Disclosure of Invention
The invention aims to overcome the defects of the prior art and provides a reasonably designed blockchain-based publicly verifiable outsourced attribute-based encryption method, which not only traces the secret key of a malicious user but also revokes that user, can update the ciphertext in time, allows the outsourced decryption to be publicly verified, and provides forward security for the mechanism.
The technical scheme adopted by the invention for solving the problems is as follows:
A blockchain-based publicly verifiable outsourced attribute-based encryption method, characterized by comprising the following steps:
A. System initialization: the trusted authority generates a global public key and a master key from the security parameter and the whole attribute set, publishes the global public key and keeps the master key secret;
B. Encryption: the data owner encrypts the message and generates a ciphertext from the global public key, the access structure and the cover list;
C. Key generation: the trusted authority generates a decryption key from the global public key, the identity information of the user and the user attribute set, and sends the decryption key to the data user;
D. Decryption: the user decrypts the ciphertext into the message with the decryption key;
E. Outsourcing key generation: the user converts the decryption key into a conversion key and a retrieval key, sends the conversion key to the fog node and keeps the retrieval key;
F. Outsourced conversion: the fog node converts the ciphertext into a converted ciphertext from the global public key, the ciphertext and the conversion key, and then sends the converted ciphertext to the data user;
G. Outsourced decryption: the user recovers the message from the retrieval key, the ciphertext and the converted ciphertext;
H. User identity tracing: the trusted authority outputs the user identity information or an error from the global public key, the minimal cover list and the decryption key;
I. Ciphertext update: the trusted authority generates an updated ciphertext from the global public key, the ciphertext and the minimal cover list, and sends the updated ciphertext to the fog node.
Step A of the invention specifically comprises the following steps:
A1. First, the trusted authority receives the whole attribute set U and, according to the implicit security parameter λ, selects two multiplicative cyclic groups of prime order p with generator g and a bilinear map e between them. The trusted authority then initializes an empty user revocation list L and a full binary tree. After initialization, the trusted authority assigns each user identity to a leaf node of the binary tree. Each node is numbered in breadth-first order with the root numbered 0; d denotes the depth of the binary tree, so the maximum number of users is $|Num| = 2^d$, the number of nodes of the binary tree is $2|Num| - 1$, and the number of the last leaf node is $2|Num| - 2$;
A2. The trusted authority selects two random exponents α and a from $\mathbb{Z}_p$, the integer ring of order p. The trusted authority then likewise selects five random elements, among them g, u, v and d;
A3. For each attribute value i ∈ U, the trusted authority selects a random number from $\mathbb{Z}_p^*$, the multiplicative group of integers modulo p, and computes the attribute public key component associated with that attribute value;
A4. The trusted authority randomly selects a collision-resistant hash function H, which maps a message m or a random message m' to a single element;
A5. For each node of the binary tree, the trusted authority selects a random number, generates the corresponding master key component, and at the same time generates the binary tree public key component associated with the user identity;
A6. The trusted authority selects a probabilistic encryption scheme (Enc, Dec), where Enc is the encryption function and Dec is the decryption function;
A7. The trusted authority publishes the public key PK and keeps the master key MSK secret.
Step B of the invention specifically comprises the following steps:
B1. The data owner selects an access structure $(M, \rho)$, where M is an access matrix of order $l \times n$ and ρ is the mapping that assigns each row $M_i$ of M to an attribute. The data owner then selects two random secret exponents $s, s'$ and sets two random column vectors $v = (s, v_2, \dots, v_n)$ and $v' = (s', v'_2, \dots, v'_n)$, whose remaining entries are random. Finally, for each row $M_i$, the data owner computes the shares associated with the secret exponents s and s': $\lambda_i = M_i \cdot v$ and $\lambda'_i = M_i \cdot v'$;
B2. The data owner selects the message m to be encrypted and a randomly chosen message m', and computes ciphertext components associated with the access structure, including $C_1 = m \cdot e(g,g)^{\alpha s}$, $C'_1 = g^{s}$, $C''_1 = g^{as}$, $C_2 = m' \cdot e(g,g)^{\alpha s'}$, $C'_2 = g^{s'}$ and $C''_2 = g^{as'}$;
B3. Upon receiving the latest cover list cover(L) sent by the trusted authority, the data owner generates the ciphertext components associated with cover(L);
B4. Finally, the generated ciphertext CT is:
B5. Once the fog node receives the data owner's ciphertext, it calls a smart contract, and after the transaction is generated, the fog node broadcasts the transaction to the other fog nodes for consensus verification.
Step C of the invention specifically comprises the following steps:
C1. The trusted authority selects a random number and, using the probabilistic encryption scheme under the symmetric key k, generates the random value $f = \mathrm{Enc}_k(l_x)$, where $l_x$ is the leaf node associated with the user identity;
C2. The trusted authority first generates the key components associated with the user attribute set S, including $K_1 = f$, $K_3 = g^{b}$ and $K_4 = g^{ab}$;
C3. The trusted authority selects a random number and generates the key elements associated with the user identity uid for the nodes $x \in \mathrm{path}(uid) \cap \mathrm{cover}(L)$, where path(uid) is the set of node numbers on the path of the binary tree from the root node to the leaf node of user uid; the trusted authority then generates the key components associated with the user identity uid, including $K_6 = g^{w}$;
C4. The trusted authority generates the key SK and sends it to the data user, where $SK = \{K_1, K_2, K_3, K_4, K_i, K_5, K_6, K_7, K_8\}$.
Step D of the invention specifically comprises the following steps:
D1. Find two sets of constants $c_i$ and $c'_i$ over the attribute mapping set $I = \{i \mid \rho(i) \in S\}$ that satisfy the two reconstruction equations;
D2. The data user first computes two decryption components;
D3. The data user then computes the two plaintexts $m = C_1 / Y'_1$ and $m' = C_2 / Y'_2$, and checks whether the corresponding ciphertext component equals the ciphertext verification parameter component $u^{H(m)} v^{H(m')} d$; if they are equal, the message m is returned, otherwise the operation is aborted.
Step E of the invention specifically comprises the following steps:
E1. The user selects a random number z and generates the conversion key components, including $K'_1 = K_1$, $K'_7 = K_7$ and $K'_8 = K_8$;
E2. The user sends the generated conversion key TK to the fog node and keeps the retrieval key RK, where $TK = \{K'_1, K'_2, K'_3, K'_4, K'_i, K'_5, K'_6, K'_7, K'_8\}$ and $RK = \{z\}$.
In step F of the invention, the fog node computes the two converted ciphertext components as follows:
Step G of the invention specifically comprises the following steps:
G1. The user first verifies the received information: if the converted ciphertext fails the first check, or $W_1 \ne C_1$, or $W_2 \ne C_2$, the operation is aborted; otherwise the verification passes;
G2. If the verification passes, the user computes the two plaintext messages;
G3. The user computes the two verification plaintext components $V_1 = u^{H(m)}$ and $V_2 = v^{H(m')}$ and sends $V_1$ and $V_2$ to the fog node; the fog node then calls the smart contract, which verifies whether the ciphertext verification component equals the plaintext verification parameter component $V_1 V_2 d$.
Step H of the invention specifically comprises the following steps:
H1. The trusted authority first checks whether the format of the input key SK is correct; if it is not, the operation is aborted;
H2. If the format of SK is correct, the trusted authority searches whether $l_x$ is in the minimal cover list cover(L); if it is, the user identity uid is returned, otherwise a false user identity is returned;
H3. The trusted authority updates the revocation list to $L' = L \cup \{uid\}$.
Step I of the invention specifically comprises the following steps:
I1. The trusted authority selects a random number and computes the updated binary tree public key component associated with the user identity;
I2. The trusted authority computes the updated ciphertext components and the two ciphertext components associated with the updated cover list cover(L'), and then generates the updated ciphertext;
I3. The trusted authority then sends the updated ciphertext and the revocation list L' to the fog node, which calls the smart contract again to store the hash of the latest ciphertext.
Compared with the prior art, the invention has the following advantages and effects:
1. The invention combines outsourced decryption with the blockchain, achieving public verifiability of the outsourced decryption result while ensuring that the fog node obtains no information about the plaintext, and at the same time effectively prevents the cloud server from tampering with the ciphertext and malicious users from making false accusations;
2. Malicious users are traced, revoked and the ciphertext is updated in time: user identities are assigned to leaf nodes of the binary tree, and once a malicious user is traced it is added to the revocation list, so that tracing and revocation of malicious users are achieved;
3. The outsourced decryption information is made public through blockchain technology, so that public verifiability of outsourced-decryption attribute-based encryption is achieved;
4. The latency problem of the traditional centralized cloud server architecture is addressed by the three-layer architecture "IoT device - fog node - cloud server";
5. The method can meet higher privacy protection requirements of users, is more efficient, and is convenient for mobile devices with limited bandwidth and resources.
Detailed Description
The present invention is described in further detail below by way of examples with reference to the accompanying drawings, which illustrate the present invention and are not to be construed as limiting it.
In this embodiment, a blockchain-based publicly verifiable outsourced attribute-based encryption method specifically comprises the following steps:
A. System initialization: the trusted authority generates the global public key PK and the master key MSK from the implicit security parameter λ and the whole attribute set U, specifically as follows:
A1. First, the trusted authority receives the whole attribute set U and, according to the implicit security parameter λ, selects two multiplicative cyclic groups of prime order p with generator g and a bilinear map e between them. The trusted authority then initializes an empty user revocation list L and a full binary tree. After initialization, the trusted authority assigns each user identity to a leaf node of the binary tree. Each node is numbered in breadth-first order with the root numbered 0; d denotes the depth of the binary tree, so the maximum number of users is $|Num| = 2^d$, the number of nodes of the binary tree is $2|Num| - 1$, and the number of the last leaf node is $2|Num| - 2$;
A2. The trusted authority selects two random exponents α and a from $\mathbb{Z}_p$, the integer ring of order p. The trusted authority then likewise selects five random elements, among them g, u, v and d;
A3. For each attribute value i ∈ U, the trusted authority selects a random number from $\mathbb{Z}_p^*$, the multiplicative group of integers modulo p, and computes the attribute public key component associated with that attribute value;
A4. The trusted authority randomly selects a collision-resistant hash function H, which maps a message m or a random message m' to a single element;
A5. For each node of the binary tree, the trusted authority selects a random number, generates the corresponding master key component, and at the same time generates the binary tree public key component associated with the user identity;
A6. The trusted authority selects a probabilistic encryption scheme (Enc, Dec), where Enc is the encryption function and Dec is the decryption function. The scheme is a symmetric encryption scheme that encrypts the user identity uid and returns a different result each time it is run under the same symmetric key k;
A7. The trusted authority publishes the public key PK and keeps the master key MSK secret:
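The binary tree bookkeeping of step A1 in working form, as an added example written for this page and not the patent's own code: breadth-first numbering with the root as node 0, the leaf assigned to a user identity, path(uid) as used in step C3, and the minimal cover list cover(L). The cover is computed with the complete-subtree method (the roots of the maximal subtrees containing no revoked leaf), which is this example's assumption about how the page's "minimum coverage set" is built; the tracing check is modelled on step H under the further assumption that a user is accepted when path(uid) ∩ cover(L) is non-empty. The depth and the revoked identities are constructed for illustration.

```python
"""Binary tree bookkeeping for the revocation mechanism (steps A1, C3, H, I).

Added example, not the patent's code. Nodes are numbered breadth-first with the root
as 0, users sit on the leaves, and cover(L) is computed with the complete-subtree
method: the roots of the maximal subtrees containing no revoked leaf. That choice of
cover algorithm is an assumption of this example.
"""


def tree_size(depth):
    """Number of nodes of a full binary tree of depth `depth` (2**depth leaves)."""
    return 2 ** (depth + 1) - 1


def leaf_node(depth, uid):
    """Leaf number l_x assigned to user identity uid, 0 <= uid < 2**depth."""
    if not 0 <= uid < 2 ** depth:
        raise ValueError("uid outside the tree")
    return (2 ** depth - 1) + uid


def parent(node):
    """Parent of a node under breadth-first numbering (children of k are 2k+1, 2k+2)."""
    return (node - 1) // 2


def path(depth, uid):
    """path(uid): node numbers from the root down to the user's leaf."""
    node = leaf_node(depth, uid)
    nodes = [node]
    while node != 0:
        node = parent(node)
        nodes.append(node)
    return nodes[::-1]


def cover(depth, revoked):
    """cover(L): minimal set of subtree roots covering exactly the non-revoked leaves."""
    tainted = set()  # every node with a revoked leaf beneath it (or being one)
    for uid in revoked:
        node = leaf_node(depth, uid)
        while True:
            tainted.add(node)
            if node == 0:
                break
            node = parent(node)
    if not tainted:
        return [0]  # nobody revoked: the root covers everyone
    size = tree_size(depth)
    out = []
    for node in tainted:
        for child in (2 * node + 1, 2 * node + 2):
            if child < size and child not in tainted:
                out.append(child)  # clean subtree whose parent is tainted: maximal
    return sorted(out)


def decryption_node(depth, uid, revoked):
    """The unique node in path(uid) ∩ cover(L) that decryption uses; None if uid is revoked."""
    common = set(path(depth, uid)) & set(cover(depth, revoked))
    return min(common) if common else None


def trace(depth, leaf, revoked):
    """Tracing check modelled on step H: the leaf number l_x recovered from K_1 names a
    user, accepted only if that user is still covered by cover(L) (assumption: the
    page's membership test is read as path(uid) ∩ cover(L) being non-empty)."""
    first_leaf = 2 ** depth - 1
    if not first_leaf <= leaf < tree_size(depth):
        return None  # malformed key material: not a leaf number
    uid = leaf - first_leaf
    return uid if decryption_node(depth, uid, revoked) is not None else None


if __name__ == "__main__":
    d = 3
    print("nodes:", tree_size(d), "last leaf:", tree_size(d) - 1)
    print("path(5):", path(d, 5))
    print("cover({0}):", cover(d, [0]))
    print("node for uid 5:", decryption_node(d, 5, [0]), "uid 0:", decryption_node(d, 0, [0]))
```

For a tree of depth 3 this gives 15 nodes with the last leaf at 14 = 2·8 − 2 as the page states; revoking user 0 turns cover(L) into {2, 4, 8}, every other user's path meets it in exactly one node, and user 0's path meets it nowhere, which is what makes both decryption and tracing fail for a revoked identity after the ciphertext update of step I.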
B. Encryption: the data owner takes the global public key PK, the message m, the access structure $(M, \rho)$ and the cover list cover(L), where cover(L) is the set of node numbers of the minimal cover set associated with the user revocation list L, encrypts the message m and generates the ciphertext CT, specifically as follows:
B1. The data owner selects an access structure $(M, \rho)$, where M is an access matrix of order $l \times n$ and ρ is the mapping that assigns each row $M_i$ of M to an attribute. The data owner then selects two random secret exponents $s, s'$ and sets two random column vectors $v = (s, v_2, \dots, v_n)$ and $v' = (s', v'_2, \dots, v'_n)$, in which the entries other than s and s' are randomly selected. Finally, for each row $M_i$, the data owner computes the shares associated with the secret exponents s and s': $\lambda_i = M_i \cdot v$ and $\lambda'_i = M_i \cdot v'$;
B2. The data owner selects the message m to be encrypted and a randomly chosen message m', and computes ciphertext components associated with the access structure, including $C_1 = m \cdot e(g,g)^{\alpha s}$, $C'_1 = g^{s}$, $C''_1 = g^{as}$, $C_2 = m' \cdot e(g,g)^{\alpha s'}$, $C'_2 = g^{s'}$ and $C''_2 = g^{as'}$;
B3. When the data owner receives the latest cover list cover(L) sent by the trusted authority, the data owner generates the ciphertext components associated with cover(L);
B4. Finally, the generated ciphertext CT is:
B5. Once the fog node receives the data owner's ciphertext, it calls a smart contract, and after the transaction is generated, the fog node broadcasts the transaction to the other fog nodes for consensus verification.
C. Key generation: the trusted authority generates the decryption key SK from the global public key PK, the user identity information uid and the user attribute set S, specifically as follows:
C1. The trusted authority selects a random number and, using the probabilistic encryption scheme under the symmetric key k, generates the random value $f = \mathrm{Enc}_k(l_x)$, where $l_x$ is the leaf node associated with the user identity;
C2. The trusted authority first generates the key components associated with the attribute set S, including $K_1 = f$, $K_3 = g^{b}$ and $K_4 = g^{ab}$;
C3. The trusted authority selects a random number and generates the key elements associated with the user identity uid for the nodes $x \in \mathrm{path}(uid) \cap \mathrm{cover}(L)$, where path(uid) is the set of node numbers on the path of the binary tree from the root node to the leaf node of user uid; the trusted authority then generates the key components associated with the user identity uid, including $K_6 = g^{w}$;
C4. The trusted authority generates the key SK and sends it to the data user: $SK = \{K_1, K_2, K_3, K_4, K_i, K_5, K_6, K_7, K_8\}$.
D. Decryption: the user decrypts the ciphertext CT into the message m with the decryption key SK, specifically as follows:
D1. Find two sets of constants $c_i$ and $c'_i$ over the attribute mapping set $I = \{i \mid \rho(i) \in S\}$ that satisfy the two reconstruction equations;
D2. The data user first computes two decryption components;
D3. The data user then computes the two plaintexts $m = C_1 / Y'_1$ and $m' = C_2 / Y'_2$, and checks whether the corresponding ciphertext component equals the ciphertext verification parameter component $u^{H(m)} v^{H(m')} d$; if they are equal, the message m is returned, otherwise the operation is aborted.
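Steps B1 and D1 carried out in code, as an added example that is not part of the patent: the shares $\lambda_i = M_i \cdot v$ over $\mathbb{Z}_p$ and the reconstruction constants $c_i$ over $I = \{i \mid \rho(i) \in S\}$. The constants are found by solving $\sum_{i \in I} c_i M_i = (1, 0, \dots, 0)$ modulo p by Gauss-Jordan elimination, which is the standard LSSS reconstruction that shares of this form support; since the page's own reconstruction equations are not reproduced above, that equation is this example's. The prime p, the access matrix for the policy (att1 AND att2) OR att3 and the attribute names are constructed for illustration, and the same routine is run twice for the two secret exponents s and s'.

```python
"""LSSS share generation (step B1) and reconstruction constants (step D1) over Z_p.

Added example, not the patent's code. The access matrix M (l x n) and the row-to-attribute
map rho realise the policy (att1 AND att2) OR att3; both are constructed for illustration,
as is the prime P.
"""
import secrets

P = (1 << 127) - 1  # prime modulus for the exponent ring (illustrative choice)

# Rows of M: att1 -> (1, 1), att2 -> (0, -1), att3 -> (1, 0).  The secret is recovered by any
# set of rows whose constant-weighted sum is the target vector (1, 0).
M = [[1, 1], [0, P - 1], [1, 0]]
RHO = ["att1", "att2", "att3"]


def share(M, s, p):
    """lambda_i = M_i . v with v = (s, v_2, ..., v_n), the entries after s random in Z_p."""
    n = len(M[0])
    v = [s % p] + [secrets.randbelow(p) for _ in range(n - 1)]
    return [sum(a * b for a, b in zip(row, v)) % p for row in M]


def reconstruction_constants(M, rho, S, p):
    """Constants c_i, i in I = {i | rho(i) in S}, with sum_i c_i * M_i = (1, 0, ..., 0) mod p.

    Then sum_i c_i * lambda_i = s for any v. Returns None when S does not satisfy the policy
    (the linear system is inconsistent). Solved by Gauss-Jordan elimination modulo p on the
    n x |I| system M_I^T c = e_1."""
    I = [i for i in range(len(M)) if rho[i] in S]
    if not I:
        return None
    n, k = len(M[0]), len(I)
    # augmented rows: one per column of M, unknowns are the c_i, last entry is e_1
    A = [[M[i][col] % p for i in I] + [1 if col == 0 else 0] for col in range(n)]
    pivots = []  # (row, column) of each pivot
    r = 0
    for c in range(k):
        piv = next((t for t in range(r, n) if A[t][c]), None)
        if piv is None:
            continue  # free unknown, fixed to 0 below
        A[r], A[piv] = A[piv], A[r]
        inv = pow(A[r][c], -1, p)
        A[r] = [x * inv % p for x in A[r]]
        for t in range(n):
            if t != r and A[t][c]:
                f = A[t][c]
                A[t] = [(x - f * y) % p for x, y in zip(A[t], A[r])]
        pivots.append((r, c))
        r += 1
        if r == n:
            break
    if any(A[t][k] for t in range(r, n)):
        return None  # 0 = nonzero: the attribute set cannot reconstruct s
    c_vec = [0] * k
    for row, col in pivots:
        c_vec[col] = A[row][k]
    return {I[j]: c_vec[j] for j in range(k)}


def reconstruct(shares, constants, p):
    """sum over I of c_i * lambda_i, which equals the shared secret s."""
    return sum(constants[i] * shares[i] for i in constants) % p


def decrypt_secret(M, rho, S, shares, p):
    """Step D1 end to end: returns s for an authorised S, None otherwise."""
    constants = reconstruction_constants(M, rho, S, p)
    return None if constants is None else reconstruct(shares, constants, p)


if __name__ == "__main__":
    s, s_prime = secrets.randbelow(P), secrets.randbelow(P)  # the two secret exponents of B1
    lam, lam_prime = share(M, s, P), share(M, s_prime, P)
    print(decrypt_secret(M, RHO, {"att1", "att2"}, lam, P) == s)
    print(decrypt_secret(M, RHO, {"att3"}, lam_prime, P) == s_prime)
    print(decrypt_secret(M, RHO, {"att1"}, lam, P))  # None: policy not satisfied
```

The inconsistency check at the end of the elimination is the part a practitioner should not drop: an attribute set outside the policy yields no constants at all, rather than constants that happen to reconstruct garbage, and the decryptor can abort before touching any pairing operation.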
E. Outsourcing key generation: the user converts the decryption key SK into the conversion key TK and the retrieval key RK, specifically as follows:
E1. The user selects a random number z and generates the conversion key components, including $K'_1 = K_1$, $K'_7 = K_7$ and $K'_8 = K_8$;
E2. The user sends the generated conversion key TK to the fog node and keeps the retrieval key RK: $TK = \{K'_1, K'_2, K'_3, K'_4, K'_i, K'_5, K'_6, K'_7, K'_8\}$, $RK = \{z\}$.
F. Outsourced conversion: the fog node converts the ciphertext CT into the converted ciphertext CT' from the public key PK, the ciphertext CT and the conversion key TK, and then sends the converted ciphertext CT' to the data user. The fog node computes the two converted ciphertext components:
G. Outsourced decryption: the user recovers the message m from the retrieval key RK, the ciphertext CT and the converted ciphertext CT', specifically as follows:
G1. The user first verifies the received information: if the converted ciphertext fails the first check, or $W_1 \ne C_1$, or $W_2 \ne C_2$, the operation is aborted; otherwise the verification passes;
G2. If the verification passes, the user computes the two plaintext messages;
G3. The user computes the two verification plaintext components $V_1 = u^{H(m)}$ and $V_2 = v^{H(m')}$ and sends $V_1$ and $V_2$ to the fog node; the fog node then calls the smart contract, which verifies whether the ciphertext verification component equals the plaintext verification parameter component $V_1 V_2 d$, so that public verifiability of the algorithm is achieved.
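The public verifiability check of steps B2, B5, D3 and G3 as one runnable exchange, added here as an example and not the patent's own code. The data owner binds m and m' into the verification component $u^{H(m)} v^{H(m')} d$, the fog node records the ciphertext hash on the ledger, the user publishes $V_1 = u^{H(m)}$ and $V_2 = v^{H(m')}$, and the contract checks $V_1 V_2 d$ against the recorded ciphertext without ever seeing m. The pairing group of the patent is replaced by the multiplicative group modulo a prime Q, an illustrative stand-in, with u, v, d drawn at random from it; the hash, the message bytes and the function names are this example's own.

```python
"""Public verifiability of the outsourced decryption (steps B2, B5, D3, G3).

Added example, not the patent's code. The owner binds m and m' into the verification
component C_v = u^H(m) * v^H(m') * d, the fog node records the ciphertext hash on the ledger,
the user publishes V_1 = u^H(m), V_2 = v^H(m'), and the contract checks V_1 * V_2 * d == C_v
without learning m. The pairing group of the patent is replaced by the multiplicative group
modulo the prime Q, an illustrative stand-in; u, v, d are random elements of it.
"""
import hashlib
import secrets

Q = (1 << 127) - 1  # prime modulus of the stand-in group (assumption, not the page's parameters)
ORDER = Q - 1       # exponents reduce modulo the group order


def H(msg):
    """Collision-resistant hash to an exponent (step A4): SHA-256 reduced modulo ORDER."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % ORDER


def setup():
    """Public elements u, v, d of step A2, drawn at random from the stand-in group."""
    return {name: secrets.randbelow(Q - 2) + 2 for name in ("u", "v", "d")}


def verification_component(pk, m, m_prime):
    """u^H(m) * v^H(m') * d, the ciphertext verification parameter component of steps B2/D3."""
    return pow(pk["u"], H(m), Q) * pow(pk["v"], H(m_prime), Q) * pk["d"] % Q


def owner_encrypt(pk, m, m_prime):
    """Step B2/B4 restricted to what this example needs: the ciphertext carries C_v.
    The attribute-based components are outside this example."""
    return {"C_v": verification_component(pk, m, m_prime)}


def ledger_record(ct):
    """Step B5: what the fog node's smart contract stores, the hash of the ciphertext."""
    return hashlib.sha256(repr(sorted(ct.items())).encode()).hexdigest()


def user_check(pk, ct, m, m_prime):
    """Step D3 / G2: the user's own check before returning m."""
    return verification_component(pk, m, m_prime) == ct["C_v"]


def user_prove(pk, m, m_prime):
    """Step G3: the two verification plaintext components V_1, V_2 sent to the fog node."""
    return pow(pk["u"], H(m), Q), pow(pk["v"], H(m_prime), Q)


def contract_verify(pk, ledger_hash, ct, v1, v2):
    """Step G3 on chain: reject a ciphertext that differs from the recorded one, then test
    V_1 * V_2 * d == C_v.  m and m' never reach the contract."""
    if ledger_record(ct) != ledger_hash:
        return False
    return v1 * v2 * pk["d"] % Q == ct["C_v"]


def run_protocol(m, m_prime, delivered_m=None, delivered_m_prime=None):
    """Whole flow; delivered_* model what the user actually recovers after the fog node's
    conversion, so a tampered or mis-converted result can be injected."""
    pk = setup()
    ct = owner_encrypt(pk, m, m_prime)
    record = ledger_record(ct)
    got_m = m if delivered_m is None else delivered_m
    got_mp = m_prime if delivered_m_prime is None else delivered_m_prime
    local_ok = user_check(pk, ct, got_m, got_mp)
    v1, v2 = user_prove(pk, got_m, got_mp)
    return local_ok, contract_verify(pk, record, ct, v1, v2)


if __name__ == "__main__":
    print(run_protocol(b"sensor reading 42", b"random padding"))
    print(run_protocol(b"sensor reading 42", b"random padding", b"sensor reading 43"))
```

Two properties are worth noting when reading the contract side: it only ever handles $V_1$, $V_2$, d and the ciphertext, so a correct outcome is publicly checkable without disclosing m, and a fog node that returns a wrong conversion is caught both by the user's local check and by the on-chain check, because a different m changes $u^{H(m)}$ and the product no longer matches the committed component. The binding of this check rests on the hardness of discrete logarithms in the chosen group; the plain modular group used here is a stand-in for the pairing group and is not a security recommendation.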
H. User identity tracing: the trusted authority outputs the user identity information uid or an error from the global public key PK, the minimal cover list cover(L) and the decryption key SK, specifically as follows:
H1. The trusted authority first checks whether the format of the input key SK is correct; if the format is wrong, the operation is aborted;
H2. If the format of SK is correct, the trusted authority searches whether $l_x$ is in the minimal cover list cover(L); if it is, the user identity uid is returned, otherwise a false user identity uid is returned, where the false user identity is one that can never be present in the system;
H3. The trusted authority updates the revocation list to $L' = L \cup \{uid\}$.
I. Ciphertext update: the trusted authority generates the updated ciphertext from the global public key PK, the ciphertext CT and the minimal cover list cover(L'), specifically as follows:
I1. The trusted authority selects a random number and computes the updated binary tree public key component associated with the user identity;
I2. The trusted authority computes the updated ciphertext components and the two ciphertext components associated with the updated cover list cover(L'), and then generates the updated ciphertext;
I3. The trusted authority then sends the updated ciphertext and the revocation list L' to the fog node, which calls the smart contract again to store the hash of the latest ciphertext.
The entities involved in the invention are a trusted authority, a data owner, fog nodes, a cloud storage provider, data users and a blockchain.
The trusted authority, considered fully trusted, generates the global public key PK and the master key MSK of the system, and also holds the user revocation list L and the binary tree. The trusted authority sends only the revocation list L and the minimal cover list cover(L') to the fog node and the data owner respectively, and never discloses the whole binary tree, which helps protect the privacy of the data users.
The data owner sets the access structure for the message by himself, encrypts the message with the system, and uploads the resulting ciphertext to the fog node.
The fog node is considered semi-trusted and maintains the user revocation list L. When a data user requests access to data, the request is sent to the fog node; after receiving it, if the data user is not in the revocation list L and the attribute set S matches the access structure, the fog node forwards the request to the trusted authority. Finally, the fog node also packages and sends key information to the blockchain.
The cloud storage provider, also considered semi-trusted, stores the ciphertext received from the fog node and returns the storage address $\mathrm{Address}_{CT}$ of the ciphertext to the fog node.
Each data user has an identity uid, and submits data requests and data verification by sending data description information to the fog node.
On the blockchain, the fog node stores information through the smart contract, such as the hash of the ciphertext, the hash of the updated ciphertext and the public key.
It should further be noted that the specific embodiments described in this specification may differ in their components, the shapes of those components, their names and the like; the above description is only an illustration of the structure of the invention. Equivalent or simple changes to the structure, characteristics and principles of the invention are included in the scope of protection of the patent. Those skilled in the art may make various modifications, additions and substitutions to the specific embodiments described without departing from the scope of the invention as defined in the accompanying claims.