CN116383877A - Keyword retrieval and verification method and device for hidden mode - Google Patents

Abstract

The invention provides a keyword retrieval and verification method and equipment of a hidden mode, wherein the retrieval method comprises the steps of obtaining an encrypted source file and a keyword index I from a data owner; acquiring a keyword trapdoor Tr from a data user; collecting a search request of a data user, obtaining a search result, and feeding back the search result to the data user; the search result is obtained through calculation with a keyword trapdoor Tr and a keyword index I; the keyword trapdoor Tr is obtained by homomorphic encryption operation of a data user according to authorization information; the authorization information is returned by the data owner according to the application access request of the data user; the authorization information includes: the first set of keywords W and common parameters. The keyword trapdoor is provided by the data user, and the encrypted source file in the cloud server is searched in an access mode or a search mode without displaying, so that keyword retrieval in a hidden mode is realized.

Description

Keyword retrieval and verification method and device for hidden mode

Technical Field

The invention belongs to the technical field of retrieving encrypted data, and particularly relates to a keyword retrieval and verification method and equipment for a hidden mode.

Background

Searchable encryption enables a data user to securely retrieve an encrypted database hosted on a semi-trusted cloud server. Existing searchable encryption makes different trade-offs between security, efficiency and functionality in order to apply different scenarios. In order to make the scheme more efficient and functional, most of the searchable encryption that exists allows revealing the access pattern and search pattern when searching. However, some existing attacks suggest that in the case of an adversary having a priori information about the database, the adversary can exploit the leakage of access patterns and search patterns to recover keywords in the keyword trapdoors with great probability and accuracy, which would violate the privacy requirements in searchable encryption. To combat this attack, a searchable encryption scheme with pattern hiding is proposed.

The cloud server may return erroneous or incomplete results for reasons of saving computational effort, etc. Most current searchable encryption schemes that support both search mode and access mode hiding either require the introduction of redundant information for confusion or require interaction between multiple servers. The privacy set intersection enables both pattern hiding and conjunctive keyword searching. However, techniques for solving keyword searches using private collection intersections are not well established. Existing schemes using private collection intersection techniques require two servers to interact to complete homomorphic multiplication operations, which delays the search time.

Disclosure of Invention

In order to overcome the defects of the prior art, the invention provides a keyword searching and verifying method and equipment in a hidden mode, which are used for solving the problem of efficiently realizing multi-keyword searching on a single server in the prior art.

One embodiment of the present invention provides a keyword retrieval method in a hidden mode, the method including:

acquiring an encrypted source file and a keyword index I from a data owner;

acquiring a keyword trapdoor Tr from a data user;

collecting a search request of a data user, obtaining a search result, and feeding back the search result to the data user;

the search result is obtained through calculation with a keyword trapdoor Tr and a keyword index I;

the key trapdoor Tr is obtained by homomorphic encryption of the data user according to the authorization information provided by the data owner; the authorization information is returned by the data owner according to the application access request of the data user;

the authorization information includes: a first keyword set W extracted from an encrypted source file by a data owner; and

public parameters preset by a data owner; the common parameters also include a security parameter lambda.

The data owner only needs to provide the encrypted source file and the keyword index in the encrypted source file, the data user obtains the keyword trapdoor through encryption calculation according to the authorization information and uploads the keyword trapdoor to the cloud server, and the server stores the encrypted source file, the keyword index and the keyword trapdoor. The keyword trapdoor is provided by the data user, the self-defined keyword function is realized, the encrypted source file in the cloud server is not required to be searched in an access mode or a search mode, the mode is hidden, and the keyword retrieval in the hidden mode is realized. When the data user needs to decrypt and verify the search result, the user can verify the embedded random number beta selected by the user to obtain a file identification set DB #_i ) The method and the device can realize direct interaction between a single server of the data user and the cloud service without verification feedback of the data owner, and shorten search time for requiring multiple servers to access feedback. Secondly, due to the fact that the key trapdoors defined by each different data user are different, the unique key trapdoor provided by the data owner does not exist, namely, the adversary cannot recover the key in the key trapdoor with great probability and precision by utilizing the leakage of the access mode and the search mode.

Due to each key k_z Essentially, it isIs a random number, i.e. the key index obtained is also a random one. Further encryption encrypts the file identification set, and the possibility of data leakage is reduced.

In one embodiment, the encrypted source file is obtained by encrypting the source file by the data owner.

One embodiment comprises:

the data owner extracts keywords from several encrypted source files, each encrypted file id_i The corresponding keyword set is W_i The method comprises the steps of carrying out a first treatment on the surface of the Obtaining a keyword w= n Wi of the first keyword W; and

arrange the reverse order index of the encrypted source file, each keyword w_i Is a file identification set DB (w_i ) The file identification dictionary ID of the first keyword W is obtained.

And keyword extraction is carried out on the encrypted source file, and a primary division basis is provided for generating a keyword index for a data owner by dividing the keyword dictionary W and the file identification dictionary ID.

In one embodiment, the common parameters further comprise an n-row m-column matrix X_n×m A pseudo-random function f; wherein the n rows and m columns of matrix X_n×m The data owner selects n multiplied by m from the real numbers R;

the authorization information also includes a key k_z For generating pseudo-functions { f (k)_z ，i，j)}_{1≤i≤m，1≤j≤n} ；

When the data user obtains a keyword trapdoor Tr through homomorphic encryption operation according to the authorization information:

the key trapdoor Tr is a public key pk obtained by initializing a homomorphic encryption algorithm by a data user with a security parameter lambda_u The method comprises the steps of carrying out a first treatment on the surface of the Selecting a first random number r from a first set of keywords W_i The method comprises the steps of carrying out a first treatment on the surface of the With public key pk_u For the first random number r_i The Tr is obtained by encrypting the first encryption formula_i Integrate all Tr_i Obtaining; wherein the first encryption formula is derived by the data user from the common parameters.

The data user can pass through the public key pk_u Encryption to obtain key word trapThe gate Tr is uploaded to a server for searching in the cloud server; the data user in the same way can also obtain the private key sk by initializing the homomorphic encryption algorithm for the security parameter lambda_u And decrypting the search result fed back by the cloud server, and completing encryption and decryption in the same server, so that information interaction with other servers is reduced.

The data user can formulate a keyword set according to own preference, generate a keyword trapdoor and provide a search request for the cloud server. Because the data users are formulated according to their own liking, the data users have randomness, and the adversaries can only recover the keywords in the keyword trapdoors defined by the adversaries, and can not directly invade and acquire the encrypted files.

One embodiment of the method comprises selecting a first random number r according to a first keyword set W_i Comprising:

the data user selects a plurality of keywords to form a second keyword set Q;

if keyword w_i Belonging to the second keyword set Q, the first random number r_i Configured as real numbers;

if keyword w_i Not belonging to the second keyword set Q, the first random number r_i Configured to be zero.

By defining a first random number r_i When the second keyword set Q belongs to the first keyword set W, the searched keyword W_i Only meaningful search results are available.

In one embodiment, the first encryption formula is configured to

Wherein xi_j For matrix X_n×m The number of i rows and j columns in the row, i is less than or equal to n, and j is less than or equal to m; beta is an embedded random number, and is obtained by data user selection;

is a pseudo function { f (k)_z ，i，j)}_{1≤i≤m，1≤j≤n} The inverse of (c) and (d).

Combining first addition by simple lightweight Paillier addition homomorphic encryptionSecret formula and first random number r_i Encryption to obtain

Wherein (1)>

Is f (k)_z The inverse sum of i, j), σ (x)_ij )＝x_ij -β。

In one embodiment, the key index includes:

the key index I is based on the secret key k by the data owner_z Is { T (k)_z ，i，j)}_{1≤i≤m，1≤j≤n} Generating a set of random numbers { z_ij }_{1≤i≤m，1≤j≤n} A set of key identifications DB (w_i ) Generated polynomial

Is obtained from the values of the point-value polynomials of (2);

extracting key w from the encrypted source file by data owner_i Will contain the corresponding keyword w_i Is obtained from the file id set of (a) the file identification set DB (w_i )；

Set of file identifications DB (w_i ) The elements in (a) are encoded by a hash function so that the file identification set DB (w_i ) The element in (2) has id' an =id||h (id) structure;

by blinding polynomials

Generating a Point value polynomial I_i ，

Wherein the polynomial is

Set DB (w_i ) Is generated;

calculating a point value polynomial I_i Is included in the key index I.

For each keyword w_i Is a file identification set DB (w_i ) Is based on the encryption of source fileObtained by taking a file identification set DB (w_i ) Contains elements of different numbers, and the file identification set DB (w_i ) The data length of the key index is uniform, and the key index is convenient for the data owner to generate the calculation of the key index.

In one embodiment, the search result is obtained by calculating with the keyword trapdoor fr and the keyword index I, and includes:

generating a polynomial psi, and enabling the polynomial psi, a keyword trapdoor Tr and a keyword index I to pass through a public key pk_u Homomorphic encryption calculation to obtain point value polynomial T_i ；

Point-to-point value polynomial T_i Polynomial interpolation is carried out to obtain polynomial P_i ；

Polynomial P_i Adding homomorphic encryption to obtain a search result;

the search result is a polynomial P (x) of the intersection of the file identification sets corresponding to the keyword sets;

wherein the polynomial interpolation is a polynomial coefficient L using Lagrange interpolation_i 。

One embodiment provides a verification method for keyword retrieval in a hidden mode, and the verification method comprises the steps of obtaining authorization information of a data owner, wherein the authorization information is returned by the data owner according to an application access request of a data user; the authorization information comprises a first keyword set W, and the first keyword set W is extracted from an encrypted source file by a data owner; and a security parameter lambda preset by the data owner; key k_z For generating pseudo-functions { f (k)_z ，i，j)}_{1≤i≤m，1≤j≤n} For the data owner to generate a set of random numbers { z ]_ij }_{1≤i≤m，1≤j≤n} A set of key identifications DB (w_i ) Generated polynomial

Obtaining the key index I by the value of the point value polynomial of (2);

selecting a first random number r_i Generating a keyword trapdoor Tr; public key pk obtained by initializing homomorphic encryption by security parameter lambda_u For the first random number r_i The Tr is obtained by encrypting the first encryption formula_i Integrate all Tr_i Obtaining a keyword trapdoor Tr; wherein the first encryption formula includes an embedded random number β;

uploading the keyword trapdoor Tr to a cloud server for uploading to an encrypted source file and a keyword index of the cloud server by a search data owner;

sending a search request to a cloud server to obtain search results fed back by the cloud server; the search result is a polynomial P (x) of an intersection set of file identification corresponding to the keyword set; polynomial P (x) is used for data user verification whether a set of file identifications DB (w_i )。

The data user can pass through the public key pk_u The keyword trapdoor Tr obtained through encryption is uploaded to a server for searching in the cloud server; the data user in the same way can also obtain the private key sk by initializing the homomorphic encryption algorithm for the security parameter lambda_u And decrypting the search result fed back by the cloud server, and completing encryption and decryption in the same server, so that information interaction with other servers is reduced.

The data user can formulate a keyword set according to own preference, generate a keyword trapdoor and provide a search request for the cloud server. Because the data users are formulated according to their own liking, the data users have randomness, and the adversaries can only recover the keywords in the keyword trapdoors defined by the adversaries, and can not directly invade and acquire the encrypted files.

Next, decrypting the polynomial P (x) verifies whether the file identification set DB (w_i ) Thereby obtaining a meaningful key index. The data user unilaterally and automatically verifies the search result, and the verification result is obtained without feedback of the data owner, so that efficient multi-keyword search with verifiable calculation process is realized.

In one embodiment, the polynomial P (x) is used for data user verification as to whether the file identification set DB (w_i ) Comprising;

the security parameter lambda is used for initializing and encrypting to obtain a private key sk_u ；

By using the private key sk_u Decrypting the polynomial P (x) to obtain a polynomial P' (x);

substituting the embedded random number beta into a polynomial P' (x) for calculation;

if the embedded random number β is a solution of a polynomial P' (x), a file identification set DB (w_i ) Recovering the key index;

if the embedded random number β is not a solution of the polynomial P' (x), rejection is displayed, and the file identification set DB (w_i )。

By judging the embedded random number beta for verification, the data user can confirm whether to obtain the meaningful keyword index, and the file identification set DB (w_i )。

One embodiment comprises:

the data owner extracts keywords from several encrypted source files, each encrypted file id_i The corresponding keyword set is W_i The method comprises the steps of carrying out a first treatment on the surface of the Obtaining a keyword w= n Wi of the first keyword W; and

arrange the reverse order index of the encrypted source file, each keyword w_i Is a file identification set DB (w_i ) The file identification dictionary ID of the first keyword w= n Wi is obtained.

And keyword extraction is carried out on the encrypted source file, and a primary division basis is provided for generating a keyword index for a data owner by dividing the keyword dictionary W and the file identification dictionary ID.

The key word retrieval device of the hidden mode comprises a memory and a processor, wherein the memory stores a computer program, and the processor realizes the key word retrieval method of the hidden mode when executing the computer program;

or the processor executes the computer program to realize the verification method of the keyword retrieval of the hidden mode.

A computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the keyword retrieval method of hidden mode described above;

or the processor executes the computer program to realize the verification method of the keyword retrieval of the hidden mode.

Drawings

In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to the structures shown in these drawings without inventive effort for a person skilled in the art.

Fig. 1 is a data flow diagram of a keyword retrieval method in hidden mode according to an embodiment of the present invention;

FIG. 2 is a logic diagram of an encryption algorithm according to an embodiment of the present invention;

FIG. 3 is a logic diagram of a verification process of a verification method for keyword retrieval in hidden mode according to another embodiment of the present invention;

FIG. 4 is a diagram of a key index according to one embodiment of the present invention;

fig. 5 is a schematic diagram of a hardware module of a hidden mode keyword retrieval device according to another embodiment of the present invention.

Detailed Description

The following description of the embodiments of the present invention will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are only some, but not all embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.

It should be noted that, if a directional indication (such as up, down, left, right, front, and rear … …) is involved in the embodiment of the present invention, the directional indication is merely used to explain the relative positional relationship, movement condition, etc. between the components in a specific posture, and if the specific posture is changed, the directional indication is correspondingly changed.

In addition, if there is a description of "first", "second", etc. in the embodiments of the present invention, the description of "first", "second", etc. is for descriptive purposes only and is not to be construed as indicating or implying a relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include at least one such feature. In addition, if "and/or" and/or "are used throughout, the meaning includes three parallel schemes, for example," a and/or B "including a scheme, or B scheme, or a scheme where a and B are satisfied simultaneously. In addition, the technical solutions of the embodiments may be combined with each other, but it is necessary to base that the technical solutions can be realized by those skilled in the art, and when the technical solutions are contradictory or cannot be realized, the combination of the technical solutions should be considered to be absent and not within the scope of protection claimed in the present invention.

In order to find a valid root from the random root at decryption, the file identity needs to be encoded using a hash function H. File identification set

I.e. the set of file identifications is from subset U in the ring R. Bit length L of element in R_R Bit length L of element in U_U And bit length L of hash function output_H Satisfy the relation L between_R ＝L_U +L_H 。

In the embodiment of the invention, the Paillier encryption algorithm, the pseudo-random function f and the hash function H are common cryptographic primitives, and the application principle is introduced as follows:

paillier encryption algorithm: the Paillier encryption algorithm is a common addition homomorphic encryption algorithm and consists of a key generation algorithm Keygen, an encryption algorithm Enc and a decryption algorithm Dec. The key generation algorithm is capable of outputting the public-private key (pk, sk) of the Paillier cryptosystem after inputting the security parameter λ. Using public key pk, message m can be encrypted to obtain ciphertext Enc_pk (m). Using private key sk energyThe ciphertext Enc (m) can be decrypted to yield plaintext m=dec_sk (Enc_pk (m)). Paillier encryption systems have the property of being homomorphic, i.e. for m₁ And m₁ Ciphertext Enc of_pk (m₁ ) And Enc_pk (m₂ )。m₁ +m₂ Ciphertext Enc of_pk (m₁ +m₂ ) Can pass through Enc_pk (m₁ ) And Enc_pk (m₂ ) Homomorphism addition, i.e. Enc_pk (m₁ +m₂ )＝Enc_pk (m₁ )+_h Enc_pk (m₂ ). Random number and ciphertext Enc_pk (m) enables homomorphic scalar multiplication, i.e. Enc_pk (r·m)＝r*_h Enc_pk (m)。

Pseudo-random function f: (k, x) →y: when having the key k, x can be mapped to y. And y and a true random number are computationally indistinguishable.

Hash function H: the hash function is capable of mapping bit strings of arbitrary length to bit strings of fixed length. Where the input to the hash function is L_U Length of must, output is L_H Length of must.

Coefficient representation f (x) =a for a polynomial of degree L₀ x⁰ +a₁ x¹ +…+a_L x^L And a disclosed vector X_i ＝(x_i0 ，x_i1 ，...，x_iL ). The point value polynomial of f (x) is expressed as f (x) = { (x)_i0 ，f(x_i0 ))，(x_i1 ，f(x_i1 ))，…，(x_iL ，f(x_iL ))}。

Referring to fig. 1, fig. 1 is a schematic data flow diagram provided in this embodiment.

A keyword retrieval method of a hidden mode, the method comprising:

acquiring an encrypted source file and a keyword index I from a data owner;

acquiring a keyword trapdoor Tr provided by a data user;

the key trapdoor Tr is obtained by homomorphic encryption of the data user according to the authorization information provided by the data owner;

the authorization information comprises a first keyword set W, and the first keyword set W is extracted from an encrypted source file by a data owner; and

public parameters preset by a data owner; the public parameters also comprise a security parameter lambda, and an n-row m-column matrix X obtained by selecting n multiplied by m from real numbers R by a data owner_n×m A pseudo-random function f;

key k_z For generating pseudo-functions { f (k)_z ，i，j)}_{1≤i≤m，1≤j≤n} For the data owner to generate a set of random numbers { z ]_ij }_{1≤i≤m，1≤j≤n} A set of key identifications DB (w_i ) Generated polynomial

Obtaining the key index I by the value of the point value polynomial of (2);

and acquiring a search request of the data user based on the key trapdoor Tr, calculating to obtain a search result according to the search request, and feeding back the search result to the data user.

The data owner only needs to provide the encrypted source file and the keyword index in the encrypted source file, the data user obtains the keyword trapdoor through encryption calculation according to the authorization information and uploads the keyword trapdoor to the cloud server, and the server stores the encrypted source file, the keyword index and the keyword trapdoor. The keyword trapdoor is provided by the data user, the self-defined keyword function is realized, the encrypted source file in the cloud server is not required to be searched in an access mode or a search mode, the mode is hidden, and the keyword retrieval in the hidden mode is realized. When the data user needs to decrypt and verify the search result, the user can verify the embedded random number beta selected by the user to obtain a file identification set DB #_i ) The method and the device can realize direct interaction between a single server of the data user and the cloud service without verification feedback of the data owner, and shorten search time for requiring multiple servers to access feedback.

Second, the key k obtained for each different data user_z Different, the obtained keyword trapdoorsTr is also different, there is no data owner providing a unique keyword trapdoor Tr, i.e. adversaries cannot exploit the leakage of access and search modes, avoiding a great probability and accuracy of recovering the keywords in the keyword trapdoor Tr.

A data owner who owns a series of source files and is able to extract a corresponding set of keywords from the files. To reduce the cost of local storage and management, the data owner encrypts the source file and then uploads the encrypted source file and the encrypted key index to the cloud server.

Data users, which are consumers of data. When a data user wants to use an encrypted source file of a data owner, access rights should be applied to and obtained from the data owner. After obtaining the rights, the data user can generate a keyword trapdoor Tr according to the second keyword set Q and the authorization information which are interested by the data user. Meanwhile, the data user can further obtain a file identification set DB from search results returned by the cloud server_i )。

The cloud server is responsible for storing the encrypted source file and the keyword index I. The search results can be returned to the data users in response to the search requests of the data users.

Specifically, the data owner randomly selects n×m random numbers from the ring R and then forms a matrix X of n rows and m columns_n×m At the same time, the data owner selects a secret key k according to the security parameter lambda_z In addition, the data user also selects a hash function H. Then lambda, X_n×m And f and H as common parameters. The data owner extracts a plurality of keywords from each source file, and, assuming that there are m keywords in total in the source file, finds the files containing each keyword to identify, and groups the identified files, wherein the number of the most elements in the groups is denoted as L. And then generating an L-degree coefficient polynomial from the file identification set corresponding to each keyword, and representing the L-degree coefficient polynomial as a point value polynomial form of length n. The data owner randomly selects a random number as the key k of the pseudo-random function f_z Generating n×m random numbers and then blindingValues of the point-value polynomials in the system are quantized. Finally, the values of the blinded point-value polynomials form the key index I.

When a data user wants to access an encrypted source file of a data owner, the data user is first authorized by the data owner. The authorization information is fed back to the data user from the data owner, and the data user obtains the security parameter lambda and initializes the Paillier addition homomorphism algorithm according to the feedback information; and then combining calculation to embed the random number beta to generate the keyword trapdoor Tr. The data user uploads the keyword trapdoor Tr to the cloud server.

And the cloud server acquires the keyword trapdoor Tr and provides a search entrance for the data user. After receiving a search request of a data user, the cloud server firstly selects n times of polynomials, and then combines a keyword trapdoor Tr, a keyword index I, a selected random polynomial ψ and system public parameters, and the cloud server can calculate in parallel to obtain a search result and return the search result to the data user.

In one embodiment, the encrypted source file is obtained by encrypting the source file by the data owner.

One embodiment comprises:

the data owner extracts keywords from several encrypted source files, each encrypted file id_i The corresponding keyword set is W_i The method comprises the steps of carrying out a first treatment on the surface of the Obtaining a keyword w= n Wi of the first keyword W; and

arrange the reverse order index of the encrypted source file, each keyword w_i Is a file identification set DB (w_i ) The file identification dictionary ID of the first keyword W is obtained.

And keyword extraction is carried out on the encrypted source file, and a primary division basis is provided for generating a keyword index for a data owner by dividing the keyword dictionary W and the file identification dictionary ID.

In one embodiment, the data user initializes the security parameter λ to a homomorphic encryption algorithm to obtain the public key pk_u ；

Selecting a first random number r from a first set of keywords W_i ；

With public key pk_u For the first random number r_i The Tr is obtained by encrypting the first encryption formula_i Integrate all Tr_i Obtaining a keyword trapdoor Tr; wherein the first encryption formula is derived by the data user from the common parameters.

Referring to fig. 2, fig. 2 is a logic diagram of an encryption operation process according to the present embodiment.

One embodiment of the method comprises selecting a first random number r according to a first keyword set W_i Comprising:

the data user selects a plurality of keywords to form a second keyword set Q;

if keyword w_i Belonging to the second keyword set Q, the first random number r_i Configured as real numbers;

if keyword w_i Not belonging to the second keyword set Q, the first random number r_i Configured to be zero.

By defining a first random number r_i When the second keyword set Q belongs to the first keyword set W, the searched keyword W_i Only meaningful search results are available.

In one embodiment, the first encryption formula is configured to

Wherein x is_ij For matrix X_n×m The number of i rows and j columns in the row, i is less than or equal to n, and j is less than or equal to m; beta is an embedded random number, and is obtained by data user selection;

is a pseudo function { f (k)_z ，i，j)}_{1≤i≤m，1≤j≤n} The inverse of (c) and (d).

Specifically, the data user selects the query keyword set q= (w₁ ′，w₂ ′，...，w_q ') and a random number beta epsilon R; the data user randomly selects a first random number r_i The method comprises the steps of carrying out a first treatment on the surface of the Encrypting the first random number r using a Paillier encryption algorithm_i First encryption formula

Obtain->

Wherein->

Is f (k)_z The inverse sum of i, j), σ (x)_ij )＝x_ij -beta. When w is_i ∈W，/>

At the time, a first random number r_i =0; when w is_i ∈W，w_i When E Q, the first random number r_i E R. Integration of all Tr_i Obtaining a keyword trapdoor Tr= (Tr)₁ ，Tr₂ ，...，Tr_m )。

In one embodiment, the key index includes:

extracting key w from the encrypted source file by data owner_i Will contain the corresponding keyword w_i Is obtained from the file id set of (a) the file identification set DB (w_i )；

Set of file identifications DB (w_i ) The elements in (a) are encoded by a hash function so that the file identification set DB (w_i ) The element in (2) has id' an =id||h (id) structure;

by blinding polynomials

Generating a Point value polynomial I_i ，

Wherein the polynomial is

Set DB (w_i ) Is generated;

calculating a point value polynomial I_i Is included in the key index I.

For each keyword w_i Is a file identification set DB (w_i ) Is based on encryptionExtracted from source files, wherein the file identification set DB (w_i ) Contains elements of different numbers, and the file identification set DB (w_i ) The data length of the key index is uniform, and the key index is convenient for the data owner to generate the calculation of the key index.

Specifically, the data owner randomly selects n×m random numbers from the ring R and then forms a first matrix X of n rows and m columns_n×m ＝{(x₁₁ ，x₁₂ ，...，x_1m )，…，(x_n1 ，x_n2 ，...，x_nm ) -and selecting a tape key k based on the system security parameter lambda_z Is a pseudo-random function f of: (k)_z X) to y, and the data user also selects a hash function H: R.fwdarw.R. Will (lambda, X)_n×m F, H) as a common parameter of the system. Extracting multiple keywords from each source file, assuming that there are m keywords w= (W)₁ ，w₂ ，...，w_m ) Find the keyword w_i Is identified, and the identified source file set is obtained into a file identification set DB (w_i ). Wherein the number of the most elements contained in the file identification set is denoted as L and defined as

Then generating L-degree coefficient polynomials from the file identification sets corresponding to each keyword

And polynomial +.>

Dot-value polynomial form expressed as length n +.>

Wherein the coefficient representation for a polynomial of degree L is f (x) =a₀ x⁰ +a₁ x¹ +…+a_L x^L And a disclosed vector X_i ＝(x_i0 ，x_i1 ，...，x_iL ). The data owner then randomly selects a random number as the pseudo-random numberKey k of function f_z The method comprises the steps of carrying out a first treatment on the surface of the The pseudo-random function is expressed as { f (k)_z ，i，j)}_{1≤i≤m，1≤j≤n} From a random function { f (k)_z ，i，j)}_{1≤i≤m，1≤j≤n} Generates n×m random numbers { z }, respectively_ij }_{1≤i≤m，1≤j≤n} The point value polynomial is then blinded

Is->

Form key index->

In one embodiment, the collecting the search request of the data user, calculating the search result according to the search request, and feeding back the search result to the data user includes:

generating a polynomial psi, and enabling the polynomial psi, a keyword trapdoor Tr and a keyword index I to pass through a public key pk_u Homomorphic encryption calculation to obtain point value polynomial T_i ；

Point-to-point value polynomial T_i Polynomial interpolation is carried out to obtain polynomial P_i ；

Homomorphic encryption is carried out on the polynomial Pi addition to obtain a search result;

the search result is a polynomial P (x) of the intersection of the file identification sets corresponding to the keyword sets;

wherein the polynomial interpolation is a polynomial coefficient L using Lagrange interpolation_i 。

Specifically, the cloud server first randomly selects m polynomials ψ= (ψ) of n times₁ ,Ψ₂ ,…,Ψ_m ) Then, the key trapdoor Tr and the key index I are parallel passed through the public key pk_u Homomorphic encryption calculation to obtain point value polynomial

Where homomorphic encryption scalar multiplication is defined.

Cloud server calculates Lagrange interpolation polynomial coefficient L_i ＝(l_i1 ，l_i2 ，…，l_in ) Wherein

Then calculate polynomial P_i ＝l_i1 *T_i1 +l_i2 *T_i2 +…+l_in *T_in 。

Cloud server re-pairs polynomial P_i Homomorphic addition is carried out to obtain a polynomial P (x) =P of the intersection of the file identification sets corresponding to the keyword sets₁ +_h P₂ +_h …+_h P_m Wherein +_h Is an addition operation of homomorphic encryption. The cloud server returns P (x) to the data user.

Conventionally, since a keyword trapdoor is generated by a data owner, the data owner can know a keyword of a data search. The data user also requires the assistance of the data owner in the final decryption stage. Moreover, existing mode-hidden searchable encryption schemes also fail to verify the correctness of the calculation results.

Referring to fig. 1, another embodiment provides a verification method for keyword retrieval in a hidden mode, including:

acquiring authorization information of a data owner, wherein the authorization information comprises a first keyword set W, and the first keyword set W is extracted from an encrypted source file by the data owner; and a security parameter lambda preset by the data owner; key k_z For generating pseudo-functions { f (k)_z ，i，j)}_{1≤i≤m，1≤j≤n} For the data owner to generate a set of random numbers { z ]_ij }_{1≤i≤m，1≤j≤n} A set of key identifications DB (w_i ) Generated polynomial

Obtaining the key index I by the value of the point value polynomial of (2);

selecting a first random number r_i Generating a keyword trapdoor Tr; public key pk obtained by initializing homomorphic encryption by security parameter lambda_u For the first random number r_i The Tr is obtained by encrypting the first encryption formula_i Integrate all Tr_i Obtaining a keyword trapdoor Tr; wherein the first encryption formula includes an embedded random number β;

uploading the keyword trapdoor Tr to a cloud server for uploading to an encrypted source file and a keyword index of the cloud server by a search data owner;

sending a search request to a cloud server to obtain search results fed back by the cloud server; the search result is a polynomial P (x) of an intersection set of file identification corresponding to the keyword set; polynomial P (x) is used for data user verification whether a set of file identifications DB (w_i )。。

The data user can decrypt and crack the obtained polynomial P (x) by self through the keyword trapdoor defined by the data user, the obtained authorization information, the public parameters and the Paillier decryption algorithm, and whether the search result fed back by the cloud server is a meaningful keyword index is judged.

Referring to fig. 3, fig. 3 is a logic diagram of a verification process provided in this embodiment.

In one embodiment, the polynomial P (x) is used for data user verification as to whether the file identification set DB (w_i ) Comprising;

the security parameter lambda is used for initializing and encrypting to obtain a private key sk_u ；

By using the private key sk_u Decrypting the polynomial P (x) to obtain a polynomial P' (x);

substituting the embedded random number beta into a polynomial P' (x) for calculation;

if the embedded random number β is a solution of a polynomial P' (x), a file identification set DB (w_i ) Recovering the key index;

if the embedded random number β is not a solution to the polynomial P' (x), then rejection is indicatedCannot provide the file identification set DB (w_i )。

Specifically, after obtaining a search result returned by the cloud server, the data user firstly obtains a polynomial by using a Paillier decryption algorithm

The data user then verifies whether the embedded random number β is the root of the polynomial P' (x), and if not, refuses the erroneous result; if so, recovering the id H (id) root with the form from the multi-form P' (x), and then obtaining the corresponding key index. Since the data owner encodes the file identification set DB (w_i ) The element in the file has a structure of id' =id||h (id).

Referring to fig. 4, fig. 4 is a mapping chart of a keyword index provided in the present embodiment.

One embodiment comprises:

the data owner extracts keywords from several encrypted source files, each encrypted file id_i The corresponding keyword set is W_i The method comprises the steps of carrying out a first treatment on the surface of the Obtaining a keyword w= n Wi of the first keyword W; and

arrange the reverse order index of the encrypted source file, each keyword w_i Is a file identification set DB (w_i ) The file identification dictionary ID of the first keyword W is obtained.

The method is to extract keywords from an encrypted source file, divide a keyword dictionary W and a file identification dictionary ID, and provide a preliminary division basis for generating a keyword index for a data owner. The method is also used for inquiring in order to restore the id I H (id) root with the form from the multi-form P' (x) for the data user.

Specifically, the data owner extracts keywords in N subfiles in the encrypted source file, and the set of keywords corresponding to idi of each file is W_i Wherein the dictionary of related keywords is generated as

The data owner arranges the files by creating an inverted index. So that each keyword corresponds to oneFile identification set dictionary for generating file identification set containing the keyword>

Further, the file identification set and the keyword dictionary are respectively corresponding to ID and W. The two dictionaries can be associated so that the data user can verify himself, for polynomial ++>

The embedded random number beta is substituted into the calculation, when the embedded random number beta is confirmed to be polynomial + ->

And recovering the root with the form ID H (ID), found in the file identification set dictionary ID.

Referring to fig. 5, one embodiment of the present invention further provides akeyword searching apparatus 200 in a hidden mode, which includes amemory 220 and aprocessor 210, where thememory 220 stores acomputer program 240, and theprocessor 210 implements the keyword searching method in a hidden mode according to any one of the above embodiments when executing thecomputer program 240. In this embodiment,processor 210,memory 220, andcomputer program 240 transmit data overdata bus 230.

An embodiment of the present invention further provides akeyword retrieval apparatus 200 in hidden mode, including amemory 220 and aprocessor 210, where thememory 220 stores acomputer program 240, and theprocessor 210 implements the keyword retrieval method in hidden mode according to any one of the above embodiments when executing thecomputer program 240. In this embodiment,processor 210,memory 220, andcomputer program 240 transmit data overdata bus 230.

One embodiment of the present invention also provides a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements a verification method for keyword retrieval of a hidden mode as described in any one of the above embodiments.

One embodiment of the present invention also provides a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements a verification method for keyword retrieval of a hidden mode as described in any one of the above embodiments.

The foregoing description is only of the preferred embodiments of the present invention and is not intended to limit the scope of the invention, and all equivalent structural changes made by the description of the present invention and the accompanying drawings or direct/indirect application in other related technical fields are included in the scope of the invention.

Claims (10)

1. A keyword retrieval method of a hidden mode, the method comprising:

acquiring an encrypted source file and a keyword index I from a data owner;

acquiring a keyword trapdoor Tr from a data user;

collecting a search request of a data user, obtaining a search result, and feeding back the search result to the data user;

the search result is obtained through calculation with a keyword trapdoor Tr and a keyword index I;

the keyword trapdoor Tr is obtained by homomorphic encryption operation of a data user according to authorization information; the authorization information is returned by the data owner according to the application access request of the data user;

the authorization information includes: the first keyword set W is extracted from an encrypted source file by a data owner; and

public parameters are preset by a data owner; the common parameter comprises a security parameter lambda.

2. The hidden mode keyword retrieval method of claim 1, wherein the common parameters further comprise an n-row m-column matrix X_n×m A pseudo-random function f; wherein the n rows and m columns of matrix X_n×m The data owner selects n multiplied by m from the real numbers R;

the authorization information also includes a key k_z For generating pseudo-functions { f (k)_z ,i,j)}_{1≤i≤m,1≤j≤n} ；

When the data user obtains a keyword trapdoor Tr through homomorphic encryption operation according to the authorization information:

the key trapdoor Tr is a public key pk obtained by initializing a homomorphic encryption algorithm by a data user with a security parameter lambda_u The method comprises the steps of carrying out a first treatment on the surface of the Selecting a first random number r from a first set of keywords W_i The method comprises the steps of carrying out a first treatment on the surface of the With public key pk_u For the first random number r_i The Tr is obtained by encrypting the first encryption formula_i Integrate all Tr_i Obtaining; wherein the first encryption formula is obtained by a data user according to the public parameters.

3. The hidden mode keyword retrieval method as recited in claim 2, wherein the first random number r is selected based on a first keyword set W_i Comprising:

the data user selects a plurality of keywords to form a second keyword set Q;

if keyword w_i Belonging to the second keyword set Q, the first random number r_i Configured as real numbers;

if keyword w_i Not belonging to the second keyword set Q, the first random number r_i Configured to be zero.

4. A hidden mode keyword retrieval method as claimed in claim 2 or 3, further comprising: the first encryption formula is configured as

Wherein x is_ij For matrix X_n×m The number of i rows and j columns in the row, i is less than or equal to n, and j is less than or equal to m; beta is an embedded random number, and is obtained by data user selection;

is a pseudo function { f (k)_z ,i,j)}_{1≤i≤m,1≤j≤n} The inverse of (c) and (d).

5. The hidden-mode keyword retrieval method of claim 4, comprising:

the key index I is based on the secret key k by the data owner_z Is a pseudo function { f (k)_z ,i,j)}_{1≤i≤m,1≤j≤n} Generating a set of random numbers { z_ij }_{1≤i≤m,1≤j≤n} A set of key identifications DB (w_i ) Generated polynomial

Is obtained from the values of the point-value polynomials of (2);

extracting key w from the encrypted source file by data owner_i Will contain the corresponding keyword w_i Is obtained from the file id set of (a) the file identification set DB (w_i )；

By blinding polynomials

Generating a Point value polynomial I_i ；

Wherein the polynomial is

Set DB (w_i ) Is generated;

calculating a point value polynomial I_i Is included in the key index I.

6. The hidden mode keyword retrieval method as claimed in claim 5, wherein the search result is calculated from a keyword trapdoor Tr and a keyword index I, comprising:

generating a polynomial psi, and indexing the polynomial psi with a keyword trapdoor Tr and a keywordLeading I, namely initializing a public key pk obtained by a homomorphic encryption algorithm by a security parameter lambda_u Homomorphic encryption calculation to obtain point value polynomial T_i ；

Point-to-point value polynomial T_i Polynomial interpolation is carried out to obtain polynomial P_i ；

Polynomial P_i Adding homomorphic encryption to obtain a search result;

the search result is a polynomial P (x) of the intersection of the file identification sets corresponding to the keyword sets;

wherein the polynomial interpolation is a polynomial coefficient L using Lagrange interpolation_i 。

7. A verification method for keyword retrieval in hidden mode, comprising:

acquiring authorization information of a data owner, wherein the authorization information is returned by the data owner according to an application access request of a data user; the authorization information comprises a first keyword set W, and the first keyword set W is extracted from an encrypted source file by a data owner; and a security parameter lambda preset by the data owner; key k_z For generating pseudo-functions { f (k)_z ,i,j)}_{1≤i≤m,1≤j≤n} For the data owner to generate a set of random numbers { z ]_ij }_{1≤i≤m,1≤j≤n} A set of key identifications DB (w_i ) Generated polynomial

Obtaining the key index I by the value of the point value polynomial of (2);

selecting a first random number r_i Generating a keyword trapdoor Tr; public key pk obtained by initializing homomorphic encryption by security parameter lambda_u For the first random number r_i The Tr is obtained by encrypting the first encryption formula_i Integrate all Tr_i Obtaining a keyword trapdoor Tr; wherein the first encryption formula includes an embedded random number β;

uploading the keyword trapdoor Tr to a cloud server for uploading to an encrypted source file and a keyword index I of the cloud server by a search data owner;

sending a search request to a cloud server to obtain search results fed back by the cloud server; the search result is a polynomial P (x) of an intersection set of file identification corresponding to the keyword set; polynomial P (x) is used for data user verification whether a set of file identifications DB (w_i )。

8. A verification method for key retrieval of hidden modes as recited in claim 7, wherein said polynomial P (x) is used for data user verification as to whether a file identification set DB (w_i ) Comprising;

the security parameter lambda is used for initializing and encrypting to obtain a private key sk_u ；

By using the private key sk_u Decrypting the polynomial P (x) to obtain the polynomial P^′ (x)；

Substituting the embedded random number beta into the polynomial P^′ (x) Calculating;

if the embedded random number beta is a polynomial P^′ (x) Is to obtain a file identification set DB (w_i ) Recovering the key index;

if the embedded random number beta is not a polynomial P^′ (x) If the solution of (a) shows rejection, the file identification set DB (w_i )。

9. The authentication method for keyword retrieval in hidden mode as recited in claim 8, comprising:

the data owner extracts keywords from several encrypted source files, each encrypted file id_i The corresponding keyword set is W_i The method comprises the steps of carrying out a first treatment on the surface of the Obtaining a keyword w= n Wi of the first keyword W; and

arrange the reverse order index of the encrypted source file, each keyword w_i Is a file identification set DB (w_i ) The file identification dictionary ID of the first keyword W is obtained.

10. A hidden-mode keyword retrieval apparatus comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the hidden-mode keyword retrieval method of any one of claims 1-6 when executing the computer program;

or, the processor, when executing the computer program, implements the verification method for keyword retrieval of hidden modes according to any one of claims 7-10.

Images