WO2020082687A1

Movatterモバイル変換

Info

Publication number: WO2020082687A1
Application number: PCT/CN2019/079637
Authority: WO
Inventors: 王树兰; 黄美东; 王磊; 王汇文
Original assignee: Shenzhen Technology University
Current assignee: Shenzhen Technology University
Priority date: 2018-10-25
Filing date: 2019-03-26
Publication date: 2020-04-30
Anticipated expiration: 2021-04-25
Also published as: CN109617855B; CN109617855A

Abstract

The present invention is applicable to the technical field of ciphertext access control. Provided are a file sharing method and apparatus based on CP-ABE layered access control, and a device and a medium. The method comprises: when a file sharing request sent by a file owner is received, encrypting a set of files to be shared by means of a symmetric encryption algorithm and according to a content key set to obtain a file ciphertext set; encrypting the content key set by means of an encryption function and according to common parameters and an AND gate access control policy corresponding to an AND gate policy LSSS matrix to obtain a key ciphertext set corresponding to the content key set; and uploading the file ciphertext set and the key ciphertext set to a cloud server so as to realize cloud-end file sharing. Thus, while ciphertext layered access is realized by means of CP-ABE, the storage overhead, the communication overhead and the decryption computational complexity of a ciphertext are reduced, and the encryption efficiency, the decryption efficiency and the security degree of shared data are improved.

Description

Translated fromChinese

基于CP-ABE分层访问控制的文件共享方法、装置、设备及介质File sharing method, device, equipment and medium based on CP-ABE hierarchical access control

技术领域Technical field

本发明属于密文访问控制技术领域，尤其涉及一种基于CP-ABE分层访问控制的文件共享方法、装置、设备及介质。The invention belongs to the technical field of ciphertext access control, and particularly relates to a file sharing method, device, device and medium based on CP-ABE hierarchical access control.

背景技术Background technique

随着云计算的发展以及大数据使用规模的逐级增大，数据成为最有价值的信息，人们将自己的数据存储在云服务器上已经成为了一种趋势，而云数据的使用与共享给人们的生活和工作带来便利性的同时，也带来了前所未有的数据安全风险，因此，如何实现对云数据的受控共享成为亟待解决的问题。With the development of cloud computing and the increasing use of big data, data has become the most valuable information. It has become a trend for people to store their data on cloud servers. The use and sharing of cloud data At the same time that people's lives and work bring convenience, it also brings unprecedented data security risks. Therefore, how to achieve controlled sharing of cloud data has become an urgent problem to be solved.

为了解决云数据的受控共享问题，同时避免隐私数据被窃取，传统的方法是通过用户对待共享的数据进行加密，再以密文的形式传输至云服务器，这种利用加密方案来分发这些加密数据给特定群体的用户非常低效，且不能确保数据是完全安全的，若想确保数据的安全性可通过设计加密机制的访问控制来实现，其中访问控制是阻止非授权用户访问云端隐私数据的第一道安全防线，所以访问控制技术尤为重要。In order to solve the problem of controlled sharing of cloud data and avoid theft of private data, the traditional method is to encrypt the data to be shared by the user and then transmit it to the cloud server in the form of cipher text. This encryption scheme is used to distribute these encryptions. It is very inefficient for data to be given to users of a specific group, and cannot ensure that the data is completely safe. If you want to ensure the security of the data, you can achieve it by designing an encryption mechanism for access control, which prevents unauthorized users from accessing cloud private data The first line of security, so access control technology is particularly important.

为了避免特权用户非法访问用户的敏感数据，同时又能够实现在云存储环境中的细粒度访问控制，Sahai等人在2005年提出了属性基加密(Attribute Based Encryption，ABE)的概念，ABE能够对共享数据进行细粒度控制且降低了私钥存储和分发的工作量，然而基本的ABE无法支持灵活的访问控制策略。因此，Bethencourt等人提出了适用于访问控制类应用的密文策略属性基加密(Ciphertext Policy-Attribute Based Encryption，CP-ABE)机制，CP-ABE通过灵活的访问策略使得加密方加密信息时不需要知道具体是谁解密，而解密方只需要符合相应条件便可解密。国内外许多学者对CP-ABE算法进行研究，虽然获得了很多成果但与实际应用相结合的具体实施模型还有不少问题亟待研究，例如，如何构造易维护的访问控制结构，如何增强访问控制的表达能力等。In order to prevent privileged users from illegally accessing users ’sensitive data and at the same time enabling fine-grained access control in cloud storage environments, Sahai et al. Proposed the concept of attribute-based encryption (ABE) in 2005. ABE can Sharing data for fine-grained control reduces the workload of storing and distributing private keys. However, basic ABE cannot support flexible access control strategies. Therefore, Bethencourt et al. Proposed a Ciphertext Policy-Attribute Based Encryption (CP-ABE) mechanism suitable for access control applications. With a flexible access policy, CP-ABE makes it unnecessary for the encrypting party to encrypt information Know who is decrypting, and the decrypting party only needs to meet the corresponding conditions to decrypt. Many scholars at home and abroad have studied the CP-ABE algorithm. Although many achievements have been obtained, there are still many problems in the specific implementation model combined with practical applications, such as how to construct an easy-to-maintain access control structure and how to enhance access control The ability to express etc.

发明内容Summary of the invention

本发明的目的在于提供一种基于CP-ABE分层访问控制的文件共享方法、装置、设备及介质，旨在解决由于现有技术无法提供一种有效的访问控制方法，导致共享数据安全低的问题。The object of the present invention is to provide a file sharing method, device, device and medium based on CP-ABE hierarchical access control, aiming to solve the problem that the existing technology cannot provide an effective access control method, resulting in low security of shared data problem.

一方面，本发明提供了一种基于CP-ABE分层访问控制的文件共享方法，所述方法包括下述步骤：In one aspect, the present invention provides a file sharing method based on CP-ABE hierarchical access control. The method includes the following steps:

当接收到文件拥有者发送的文件共享请求时，根据预先设置的内容密钥集合，使用对称加密算法对待共享文件集合进行加密，得到文件密文集合；When a file sharing request sent by the file owner is received, the shared file set is encrypted using a symmetric encryption algorithm according to the preset content key set to obtain a file ciphertext set;

根据预先生成的公共参数和预先构建的与门策略LSSS矩阵对应的与门访问控制策略，使用预设的加密函数对所述内容密钥集合进行加密，得到与所述内容密钥集合对应的密钥密文集合，所述密钥密文集合包含所述与门访问控制策略；According to the pre-generated public parameters and the pre-built AND gate access control strategy corresponding to the gate strategy LSSS matrix, the content key set is encrypted using a preset encryption function to obtain a secret key corresponding to the content key set A set of key ciphertexts, the set of key ciphertexts containing the AND gate access control strategy;

将所述文件密文集合和所述密钥密文集合上传至云服务器，以实现云端文件共享。Upload the set of file ciphertexts and the set of key ciphertexts to a cloud server to achieve cloud file sharing.

另一方面，本发明提供了一种基于CP-ABE分层访问控制的文件共享装置，所述装置包括：On the other hand, the present invention provides a file sharing device based on CP-ABE hierarchical access control. The device includes:

第一加密单元，用于当接收到文件拥有者发送的文件共享请求时，根据预先设置的内容密钥集合，使用对称加密算法对待共享文件集合进行加密，得到文件密文集合；The first encryption unit is used to encrypt the shared file set by using a symmetric encryption algorithm according to the preset content key set when receiving the file sharing request sent by the file owner to obtain a file ciphertext set;

第二加密单元，用于根据预先生成的公共参数和预先构建的与门策略LSSS矩阵对应的与门访问控制策略，使用预设的加密函数对所述内容密钥集合进行加密，得到与所述内容密钥集合对应的密钥密文集合，所述密钥密文集合包含所述与门访问控制策略；以及The second encryption unit is configured to encrypt the content key set using a preset encryption function according to the pre-generated public parameters and the pre-built AND gate access control strategy corresponding to the gate strategy LSSS matrix to obtain the A set of key ciphertexts corresponding to the set of content keys, the set of key ciphertexts containing the AND gate access control policy; and

密文上传单元，用于将所述文件密文集合和所述密钥密文集合上传至云服务器，以实现云端文件共享。A ciphertext uploading unit is used to upload the set of file ciphertexts and the set of key ciphertexts to a cloud server, so as to realize cloud file sharing.

另一方面，本发明还提供了一种计算设备，包括存储器、处理器以及存储在所述存储器中并可在所述处理器上运行的计算机程序，所述处理器执行所述计算机程序时实现如上述基于CP-ABE分层访问控制的文件共享方法所述的步骤。On the other hand, the present invention also provides a computing device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, which is implemented when the processor executes the computer program The steps are as described in the above file sharing method based on CP-ABE hierarchical access control.

另一方面，本发明还提供了一种计算机可读存储介质，所述计算机可读存储介质存储有计算机程序，所述计算机程序被处理器执行时实现如上述基于CP-ABE分层访问控制的文件共享方法所述的步骤。On the other hand, the present invention also provides a computer-readable storage medium that stores a computer program, and when the computer program is executed by a processor, implements the CP-ABE-based hierarchical access control as described above The steps described in the file sharing method.

本发明当接收到文件拥有者发送的文件共享请求时，根据内容密钥集合，使用对称加密算法对待共享文件集合进行加密，得到文件密文集合，根据公共参数和与门策略LSSS矩阵对应的与门访问控制策略，使用预设的加密函数对内容密钥集合进行加密，得到与内容密钥集合对应的密钥密文集合，将文件密文集合和密钥密文集合上传至云服务器，以实现云端文件共享，从而在通过CP-ABE实现密文分层访问的同时，降低了密文的存储开销、通信开销以及解密的计算复杂度，提高了加密效率、解密效率以及共享数据的安全程度。When receiving the file sharing request sent by the file owner, the present invention encrypts the shared file set using a symmetric encryption algorithm according to the content key set to obtain a file ciphertext set. According to the common parameters and the corresponding gate strategy LSSS matrix, the Door access control strategy, use a preset encryption function to encrypt the content key set to obtain the key ciphertext set corresponding to the content key set, and upload the file ciphertext set and key ciphertext set to the cloud server to Realize cloud file sharing, so as to achieve hierarchical access to ciphertext through CP-ABE, reduce the storage overhead, communication overhead and decryption computational complexity of ciphertext, improve encryption efficiency, decryption efficiency and the degree of security of shared data .

附图说明BRIEF DESCRIPTION

图1是本发明实施例一提供的基于CP-ABE分层访问控制的文件共享方法的实现流程图；1 is an implementation flowchart of a file sharing method based on CP-ABE hierarchical access control provided inEmbodiment 1 of the present invention;

图2是本发明实施例二提供的基于CP-ABE分层访问控制的文件共享方法的实现流程图；2 is an implementation flowchart of a file sharing method based on CP-ABE hierarchical access control provided by Embodiment 2 of the present invention;

图3是本发明实施例二提供的基于CP-ABE分层访问控制的文件共享方法中构造的与门结构访问树示意图；3 is a schematic diagram of an access structure of an AND gate structure constructed in a file sharing method based on CP-ABE hierarchical access control provided by Embodiment 2 of the present invention;

图4是本发明实施例二提供的基于CP-ABE分层访问控制的文件共享方法中集成的与门分层访问树示意图；4 is a schematic diagram of an AND gate hierarchical access tree integrated in a file sharing method based on CP-ABE hierarchical access control provided by Embodiment 2 of the present invention;

图5是本发明实施例二提供的基于CP-ABE分层访问控制的文件共享方法中将门分层访问树转换成与门策略LSSS矩阵的示意图；5 is a schematic diagram of converting a gate hierarchical access tree into an AND gate strategy LSSS matrix in a file sharing method based on CP-ABE hierarchical access control provided by Embodiment 2 of the present invention;

图6是本发明实施例三提供的基于CP-ABE分层访问控制的文件共享装置的结构示意图；6 is a schematic structural diagram of a file sharing device based on CP-ABE hierarchical access control provided by Embodiment 3 of the present invention;

图7是本发明实施例四提供的基于CP-ABE分层访问控制的文件共享装置的结构示意图；以及7 is a schematic structural diagram of a file sharing device based on CP-ABE hierarchical access control provided by Embodiment 4 of the present invention; and

图8是本发明实施例五提供的计算设备的结构示意图。8 is a schematic structural diagram of a computing device according to Embodiment 5 of the present invention.

具体实施方式detailed description

为了使本发明的目的、技术方案及优点更加清楚明白，以下结合附图及实施例，对本发明进行进一步详细说明。应当理解，此处所描述的具体实施例仅仅用以解释本发明，并不用于限定本发明。In order to make the objectives, technical solutions and advantages of the present invention more clear, the present invention will be further described in detail below in conjunction with the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are only used to explain the present invention, and are not intended to limit the present invention.

以下结合具体实施例对本发明的具体实现进行详细描述：The following describes the specific implementation of the present invention in detail with reference to specific embodiments:

实施例一：Example one:

图1示出了本发明实施例一提供的基于CP-ABE分层访问控制的文件共享方法的实现流程，为了便于说明，仅示出了与本发明实施例相关的部分，详述如下：FIG. 1 shows an implementation process of a file sharing method based on CP-ABE hierarchical access control provided inEmbodiment 1 of the present invention. For ease of description, only the parts related to the embodiment of the present invention are shown. The details are as follows:

在步骤S101中，当接收到文件拥有者发送的文件共享请求时，根据预先设置的内容密钥集合，使用对称加密算法对待共享文件集合进行加密，得到文件密文集合。In step S101, when a file sharing request sent by the file owner is received, the shared file set is encrypted using a symmetric encryption algorithm according to the preset content key set to obtain a file ciphertext set.

本发明实施例适用于数据处理平台、设备或服务器，例如个人计算设备、服务器等。本发明实施例主要包括文件拥有者、文件访问者、属性授权中心以及云服务器四个实体，其中，文件拥有者可将大量的文件进行一次加密，并将加密后的密文存储到云服务器，实现多文件共享；文件访问者根据自身访问权限访问存储在云服务器的文件；属性授权中心除了负责密钥的管理以外，还是负责定义系统属性集合，它是完全信任的，其主要的功能是接受用户的注册、密钥分发、用户验证和管理属性域等；云服务器主要作用是提供密文的存储和文件传输服务。The embodiments of the present invention are applicable to data processing platforms, devices or servers, such as personal computing devices and servers. The embodiments of the present invention mainly include four entities: a file owner, a file visitor, an attribute authorization center, and a cloud server. Among them, the file owner can encrypt a large number of files at once, and store the encrypted ciphertext to the cloud server. Achieve multi-file sharing; file accessors access files stored in cloud servers according to their own access rights; in addition to the management of keys, the attribute authorization center is also responsible for defining the set of system attributes. It is fully trusted and its main function is to accept User registration, key distribution, user verification and management of attribute domains, etc .; the main role of the cloud server is to provide ciphertext storage and file transfer services.

在本发明实施例中，当接收到文件拥有者发送的文件共享请求时，根据文件拥有者预先设置的内容密钥集合ck＝{ck₁,......,ck_k}，采用对称加密算法(例如，数据加密算法(Data Encryption Standard，DES)、高级加密标准(Advanced Encryption Standard，AES)等)对待共享文件集合进行加密，得到文件密文集合

其中，待共享文件集合包含一个或多个待共享文件，内容密钥集合ck＝{ck₁,......,ck_k}中的第k个内容密钥ck_k为待共享文件集合中第k个待共享文件采用对称加密算法时的密钥，

为第k个待共享文件对应的文件密文。In the embodiment of the present invention, when a file sharing request sent by the file owner is received, according to the content key set preset by the file owner ck = {ck₁ , ......, ck_k }, symmetric Encryption algorithm (for example, Data Encryption Standard (DES), Advanced Encryption Standard (AES), etc.) encrypts the set of shared files to obtain a set of file ciphertexts

The file set to be shared contains one or more files to be shared, and the content key set ck = {ck₁ , ......, ck_k } is the kth content key ck_k to be the file set to be shared The key of the k-th file to be shared in the symmetric encryption algorithm,

The file ciphertext corresponding to the k-th file to be shared.

在使用对称加密算法对待共享文件集合进行加密之前，优选地，控制属性授权中心通过系统初始化函数Setup(λ)生成公共参数(公钥)PK和主私钥MSK，从而提高了公共参数和主私钥的信任度。其中，λ为预设安全参数。Before using the symmetric encryption algorithm to encrypt the shared file set, preferably, the control attribute authorization center generates the public parameter (public key) PK and the master private key MSK through the system initialization function Setup (λ), thereby improving the public parameter and the master private The trustworthiness of the key. Among them, λ is a preset security parameter.

在控制属性授权中心通过系统初始化函数Setup(λ)生成公共参数(公钥)PK和主私钥MSK时，优选地，通过下述步骤具体实现：When the control attribute authorization center generates the public parameter (public key) PK and the master private key MSK through the system initialization function Setup (λ), it is preferably implemented through the following steps:

1)、选取一个素数阶为p的双线性群G₀、G_T，双线性映射e:G₀×G₀→G_T，且选取双线性群G₀的一个生成元g；1). Select a bilinear group G₀ , G_T with prime order p, bilinear map e: G₀ × G₀ → G_T , and select a generator g of the bilinear group G₀ ;

2)、定义一个哈希函数H:{0,1}^*→G₀，并在Z_p:{0,1,...,p-1}域中随机选择两个元素α和β；2). Define a hash function H: {0,1}^* → G₀ and randomly select two elements α and β in the Z_p : {0,1, ..., p-1} domain;

3)、通过公式PK＝(G₀,p,g,e(g,g)^α,h＝g^β)计算公共参数PK，通过公式MSK＝(g^α,β)计算主私钥MSK，PK作为公钥对外开放，MSK作为主密钥由属性授权中心保管。3) Calculate the public parameter PK by the formula PK = (G₀ , p, g, e (g, g)^α , h = g^β ), and calculate the master private key MSK, PK by the formula MSK = (g^α , β) As the public key is open to the public, MSK is kept by the attribute authorization center as the master key.

从而通过上述步骤1)～3)实现了公共参数PK和主私钥MSK的生成，进一步提高了公共参数和主私钥的信任度。Therefore, the public parameters PK and the master private key MSK are generated through the above steps 1) to 3), and the trustworthiness of the public parameters and the master private key is further improved.

在步骤S102中，根据预先生成的公共参数和预先构建的与门策略LSSS矩阵对应的与门访问控制策略，使用预设的加密函数对内容密钥集合进行加密，得到与内容密钥集合对应的密钥密文集合。In step S102, according to the pre-generated public parameters and the pre-built AND gate access control strategy corresponding to the gate strategy LSSS matrix, the content key set is encrypted using a preset encryption function to obtain the corresponding content key set Key ciphertext collection.

在本发明实施例中，文件拥有者将公共参数PK、内容密钥集合ck＝{ck₁,......,ck_k}以及与门策略LSSS矩阵对应的与门访问控制策略(M,ρ)输入到加密函数CT＝Encrypt(PK,(M,ρ),ck)中，通过该加密函数对内容密钥集合进行加密，得到与内容密钥集合对应的密钥密文集合CT，且密钥密文集合CT包含与门访问控制策略(M,ρ)，其中，(M,ρ)为与门策略线性秘密分享方案(Linear Secret Sharing Scheme，LSSS)矩阵M对应的与门访问控制策略，函数ρ为将矩阵M的每一行映射成系统属性集合中系统属性的单映射函数，M为n×n的矩阵，n也即矩阵M中系统属性的数目。In the embodiment of the present invention, the file owner combines the common parameter PK, the content key set ck = {ck₁ , ......, ck_k } and the AND gate access control strategy (M , ρ) is input into the encryption function CT = Encrypt (PK, (M, ρ), ck), and the content key set is encrypted by the encryption function to obtain the key ciphertext set CT corresponding to the content key set, And the key ciphertext set CT includes the AND gate access control strategy (M, ρ), where (M, ρ) is the AND gate access control corresponding to the matrix M of the linear secret sharing scheme (LSSS) matrix Strategy, function ρ is a single mapping function that maps each row of matrix M to system attributes in the system attribute set, M is an n × n matrix, and n is the number of system attributes in matrix M.

在使用加密函数CT＝Encrypt(PK,(M,ρ),ck)对内容密钥集合进行加密时，优选地，通过下述步骤实现对内容密钥集合的加密：When the encryption function CT = Encrypt (PK, (M, ρ), ck) is used to encrypt the content key set, preferably, the content key set is encrypted through the following steps:

1)在Z_p:{0,1,...,p-1}域中选择k个随机数s₁、s₂、...、s_k作为加密指数秘密值，对于所有的i＝1,2,...,k计算C_i和C′_i：

1) Select k random numbers s₁ , s₂ , ..., s_k as the secret value of the encryption index in the Z_p : {0,1, ..., p-1} field, for all i = 1 , 2, ..., k calculate C_i and C ′_i :

2)选择一组随机向量集合

其中，

其中，y₂,...,y_n是为了分享加密指数秘密值s_i(i∈[1,k])；2) Choose a set of random vectors

among them,

Among them, y₂ , ..., y_n is to share the secret value of the encryption index s_i (i∈ [1, k]);

3)计算

并在Z_p:{0,1,...,p-1}域中选择n个随机数λ′_1,j、λ′_2,j、...、λ′_n,j作为属性掩码，其中，i∈[1,n]，j∈[1,n-1]，M_i,j为第j个矩阵M_j的第i行，

为随机向量集合

中的第j个向量；3) Calculation

And select n random numbers λ ′_{1, j} , λ ′_{2, j} , ..., λ ′_{n, j} as the attribute mask in the field of Z_p : {0,1, ..., p-1} , Where i∈ [1, n], j∈ [1, n-1], M_{i, j} is the i-th row of the j-th matrix M_j ,

Random vector collection

The jth vector in;

4)对于i∈[1,n]，计算C_1,i和C_2,i：

C_2,i＝λ_i,j-λ′_i,j；4) For i ∈ [1, n], calculate C_{1, i} and C_{2, i} :

C_{2, i} = λ_{i, j} -λ ′_{i, j} ;

5)根据密文公式

计算密钥密文集合CT。5) According to the ciphertext formula

Compute the key ciphertext set CT.

从而通过上述步骤1)～5)实现了对内容密钥集合的加密，得到与待共享文件集合对应的密钥密文集合，提高了对共享文件加密的效率和安全程度。Therefore, the encryption of the content key set is realized through the above steps 1) to 5), and a key ciphertext set corresponding to the file set to be shared is obtained, which improves the efficiency and security of encrypting the shared file.

在步骤S103中，将文件密文集合和密钥密文集合上传至云服务器，以实现云端文件共享。In step S103, the file ciphertext set and the key ciphertext set are uploaded to the cloud server, so as to realize cloud file sharing.

在本发明实施例中，文件拥有者将文件密文集合E_ck(Μ)和与该文件密文集合对应的密钥密文集合CT上传至云服务器，以供文件访问者访问云服务器中相应的文件，从而实现云端文件共享。In the embodiment of the present invention, the file owner uploads the file ciphertext set E_ck (Μ) and the key ciphertext set CT corresponding to the file ciphertext set to the cloud server for the file visitor to access the corresponding cloud server Files to achieve cloud file sharing.

在本发明实施例中，当接收到文件拥有者发送的文件共享请求时，根据内容密钥集合，使用对称加密算法对待共享文件集合进行加密，得到文件密文集合，根据公共参数和与门策略LSSS矩阵对应的与门访问控制策略，使用加密函数对内容密钥集合进行加密，得到与内容密钥集合对应的密钥密文集合，将文件密文集合和密钥密文集合上传至云服务器，以实现云端文件共享，从而在通过CP-ABE实现密文分层访问的同时，降低了密文的存储开销、通信开销以及解密的计算复杂度，提高了加密效率、解密效率以及共享数据的安全程度。In the embodiment of the present invention, when a file sharing request sent by the file owner is received, the shared file set is encrypted using a symmetric encryption algorithm according to the content key set to obtain a file ciphertext set, based on the common parameters and AND gate strategy The AND gate access control strategy corresponding to the LSSS matrix uses an encryption function to encrypt the content key set to obtain the key ciphertext set corresponding to the content key set, and uploads the file ciphertext set and key ciphertext set to the cloud server , To achieve cloud file sharing, thereby reducing the storage overhead, communication overhead, and decryption computational complexity of ciphertext while achieving hierarchical access to ciphertext through CP-ABE, improving encryption efficiency, decryption efficiency, and shared data Security.

实施例二：Example 2:

图2示出了本发明实施例二提供的基于CP-ABE分层访问控制的文件共享方法的实现流程，为了便于说明，仅示出了与本发明实施例相关的部分，详述如下：FIG. 2 shows an implementation process of a file sharing method based on CP-ABE hierarchical access control provided in Embodiment 2 of the present invention. For ease of description, only the parts related to the embodiment of the present invention are shown, and the details are as follows:

在步骤S201中，当接收到文件拥有者发送的文件共享请求时，控制文件拥有者根据预设的系统属性集合对待共享文件集合中每个文件构造对应的与门结构访问树。In step S201, when a file sharing request sent by the file owner is received, the control file owner constructs a corresponding AND gate structure access tree for each file in the shared file set according to a preset system attribute set.

在本发明实施例中，当接收到文件拥有者发送的文件共享请求时，文件拥有者根据属性授权中心定义的系统属性集合对待共享文件集合中每个文件一一构造对应的与门结构访问树，即不同的文件具有不同的访问策略。In the embodiment of the present invention, when a file sharing request sent by the file owner is received, the file owner constructs a corresponding AND gate structure access tree for each file in the shared file set according to the system attribute set defined by the attribute authorization center , That is, different files have different access policies.

作为示例地，文件拥有者要将文件集合Μ＝{m₁,m₂}加密后上传到云服务器，首先，根据系统属性集合Y＝{"主治医生","糖尿病学","研究员"}对文件m₁构造与门结构访问树T₁、对文件m₂构造与门结构访问树T₂，图3示出了与门结构访问树T₁和与门结构访问树T₂，T₁对应的访问策略的属性集合Y₁＝{"主治医生","糖尿病学","研究员"}，即只有达到主治医生级别的糖尿病学研究员才能访问文件m₁，T₂对应的访问策略的属性集合Y₂＝{"糖尿病学","研究员"}，即只要是糖尿病学研究员就能访问文件m₂。As an example, the file owner wants to encrypt the file set M = {m₁ , m₂ } and upload it to the cloud server. First, according to the system attribute set Y = {"attending doctor", "diabetes", "researcher"} file m₁ is configured with a gate structure of an access tree T_1, access tree T to the document₂ is configured with the gate structure m_2, FIG. 3 shows the access tree_{T. 1} and a door structure and a door structure of an access tree T_2, T₁ corresponding to Attribute set of access strategy Y₁ = {"attending doctor", "diabetes", "researcher"}, that is, only diabetic researchers who reach the level of attending doctor can access the attribute set of access strategy corresponding to file m₁ and T₂ Y₂ = {"Diabetes", "Researcher"}, that is, as long as a diabetes researcher can access the file m₂ .

在步骤S202中，根据每个与门结构访问树之间的共性，将所有的与门结构访问树集成为一个与门分层访问树。In step S202, according to the commonality between each AND gate structure access tree, all AND gate structure access trees are integrated into an AND gate hierarchical access tree.

在本发明实施例中，每个与门结构访问树都包括等级节点、传输节点和具有属性的叶节点，根据每个与门结构访问树之间的共性(即等级关系)，将所有的与门结构访问树集成为一个与门分层访问树，从而通过共享访问策略的形式降低计算和存储开销，除此之外，用户解密所有密文时仅需要计算一次密钥，提高了解密效率。In the embodiment of the present invention, each AND gate structure access tree includes a rank node, a transmission node, and a leaf node with attributes. According to the commonality between each AND gate structure access tree (that is, a hierarchical relationship), all The access tree of the gate structure is integrated into a hierarchical access tree of AND gates, thereby reducing the calculation and storage overhead in the form of a shared access strategy. In addition, users only need to calculate the key once to decrypt all ciphertext, which improves the decryption efficiency.

作为示例地，如图3示出的与门结构访问树T₁和与门结构访问树T₂，假设属性A＝"主治医生"，B＝"糖尿病学"，C＝"研究员"，则T₁相应的访问策略为(A,(B,C,2),2)，T₂相应的访问策略为(B,C,2)，经过观察发现T₂是T₁的子集，彼此之间有明显的等级关系，即访问策略树T₂可通过扩展的形式得到访问策略树T₁，则将T₁和T₂集成一个如图4所示的与门分层访问树T，即如果这两份文件采用访问策略树T进行加密，其中访问策略可以被文件m₁和文件m₂共同使用。As an example, as shown in the AND gate structure access tree T₁ and the AND gate structure access tree T₂ shown in FIG. 3, assuming that the attributes A = "attending doctor", B = "diabetes", and C = "researcher", then T_{1 The} corresponding access strategy is (A, (B, C, 2), 2), and the corresponding access strategy for T₂ is (B, C, 2). After observation, it is found that T₂ is a subset of T₁ , between each other There is an obvious hierarchical relationship, that is, the access policy tree T₂ can be obtained by expanding the access policy tree T₁ , and then integrate T₁ and T₂ into a hierarchical access tree T as shown in FIG. 4, that is, if this The two files are encrypted using an access policy tree T, where the access policy can be used jointly by file m₁ and file m₂ .

在步骤S203中，根据预设的矩阵转换规则将与门分层访问树转换成与门策略LSSS矩阵。In step S203, the AND gate hierarchical access tree is converted into an AND gate strategy LSSS matrix according to a preset matrix conversion rule.

在本发明实施例中，在根据预设的矩阵转换规则将与门分层访问树转换成与门策略LSSS矩阵时，优选地，首先将与门分层访问树的根节点标记为矢量v，并初始化一个全局计数器变量c为1，遍历完与门分层访问树后，c即向量的最长长度，然后从上往下遍历与门分层访问树，将一个子节点标记为由其父节点分配的矢量v|1(父节点|子节点连接)，标记该父节点的另一个子节点为矢量(0,...,0)|-1，其中(0,...,0)表示的是0向量的长度为c，最后，一旦完成整个树的标记，将向量标记的叶节点转换成LSSS矩阵中的每一行，若这些向量长度不同，将在向量尾部填充矢量0，从而达到相同的向量长度，从而通过与门策略LSSS矩阵替换分层访问树的访问结构，实现了分层访问的效果，提高了对共享文件加密的效率，并降低了密文的存储开销。In the embodiment of the present invention, when converting the AND gate hierarchical access tree into an AND gate strategy LSSS matrix according to a preset matrix conversion rule, preferably, the root node of the AND gate hierarchical access tree is first marked as a vector v, And initialize a global counter variable c to 1, after traversing the AND gate hierarchical access tree, c is the longest length of the vector, and then traverse the AND gate hierarchical access tree from top to bottom, marking a child node as its parent Node assigned vector v | 1 (parent node | child node connection), mark the other child node of the parent node as vector (0, ..., 0) | -1, where (0, ..., 0) It means that the length of the 0 vector is c. Finally, once the entire tree is marked, the leaf nodes labeled by the vector are converted into each row in the LSSS matrix. If the length of these vectors is different, thevector 0 will be filled at the end of the vector to achieve With the same vector length, the access structure of the hierarchical access tree is replaced by the AND gate strategy LSSS matrix, which achieves the effect of hierarchical access, improves the efficiency of encrypting shared files, and reduces the storage overhead of ciphertext.

作为示例地，图5示出了将与门分层访问树T按照矩阵转换规则转换成与门策略LSSS矩阵M。As an example, FIG. 5 shows that the AND gate hierarchical access tree T is converted into an AND gate strategy LSSS matrix M according to a matrix conversion rule.

在步骤S204中，根据预先设置的内容密钥集合，使用对称加密算法对待共享文件集合进行加密，得到文件密文集合。In step S204, according to the preset content key set, a symmetric encryption algorithm is used to encrypt the set of shared files to obtain a set of file ciphertexts.

在步骤S205中，根据公共参数和与门策略LSSS矩阵对应的与门访问控制策略，使用预设的加密函数对内容密钥集合进行加密，得到与内容密钥集合对应的密钥密文集合。In step S205, the content key set is encrypted using a preset encryption function according to the common parameters and the AND access control policy corresponding to the gate policy LSSS matrix to obtain a key ciphertext set corresponding to the content key set.

在步骤S206中，将文件密文集合和密钥密文集合上传至云服务器，以实现云端文件共享。In step S206, the set of file ciphertexts and the set of key ciphertexts are uploaded to the cloud server to achieve cloud file sharing.

在本发明实施，步骤S204～步骤S206的具体实施方式可参考实施例一的步骤S101-步骤S103的描述，在此不再赘述。In the implementation of the present invention, for the specific implementation of step S204 to step S206, reference may be made to the description of step S101 to step S103 inEmbodiment 1, and details are not described herein again.

在步骤S207中，当接收到文件访问者发送的文件访问请求时，控制文件访问者从属性授权中心获得文件访问者的用户私钥，用户私钥包含与文件访问者对应的用户属性集合。In step S207, when receiving the file access request sent by the file accessor, the control file accessor obtains the file accessor's user private key from the attribute authorization center, and the user private key contains the user attribute set corresponding to the file accessor.

在本发明实施例中，当接收到文件访问者发送的文件访问请求时，属性授权中心根据该文件访问请求，以主私钥MSK和该文件访问者对应的用户属性集合作为输入，通过密钥生成函数KeyGen(MSK,S)生成文件访问者的用户私钥。In the embodiment of the present invention, when a file access request sent by a file visitor is received, the attribute authorization center takes the master private key MSK and the user attribute set corresponding to the file visitor as input according to the file access request, and passes the key The generating function KeyGen (MSK, S) generates the user private key of the file visitor.

文件访问者在发送文件访问请求之前，优选地，文件访问者在属性授权中心进行注册，在注册时，属性授权中心对文件访问者身份的合法性进行验证，验证通过后，为该文件访问者分配用户属性集合，从而提高云端文件访问的安全性。Before the file visitor sends the file access request, preferably, the file visitor registers with the attribute authorization center. During registration, the attribute authorization center verifies the legality of the file visitor ’s identity. Assign user attribute sets to improve the security of file access in the cloud.

在通过密钥生成函数KeyGen(MSK,S)生成文件访问者的用户私钥时，优选地，当文件访问者身份的合法性验证通过后，通过公式

计算文件访问者的用户私钥，其中，K₀＝g^αh^r，K₁＝g^r，

r为Z_p:{0,1,...,p-1}域中一随机元素，用户属性集合S＝{A₁,...,A_x}，A_x为S中第x个属性，从而进一步提高云端文件访问的安全性。When generating the file visitor's user private key through the key generation function KeyGen (MSK, S), preferably, after the file visitor's identity verification is passed, the formula is passed

Calculate the user private key of the file visitor, where K₀ = g^α h^r and K₁ = g^r ,

r is Z_p : a random element in the domain {0,1, ..., p-1}, user attribute set S = {A₁ , ..., A_x }, A_x is the xth attribute in S To further improve the security of file access in the cloud.

在步骤S208中，根据公共参数和用户私钥，使用预设的解密函数对云服务器中的密钥密文集合进行解密，得到与用户属性集合对应的访问内容密钥集合。In step S208, according to the public parameters and the user's private key, the key ciphertext set in the cloud server is decrypted using a preset decryption function to obtain an access content key set corresponding to the user attribute set.

在本发明实施例中，文件访问者将公共参数PK、用户私钥SK以及密钥密文集合CT输入到解密函数Decrypt(PK,CT,SK)中，通过该解密函数对云服务器中的密钥密文集合CT进行解密，得到与用户属性集合对应的访问内容密钥集合。In the embodiment of the present invention, the file visitor inputs the public parameter PK, the user's private key SK, and the set of key ciphertext CT into the decryption function Decrypt (PK, CT, SK), and uses the decryption function to encrypt The key ciphertext set CT is decrypted to obtain the access content key set corresponding to the user attribute set.

在对密钥密文集合进行解密时，优选地，通过下述步骤实现对密钥密文集合的解密：When decrypting the set of key ciphertexts, it is preferable to decrypt the set of key ciphertexts through the following steps:

1)根据与门访问控制策略，获取满足用户属性集合的文件访问策略。1) According to the AND gate access control strategy, obtain the file access strategy that satisfies the user attribute set.

在本发明实施例中，在获取满足用户属性集合的文件访问策略时，优选地，判断用户属性集合S是否满足与门访问控制策略(M,ρ)，是则，将与门访问控制策略设置为文件访问策略，否则，根据与门策略LSSS矩阵M中等级关系规则，将矩阵M_j(即M)中的第一行和第一列删除产生新的矩阵M_j+1，其中j∈[1,n-2]，M为n×n的矩阵，n也即矩阵M中系统属性的的数目，再判断用户属性集合S是否满足M_j+1，若不满足，则对M_j+1中的第一行和第一列进行删除，产生新的矩阵，继续判断，直至用户属性集合满足生成的新矩阵对应的与门访问控制策略，从而提高获取的文件访问策略的合理性。In the embodiment of the present invention, when obtaining a file access policy that satisfies the user attribute set, it is preferable to determine whether the user attribute set S satisfies the AND gate access control policy (M, ρ). Is a file access strategy, otherwise, according to the hierarchical relationship rules in the AND gate strategy LSSS matrix M, the first row and first column in the matrix M_j (ie, M) are deleted to generate a new matrix M_{j + 1} , where j∈ [ 1, n-2], M is a matrix of n × n, n is the number of system attributes in matrix M, and then judge whether the user attribute set S satisfies M_{j + 1} , if not, then M_{j + 1} The first row and the first column in the are deleted, a new matrix is generated, and the judgment is continued until the user attribute set meets the AND access control strategy corresponding to the generated new matrix, thereby improving the rationality of the obtained file access strategy.

2)根据文件访问策略解密出对应的访问内容密钥集合。2) Decrypt the corresponding access content key set according to the file access strategy.

在本发明实施例中，在根据文件访问策略解密出对应的访问内容密钥集合时，优选地，In the embodiment of the present invention, when decrypting the corresponding set of access content keys according to the file access policy, preferably,

当文件访问策略为与门策略LSSS矩阵M对应的与门访问控制策略(M,ρ)时，首先，通过∑_i∈Sω_i·M_i＝(1,0,...,0)计算ω_i，且使得ω_i∈Z_p，其中M_i为矩阵M的第i行，再通过公式

计算第i个用户属性A_i，最后，通过公式

计算出对应的访问内容密钥集合ck＝{ck₁,......,ck_k}；When the file access strategy is the AND gate access control strategy (M, ρ) corresponding to the gate strategy LSSS matrix M, first, it is calculated by ∑_i∈S ω_i · M_i = (1,0, ..., 0) ω_i , and make ω_i ∈ Z_p , where M_i is the i-th row of matrix M, and then pass the formula

Calculate the i-th user attribute A_i , and finally, pass the formula

Calculate the corresponding access content key set ck = {ck₁ , ......, ck_k };

当文件访问策略为M_j+1对应的与门访问控制策略时，首先，选择满足M_j+1对应的访问策略的属性集合I＝{i:ρ(i)∈S}，再通过∑_i∈Iω_i·M_i,j+1＝(1,0,...,0)计算ω_i，且使得ω_i∈Z_p，其中，M_i,j+1为矩阵M_j+1的第i行，j∈[1,n-2]，然后，通过公式

计算第i个用户属性A_i，最后，通过公式

计算出对应的访问内容密钥集合ck＝{ck_j+1,ck_j+2,......,ck_k}。When the file access strategy is the AND access control strategy corresponding to M_{j + 1} , first, select the attribute set I = {i: ρ (i) ∈S} that satisfies the access strategy corresponding to M_{j + 1} , and then pass ∑_{i ∈I} ω_i · M_{i, j + 1} = (1,0, ..., 0) calculate ω_i and make ω_i ∈Z_p , where M_{i, j + 1} is the matrix M_{j + 1} Line i, j ∈ [1, n-2], then, through the formula

Calculate the i-th user attribute A_i , and finally, pass the formula

Calculate the corresponding access content key set ck = {ck_{j + 1} , ck_{j + 2} , ......, ck_k }.

通过上述步骤，可提高解密出的访问内容密钥的适应性和可信度。Through the above steps, the adaptability and credibility of the decrypted access content key can be improved.

在步骤S209中，根据访问内容密钥集合，使用对称解密算法对云服务器中的文件密文集合进行解密，得到与访问内容密钥集合相应的访问文件明文集合。In step S209, according to the access content key set, a symmetric decryption algorithm is used to decrypt the file ciphertext set in the cloud server to obtain the access file plaintext set corresponding to the access content key set.

在本发明实施例中，根据访问内容密钥集合，采用对称解密算法对云服务器中的文件密文集合E_ck(Μ)进行解密，得到与访问内容密钥集合相应的访问文件明文集合，例如，若根据用户属性集合解密出的访问内容密钥集合为ck＝{ck₁,......,ck_k}，根据该访问内容密钥集合，采用对称解密算法对文件密文集合

进行解密，则获得的访问文件明文集合为Μ＝{m₁,m₂,....,m_k}，若根据用户属性集合解密出的访问内容密钥集合为ck＝{ck_j+1,ck_j+2,......,ck_k}，根据该访问内容密钥集合，采用对称解密算法对文件密文集合

进行解密，则获得的访问文件明文集合为Μ＝{m_j+1,m_j+2,....,m_k}。In the embodiment of the present invention, according to the access content key set, a symmetric decryption algorithm is used to decrypt the file ciphertext set E_ck (Μ) in the cloud server to obtain the access file clear text set corresponding to the access content key set, for example If the access content key set decrypted according to the user attribute set is ck = {ck₁ , ......, ck_k }, according to the access content key set, a symmetric decryption algorithm is used to set the file ciphertext set

For decryption, the obtained plaintext set of access files is M = {m₁ , m₂ , ..., m_k }, and if the set of access content keys decrypted according to the user attribute set is ck = {ck_{j + 1} , ck_{j + 2} , ......, ck_k }, according to the access content key set, a symmetric decryption algorithm is used to set the file ciphertext

After decryption, the obtained plaintext set of access files is M = {m_{j + 1} , m_{j + 2} , ..., m_k }.

在本发明实施例中，文件共享时，每个待共享文件都有不同的访问策略，文件拥有者为每个待共享构造对应的与门结构访问树，再根据与门结构访问树之间共性，将与门结构访问树集成为一个与门分层访问树，文件拥有者对共享文件加密时都采用该与门分层访问树；文件访问时，文件访问者根据自身携带的用户属性对与门分层访问树的每个子树遍历进而判断该访问者满足哪个文件的访问策略，最终解密相应的内容密钥，同时通过对称解密获得相应的明文文件，从而在通过CP-ABE实现密文分层访问的同时，降低了密文的存储开销、通信开销以及解密的计算复杂度，提高了加密效率、解密效率以及共享数据的安全程度。In the embodiment of the present invention, when files are shared, each file to be shared has a different access strategy, and the file owner constructs a corresponding AND structure access tree for each to be shared, and then accesses the tree according to the AND structure , The AND gate structure access tree is integrated into an AND gate hierarchical access tree, and the file gate owner uses the AND gate hierarchical access tree when encrypting shared files; during file access, the file visitor matches the user attribute carried by itself Each subtree of the hierarchical access tree traverses to determine which file access strategy the visitor satisfies, and finally decrypts the corresponding content key, and obtains the corresponding plaintext file through symmetric decryption, thus achieving ciphertext separation through CP-ABE At the same time of layer access, it reduces the storage overhead of ciphertext, communication overhead, and the computational complexity of decryption, and improves the efficiency of encryption, decryption, and the security of shared data.

实施例三：Example three:

图6示出了本发明实施例三提供的基于CP-ABE分层访问控制的文件共享装置的结构，为了便于说明，仅示出了与本发明实施例相关的部分，其中包括：FIG. 6 shows the structure of a file sharing device based on CP-ABE hierarchical access control provided in Embodiment 3 of the present invention. For ease of description, only parts related to the embodiment of the present invention are shown, including:

第一加密单元61，用于当接收到文件拥有者发送的文件共享请求时，根据预先设置的内容密钥集合，使用对称加密算法对待共享文件集合进行加密，得到文件密文集合；Thefirst encryption unit 61 is configured to, when receiving a file sharing request sent by the file owner, encrypt the shared file set using a symmetric encryption algorithm according to the preset content key set to obtain a set of file ciphertexts;

第二加密单元62，用于根据预先生成的公共参数和预先构建的与门策略LSSS矩阵对应的与门访问控制策略，使用预设的加密函数对内容密钥集合进行加密，得到与内容密钥集合对应的密钥密文集合；以及Thesecond encryption unit 62 is used to encrypt the content key set using a preset encryption function according to the pre-generated public parameters and the pre-built AND gate access control strategy corresponding to the gate strategy LSSS matrix to obtain the content key The set of key ciphertexts corresponding to the set; and

密文上传单元63，用于将文件密文集合和密钥密文集合上传至云服务器，以实现云端文件共享。Theciphertext uploading unit 63 is used to upload the set of file ciphertext and the set of key ciphertext to the cloud server, so as to realize cloud file sharing.

在本发明实施例中，基于CP-ABE分层访问控制的文件共享装置的各单元可由相应的硬件或软件单元实现，各单元可以为独立的软、硬件单元，也可以集成为一个软、硬件单元，在此不用以限制本发明。具体地，各单元的实施方式可参考前述实施例一的描述，在此不再赘述。In the embodiment of the present invention, each unit of the file sharing device based on CP-ABE hierarchical access control may be implemented by a corresponding hardware or software unit, and each unit may be an independent software or hardware unit, or may be integrated into one software or hardware unit The unit is not used here to limit the invention. Specifically, for the implementation of each unit, reference may be made to the foregoing description ofEmbodiment 1, and details are not described herein again.

实施例四：Example 4:

图7示出了本发明实施例四提供的基于CP-ABE分层访问控制的文件共享装置的结构，为了便于说明，仅示出了与本发明实施例相关的部分，其中包括：FIG. 7 shows the structure of a file sharing device based on CP-ABE hierarchical access control provided in Embodiment 4 of the present invention. For ease of description, only parts related to the embodiment of the present invention are shown, including:

访问树构造单元71，当接收到文件拥有者发送的文件共享请求时，控制文件拥有者根据预设的系统属性集合对待共享文件集合中每个文件构造对应的与门结构访问树；The accesstree construction unit 71, when receiving the file sharing request sent by the file owner, controls the file owner to construct a corresponding AND gate structure access tree for each file in the shared file set according to the preset system attribute set;

访问树集成单元72，用于根据每个与门结构访问树之间的共性，将所有的与门结构访问树集成为一个与门分层访问树；The accesstree integration unit 72 is used to integrate all AND gate structure access trees into one AND gate hierarchical access tree according to the commonality between each AND gate structure access tree;

矩阵转换单元73，用于根据预设的矩阵转换规则将与门分层访问树转换成与门策略LSSS矩阵；Thematrix conversion unit 73 is configured to convert the AND gate layered access tree into an AND gate strategy LSSS matrix according to a preset matrix conversion rule;

第一加密单元74，用于根据预先设置的内容密钥集合，使用对称加密算法对待共享文件集合进行加密，得到文件密文集合；Thefirst encryption unit 74 is configured to encrypt the set of shared files using a symmetric encryption algorithm according to the preset content key set to obtain a set of file ciphertexts;

第二加密单元75，用于根据公共参数和与门策略LSSS矩阵对应的与门访问控制策略，使用预设的加密函数对内容密钥集合进行加密，得到与内容密钥集合对应的密钥密文集合；Thesecond encryption unit 75 is used to encrypt the content key set using a preset encryption function according to the common parameters and the AND access control policy corresponding to the gate policy LSSS matrix to obtain the key secret corresponding to the content key set Text collection

密文上传单元76，用于将文件密文集合和密钥密文集合上传至云服务器，以实现云端文件共享；The ciphertext uploadunit 76 is used to upload the set of file ciphertext and the set of key ciphertext to the cloud server, so as to realize cloud file sharing;

用户私钥获取单元77，用于当接收到文件访问者发送的文件访问请求时，控制文件访问者从属性授权中心获得文件访问者的用户私钥，用户私钥包含与文件访问者对应的用户属性集合；The user privatekey acquisition unit 77 is used to control the file accessor to obtain the file accessor's user private key from the attribute authorization center when receiving the file access request sent by the file accessor, and the user private key contains the user corresponding to the file accessor Attribute collection

密钥密文解密单元78，用于根据公共参数和用户私钥，使用预设的解密函数对云服务器中的密钥密文集合进行解密，得到与用户属性集合对应的访问内容密钥集合；以及The keyciphertext decryption unit 78 is used to decrypt the key ciphertext set in the cloud server using a preset decryption function according to the public parameters and the user's private key to obtain the access content key set corresponding to the user attribute set; as well as

文件密文解密单元79，用于根据访问内容密钥集合，使用对称解密算法对云服务器中的文件密文集合进行解密，得到与访问内容密钥集合相应的访问文件明文集合。The fileciphertext decryption unit 79 is configured to decrypt the file ciphertext set in the cloud server using a symmetric decryption algorithm according to the access content key set, to obtain the access file cleartext set corresponding to the access content key set.

在本发明实施例中，基于CP-ABE分层访问控制的文件共享装置的各单元可由相应的硬件或软件单元实现，各单元可以为独立的软、硬件单元，也可以集成为一个软、硬件单元，在此不用以限制本发明。具体地，各单元的实施方式可参考前述方法实施例的描述，在此不再赘述。In the embodiment of the present invention, each unit of the file sharing device based on CP-ABE hierarchical access control may be implemented by a corresponding hardware or software unit, and each unit may be an independent software or hardware unit, or may be integrated into one software or hardware unit The unit is not used here to limit the invention. Specifically, for the implementation of each unit, reference may be made to the description of the foregoing method embodiments, and details are not described herein again.

实施例五：Example 5:

图8示出了本发明实施例五提供的计算设备的结构，为了便于说明，仅示出了与本发明实施例相关的部分。FIG. 8 shows the structure of the computing device provided in Embodiment 5 of the present invention. For convenience of description, only parts related to the embodiment of the present invention are shown.

本发明实施例的计算设备8包括处理器80、存储器81以及存储在存储器81中并可在处理器80上运行的计算机程序82。该处理器80执行计算机程序82时实现上述基于CP-ABE分层访问控制的文件共享方法实施例中的步骤，例如图1所示的步骤S101至S103。或者，处理器80执行计算机程序82时实现上述各装置实施例中各单元的功能，例如图6所示单元61至63的功能。Thecomputing device 8 of the embodiment of the present invention includes aprocessor 80, amemory 81, and acomputer program 82 stored in thememory 81 and executable on theprocessor 80. When theprocessor 80 executes thecomputer program 82, the steps in the embodiment of the file sharing method based on CP-ABE hierarchical access control described above are implemented, for example, steps S101 to S103 shown in FIG. 1. Alternatively, when theprocessor 80 executes thecomputer program 82, the functions of the units in the foregoing device embodiments are realized, for example, the functions of theunits 61 to 63 shown in FIG. 6.

本发明实施例的计算设备可以为个人计算设备、服务器。该计算设备8中处理器80执行计算机程序82时实现基于CP-ABE分层访问控制的文件共享方法时实现的步骤可参考前述方法实施例的描述，在此不再赘述。The computing device in this embodiment of the present invention may be a personal computing device or a server. For the steps implemented when theprocessor 80 in thecomputing device 8 executes thecomputer program 82 to implement the file sharing method based on CP-ABE hierarchical access control, reference may be made to the description of the foregoing method embodiments, and details are not described herein again.

实施例六：Example 6:

在本发明实施例中，提供了一种计算机可读存储介质，该计算机可读存储介质存储有计算机程序，该计算机程序被处理器执行时实现上述基于CP-ABE分层访问控制的文件共享方法实施例中的步骤，例如，图1所示的步骤S101至S103。或者，该计算机程序被处理器执行时实现上述各装置实施例中各单元的功能，例如图6所示单元61至63的功能。In an embodiment of the present invention, a computer-readable storage medium is provided, and the computer-readable storage medium stores a computer program that implements the above-mentioned file sharing method based on CP-ABE hierarchical access control when the computer program is executed by a processor The steps in the embodiment are, for example, steps S101 to S103 shown in FIG. 1. Alternatively, when the computer program is executed by the processor, the functions of the units in the above device embodiments are realized, for example, the functions of theunits 61 to 63 shown in FIG. 6.

本发明实施例的计算机可读存储介质可以包括能够携带计算机程序代码的任何实体或装置、记录介质，例如，ROM/RAM、磁盘、光盘、闪存等存储器。The computer-readable storage medium in the embodiments of the present invention may include any entity or device capable of carrying computer program code, and a recording medium, such as ROM / RAM, magnetic disk, optical disk, flash memory, and other memories.

以上所述仅为本发明的较佳实施例而已，并不用以限制本发明，凡在本发明的精神和原则之内所作的任何修改、等同替换和改进等，均应包含在本发明的保护范围之内。The above are only preferred embodiments of the present invention and are not intended to limit the present invention. Any modification, equivalent replacement and improvement made within the spirit and principle of the present invention should be included in the protection of the present invention Within range.