CN116708040B - Data security management and control method and system based on symmetric homomorphic encryption - Google Patents

Info

Publication number
CN116708040B
Authority
CN
China
Prior art keywords
data
query
cloud server
ciphertext
entity
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202310983085.9A
Other languages
Chinese (zh)
Other versions
CN116708040A (en)
Inventor
李佳琦
李贝贝
朱子青
程彦宇
戴婉莹
杜卿芸
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Chengdu Mojia Information Technology Co ltd
Original Assignee
Chengdu Mojia Information Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Chengdu Mojia Information Technology Co ltd
Priority to CN202310983085.9A
Publication of CN116708040A
Application granted
Publication of CN116708040B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6227 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database where protection concerns the structure of data, e.g. records, types, queries
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/008 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols involving homomorphic encryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Bioethics (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Databases & Information Systems (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention belongs to the technical field of ciphertext processing and discloses a data security management and control method and system based on symmetric homomorphic encryption. The method comprises the following steps: generating a secret key and public parameters; registering entities; collecting user data; performing symmetric homomorphic encryption to obtain corresponding ciphertext data; signing the ciphertext data; performing batch signature verification on the collected signature data and storing the ciphertext data on a cloud server; collecting corresponding query information; generating a query request; signing the query request; performing signature verification on the query signature data; and querying the ciphertext data to obtain a data query result. The system comprises a trusted mechanism, a data source set, a control center, a cloud server and a data requester set. The invention solves the prior-art problems of high computational cost, distorted calculation results and low data utilization value.

Description

Data security management and control method and system based on symmetric homomorphic encryption
Technical Field
The invention belongs to the technical field of ciphertext processing, and particularly relates to a data security management and control method and system based on symmetric homomorphic encryption.
Background
In modern digital society, the collection and sharing of data is becoming increasingly important. Many applications and services need to collect data from users, sensors, or other sources. Such data may be used to improve quality of service, enhance security, improve decisions, and the like. However, data collection and sharing are often accompanied by privacy and security risks, so protecting the security and privacy of data is an important challenge. At present, data is generally stored on a single cloud server, and privacy leakage occurs easily during data collection and sharing. Because cloud-stored data has been leaked through attacks, faults or configuration errors, the reliability of a third-party cloud server cannot be guaranteed. Research on security control and privacy protection for data collection and sharing is therefore of great significance. Many existing schemes incorporate differential privacy to enhance the privacy of the results, but users are often required to negotiate noise parameters, which adds communication overhead. Noise may also accumulate during calculation, distorting the calculation result and making accurate queries over various data results difficult. Homomorphic encryption is also often used to protect data privacy; however, the data in these schemes is mainly the sum of data within a specific range, and the data utilization value is low. Furthermore, most homomorphic encryption schemes are computationally expensive and are not suitable for resource-limited devices.
Disclosure of Invention
The invention aims to solve the problems of high calculation cost, distortion of calculation results and low data utilization value in the prior art, and provides a data security management and control method and system based on symmetric homomorphic encryption.
The technical scheme adopted by the invention is as follows:
a data security management and control method based on symmetric homomorphic encryption comprises the following steps:
generating a secret key and a public parameter by using a symmetrical homomorphic encryption algorithm, storing the secret key to a cloud server, and issuing the public parameter to all entities of a current data network;
registering all entities of the current data network to obtain registration information corresponding to all entities, and sending the registration information to the corresponding entities;
after the entity registration is successful, acquiring corresponding user data at each data acquisition time point by using the entity deployed at the user side of the current data network;
according to public parameters published in the current data network, using a symmetrical homomorphic encryption algorithm to carry out symmetrical homomorphic encryption on user data of a user side to obtain corresponding ciphertext data;
signing the corresponding ciphertext data according to the registration information of the entity at the user side to obtain collected signature data, and sending the ciphertext data and the collected signature data to a cloud server;
according to the acquired signature data of the entity at the user side, carrying out batch signature verification by using a digital signature algorithm based on identity, after the signature verification, receiving ciphertext data at the corresponding user side by using a cloud server, and storing the ciphertext data to the cloud server;
acquiring corresponding query information by using an entity deployed on a query side of a current data network;
according to public parameters issued in the current data network, using a symmetrical homomorphic encryption algorithm to carry out symmetrical homomorphic encryption on query information of a query side to obtain a corresponding query request;
signing the corresponding query request according to the registration information of the entity at the query side to obtain query signature data, and sending the query request and the query signature data to the cloud server;
according to the query signature data of the entity at the query side, carrying out signature verification by using an identity-based digital signature algorithm, and after the signature verification, receiving a query request at the corresponding query side by using a cloud server;
based on the cloud server, ciphertext data query is carried out on ciphertext data stored by the cloud server according to the query request, a corresponding data query result is obtained, and the data query result is returned to a corresponding query side.
Further, the query information includes querier location information, a time query range, a space query range, a numerical query range, and area query information.
Further, the query request includes encrypted querier location information, a time query range, an encrypted space query range, an encrypted numerical query range and regional query information, which are obtained by symmetrically homomorphic encrypting the query information.
Further, the entity registration is performed on the entity of the user side of the current data network, and the method further comprises the following steps:
acquiring position information and a space visible range of a data acquirer of an entity at a user side;
carrying out symmetrical homomorphic encryption on the position information of the data collector and the space visible range by using a symmetrical homomorphic encryption algorithm to obtain the position information of the data collector after encryption and the space visible range after encryption;
when entity registration is carried out on the entity of the user side of the current data network, carrying out symmetrical homomorphic decryption on the position information of all encrypted data collectors according to the public parameters issued on the current data network to obtain the position information of the decrypted data collectors of the entity of all the user side;
according to the decrypted position information of the data collector, carrying out region division on entities of all user sides of the current data network to obtain region division information of the entities of the user sides;
and transmitting the regional division information of the entity at the user side, the encrypted position information of the data collector and the encrypted space visible range to a cloud server.
Further, generating the key and the public parameter includes the following steps:
presetting security parameters of a symmetrical homomorphic encryption algorithm;
and generating a secret key and a public parameter by using a symmetrical homomorphic encryption algorithm according to the security parameter.
Further, the cloud server comprises a first cloud server and a second cloud server.
Further, based on the cloud server, according to the query request, ciphertext data query is performed on ciphertext data stored by the cloud server to obtain a corresponding data query result, and the data query result is returned to a corresponding query side, including the following steps:
receiving a query request of a query side passing signature verification by using a first cloud server;
according to the regional query information in the query request, matching corresponding regional division information by using a first cloud server to obtain a corresponding query target region;
according to the time query range in the query request, using a first cloud server to perform data screening on ciphertext data acquired by an entity at a user side in a query target area to obtain screened ciphertext data;
according to the encrypted inquirer position information, the encrypted space inquiry range and the encrypted numerical value inquiry range in the inquiry request, and the encrypted data collector position information and the encrypted space visible range of the entity at the user side, using a first cloud server to carry out data filtering on the screened ciphertext data to obtain an encrypted data filtering result;
signing the encrypted data filtering result according to the registration information of the first cloud server to obtain filtering result signing data, and sending the encrypted data filtering result and the filtering result signing data to the second cloud server;
according to the filtering result signature data sent by the first cloud server, carrying out signature verification by using an identity-based digital signature algorithm, and after the signature verification, receiving an encrypted data filtering result by using a second cloud server;
decrypting the encrypted data filtering result by using the second cloud server according to the secret key to obtain a decrypted data filtering result;
generating a corresponding random ciphertext value according to whether the decrypted data filtering result meets the requirement of the query request or not;
signing the random ciphertext value according to registration information of the second cloud server to obtain ciphertext value signature data, and sending the random ciphertext value and the ciphertext value signature data to the first cloud server;
according to the ciphertext value signature data sent by the second cloud server, carrying out signature verification by using an identity-based digital signature algorithm, and after the signature verification, receiving a random ciphertext value by using the first cloud server;
and renumbering the screened ciphertext data by using a first cloud server according to the random ciphertext value to obtain a corresponding data query result after adding noise, and returning the data query result after adding noise to a corresponding query side.
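Added illustration, not part of the patent text: a toy run of the two-server filtering steps above, in which the first cloud server computes an encrypted squared-distance gap without the key and the second cloud server decrypts it and answers with a fresh ciphertext. The scheme itself is an assumed textbook-style symmetric homomorphic construction (the patent's own formulas are not reproduced on this page); the function names, parameter sizes, the 0/1 flag and the multiplication used for masking are assumptions, and the identity-based signatures are omitted.

```python
import secrets

K0, K2 = 256, 40   # toy sizes (assumed): bits of primes p, q and of the mask L

def _is_prime(n, rounds=24):
    """Miller-Rabin probabilistic primality test."""
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _rand(bits):
    """Random integer with exactly `bits` bits (never zero)."""
    return secrets.randbits(bits) | (1 << (bits - 1))

def _rand_prime(bits):
    while True:
        c = _rand(bits) | 1
        if _is_prime(c):
            return c

def _centered(x, m):
    """Representative of x mod m in (-m/2, m/2], so negatives survive."""
    x %= m
    return x - m if x > m // 2 else x

def keygen():
    """Trusted party: secret key (p, L); public parameters N and two Enc(0)."""
    p, q, L = _rand_prime(K0), _rand_prime(K0), _rand(K2) | 1
    N = p * q
    zeros = [(_rand(K2) * L) * (1 + _rand(K0) * p) % N for _ in range(2)]
    return (p, L), (N, zeros)

def encrypt(pp, m):
    """Any entity: encrypt m using only the published Enc(0) values."""
    N, (z1, z2) = pp
    return (m + _rand(K2) * z1 + _rand(K2) * z2) % N

def decrypt(sk, c):
    """Key holder: strip the multiple of p, then the multiple of L."""
    p, L = sk
    return _centered(_centered(c, p), L)

def cs1_gap(pp, enc_q, enc_u, enc_r):
    """First server, no key: Enc(d^2 - R^2) from encrypted positions/range."""
    dx, dy = enc_q[0] - enc_u[0], enc_q[1] - enc_u[1]
    return (dx * dx + dy * dy - enc_r * enc_r) % pp[0]

def cs2_flag(sk, pp, enc_gap):
    """Second server, with key: fresh Enc(1) if inside the range, else Enc(0).
    In this toy it learns the plaintext gap itself, not only its sign."""
    return encrypt(pp, 1 if decrypt(sk, enc_gap) <= 0 else 0)

def cs1_mask(pp, enc_record, enc_flag):
    """First server: the record survives only if the flag encrypts 1."""
    return enc_record * enc_flag % pp[0]

def run_query(querier_xy, radius, collector_xy, reading):
    """End-to-end run on constructed sample values; returns (gap, result)."""
    sk, pp = keygen()
    enc_u = [encrypt(pp, v) for v in collector_xy]   # user side
    enc_rec = encrypt(pp, reading)
    enc_q = [encrypt(pp, v) for v in querier_xy]     # query side
    enc_r = encrypt(pp, radius)
    gap = cs1_gap(pp, enc_q, enc_u, enc_r)
    out = cs1_mask(pp, enc_rec, cs2_flag(sk, pp, gap))
    return decrypt(sk, gap), decrypt(sk, out)
```

The toy sizes leave enough headroom for one squaring and one masking multiplication; deeper computations need a larger K0, otherwise decryption silently returns wrong values.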
The system comprises a trusted mechanism, a data source set, a control center, a cloud server and a data requester set, wherein the trusted mechanism, the data source set, the control center, the cloud server and the data requester set are used as entities of the current data network, the trusted mechanism is respectively connected with the data source set, the control center, the cloud server and the data requester set, the data source set comprises a plurality of data acquisition terminals, the data acquisition terminals are used as entities deployed on a user side of the current data network, the data requester set comprises a plurality of data request terminals, the data request terminals are used as entities deployed on an inquiring side of the current data network, the control center is respectively connected with the data source set, the cloud server and the data requester set, the cloud server is connected with the data requester set, and the cloud server comprises a first cloud server and a second cloud server;
the trusted mechanism is used for generating a secret key and public parameters by using a symmetrical homomorphic encryption algorithm, storing the secret key to the cloud server and issuing the public parameters to all entities of the current data network; registering all entities of the current data network to obtain registration information corresponding to all entities, and sending the registration information to the corresponding entities;
the data source set is used for collecting corresponding user data at each data collection time point; according to public parameters published in the current data network, using a symmetrical homomorphic encryption algorithm to carry out symmetrical homomorphic encryption on user data of a user side to obtain corresponding ciphertext data; signing the corresponding ciphertext data according to the registration information of the entity at the user side to obtain collected signature data, and sending the ciphertext data and the collected signature data to a cloud server;
the control center is used for carrying out signature verification by using a digital signature algorithm based on identity according to the signature data of the entity; connecting a data acquisition terminal in the data source set with the cloud server, storing ciphertext data, and sending the ciphertext data to the cloud server;
the cloud server is used for receiving ciphertext data of a user side and a query request of a query side, which is sent by a data requester set, sent by the control center after signature verification, and storing the ciphertext data to the cloud server; according to the query request, ciphertext data query is carried out on ciphertext data stored by the cloud server, a corresponding data query result is obtained, and the data query result is returned to a corresponding query side;
the data requester set is used for collecting corresponding query information; according to public parameters issued in the current data network, using a symmetrical homomorphic encryption algorithm to carry out symmetrical homomorphic encryption on query information of a query side to obtain a corresponding query request; and signing the corresponding query request according to the registration information of the entity at the query side to obtain query signature data, and sending the query request and the query signature data to the cloud server.
Further, the cloud server comprises a first cloud server and a second cloud server, the first cloud server is respectively connected with the trusted authority, the second cloud server, the control center and all data request terminals in the data requester set, and the second cloud server is respectively connected with the trusted authority and all data request terminals in the data requester set.
The beneficial effects of the invention are as follows:
the data security management and control method and system based on symmetric homomorphic encryption adopt symmetric homomorphic encryption together with identity-based digital signatures, so that an external attacker who eavesdrops on data on a link cannot obtain plaintext information. On the premise of meeting the differential privacy requirement, the efficiency of data processing and analysis is improved and expandability is enhanced; symmetric homomorphic encryption has low calculation cost and high operation efficiency, the calculation result is accurate, and the data utilization value is high. A query function is provided, which improves the practicability of data security management and control. Finally, confidentiality of the query request is guaranteed: while the encrypted data is filtered and shared according to the query request, the query request is processed and calculated in ciphertext form, and the plaintext data and privacy information of the query request are not revealed to an attacker or the cloud server, so that the query privacy of the data requester set is effectively guaranteed.
Other advantageous effects of the present invention will be further described in the detailed description.
Drawings
FIG. 1 is a flow chart of a data security management and control method based on symmetric homomorphic encryption in the present invention.
FIG. 2 is a block diagram of a data security management and control system based on symmetric homomorphic encryption in the present invention.
Detailed Description
The invention is further illustrated by the following description of specific embodiments in conjunction with the accompanying drawings.
Example 1:
as shown in fig. 1, the embodiment provides a data security management and control method based on symmetric homomorphic encryption, which includes the following steps:
the method for generating the secret key and the public parameter by using the symmetrical homomorphic encryption algorithm comprises the following steps:
presetting security parameters of symmetrical homomorphic encryption algorithm
Generating a key according to the security parameters by using a symmetrical homomorphic encryption algorithmsk Public parameters, wherein ,skis a master key->All are->=/>=/>Prime number (F)>Is->=/>Is a random number of (a) and (b),is a common parameter->Is the basic point of the prime field,/-, and>is public key (L)>In prime order->Are hash functions;
the public parameters also include initial ciphertext values
The calculation formula is as follows:
in the formula ,、/>all are->Random numbers of (a); />、/>All are->Random numbers of (a);
storing the key sk to the cloud server CS, and publishing the public parameters to all entities of the current data network;
according to the corresponding ID sent by each entity of the current data network, entity registration is carried out on all entities of the current data network, registration information corresponding to all entities is obtained, and the registration information is sent to the corresponding entities;
the formula for entity registration is:
in the formula ,is a random number; />Is registration information; />Is a registration parameter; />To register forID
entity registration is performed on the entity on the user side of the current data network, wherein l is the total number of the data source sets, and the method further comprises the following steps:
acquiring the data collector position information and the space visible range of the entity on the user side, wherein i is the index of the entity on the user side;
using a symmetrical homomorphic encryption algorithm to carry out symmetrical homomorphic encryption on the position information of the data acquirer and the space visible range to obtain the position information of the encrypted data acquirer and the space visible range after encryption, wherein ,/>The identity number of the entity at the user side is given;
when entity registration is carried out on the entity at the user side of the current data network, according to the public parameters published in the current data network, symmetrical homomorphic decryption is carried out on the position information of all encrypted data collectors, and the position information of the decrypted data collectors of the entity at all user sides is obtained
according to the decrypted data collector position information, carrying out region division on the entities of all user sides of the current data network to obtain region division information of the entities of the user sides, wherein j is the index of the region;
transmitting the region division information of the entity on the user side, the encrypted position information of the data collector and the encrypted space visible range to the cloud server CS;
After the entity registration is successful, acquiring corresponding user data at each data acquisition time point by using the entity deployed at the user side of the current data network;
according to public parameters published in the current data network, using a symmetrical homomorphic encryption algorithm to carry out symmetrical homomorphic encryption on user data of a user side to obtain corresponding ciphertext data;
according to the registration information of the entity at the user side, signing the corresponding ciphertext data to obtain collected signature data, and sending the ciphertext data and the collected signature data to a cloud server;
the formula of the signature is:
in the formula ,is a random number; />Is signature data; />Signature parameters; />Ciphertext data;
according to the acquired signature data of the entity at the user side, carrying out batch signature verification by using a digital signature algorithm based on identity, after the signature verification, receiving ciphertext data at the corresponding user side by using a cloud server, and storing the ciphertext data to the cloud server;
the formula for batch signature verification is:
in the formula ,indicating an amount for the signature verification entity;nis the total number of entities; />Parameters; />Signature parameters; />Is a registration parameter; />Ciphertext data; />Corresponding entityIDNumbering;
the formula for monomer signature verification is:
in the formula ,signature parameters; />Is a registration parameter; />Ciphertext data; />Corresponding entityIDNumbering;
acquiring corresponding query information by using an entity deployed on the query side of the current data network; the query information includes querier location information, a time query range, a space query range, a numerical query range, and regional query information;
According to public parameters issued in the current data network, using a symmetrical homomorphic encryption algorithm to carry out symmetrical homomorphic encryption on query information of a query side to obtain a corresponding query request; the query request comprises encrypted querier position information, time query range, encrypted space query range, encrypted numerical value query range and regional query information which are obtained by symmetrically and homomorphically encrypting query information, namely
Signing the corresponding query request according to the registration information of the entity at the query side to obtain query signature data, and sending the query request and the query signature data to the cloud server;
the formula for signing the query request is:
in the formula ,is a random number; />Signing data for the query; />Signature parameters; />Is a registration parameter; />To register forID
According to the query signature data of the entity at the query side, carrying out signature verification by using an identity-based digital signature algorithm, and after the signature verification, receiving a query request at the corresponding query side by using a cloud server;
based on the cloud server, the cloud server comprises a first cloud server and a second cloud server, ciphertext data query is carried out on ciphertext data stored by the cloud server according to a query request to obtain a corresponding data query result, and the data query result is returned to a corresponding query side, and the method comprises the following steps:
receiving a query request of a query side passing signature verification by using a first cloud server;
according to the regional query information in the query request, matching corresponding regional division information by using the first cloud server to obtain a corresponding query target region
According to the time query range in the query request, using a first cloud server to perform data screening on ciphertext data collected by an entity at a user side in a query target area to obtain screened ciphertext data, wherein ,/>For inquiring the target area +.>Is on the user side of the entitytCiphertext of data acquisition time pointData,/->Time point of starting data acquisition->A time point of ending data acquisition;
according to the encrypted inquirer position information, the encrypted space inquiry range and the encrypted numerical value inquiry range in the inquiry request, and the encrypted data collector position information and the encrypted space visible range of the entity at the user side, using a first cloud server to carry out data filtering on the screened ciphertext data to obtain an encrypted data filtering result;
the method comprises the following steps:
calculating the entity at the inquiring side according to the encrypted inquirer position information in the inquiring request and the encrypted data collector position information of the entity at the user sideEntity->The square of the spatial distance between the two is expressed as:
in the formula ,for entities on the query side->Entity->The square of the spatial distance between them;is the initial ciphertext value; />、/>、/> and />Are all intermediate parameters;
calculation ofSquare of space query range after encryption +.>First difference ∈>Encryption space inquiry range +.>And->Is +.>Second difference->And a third difference->
Calculating an encrypted numeric query rangeRespectively->Fourth difference of (2)And a fifth difference->
Integrating the screened ciphertext data by using a first cloud server to obtain an encrypted data filtering result
Signing the encrypted data filtering result according to the registration information of the first cloud server CS1 to obtain filtering result signature data, and sending the encrypted data filtering result and the filtering result signature data to the second cloud server CS2;
according to the filtering result signature data sent by the first cloud server CS1, carrying out signature verification by using an identity-based digital signature algorithm, and after the signature verification, receiving the encrypted data filtering result by using the second cloud server CS2;
decrypting the encrypted data filtering result by using the second cloud server CS2 according to the key to obtain a decrypted data filtering result
Generating a corresponding random ciphertext value according to whether the decrypted data filtering result meets the requirement of the query request or not;
in the formula ,is a random ciphertext value; />An initial ciphertext value;
signing the random ciphertext value according to registration information of the second cloud server to obtain ciphertext value signature data, and sending the random ciphertext value and the ciphertext value signature data to the first cloud server;
according to the ciphertext value signature data sent by the second cloud server, carrying out signature verification by using an identity-based digital signature algorithm, and after the signature verification, receiving a random ciphertext value by using the first cloud server;
renumbering the screened ciphertext data by using a first cloud server according to the random ciphertext value to obtain|/>, wherein ,/>Data acquisition frequency +.>For renumbered random ciphertext values, +.>For renumbered ciphertext data, ++>Renumbered ciphertext data indicator, +.>Renumbered ciphertext data total +.>Target area information->The total number of entities at the deployed user side;
according to|/>Calculating to obtain->I.e. dataset +.>And obtaining a corresponding data query result after adding noise, and returning the data query result after adding noise to a corresponding query side.
The first cloud server CS1 lacks the key and therefore cannot obtain plaintext data. The second cloud server CS2 can decrypt ciphertext data, but the data it decrypts is data to which the first cloud server CS1 has added noise (a random number) through homomorphic calculation, so the plaintext information cannot be correctly recovered from it. Processing and calculation are thereby guaranteed to take place under ciphertext.
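The split of knowledge between the two cloud servers described above, as an added Python example that is not the patent's own code. The patent's encryption formulas do not survive on this page, so a generic symmetric homomorphic construction (ciphertext (rL + m)(1 + r'p) mod N, with encryptions of zero as public parameters) stands in for it; the multiplicative blinding, the 0/1 indicator, all names, the parameter sizes and the sample records are assumptions.

```python
import secrets

def _is_probable_prime(n, rounds=20):
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _rand_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c):
            return c

def keygen(k0=512, k2=64, kr=32):
    """Trusted authority: key (p, L) for CS2, public parameters for everyone.
    Sizes are illustration values (assumed), not a security recommendation."""
    p, q = _rand_prime(k0), _rand_prime(k0)
    L = secrets.randbits(k2) | (1 << (k2 - 1))
    N = p * q
    def enc0():  # an encryption of zero, published so that no entity needs the key
        return (secrets.randbits(kr) + 1) * L * (1 + secrets.randbits(k0) * p) % N
    return (p, L), (N, enc0(), enc0(), kr)

def encrypt(pp, m):
    """Encrypt with public parameters only: m plus random multiples of E(0)."""
    N, z1, z2, kr = pp
    return (m + (secrets.randbits(kr) + 1) * z1 + (secrets.randbits(kr) + 1) * z2) % N

def decrypt(sk, c):
    p, L = sk
    v = c % p
    if v > p // 2:            # centred lift, so differences may be negative
        v -= p
    m = v % L
    return m - L if m > L // 2 else m

class CS1:
    """Stores ciphertext records (E(x), E(y), E(reading)); never holds the key."""
    def __init__(self, pp, records):
        self.N, self.records = pp[0], records

    def blinded_filter(self, query):
        """query = (E(xq), E(yq), E(R)); returns blind * E(d^2 - R^2) per record."""
        ex, ey, er = query
        out = []
        for cx, cy, _ in self.records:
            d2 = (ex - cx) ** 2 + (ey - cy) ** 2
            blind = secrets.randbelow(1 << 16) + 2   # assumed noise: keeps only the sign
            out.append(blind * (d2 - er * er) % self.N)
        return out

    def aggregate(self, indicators):
        """E(sum of readings whose encrypted indicator is 1)."""
        return sum(i * rec[2] for i, rec in zip(indicators, self.records)) % self.N

class CS2:
    """Holds the key, but only ever receives blinded differences."""
    def __init__(self, sk, pp):
        self.sk, self.pp, self.seen = sk, pp, []

    def indicators(self, blinded):
        self.seen = [decrypt(self.sk, c) for c in blinded]
        return [encrypt(self.pp, 1 if v <= 0 else 0) for v in self.seen]

def demo():
    sk, pp = keygen()
    plain = [(10, 10, 7), (12, 9, 5), (40, 40, 100), (13, 14, 3)]  # constructed sample
    cs1 = CS1(pp, [tuple(encrypt(pp, v) for v in rec) for rec in plain])
    cs2 = CS2(sk, pp)
    xq, yq, R = 11, 11, 5
    query = (encrypt(pp, xq), encrypt(pp, yq), encrypt(pp, R))
    ind = cs2.indicators(cs1.blinded_filter(query))
    total = decrypt(sk, cs1.aggregate(ind))   # key used here only to check the result
    true_diffs = [(xq - x) ** 2 + (yq - y) ** 2 - R * R for x, y, _ in plain]
    return total, cs2.seen, true_diffs

if __name__ == "__main__":
    print(demo())
```

CS2's decrypted values share only their sign with the true differences, and CS1 handles nothing but ciphertext throughout.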
Example 2:
As shown in fig. 2, this embodiment provides a data security management and control system based on symmetric homomorphic encryption, which is used for implementing the data security management and control method. The system is set in a current data network and includes a trusted authority TA, a data source set S, a control center CC, a cloud server CS and a data requester set U. The trusted authority TA, the data source set S, the control center CC, the cloud server CS and the data requester set U serve as entities of the current data network. The trusted authority TA is connected respectively with the data source set S, the control center CC, the cloud server CS and the data requester set U. The data source set S comprises a plurality of data acquisition terminals, each denoted with an indication quantity, and each data acquisition terminal serves as an entity deployed on the user side of the current data network. The data requester set U comprises a plurality of data request terminals, each denoted with an indication quantity, and each data request terminal serves as an entity deployed on the query side of the current data network. The control center CC is connected respectively with the data source set S, the cloud server CS and the data requester set U; the cloud server CS is connected with the data requester set U; and the cloud server comprises a first cloud server and a second cloud server;
the trusted authority TA is used for generating a key and public parameters by using a symmetric homomorphic encryption algorithm, storing the key to the cloud server and issuing the public parameters to all entities of the current data network; registering all entities of the current data network to obtain registration information corresponding to all entities, and sending the registration information to the corresponding entities;
the data source set S is used for collecting corresponding user data at each data acquisition time point; according to public parameters published in the current data network, using a symmetric homomorphic encryption algorithm to carry out symmetric homomorphic encryption on user data of a user side to obtain corresponding ciphertext data; signing the corresponding ciphertext data according to the registration information of the entity at the user side to obtain collected signature data, and sending the ciphertext data and the collected signature data to the cloud server;
the control center CC is used for carrying out signature verification by using an identity-based digital signature algorithm according to the signature data of the entity; connecting the data acquisition terminals in the data source set with the cloud server, storing ciphertext data, and sending the ciphertext data to the cloud server;
the cloud server CS is used for receiving, after signature verification, the ciphertext data of the user side sent by the control center and the query request of the query side sent by the data requester set, and storing the ciphertext data to the cloud server; according to the query request, ciphertext data query is carried out on the ciphertext data stored by the cloud server, a corresponding data query result is obtained, and the data query result is returned to the corresponding query side;
the data requester set U is used for collecting corresponding query information; according to public parameters issued in the current data network, using a symmetric homomorphic encryption algorithm to carry out symmetric homomorphic encryption on query information of a query side to obtain a corresponding query request; and signing the corresponding query request according to the registration information of the entity at the query side to obtain query signature data, and sending the query request and the query signature data to the cloud server.
Preferably, the cloud server CS comprises a first cloud server CS1 and a second cloud server CS2; the first cloud server CS1 is connected respectively with the trusted authority TA, the second cloud server CS2, the control center CC and all data request terminals in the data requester set U; the second cloud server CS2 is connected respectively with the trusted authority TA and all data request terminals in the data requester set U;
the first cloud server CS1 is used for receiving and storing the ciphertext data sent by the control center CC; receiving the query request sent by the data requester set U; receiving a query request of a query side that has passed signature verification; according to the regional query information in the query request, matching the corresponding regional division information to obtain a corresponding query target region; according to the time query range in the query request, performing data screening on ciphertext data acquired by the entities at the user side in the query target region to obtain screened ciphertext data; according to the encrypted querier position information, the encrypted space query range and the encrypted numerical value query range in the query request, and the encrypted data collector position information and the encrypted space visible range of the entity at the user side, carrying out data filtering on the screened ciphertext data to obtain an encrypted data filtering result; signing the encrypted data filtering result according to the registration information of the first cloud server CS1 to obtain filtering result signature data, and sending the encrypted data filtering result and the filtering result signature data to the second cloud server CS2; receiving a random ciphertext value that has passed signature verification; renumbering the screened ciphertext data according to the random ciphertext value to obtain a corresponding data query result, and returning the data query result to the corresponding query side;
the second cloud server CS2 is used for receiving the key sent by the trusted authority TA; decrypting the encrypted data filtering result according to the key to obtain a decrypted data filtering result; generating a corresponding random ciphertext value by using the initial ciphertext value according to whether the decrypted data filtering result meets the requirement of the query request; signing the random ciphertext value according to the registration information of the second cloud server CS2 to obtain ciphertext value signature data, and sending the random ciphertext value and the ciphertext value signature data to the first cloud server CS1.
According to the data security management and control method and system based on the symmetrical homomorphic encryption, the symmetrical homomorphic encryption technology and the digital signature technology based on the identity are adopted, so that even if an external attacker eavesdrops data on a link, plaintext information cannot be obtained, the processing and analysis efficiency of the data is improved on the premise of meeting the differential privacy requirement, the expandability is enhanced, the symmetrical homomorphic encryption calculation cost is low, the operation efficiency is high, the calculation result is accurate, and the data utilization value is high; the query function is provided, and the practicability of data security management and control is improved; finally, confidentiality of the query request is guaranteed, in the process of filtering and sharing the encrypted data according to the query request, the query request is processed and calculated under ciphertext, and plaintext data and privacy information of the query request are not revealed to an attacker and a cloud server, so that query privacy of a data requester set is effectively guaranteed.
The invention is not limited to the alternative embodiments described above, but any person may derive other various forms of products in the light of the present invention. The above detailed description should not be construed as limiting the scope of the invention, which is defined in the claims and the description may be used to interpret the claims.

Claims (8)

1. A data security management and control method based on symmetric homomorphic encryption is characterized in that: the method comprises the following steps:
generating a secret key and a public parameter by using a symmetrical homomorphic encryption algorithm, storing the secret key to a cloud server, and issuing the public parameter to all entities of a current data network;
registering all entities of the current data network to obtain registration information corresponding to all entities, and sending the registration information to the corresponding entities;
the formula for entity registration is:
in the formula ,is a random number; />Is registration information; />Is a registration parameter; />To register forID
Entity for user of current data networkAn entity registration is performed, wherein,lfor the total number of the data source sets, the method further comprises the following steps:
data collector location information for collecting entities on the user sideAnd spatial visibility range->; wherein ,iindicating the quantity for the entity at the user side;
using a symmetrical homomorphic encryption algorithm to carry out symmetrical homomorphic encryption on the position information of the data acquirer and the space visible range to obtain the position information of the encrypted data acquirer and the space visible range after encryption, wherein ,/>The identity number of the entity at the user side is given;
when entity registration is carried out on the entity at the user side of the current data network, according to the public parameters published in the current data network, symmetrical homomorphic decryption is carried out on the position information of all encrypted data collectors, and the position information of the decrypted data collectors of the entity at all user sides is obtained
All user sides of the current data network according to the decrypted data collector position informationThe entity of the user is subjected to regional division to obtain regional division information of the entity of the user, wherein ,jindicating an amount for the region;
transmitting the regional division information of the entity of the user, the encrypted position information of the data collector and the encrypted space visible range to a cloud serverCS
After the entity registration is successful, acquiring corresponding user data at each data acquisition time point by using the entity deployed at the user side of the current data network;
according to public parameters published in the current data network, using a symmetrical homomorphic encryption algorithm to carry out symmetrical homomorphic encryption on user data of a user side to obtain corresponding ciphertext data;
signing the corresponding ciphertext data according to the registration information of the entity at the user side to obtain collected signature data, and sending the ciphertext data and the collected signature data to a cloud server;
according to the acquired signature data of the entity at the user side, carrying out batch signature verification by using a digital signature algorithm based on identity, after the signature verification, receiving ciphertext data at the corresponding user side by using a cloud server, and storing the ciphertext data to the cloud server;
acquiring corresponding query information by using an entity deployed on a query side of a current data network;
according to public parameters issued in the current data network, using a symmetrical homomorphic encryption algorithm to carry out symmetrical homomorphic encryption on query information of a query side to obtain a corresponding query request;
signing the corresponding query request according to the registration information of the entity at the query side to obtain query signature data, and sending the query request and the query signature data to the cloud server;
according to the query signature data of the entity at the query side, carrying out signature verification by using an identity-based digital signature algorithm, and after the signature verification, receiving a query request at the corresponding query side by using a cloud server;
based on the cloud server, ciphertext data query is carried out on ciphertext data stored by the cloud server according to the query request, a corresponding data query result is obtained, and the data query result is returned to a corresponding query side.
2. The data security management and control method based on symmetric homomorphic encryption according to claim 1, wherein: the query information comprises the position information of a querier, a time query range, a space query range, a numerical value query range and area query information.
3. The data security management and control method based on symmetric homomorphic encryption according to claim 2, wherein: the query request comprises encrypted querier position information, a time query range, an encrypted space query range, an encrypted numerical value query range and regional query information which are obtained by symmetrically and homomorphically encrypting query information.
4. A method for data security management and control based on symmetric homomorphic encryption according to claim 3, wherein: generating a key and a public parameter, comprising the following steps:
presetting security parameters of a symmetrical homomorphic encryption algorithm;
and generating a secret key and a public parameter by using a symmetrical homomorphic encryption algorithm according to the security parameter.
5. The data security management and control method based on symmetric homomorphic encryption according to claim 4, wherein: the cloud server comprises a first cloud server and a second cloud server.
6. The data security management and control method based on symmetric homomorphic encryption according to claim 5, wherein: based on a cloud server, performing ciphertext data query on ciphertext data stored by the cloud server according to a query request to obtain a corresponding data query result, and returning the data query result to a corresponding query side, wherein the method comprises the following steps:
receiving a query request of a query side passing signature verification by using a first cloud server;
according to the regional query information in the query request, matching corresponding regional division information by using a first cloud server to obtain a corresponding query target region;
according to the time query range in the query request, using a first cloud server to perform data screening on ciphertext data acquired by an entity at a user side in a query target area to obtain screened ciphertext data;
according to the encrypted inquirer position information, the encrypted space inquiry range and the encrypted numerical value inquiry range in the inquiry request, and the encrypted data collector position information and the encrypted space visible range of the entity at the user side, using a first cloud server to carry out data filtering on the screened ciphertext data to obtain an encrypted data filtering result;
signing the encrypted data filtering result according to the registration information of the first cloud server to obtain filtering result signing data, and sending the encrypted data filtering result and the filtering result signing data to the second cloud server;
according to the filtering result signature data sent by the first cloud server, carrying out signature verification by using an identity-based digital signature algorithm, and after the signature verification, receiving an encrypted data filtering result by using a second cloud server;
decrypting the encrypted data filtering result by using the second cloud server according to the secret key to obtain a decrypted data filtering result;
generating a corresponding random ciphertext value according to whether the decrypted data filtering result meets the requirement of the query request or not;
signing the random ciphertext value according to registration information of the second cloud server to obtain ciphertext value signature data, and sending the random ciphertext value and the ciphertext value signature data to the first cloud server;
according to the ciphertext value signature data sent by the second cloud server, carrying out signature verification by using an identity-based digital signature algorithm, and after the signature verification, receiving a random ciphertext value by using the first cloud server;
and renumbering the screened ciphertext data by using a first cloud server according to the random ciphertext value to obtain a corresponding data query result after adding noise, and returning the data query result after adding noise to a corresponding query side.
7. A data security management and control system based on symmetric homomorphic encryption, configured to implement the data security management and control method according to any one of claims 1 to 6, wherein: the system is arranged on a current data network and comprises a trusted mechanism, a data source set, a control center, a cloud server and a data requester set, wherein the trusted mechanism, the data source set, the control center, the cloud server and the data requester set are used as entities of the current data network, the trusted mechanism is respectively connected with the data source set, the control center, the cloud server and the data requester set, the data source set comprises a plurality of data acquisition terminals, the data acquisition terminals are used as entities deployed on a user side of the current data network, the data requester set comprises a plurality of data request terminals, the data request terminals are used as entities deployed on an inquiring side of the current data network, the control center is respectively connected with the data source set, the cloud server and the data requester set, and the cloud server comprises a first cloud server and a second cloud server;
the trusted mechanism is used for generating a secret key and public parameters by using a symmetrical homomorphic encryption algorithm, storing the secret key to the cloud server and issuing the public parameters to all entities of the current data network; registering all entities of the current data network to obtain registration information corresponding to all entities, and sending the registration information to the corresponding entities;
the data source set is used for collecting corresponding user data at each data collection time point; according to public parameters published in the current data network, using a symmetrical homomorphic encryption algorithm to carry out symmetrical homomorphic encryption on user data of a user side to obtain corresponding ciphertext data; signing the corresponding ciphertext data according to the registration information of the entity at the user side to obtain collected signature data, and sending the ciphertext data and the collected signature data to a cloud server;
the control center is used for carrying out signature verification by using a digital signature algorithm based on identity according to the signature data of the entity; connecting a data acquisition terminal in the data source set with the cloud server, storing ciphertext data, and sending the ciphertext data to the cloud server;
the cloud server is used for receiving ciphertext data of a user side and a query request of a query side, which is sent by a data requester set, sent by the control center after signature verification, and storing the ciphertext data to the cloud server; according to the query request, ciphertext data query is carried out on ciphertext data stored by the cloud server, a corresponding data query result is obtained, and the data query result is returned to a corresponding query side;
the data requester set is used for collecting corresponding query information; according to public parameters issued in the current data network, using a symmetrical homomorphic encryption algorithm to carry out symmetrical homomorphic encryption on query information of a query side to obtain a corresponding query request; and signing the corresponding query request according to the registration information of the entity at the query side to obtain query signature data, and sending the query request and the query signature data to the cloud server.
8. The data security management and control system based on symmetric homomorphic encryption of claim 7, wherein: the cloud server comprises a first cloud server and a second cloud server, the first cloud server is respectively connected with all data request terminals in the trusted institution, the second cloud server, the control center and the data requester set, and the second cloud server is respectively connected with all data request terminals in the trusted institution and the data requester set.
CN202310983085.9A 2023-08-07 2023-08-07 Data security management and control method and system based on symmetric homomorphic encryption Active CN116708040B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310983085.9A CN116708040B (en) 2023-08-07 2023-08-07 Data security management and control method and system based on symmetric homomorphic encryption


Publications (2)

Publication Number Publication Date
CN116708040A CN116708040A (en) 2023-09-05
CN116708040B true CN116708040B (en) 2023-10-24

Family

ID=87832598


Country Status (1)

Country Link
CN (1) CN116708040B (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant