CN112671543B - A publicly verifiable outsourced attribute-based encryption method based on blockchain - Google Patents


Info

Publication number: CN112671543B
Authority: CN (China)
Prior art keywords: user, key, ciphertext, trusted authority, attribute
Legal status: Active (Google notes that the legal status is an assumption and not a legal conclusion)
Application number: CN202011568809.6A
Other languages: Chinese (zh)
Other versions: CN112671543A
Inventors: 胡积飞, 谢满德, 雷希燕
Current assignee: Zhejiang Gongshang University
Original assignee: Zhejiang Gongshang University

Application filed by Zhejiang Gongshang University
Priority to CN202011568809.6A
Publication of CN112671543A
Application granted
Publication of CN112671543B
Status: Active
Anticipated expiration

Abstract

The invention provides a blockchain-based publicly verifiable outsourced attribute-based encryption method which not only traces the secret key of a malicious user but also revokes that user, and which at the same time can update ciphertexts promptly, allows outsourced decryption to be publicly verified, and provides forward security for the mechanism. The invention comprises the following steps: A. system initialization; B. encryption; C. key generation; D. decryption; E. outsourced key generation; F. outsourced conversion; G. outsourced decryption; H. tracing the identity of the user.

Description

Translated from Chinese
A publicly verifiable outsourced attribute-based encryption method based on blockchain

Technical field

The invention relates to a publicly verifiable outsourced attribute-based encryption method based on blockchain.

Background

As the Internet of Things (IoT) has developed over the past few decades, traditional IoT systems have come to face challenges of efficiency and system security. First, because a large volume of data is transmitted between IoT devices and traditional cloud servers, cloud servers suffer transmission delays and degraded quality of service. Second, sensitive data must be encrypted before it is uploaded to a cloud server, and fine-grained access control must be supported when sensitive data is shared. Finally, a malicious cloud server may tamper with sensitive data so that IoT devices cannot access it correctly.

For the first problem, fog computing is a suitable technology that addresses it well. Fog computing sits between IoT devices and the traditional centralized cloud infrastructure, and fog nodes are closer to the IoT devices than cloud servers are. IoT systems that use fog computing therefore give the real-time network applications and devices they enable lower latency and sufficient computing resources.

In addition, ciphertext-policy attribute-based encryption (CP-ABE), a promising cryptographic primitive, can effectively solve the second problem; it is commonly used to implement fine-grained cryptographic access control of data in the cloud. However, because IoT devices have limited storage and computing power, CP-ABE with outsourced decryption is better suited to IoT scenarios. When verifying the decryption result, most existing CP-ABE schemes with outsourced decryption allow only the original decryptor to check whether the third-party proxy returned the correct converted ciphertext. In that case, once the decryption result is disputed, the decryption key must be disclosed to an arbitrator. CP-ABE with outsourced decryption must therefore achieve public verifiability of decryption results. Likewise, traditional CP-ABE still has the problem that a malicious user may leak his decryption key to others without bearing any risk of being traced and revoked.

In summary, it is necessary to design a CP-ABE scheme that supports tracing and revocation of malicious users as well as publicly verifiable outsourced decryption.

Summary of the invention

The purpose of the present invention is to overcome the above-mentioned deficiencies of the prior art and to provide a reasonably designed blockchain-based publicly verifiable outsourced attribute-based encryption method that not only traces the secret key of a malicious user but also revokes that user, and that at the same time can update ciphertexts promptly, allows outsourced decryption to be publicly verified, and provides forward security for the mechanism.

The technical scheme adopted by the present invention to solve the above problems is:

A publicly verifiable outsourced attribute-based encryption method based on blockchain, characterized in that it comprises the following steps:

A. System initialization: the trusted authority generates a global public key and a master key from the security parameter and the universe of attributes, publishes the global public key and keeps the master key secret;

B. Encryption: the data owner encrypts the message and produces a ciphertext according to the global public key, an access structure and a cover list;

C. Key generation: the trusted authority generates a decryption key according to the global public key, the user's identity information and the user's attribute set, and sends the decryption key to the data user;

D. Decryption: the user decrypts the ciphertext into the message with the decryption key;

E. Outsourced key generation: the user derives a conversion key and a retrieval key from the decryption key, sends the conversion key to the fog node and keeps the retrieval key;

F. Outsourced conversion: the fog node converts the ciphertext into a converted ciphertext according to the global public key, the ciphertext and the conversion key, and then sends the converted ciphertext to the data user;

G. Outsourced decryption: the user recovers the message from the retrieval key, the ciphertext and the converted ciphertext;

H. Tracing the user identity: the trusted authority outputs the user's identity information or an error message according to the global public key, the minimum cover list and the decryption key;

I. Ciphertext update: the trusted authority generates an updated ciphertext according to the global public key, the ciphertext and the minimum cover list, and sends the updated ciphertext to the fog nodes.

Step A of the present invention specifically includes the following steps:

A1. First, the trusted authority receives the universe of attributes U and, according to an implicit security parameter λ, selects two multiplicative cyclic groups of prime order p with generator g
Figure BDA0002861864080000021
and
Figure BDA0002861864080000022
and a bilinear map
Figure BDA0002861864080000023
Then the trusted authority initializes an empty user revocation list L and a full binary tree
Figure BDA0002861864080000024
After initialization, the trusted authority assigns each user's identity to a leaf node of the full binary tree
Figure BDA0002861864080000025
The nodes of the binary tree
Figure BDA0002861864080000026
are numbered in breadth-first order, the root having number 0, and d denotes the depth of the binary tree
Figure BDA0002861864080000027
so the maximum number of users is |Num| = 2^d, the number of nodes of the binary tree is 2|Num|-2, and the number of the last leaf node of the binary tree is therefore 2|Num|-2;

A2. The trusted authority chooses two random numbers α,
Figure BDA0002861864080000028
where
Figure BDA0002861864080000029
is the ring of integers of order p; the trusted authority then also chooses five random numbers g, u, v, d,
Figure BDA00028618640800000210

A3. For each attribute value i ∈ U, the trusted authority chooses a random number
Figure BDA00028618640800000211
where
Figure BDA00028618640800000212
is the ring of positive integers of order p, and computes the attribute public key component associated with that attribute value
Figure BDA0002861864080000031

A4. The trusted authority randomly selects a collision-resistant hash function
Figure BDA0002861864080000032
which maps a message m or a random message m′ to an element of
Figure BDA0002861864080000033

A5. For each node of the binary tree
Figure BDA0002861864080000034
the trusted authority picks a random number
Figure BDA0002861864080000035
and then generates the master key component
Figure BDA0002861864080000036
and, at the same time, the binary-tree public key component associated with the user identity
Figure BDA0002861864080000037

A6. The trusted authority selects a probabilistic encryption scheme (Enc, Dec), where Enc is the encryption function and Dec is the decryption function;

A7. The trusted authority publishes the public key PK and keeps the master key MSK secret.

Step B of the present invention specifically includes the following steps:

B1. The data owner chooses an access structure
Figure BDA00028618640800000316
where M is an l×n access matrix and ρ is a mapping that maps M_i, the i-th row of M, to an attribute; then the data owner chooses two random secret exponents s,
Figure BDA0002861864080000038
and sets two random column vectors v = (s, v_2, ..., v_n) and v′ = (s′, v′_2, ..., v′_n), where
Figure BDA0002861864080000039
Finally, for each M_i the data owner computes the shares λ_i = M_i × v and λ′_i = M_i × v′ of the secret exponents s and s′;

B2. The data owner selects the message m to be encrypted and a randomly chosen message m′, and computes the following ciphertext components associated with the access structure
Figure BDA00028618640800000310
Figure BDA00028618640800000311
C_1 = m·e(g,g)^{αs}, C′_1 = g^s, C″_1 = g^{as},
Figure BDA00028618640800000312
C_2 = m′·e(g,g)^{αs′}, C′_2 = g^{s′}, and C″_2 = g^{as′},
Figure BDA00028618640800000313

B3. Once the data owner receives the latest cover list cover(L) sent by the trusted authority, it generates the ciphertext component associated with that cover list cover(L)
Figure BDA00028618640800000314

B4. Finally, the generated ciphertext CT is:

Figure BDA00028618640800000315

B5. Once a fog node receives the data owner's ciphertext, it invokes a smart contract; after the smart contract has been generated, the fog node broadcasts the transaction to the other fog nodes for consensus verification.

Step C of the present invention specifically includes the following steps:

C1. The trusted authority randomly chooses a random number
Figure BDA0002861864080000041
and, using the probabilistic encryption scheme with symmetric key k, generates a random number f = Enc_k(l_x), where l_x is the leaf node associated with the user's identity;

C2. The trusted authority first generates the key components associated with the user attribute set S: K_1 = f,
Figure BDA0002861864080000042
K_3 = g^b and K_4 = g^{ab},
Figure BDA0002861864080000043

C3. The trusted authority chooses a random number
Figure BDA0002861864080000044
and generates the key elements associated with the user identity uid
Figure BDA0002861864080000045
and
Figure BDA0002861864080000046
where x ∈ path(uid) ∩ cover(L) and path(uid) is the set of node numbers on the path of the binary tree from the root node to the leaf node of the associated user uid; the trusted authority then generates the key components associated with the user identity uid:
Figure BDA0002861864080000047
K_6 = g^w,
Figure BDA0002861864080000048

C4. The trusted authority generates the key SK and sends it to the data user, where:

SK = {K_1, K_2, K_3, K_4, K_i, K_5, K_6, K_7, K_8}.

Step D of the present invention specifically includes the following steps:

D1. Find two sets of constants c_i and c′_i that make the two equations
Figure BDA0002861864080000049
hold, where the attribute index set is I = {i | ρ(i) ∈ S};

D2. The data user first computes two decryption components:

Figure BDA00028618640800000410

Figure BDA00028618640800000411

D3. The data user then computes the two plaintext components m = C_1/Y′_1 and m′ = C_2/Y′_2 and checks whether the ciphertext component
Figure BDA00028618640800000412
equals the ciphertext verification parameter component u^{H(m)} v^{H(m′)} d; if they are equal the message m is returned, otherwise the operation is aborted.

Step E of the present invention specifically includes the following steps:

E1. The user chooses a random number z and generates the conversion key components K′_1 = K_1,
Figure BDA00028618640800000413
and
Figure BDA00028618640800000414
K′_7 = K_7, K′_8 = K_8;

E2. The user sends the generated conversion key TK to the fog node and keeps the retrieval key RK, where:

TK = {K′_1, K′_2, K′_3, K′_4, K′_i, K′_5, K′_6, K′_7, K′_8}, RK = {z}.

In step F of the present invention, the fog node computes the two converted ciphertext components:

Figure BDA0002861864080000051

Figure BDA0002861864080000052

Step G of the present invention specifically includes the following steps:

G1. The user first verifies the received information: if
Figure BDA0002861864080000053
or W_1 ≠ C_1 or W_2 ≠ C_2, the operation is aborted; otherwise the verification passes;

G2. If the verification passes, the user computes the two plaintext messages:

Figure BDA0002861864080000054

G3. The user computes the two plaintext verification components V_1 = u^{H(m)} and V_2 = v^{H(m′)} and sends V_1 and V_2 to the fog node; the fog node then invokes the smart contract, and the smart contract verifies whether
Figure BDA0002861864080000055
equals the plaintext verification parameter component V_1 V_2 d.

Step H of the present invention specifically includes the following steps:

H1. First, the trusted authority checks whether the format of the input public key SK is correct; if it is wrong, the operation is aborted;

H2. If the format of the public key SK is correct, the trusted authority searches for l_x in the minimum cover list cover(L); if it is present, the user identity uid is returned, otherwise a false user identity uid* is returned;

H3. The trusted authority updates the revocation list to L′ = L ∪ {uid}.

Step I of the present invention specifically includes the following steps:

I1. The trusted authority chooses a random number
Figure BDA0002861864080000056
and computes the updated binary-tree public key component associated with the user identity
Figure BDA0002861864080000057

I2. The trusted authority computes the updated ciphertext component:
Figure BDA0002861864080000058
and the two updated ciphertext components associated with the cover list cover(L)
Figure BDA0002861864080000059
and
Figure BDA00028618640800000510
and then generates the updated ciphertext:

Figure BDA00028618640800000511

I3. The trusted authority then sends the updated ciphertext and the revocation list L′ to the fog node, and the fog node invokes the smart contract again to store the hash of the latest ciphertext.

Compared with the prior art, the present invention has the following advantages and effects:

1. The present invention combines outsourced decryption with blockchain, achieving public verifiability of outsourced decryption results while guaranteeing that fog nodes learn nothing about the plaintext; this also effectively prevents the cloud server from tampering with the ciphertext and prevents users from falsely accusing an outsourced-decryption fog node of providing a wrong decryption service.

2. It implements tracing of malicious users, revocation of malicious users and timely updating of ciphertexts: users' identity information is assigned to the leaf nodes of a binary tree, and once a malicious user is traced it is added to the revocation list, which realizes the tracing and revocation of malicious users.

3. By publishing the outsourced decryption information through blockchain technology, it realizes public verifiability of outsourced-decryption attribute-based encryption.

4. Its three-tier "IoT device - fog node - cloud server" architecture solves the latency problem of the traditional centralized cloud server architecture.

5. It offers users stronger privacy protection with high efficiency, making it convenient for mobile devices with limited bandwidth and resources.

Description of drawings

FIG. 1 is a schematic overview of the binary tree according to an embodiment of the present invention.

Detailed description

The present invention is further described in detail below with reference to the accompanying drawing and by way of an embodiment; the following embodiment explains the present invention, and the present invention is not limited to it.

The blockchain-based publicly verifiable outsourced attribute-based encryption method of this embodiment specifically includes the following steps:

A. System initialization: the trusted authority generates the global public key PK and the master key MSK from the implicit security parameter λ and the universe of attributes U; this specifically includes the following steps:

A1. First, the trusted authority receives the universe of attributes U and, according to an implicit security parameter λ, selects two multiplicative cyclic groups of prime order p with generator g
Figure BDA0002861864080000061
and
Figure BDA0002861864080000062
and a bilinear map
Figure BDA0002861864080000063
Then the trusted authority initializes an empty user revocation list L and a full binary tree
Figure BDA0002861864080000064
After initialization, the trusted authority assigns each user's identity to a leaf node of the full binary tree
Figure BDA0002861864080000065
The nodes of the binary tree
Figure BDA0002861864080000066
are numbered in breadth-first order, the root having number 0, and d denotes the depth of the binary tree
Figure BDA0002861864080000067
so the maximum number of users is |Num| = 2^d, the number of nodes of the binary tree is 2|Num|-2, and the number of the last leaf node of the binary tree is therefore 2|Num|-2;

A2. The trusted authority chooses two random numbers α,
Figure BDA0002861864080000068
where
Figure BDA0002861864080000069
is the ring of integers of order p. The trusted authority then also chooses five random numbers g, u, v, d,
Figure BDA0002861864080000071

A3. For each attribute value i ∈ U, the trusted authority chooses a random number
Figure BDA0002861864080000072
where
Figure BDA0002861864080000073
is the ring of positive integers of order p, and computes the attribute public key component associated with that attribute value
Figure BDA0002861864080000074

A4. The trusted authority randomly selects a collision-resistant hash function
Figure BDA0002861864080000075
which maps a message m or a random message m′ to an element of
Figure BDA0002861864080000076

A5. For each node of the binary tree
Figure BDA0002861864080000077
the trusted authority picks a random number
Figure BDA0002861864080000078
and then generates the master key component
Figure BDA0002861864080000079
and, at the same time, the binary-tree public key component associated with the user identity
Figure BDA00028618640800000710

A6. The trusted authority selects a probabilistic encryption scheme (Enc, Dec), where Enc is the encryption function and Dec is the decryption function. The scheme is a symmetric encryption scheme that maps a user identity uid to an element of
Figure BDA00028618640800000711
and returns a different result each time it encrypts under the symmetric key k;

A7. The trusted authority publishes the public key PK and keeps the master key MSK secret:

Figure BDA00028618640800000712

Figure BDA00028618640800000713

B. Encryption: the data owner takes the global public key PK, the message m, an access structure
Figure BDA00028618640800000714
and the cover list cover(L), where cover(L) is the set of node numbers of the minimum cover set associated with the user revocation list L, encrypts the message m and produces the ciphertext CT; this specifically includes the following steps:

B1. The data owner chooses an access structure
Figure BDA00028618640800000715
where M is an l×n access matrix and ρ is a mapping that maps M_i, the i-th row of M, to an attribute; then the data owner chooses two random secret exponents s,
Figure BDA00028618640800000716
and sets two random column vectors v = (s, v_2, ..., v_n) and v′ = (s′, v′_2, ..., v′_n), where
Figure BDA00028618640800000717
and
Figure BDA00028618640800000718
are the chosen random numbers; finally, for each M_i the data owner computes the shares λ_i = M_i × v and λ′_i = M_i × v′ of the secret exponents s and s′;

B2. The data owner selects the message m to be encrypted and a randomly chosen message m′, and computes the following ciphertext components associated with the access structure
Figure BDA00028618640800000719
Figure BDA0002861864080000081
C_1 = m·e(g,g)^{αs}, C′_1 = g^s, C″_1 = g^{as},
Figure BDA0002861864080000082
C_2 = m′·e(g,g)^{αs′}, C′_2 = g^{s′}, and
Figure BDA0002861864080000083

B3. Once the data owner receives the latest cover list cover(L) sent by the trusted authority, it generates the ciphertext component associated with the cover list cover(L)
Figure BDA0002861864080000084

B4. Finally, the generated ciphertext CT is:

Figure BDA0002861864080000085

B5. Once a fog node receives the data owner's ciphertext, it invokes a smart contract; after the contract has been generated, the fog node broadcasts the transaction to the other fog nodes for consensus verification.

C、密钥生成:可信机构根据全局公共密钥PK,用户的身份信息uid以及用户属性集S,生成解密密钥SK;具体包括如下步骤:C. Key generation: the trusted authority generates the decryption key SK according to the global public key PK, the user's identity information uid and the user attribute set S; the specific steps are as follows:

C1、可信机构随机选择一个随机数

Figure BDA0002861864080000086
并且用对称密钥为k的概率加密方案生成一个随机数f=Enck(lx),其中lx是与用户身份相关联的叶子节点;C1. The trusted institution randomly selects a random number
Figure BDA0002861864080000086
And generate a random number f=Enck (lx ) using a probabilistic encryption scheme with a symmetric key k, where lx is a leaf node associated with the user identity;

C2、可信机构首先生成与属性集S相关联的密钥组件:K1=f,

Figure BDA0002861864080000087
K3=gb以及K4=gab
Figure BDA0002861864080000088
C2. The trusted authority first generates a key component associated with the attribute set S: K1 =f,
Figure BDA0002861864080000087
K3 =gb and K4 =gab ,
Figure BDA0002861864080000088

C3. The trusted authority selects a random number

Figure BDA0002861864080000089
and generates the key elements associated with the user identity uid
Figure BDA00028618640800000810
and
Figure BDA00028618640800000811
where x ∈ path(uid) ∩ cover(L) and path(uid) is the set of node numbers on the path of the binary tree from the root to the leaf node of user uid; the trusted authority then generates the key components associated with the user identity uid:
Figure BDA00028618640800000812
K6 = g^w,
Figure BDA00028618640800000813

C4. The trusted authority generates the key SK and sends it to the data user:

SK = {K1, K2, K3, K4, Ki, K5, K6, K7, K8}.

D. Decryption: the user decrypts the ciphertext CT into the message m with the decryption key SK; the specific steps are as follows:

D1. Find two sets of constants ci and c′i such that the two equations

Figure BDA00028618640800000814
hold, where the attribute mapping set is I = {i | ρ(i) ∈ S};

D2. The data user first computes two decryption components:

Figure BDA0002861864080000091

Figure BDA0002861864080000092

D3. The data user then computes two plaintext components m = C1/Y′1 and m′ = C2/Y′2, and checks whether the ciphertext component

Figure BDA0002861864080000093
equals the ciphertext verification parameter component u^{H(m)} v^{H(m′)} d; if they are equal the message m is returned, otherwise the operation is aborted.

E. Outsourced key generation: the user converts the decryption key SK into a transformation key TK and a retrieval key RK; the specific steps are as follows:

E1. The user selects a random number z and generates the transformation key components K′1 = K1,

Figure BDA0002861864080000094
and
Figure BDA0002861864080000095
K′7 = K7, K′8 = K8;

E2. The user sends the generated transformation key TK to the fog node and keeps the retrieval key RK:

TK = {K′1, K′2, K′3, K′4, K′i, K′5, K′6, K′7, K′8},

RK = {z}.

F. Outsourced transformation: from the public key PK, the ciphertext CT and the transformation key TK, the fog node transforms the ciphertext CT into the transformed ciphertext CT′, with

Figure BDA0002861864080000096
and then sends the transformed ciphertext CT′ to the data user.

Here the fog node computes two transformed ciphertext components:

Figure BDA0002861864080000097

Figure BDA0002861864080000098

G. Outsourced decryption: the user recovers the message m from the retrieval key RK, the ciphertext CT and the transformed ciphertext CT′; the specific steps are as follows:

G1. The user first verifies the received information: if

Figure BDA0002861864080000099
or W1 ≠ C1 or W2 ≠ C2, the operation is aborted; otherwise the check passes;

G2. If the check passes, the user computes the two plaintext messages:

Figure BDA00028618640800000910

Figure BDA0002861864080000101

G3. The user computes two plaintext verification components V1 = u^{H(m)} and V2 = v^{H(m′)} and sends V1 and V2 to the fog node; the fog node then invokes the smart contract, which achieves public verifiability of the algorithm by checking whether

Figure BDA0002861864080000102
equals the plaintext verification parameter component V1 V2 d.

H. Tracing the user identity: from the global public key PK, the minimum cover list cover(L) and the decryption key SK, the trusted authority outputs the user identity uid or an error; the specific steps are as follows:

H1. The trusted authority first checks whether the input key SK is well-formed; if it is not, the operation is aborted;

H2. If SK is well-formed, the trusted authority searches for lx in the minimum cover list cover(L); if it is found, the user identity uid is returned, otherwise a dummy user identity uid* is returned, where uid* never occurs in the system;

H3. The trusted authority updates the revocation list to L′ = L ∪ {uid}.
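The binary tree of claim A1, path(uid) of step C3 and the cover list cover(L) used in steps H and I, as an added example that is not code from the patent. It numbers a full binary tree of depth d breadth-first with root 0 as claim A1 does, treats uid as the 0-based leaf position, and computes cover(L) with the standard complete-subtree method (children of the Steiner tree spanned by the revoked leaves); the patent does not spell out its cover algorithm, only that a user's key elements exist for x ∈ path(uid) ∩ cover(L), so that choice is an assumption. The function names are assumptions as well.

```python
"""Binary-tree user numbering, path(uid) and cover(L) for revocation.

Added example, not the patent's own code. Tree numbering follows claim A1
(breadth-first, root = 0); cover(L) uses the complete-subtree method, which
the patent does not name, so it is an assumption.
"""


def leaf_of(uid, d):
    """Leaf node number for user uid; leaves occupy 2^d - 1 .. 2^(d+1) - 2."""
    if not 0 <= uid < (1 << d):
        raise ValueError("uid outside a tree of depth %d" % d)
    return (1 << d) - 1 + uid


def path(uid, d):
    """path(uid): node numbers from the root down to the user's leaf."""
    x = leaf_of(uid, d)
    nodes = [x]
    while x > 0:
        x = (x - 1) // 2  # parent in breadth-first numbering
        nodes.append(x)
    return nodes[::-1]


def children(x):
    return 2 * x + 1, 2 * x + 2


def cover(L, d):
    """cover(L): minimal subtree roots whose leaves are exactly the non-revoked users.

    With no revoked users the root alone covers everyone; with r revoked users
    the list has at most r*d entries, which is what the data owner encrypts
    against in step B3.
    """
    if not L:
        return [0]
    steiner = set()
    for uid in L:
        steiner.update(path(uid, d))  # nodes on some revoked user's path
    first_leaf = (1 << d) - 1
    cov = []
    for x in steiner:
        if x >= first_leaf:
            continue  # leaves have no children
        for ch in children(x):
            if ch not in steiner:
                cov.append(ch)  # a whole subtree with no revoked leaf
    return sorted(cov)


def can_decrypt(uid, L, d):
    """The key elements of step C3 exist for x in path(uid) ∩ cover(L) iff uid is not revoked."""
    return bool(set(path(uid, d)) & set(cover(L, d)))


if __name__ == "__main__":
    d, L = 3, [2, 5]  # constructed: 8 users, users 2 and 5 revoked
    print("cover(L) =", cover(L, d))
    for uid in range(1 << d):
        print(uid, path(uid, d), "can decrypt" if can_decrypt(uid, L, d) else "revoked")
```

After step H3 adds a traced user to L′, step I re-encrypts against cover(L′); running cover() on the new list shows why the update is needed: the old cover nodes that lie on the traced user's path are replaced by smaller subtrees that exclude that leaf.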

I. Ciphertext update: from the global public key PK, the ciphertext CT and the minimum cover list cover(L′), the trusted authority generates the updated ciphertext CT″; the specific steps are as follows:

I1. The trusted authority selects a random number

Figure BDA0002861864080000103
and computes the updated binary-tree public key component associated with the user identity
Figure BDA0002861864080000104

I2. The trusted authority computes the updated ciphertext components:

Figure BDA0002861864080000105

Figure BDA0002861864080000106
and computes the two updated ciphertext components associated with the cover list cover(L)
Figure BDA0002861864080000107
and
Figure BDA0002861864080000108
and then generates the updated ciphertext:

Figure BDA0002861864080000109

I3. The trusted authority then sends the updated ciphertext and the revocation list L′ to the fog node, which invokes the smart contract again to store the latest ciphertext hash.

The entities involved in the invention are the trusted authority, the data owner, the fog nodes, the cloud storage provider, the data users and the blockchain.

Trusted authority: it is considered fully trusted and generates the global public key PK and the master key MSK for the system; it also holds the user revocation list L and the binary tree

Figure BDA0002861864080000111
At the same time, the trusted authority sends only the revocation list L to the fog nodes and the minimum cover list cover(L′) to the data owner, rather than publishing the entire binary tree, which helps protect the privacy of data users. In addition, the trusted authority generates the decryption key SK and sends it to the data user, and updates the ciphertext promptly after a user is added to the revocation list L.

Data owner: sets the access structure for the message to be encrypted, encrypts the message with the system and uploads the resulting ciphertext to a fog node.

Fog node: it is considered semi-trusted and maintains the user revocation list L. When a data user requests access to data, the request is sent to a fog node; on receiving it, if the data user is not in the revocation list L and the attribute set S matches the access structure, the fog node forwards the request to the trusted authority. Finally, the fog node also packages key information and sends it to the blockchain.

Cloud storage provider: also considered semi-trusted, it stores the ciphertext received from the fog node and returns the storage location AdressCT of the ciphertext to the fog node.

Data user: each data user has an identity uid and expresses data requests and data verification by sending data description information to a fog node.

Blockchain: fog nodes store information on the blockchain through smart contracts, for example the hash of the ciphertext, the hash of the updated ciphertext and the public key.

In addition, it should be noted that the specific embodiments described in this specification may differ in the shape and naming of their parts; the above description is only an illustration of the structure of the invention. All equivalent or simple changes made according to the construction, features and principles of the inventive concept fall within the protection scope of the patent. Those skilled in the art may make various modifications or additions to the described embodiments, or substitute similar means, and all of these fall within the protection scope of the invention as long as they do not depart from its structure or exceed the scope defined by the claims.

Claims (10)

1. A blockchain-based publicly verifiable outsourced attribute-based encryption method, characterized in that it comprises the following steps:
A. system initialization: the trusted authority generates a global public key and a master key from the security parameter and the full attribute set, publishes the global public key and keeps the master key secret;
B. encryption: the data owner encrypts the message and generates a ciphertext from the global public key, the access structure and the cover list;
C. key generation: the trusted authority generates a decryption key from the global public key, the identity information of the user and the user attribute set, and sends the decryption key to the data user;
D. decryption: the user decrypts the ciphertext into a message with the decryption key;
E. outsourced key generation: the user converts the decryption key into a transformation key and a retrieval key, sends the transformation key to the fog node and keeps the retrieval key;
F. outsourced transformation: the fog node transforms the ciphertext into a transformed ciphertext from the global public key, the ciphertext and the transformation key, and sends the transformed ciphertext to the data user;
G. outsourced decryption: the user recovers the message from the retrieval key, the ciphertext and the transformed ciphertext;
H. tracing the user identity: the trusted authority outputs the user identity or an error from the global public key, the minimum cover list and the decryption key;
I. ciphertext update: the trusted authority generates an updated ciphertext from the global public key, the ciphertext and the minimum cover list, and sends the updated ciphertext to the fog node.
2. The blockchain-based publicly verifiable outsourced attribute-based encryption method of claim 1, characterized in that step A specifically comprises:
A1. the trusted authority first receives the full attribute set U and, according to the implicit security parameter λ, selects two multiplicative cyclic groups of prime order p with generator g,
Figure FDA0003589438970000014
and
Figure FDA0003589438970000015
and a bilinear map
Figure FDA0003589438970000016
the trusted authority then initializes an empty user revocation list L and a full binary tree
Figure FDA0003589438970000018
after initialization, the trusted authority assigns the users' identities to the leaf nodes of the full binary tree
Figure FDA0003589438970000019
the nodes of the binary tree
Figure FDA00035894389700000110
are numbered in breadth-first order with the root node numbered 0, and d denotes the depth of the binary tree
Figure FDA00035894389700000111
so that the maximum number of users is |Num| = 2^d, the number of nodes of the binary tree is 2|Num| - 2 and the number of the last leaf node of the binary tree is 2|Num| - 2;
A2. the trusted authority selects two random numbers α,
Figure FDA0003589438970000011
where
Figure FDA0003589438970000012
is the integer ring of order p; the trusted authority then likewise selects five random elements g, u, v, d,
Figure FDA0003589438970000013
A3. for each attribute value i ∈ U, the trusted authority selects a random number
Figure FDA0003589438970000021
where
Figure FDA0003589438970000022
is the positive integer ring of order p, and computes the attribute public key component associated with the attribute value
Figure FDA0003589438970000023
A4. the trusted authority randomly selects a collision-resistant hash function H:
Figure FDA0003589438970000024
which maps a message m or a random message m′ to an element of
Figure FDA0003589438970000025
A5. for each node of the binary tree
Figure FDA00035894389700000219
the trusted authority selects a random number
Figure FDA0003589438970000026
then generates the master key component
Figure FDA0003589438970000027
and at the same time generates the binary-tree public key component associated with the user identity
Figure FDA0003589438970000028
A6. the trusted authority selects a probabilistic encryption scheme (Enc, Dec), where Enc is the encryption function and Dec the decryption function;
A7. the trusted authority publishes the public key PK and does not publish the master key MSK.
3. The blockchain-based publicly verifiable outsourced attribute-based encryption method of claim 2, characterized in that step B specifically comprises:
B1. the data owner selects an access structure
Figure FDA0003589438970000029
where M is an l × n access matrix and ρ is the mapping that maps each row Mi of M to an attribute, Mi being the i-th row of the access matrix M; the data owner then selects two random secret exponents
Figure FDA00035894389700000221
and sets two random column vectors v = (s, v2, ..., vn) and v′ = (s′, v′2, ..., v′n), where
Figure FDA00035894389700000220
finally, for each Mi the data owner computes the shares associated with the secret exponents s and s′: λi = Mi × v and λ′i = Mi × v′;
B2. the data owner selects the message m to be encrypted and a randomly chosen message m′, and computes the ciphertext components associated with the access structure
Figure FDA00035894389700000213
Figure FDA00035894389700000214
C1 = m·e(g,g)^{αs}, C′1 = g^s, C″1 = g^{as},
Figure FDA00035894389700000215
C2 = m′·e(g,g)^{αs′}, C′2 = g^{s′} and C″2 = g^{as′},
Figure FDA00035894389700000216
B3. on receiving the latest cover list cover(L) sent by the trusted authority, the data owner generates the ciphertext component associated with the cover list cover(L)
Figure FDA00035894389700000217
B4. finally, the generated ciphertext CT is:
Figure FDA00035894389700000218
B5. once a fog node receives the data owner's ciphertext, it invokes a smart contract; after the contract is generated, the fog node broadcasts the transaction to the other fog nodes for consensus verification.
4. The blockchain-based publicly verifiable outsourced attribute-based encryption method of claim 3, characterized in that step C specifically comprises:
C1. the trusted authority selects a random number
Figure FDA0003589438970000031
and generates a random value f = Enc_k(lx) with a probabilistic encryption scheme under the symmetric key k, where lx is the leaf node associated with the user identity;
C2. the trusted authority first generates the key components associated with the user attribute set S: K1 = f,
Figure FDA0003589438970000032
K3 = g^b and K4 = g^{ab},
Figure FDA0003589438970000033
C3. the trusted authority selects a random number
Figure FDA0003589438970000034
and generates the key elements associated with the user identity uid
Figure FDA0003589438970000035
and
Figure FDA0003589438970000036
where x ∈ path(uid) ∩ cover(L) and path(uid) is the set of node numbers on the path of the binary tree from the root to the leaf node of user uid; the trusted authority then generates the key components associated with the user identity uid:
Figure FDA0003589438970000037
K6 = g^w,
Figure FDA0003589438970000038
C4. the trusted authority generates the key SK and sends it to the data user, where:
SK = {K1, K2, K3, K4, Ki, K5, K6, K7, K8}.
5. The blockchain-based publicly verifiable outsourced attribute-based encryption method of claim 4, characterized in that step D specifically comprises:
D1. find two sets of constants ci and c′i such that the two equations
Figure FDA0003589438970000039
hold, where the attribute mapping set is I = {i | ρ(i) ∈ S};
D2. the data user first computes two decryption components:
Figure FDA00035894389700000310
Figure FDA00035894389700000311
D3. the data user then computes two plaintext components m = C1/Y′1 and m′ = C2/Y′2, and checks whether the ciphertext component
Figure FDA00035894389700000312
equals the ciphertext verification parameter component u^{H(m)} v^{H(m′)} d; if so, the message m is returned, otherwise the operation is aborted.
6. The blockchain-based publicly verifiable outsourced attribute-based encryption method of claim 5, characterized in that step E specifically comprises:
E1. the user selects a random number z and generates the transformation key components K′1 = K1,
Figure FDA0003589438970000041
and
Figure FDA0003589438970000042
K′7 = K7, K′8 = K8;
E2. the user sends the generated transformation key TK to the fog node and keeps the retrieval key RK, where:
TK = {K′1, K′2, K′3, K′4, K′i, K′5, K′6, K′7, K′8}, RK = {z}.
7. The blockchain-based publicly verifiable outsourced attribute-based encryption method of claim 6, characterized in that in step F the fog node computes the two transformed ciphertext components as:
Figure FDA0003589438970000043
Figure FDA0003589438970000044
8. The blockchain-based publicly verifiable outsourced attribute-based encryption method of claim 7, characterized in that step G specifically comprises:
G1. the user first verifies the received information: if
Figure FDA0003589438970000045
or W1 ≠ C1 or W2 ≠ C2, the operation is aborted, otherwise the check passes;
G2. if the check passes, the user computes the two plaintext messages:
Figure FDA0003589438970000046
G3. the user computes two plaintext verification components V1 = u^{H(m)} and V2 = v^{H(m′)} and sends V1 and V2 to the fog node; the fog node then invokes the smart contract, which verifies whether
Figure FDA0003589438970000047
equals the plaintext verification parameter component V1 V2 d.
9. The blockchain-based publicly verifiable outsourced attribute-based encryption method of claim 8, characterized in that step H specifically comprises:
H1. the trusted authority first checks whether the input key SK is well-formed; if it is not, the operation is aborted;
H2. if SK is well-formed, the trusted authority searches for lx in the minimum cover list cover(L); if it is found, the user identity uid is returned, otherwise a dummy user identity uid* is returned;
H3. the trusted authority updates the revocation list to L′ = L ∪ {uid}.
10. The blockchain-based publicly verifiable outsourced attribute-based encryption method of claim 9, characterized in that step I specifically comprises:
I1. the trusted authority selects a random number
Figure FDA0003589438970000051
and computes the updated binary-tree public key component associated with the user identity
Figure FDA0003589438970000052
I2. the trusted authority computes the updated ciphertext component:
Figure FDA0003589438970000053
and computes the two updated ciphertext components associated with the cover list cover(L)
Figure FDA0003589438970000054
and
Figure FDA0003589438970000055
and then generates the updated ciphertext:
Figure FDA0003589438970000056
I3. the trusted authority then sends the updated ciphertext and the revocation list L′ to the fog node, which invokes the smart contract again to store the latest ciphertext hash.
Priority Applications (1)

CN202011568809.6A, priority date 2020-12-25, filing date 2020-12-25: A publicly verifiable outsourced attribute-based encryption method based on blockchain

Publications (2)

CN112671543A (en), published 2021-04-16
CN112671543B (en), published 2022-06-28


Legal Events

PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
