve; finally, a function mapping e is selected that maps the elements of the group G into the group G_T; in general, the larger the value of the security parameter, the more points there are on the selected elliptic curve and the larger the groups.
3. The revocable key outsourced decryption method based on content attributes according to claim 2, characterised in that: the "random number generation function" described in step 2 works as follows: on the elliptic curve selected in step 1, Y^2 = X^3 + aX + b, randomly choose a value x_1 of the independent variable X and compute the corresponding value y_1 of the dependent variable Y; if the point (x_1, y_1) lies in the group to be mapped into, a random element has been generated successfully; if the point (x_1, y_1) is not in the group, keep choosing values of X until a point that lies in the group is found.
4. The revocable key outsourced decryption method based on content attributes according to claim 1, characterised in that: the collision-resistant hash function H(·) described in step 3 can likewise be run by calling the library function in the Pairing-Based Cryptosystems function package.
5. The revocable key outsourced decryption method based on content attributes according to claim 1, characterised in that: the "AES data encryption" described in step 7 encrypts the file by downloading the MySQL relational database management system application software and calling the function "SELECT AES_ENCRYPT()".
6. The revocable key outsourced decryption method based on content attributes according to claim 1, characterised in that: for "generating the corresponding access control matrix (A, ρ)" described in step 8, the principle for choosing each element of the matrix A is that the "exponent s" mentioned in step 11 can be recovered effectively; the set I (I = {i | ρ(i) ∈ S}) is defined as the set of row indices i of the access control matrix A to which all attribute elements ρ(i) ∈ S of the user's attribute set S correspond through the mapping ρ(·); if the attributes in the decrypting user's attribute set S satisfy the access control policy formulated by DO when encrypting M, then constants w_i ∈ Z_p can certainly be found which, by the following formula,
\sum_{i \in I} w_i \lambda_i = s
effectively recover the exponent s.
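Claim 6, like step 8 of the description, rests on the linear secret-sharing property of the access matrix, but the page does not say how (A, ρ) is generated from the policy or how the constants w_i are found. The following Python code is an added example, not the patent's code: it builds (A, ρ) from a Boolean policy with the Lewko-Waters conversion, computes the shares λ_i = A_i · v of step 9, and solves for the w_i of claim 6 by Gaussian elimination modulo p. The prime P, the policy "(kw1 OR kw2) AND kw3" (the description's own example), and the function names are this example's assumptions.

```python
"""Added example (not the patent's code): linear secret sharing over the
access matrix (A, rho) of step 8 / claim 6.  The prime P and the policy are
constructed for the demonstration."""
import random

P = 2**61 - 1   # constructed stand-in for the prime group order p

def build_lsss(policy):
    """Lewko-Waters conversion of a Boolean formula into an LSSS matrix.

    policy: attribute string, or ('AND', left, right) / ('OR', left, right).
    Returns (A, rho): A has l rows of length n, rho[i] names row i's attribute.
    """
    rows, counter = [], [1]          # counter[0] = current label length c

    def walk(node, vec):
        if isinstance(node, str):    # leaf: its label becomes a row of A
            rows.append((node, vec))
            return
        gate, left, right = node
        if gate == 'OR':             # both children inherit the parent label
            walk(left, vec)
            walk(right, vec)
        elif gate == 'AND':          # split label v into (v|1) and (0..0|-1)
            c = counter[0]
            padded = vec + [0] * (c - len(vec))
            counter[0] = c + 1
            walk(left, padded + [1])
            walk(right, [0] * c + [-1])
        else:
            raise ValueError("unknown gate %r" % (gate,))

    walk(policy, [1])
    n = counter[0]
    A = [vec + [0] * (n - len(vec)) for _, vec in rows]
    rho = [attr for attr, _ in rows]
    return A, rho

def share(A, s, p=P):
    """Step 9: v = (s, s_2, ..., s_n) with random s_i; lambda_i = A_i . v mod p."""
    n = len(A[0])
    v = [s % p] + [random.randrange(p) for _ in range(n - 1)]
    return [sum(a * x for a, x in zip(row, v)) % p for row in A]

def solve_mod_p(M, b, p):
    """Solve M x = b over Z_p by Gauss-Jordan elimination.
    Returns one solution (free unknowns set to 0) or None if inconsistent."""
    m, k = len(M), len(M[0])
    aug = [[x % p for x in row] + [bi % p] for row, bi in zip(M, b)]
    pivots, r = [], 0
    for c in range(k):
        piv = next((i for i in range(r, m) if aug[i][c]), None)
        if piv is None:
            continue
        aug[r], aug[piv] = aug[piv], aug[r]
        inv = pow(aug[r][c], -1, p)
        aug[r] = [x * inv % p for x in aug[r]]
        for i in range(m):
            if i != r and aug[i][c]:
                f = aug[i][c]
                aug[i] = [(x - f * y) % p for x, y in zip(aug[i], aug[r])]
        pivots.append(c)
        r += 1
        if r == m:
            break
    if any(aug[i][k] for i in range(r, m)):   # a row reads 0 = nonzero
        return None
    x = [0] * k
    for i, c in enumerate(pivots):
        x[c] = aug[i][k]
    return x

def reconstruction_coeffs(A, rho, attrs, p=P):
    """Claim 6: I = {i | rho(i) in S}; find w_i with sum_i w_i * A_i = (1,0,...,0),
    so that sum_i w_i * lambda_i = s.  None when S does not satisfy the policy."""
    I = [i for i, attr in enumerate(rho) if attr in attrs]
    if not I:
        return None
    n = len(A[0])
    M = [[A[i][c] for i in I] for c in range(n)]   # one equation per column of A
    w = solve_mod_p(M, [1] + [0] * (n - 1), p)
    return None if w is None else dict(zip(I, w))

def recover_secret(shares, coeffs, p=P):
    """sum_{i in I} w_i * lambda_i mod p."""
    return sum(w * shares[i] for i, w in coeffs.items()) % p

if __name__ == "__main__":
    A, rho = build_lsss(('AND', ('OR', 'kw1', 'kw2'), 'kw3'))
    s = random.randrange(P)
    lams = share(A, s)
    w = reconstruction_coeffs(A, rho, {'kw1', 'kw3'})
    print(A, rho, w, recover_secret(lams, w) == s)
    print(reconstruction_coeffs(A, rho, {'kw1', 'kw2'}))   # None: kw3 is required
```

For the policy "(kw1 OR kw2) AND kw3" the conversion yields the rows (1, 1), (1, 1) and (0, -1), so any set containing kw3 together with kw1 or kw2 reconstructs s with w_i = 1 on the two rows used, while {kw1, kw2} or {kw3} alone leaves the linear system inconsistent and the function returns None, which is exactly the case in which the proxy of step 13 must return ⊥.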
7. The revocable key outsourced decryption method based on content attributes according to claim 1, characterised in that: the "AES data decryption algorithm" described in step 15 can be run by downloading the MySQL relational database management system application software and calling the function "SELECT AES_DECRYPT()".
CN201410743548.5A 2014-12-08 2014-12-08 A kind of revocable key outsourcing decryption method based on contents attribute Active CN104486315B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410743548.5A CN104486315B (en) 2014-12-08 2014-12-08 A kind of revocable key outsourcing decryption method based on contents attribute


Publications (2)

Publication Number Publication Date
CN104486315A CN104486315A (en) 2015-04-01
CN104486315B true CN104486315B (en) 2017-06-13

Family

ID=52760819

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410743548.5A Active CN104486315B (en) 2014-12-08 2014-12-08 A kind of revocable key outsourcing decryption method based on contents attribute

Country Status (1)

Country Link
CN (1) CN104486315B (en)


Also Published As

Publication number Publication date
CN104486315A (en) 2015-04-01


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20210812

Address after: 310053 No. 18, Chuanghui street, Changhe street, Binjiang District, Hangzhou City, Zhejiang Province

Patentee after: BUAA HANGZHOU INNOVATION INSTITUTE

Address before: 100191 No. 37, Haidian District, Beijing, Xueyuan Road

Patentee before: BEIHANG University

TR01 Transfer of patent right