CN104113408A - Method for realizing timely user attribute cancel based on ciphertext-policy attribute-based encryption - Google Patents

Abstract

The invention discloses a method for realizing timely user attribute cancel based on ciphertext-policy attribute-based encryption. The method is realized by the following steps: a system is established to generate a system public key and a master key; an encipherer constructs an access strategy; the encipherer carries out encryption to generate a ciphertext; an attribute authority center generates a user private key and an authorization private key; a cloud server constructs a path secret key binary tree; the cloud server carries out proxy re-encryption and generates a re-ciphertext to realize the cancel of user attributes; and a decipher carries out decryption to obtain a plaintext. The method helps to reduce the burden of the attribute authority center, and can solve the private key updating problem corresponding to the attribute cancel quickly and efficiently; when one or some attributes of a user is cancelled, access authority for other attributes is still reserved; and the cancelling of one or some attributes of the user does not influence the access authorities of other uses to the cancelled attribute; and the method has the advantages of being capable of cancelling the user attributes in a flexible, timely, fine-grained and efficient manner.

Description

A kind of realize that timely user property cancels based on ciphertext policy attribute encryption method

Technical field

The present invention relates to network and information security fields, relate to enciphered data access control technology, be specifically related to a kind of realize that timely user property cancels based on ciphertext policy attribute encryption method.

Background technology

Based on encryption attribute, belong to public-key cryptography scheme, its towards to as if Yi Ge colony, rather than unique user, allows user to utilize attribute to implement message encryption and deciphering, can realize broadcast enciphering and the fine-grained access control of efficient one-to-many.According to ciphertext and key form of expression encryption attribute two classes that are divided into encryption attribute and the ciphertext strategy of key strategy different from application scenarios.Wherein, in the encryption attribute based on ciphertext strategy, private key for user is relevant to attribute, and encipherer formulates access strategy, has determined that the user of which attribute can decipher, and and if only if just can successfully decipher when user property meets ciphertext access strategy.

Along with the development of cloud computing, increasing user is stored in the sensitive data of oneself on third-party server, to reach the object of sharing data.But third-party server is not completely believable, caused thus the worry of user for Information Security.Encryption attribute is a good solution route, and user can be embedded into access strategy in ciphertext and is stored on Cloud Server, and the user who only has attribute to meet access strategy just can successfully decipher the ciphertext on Cloud Server.But in view of user adds frequently or leaves attribute customer group, user property is cancelled with interpolation and compared, in more complicated in execution, realization, difficulty is larger, and user property is cancelled the hot issue that becomes the research of the cryptographic system of encryption attribute.At present existing many methods solve and cancel problem, revocation list can be embedded in ciphertext, to realize user and cancel; Or timing re-encrypted private key completes attribute and cancels; Can also complete and cancel by the mode of acting on behalf of re-encryption and changing system PKI and private key for user simultaneously.But above method all respectively has weak point, cancels cost large, underaction, can not realize timely fine-grained attribute and cancel.

Summary of the invention

For the deficiencies in the prior art, the present invention propose a kind of realize that timely user property cancels based on ciphertext policy attribute encryption method, to reach, reduce attribute authority (aa) central task amount and fine granularity is cancelled the object of user property.Apply key random division and act on behalf of Re-encryption Technology, the work at attribute authority (aa) center is transferred to Cloud Server to be completed, Cloud Server is gathered structure path key binary tree according to attribute user, efficiently quick solution and cancel the private key replacement problem that Attribute Relative is answered.When certain or some attribute of a user is by after cancelling, he will have the access rights of other attributes, the attribute of cancelling certain or certain user does not affect other users for the access rights of this attribute.

To achieve these goals, the following technical scheme of employing of the present invention:

Utilize linear secret technology of sharing that access strategy is embedded in ciphertext; Utilize key random division technology that master key is divided into two parts at random, be respectively used to as user and Cloud Server generation private key for user and authorize private key; Encipherer generates initial ciphertext and sends it to Cloud Server, and Cloud Server utilizes Re-encryption Technology to carry out re-encryption to initial ciphertext and generates heavy ciphertext to reach the object of data sharing and fine granularity access; The burden at attribute authority (aa) center, without linking up as it generates and upgrade private key with deciphering person, has been reduced in attribute authority (aa) center; Cloud Server is gathered structure path key binary tree according to attribute user, the corresponding private key replacement problem of other user properties after can effectively solving user property and cancelling; The ciphertext of the mandate private key of Cloud Server is deciphered the part as validated user key heavy ciphertext together with upgrading private key.Wherein:

Attribute authority (aa) center can generate PKI and master key for system, is responsible for each user assignment attribute and generates private key for user, for Cloud Server generates, authorizes private key, and user's set corresponding to each attribute sent to Cloud Server.

Encipherer formulates access strategy and encrypts the data-message of oneself, and initial ciphertext is sent to Cloud Server.

Cloud Server is responsible for that the ciphertext obtaining from encipherer is carried out to re-encryption there and is generated heavy ciphertext and store for user and share, and is responsible for the access rights that user gathers generation pass key binary tree and control user.

Deciphering person access is stored in the ciphertext on Cloud Server, only has attribute to meet ciphertext access strategy, and does not have the user who cancels in dependency user set could successful decrypting ciphertext.

The concrete implementation step of the technical program is as follows:

Step 1, system made, generation system PKI and master key:

Step 1.1, attribute authority (aa) center input security parameter 1 ^λ, and select rank be prime number p group G, described security parameter 1 ^λdetermined the size of described group G;

Step 1.2, defines hash function a: H:{0,1} ^*→ G;

Step 1.3, attribute authority (aa) center is in finite field in the random integer of selecting calculate α=(α ₁+ α ₂) modp;

Step 1.4, generation system PKI PK=<G, g, e, e (g, g) ^α, g ^a> and master key MK=< α ₁, α ₂, g ^α>, wherein e:G * G → G _tfor bilinear map, g is a generator in group G;

Step 1.5, discloses described system PKI, retains described master key.

Step 2, encipherer constructs access strategy:

Note M is the shared generator matrix of the capable n of l row, represents the participant of the capable institute of M i mark with function ρ (i), i=1 wherein ..., l, described access strategy is (M, ρ).

If share a secret value s, choose at random n-1 number form a n-dimensional vector with s vector for l the shared share of s, be i shared share, it belongs to participant ρ (i); Above-mentioned linear secret sharing scheme has linear reconstruction character: access strategy A, and participant's S set, making S ∈ A is sets of authorizations, if { λ _ithat the legal of secret s shared, there is constant make Σ _{i ∈ I}w _iλ _i=s.

Step 3, encipherer is encrypted message, generates initial ciphertext, comprises described access strategy in wherein said initial ciphertext:

Step 3.1, encipherer inputs described system PKI PK=<G, g, e, e (g, g) ^α, g ^a>, described access strategy (M, ρ) and the clear-text message that needs encryption

Step 3.2, selects random number export initial ciphertext CT=<C, C, { C _i, D _i} _{i=1 ..., l}> also sends to Cloud Server, wherein c=g ^s, $\&ForAll;i=1,...,l,C_i=g^{a{\mathrm{\&lambda;}}_i}H{\left(\mathrm{\&rho;}\left(i\right)\right)}^{r_i},D_i=g^{r_i}.$

Step 4, attribute authority (aa) center generates private key for user and authorizes private key:

Step 4.1, described system PKI PK=<G, g, e, e (g, g) are inputted in attribute authority (aa) center ^α, g ^a> and master key MK=< α ₁, α ₂, g ^α>;

Step 4.2, community set S corresponding to information distribution that attribute authority (aa) center provides according to user, selects random number for user generates private key for user wherein l=g ^t, $\&ForAll;j\&Element;S,K_j=H{\left(j\right)}^t;$ For generating, Cloud Server authorizes private key ${\mathrm{SK}}_2=\&lang;D=g^{{\mathrm{\&alpha;}}_2}\&rang;;$

Step 4.3, by safe lane by SK ₁and SK ₂pass to respectively user and Cloud Server.

Step 5, Cloud Server structure path key binary tree:

Step 5.1, U is gathered by each attribute user corresponding to attribute j ∈ S in attribute authority (aa) center _jsend to Cloud Server, for example user identity ID ₁, ID ₂, ID ₃, ID ₄{ 1,2,3}, { 2,3,4}, { 1,3,4}, { 1,2,4}, Cloud Server is gathered U by dependency authority center acquisition attribute user so to have respectively attribute ₁={ ID ₁, ID ₃, ID ₄, U ₂={ ID ₁, ID ₂, ID ₄, U ₃={ ID ₁, ID ₂, ID ₃, U ₄={ ID ₂, ID ₃, ID ₄;

Step 5.2, Cloud Server generation pass key binary tree, each member in attribute user set is on the leafy node of described binary tree, and each member has corresponding path key, each leafy node or inner node represent the key of random generation, node u _ihave path key τ _i, path key derives from leafy node to root node, for each attribute customer group U _jall there is corresponding minimum first tree (U of covering _j) can cover the corresponding leafy node of member in all properties customer group, path key is included in minimum covering in unit.

Step 6, Cloud Server is acted on behalf of re-encryption, generates heavy ciphertext, realizes cancelling user property:

Step 6.1, the described initial ciphertext CT=<C of Cloud Server input, C, { C _i, D _i} _{i=1 ..., l}> and described authorization key ${\mathrm{SK}}_2=\&lang;D=g^{{\mathrm{\&alpha;}}_2}\&rang;;$

Step 6.2, the different attribute revocation list RL that Cloud Server gives according to attribute authority (aa) center generates two kinds of dissimilar heavy ciphertexts, and wherein RL is attribute revocation list RL _jset attribute revocation list RL _jcomprised and to each attribute j relevantly in community set cancelled the corresponding relation between user:

If attribute revocation list representing does not have user's attribute to be cancelled, and Cloud Server is selected random number generate the heavy ciphertext of I $\mathrm{CT}=\&lang;\tilde{C},C,C^{\&prime;},D^{\&prime;},{\{{C^{\&prime;}}_i,{D^{\&prime;}}_i\}}_{i=1,...,l}\&rang;,$ Wherein, c=g ^s, C'=g ^s/k, $D^{\&prime;}=g^{{\mathrm{\&alpha;}}_{2}k},\&ForAll;i=1,...,l,{C^{\&prime;}}_i=g^{a{\mathrm{\&lambda;}}_i}H{\left(\mathrm{\&rho;}\left(i\right)\right)}^{r_i}H{\left(\mathrm{\&rho;}\left(i\right)\right)}^k,{D^{\&prime;}}_i=g^{r_i}{g}^k;$

If for revocation list attribute j' have reversed user, according to Cloud Server, be now all path key binary trees that user generates of not cancelling, Cloud Server is selected random number generate the heavy ciphertext of II wherein c=g ^s, C'=g ^s/k, $D^{\&prime;}=g^{{\mathrm{\&alpha;}}_{2}k},\&ForAll;i=1,...,l,{C^{\&prime;}}_i=g^{a{\mathrm{\&lambda;}}_i}H{{\left(\mathrm{\&rho;}\left(i\right)\right)}^{r_i}\left(\mathrm{\&rho;}\left(i\right)\right)}^k,$ $\mathrm{\&rho;}\left(i\right)=x^{\&prime;}:{D^{\&prime;}}_i={\left(g^{r_i}{g}^k\right)}^{1/v_{p\left(i\right)}},\mathrm{\&rho;}\left(i\right)\&NotEqual;x^{\&prime;}:{D^{\&prime;}}_i=g^{r_i}{g}^k,$ for adopting symmetric encryption method to v _j'the ciphertext of encrypting, tree (U _j') gather U for attribute user _j'the corresponding minimum unit that covers, τ is the described minimum path key covering in unit.

Step 7, deciphering person is decrypted, and draws expressly:

If do not have user's attribute to be cancelled, deciphering person inputs the heavy ciphertext of described I $\mathrm{CT}=\&lang;\tilde{C},C,C^{\&prime;},D^{\&prime;},{\{{C^{\&prime;}}_i,{D^{\&prime;}}_i\}}_{i=1,...,l}\&rang;,$ With described private key for user ${\mathrm{SK}}_1=\&lang;K,L,{\left\{K_j\right\}}_{\&ForAll;j\&Element;S}\&rang;$ And calculate as follows:

$A=\frac{{\mathrm{\&Pi;}}_{i\&Element;I}e{({C^{\&prime;}}_i,L)}^{w_i}}{{\mathrm{\&Pi;}}_{i\&Element;I}e({D^{\&prime;}}_i,K_{\mathrm{\&rho;}\left(i\right)}{)}^{w_i}}=e{(g,g)}^{\mathrm{ats}};$

Then the result drawing according to above formula is calculated clear-text message

The clear-text message of finally output deciphering;

If the revocation list of attribute j' and deciphering person's attribute j' is cancelled, represent that deciphering person is at revocation list RL _x'in, export ⊥;

If the revocation list of attribute j' and deciphering person's attribute j' is not cancelled, represent that deciphering person is not at revocation list RL _j'in, still there is the authority of access attribute j', deciphering person inputs the heavy ciphertext of described II with described private key for user ${\mathrm{SK}}_1=\&lang;K,L,\{K_j{\}}_{\&ForAll;j\&Element;S}\&rang;,$ According to the path key deciphering of oneself obtain v _j', renewal private key is calculate as follows:

$\mathrm{\&rho;}\left(i\right)=j^{\&prime;}:B_i=\frac{e{({C^{\&prime;}}_i,L)}^{w_i}}{e{({D^{\&prime;}}_i,{\tilde{K}}_{\mathrm{\&rho;}\left(i\right)})}^{w_i}}=e{(g,g)}^{\mathrm{at}{\mathrm{\&lambda;}}_i{w}_i};$

$\mathrm{\&rho;}\left(i\right)\&NotEqual;j^{\&prime;}:B_i=\frac{e{({C^{\&prime;}}_i,L)}^{w_i}}{e{({D^{\&prime;}}_i,K_{\mathrm{\&rho;}\left(i\right)})}^{w_i}}=e{(g,g)}^{\mathrm{at}{\mathrm{\&lambda;}}_i{w}_i};$

A＝Π _i∈IB _i＝e(g,g) ^ats；

Then calculate clear-text message

The clear-text message of finally output deciphering.

Beneficial effect of the present invention is:

1, utilize linear secret technology of sharing that access strategy is embedded in ciphertext, make undelegated user cannot recover secret value;

2, attribute authority (aa) center is divided into two parts at random by master key, is respectively used to as user and Cloud Server generation private key for user and authorizes private key, and the major part work at attribute authority (aa) center is transferred to Cloud Server and completes, and has reduced the burden at attribute authority (aa) center;

3, Cloud Server is gathered structure path key binary tree according to attribute user, efficiently quick solution and cancel the private key replacement problem that Attribute Relative is answered;

4, the ciphertext of the mandate private key of Cloud Server is using the decrypting ciphertext together with upgrading private key of the part as validated user key;

5, reached in time cancelling certain or some specific users' particular community;

6,, when certain or some attribute of a user is by after cancelling, he will have the access rights of other attributes, the attribute of cancelling certain or certain user does not affect other users for the access rights of this attribute;

7, have flexibly, in time, fine granularity, efficiently cancel user property.

Accompanying drawing explanation

Fig. 1 is method flow diagram of the present invention;

Fig. 2 is system configuration schematic diagram of the present invention;

Fig. 3 is path key binary tree structure schematic diagram of the present invention.

Embodiment

Below with reference to accompanying drawing, the invention will be further described, it should be noted that, the present embodiment be take the technical program and provided detailed execution mode and implementation step as prerequisite, but is not limited to the present embodiment.

As shown in Figure 1, described a kind of mainly comprising the steps: based on ciphertext policy attribute encryption method that timely user property cancels of realizing

Step 1, system made, generation system PKI and master key;

Step 2, encipherer constructs access strategy;

Step 3, encipherer is encrypted message, generates initial ciphertext;

Step 4, attribute authority (aa) center generates private key for user and authorizes private key;

Step 5, Cloud Server structure path key binary tree;

Step 6, Cloud Server is acted on behalf of re-encryption, generates heavy ciphertext, realizes cancelling user property;

Step 7, deciphering person is decrypted, and draws expressly.

Wherein, system of the present invention consists of main bodys such as attribute authority (aa) center, encipherer, Cloud Server, deciphering persons, and the correlation between main body as shown in Figure 2;

The concrete implementing procedure of step 1 is as follows:

Attribute authority (aa) center input security parameter 1 ^λ, the group G that selection rank are prime number p, security parameter 1 ^λdetermined the size of group G; Define hash function a: H:{0,1} ^*→ G; Random integers are selected at attribute authority (aa) center calculate α=(α ₁+ α ₂) modp, wherein symbol modp represents to calculate the remainder of mould p; Generation system PKI PK=<G, g, e, e (g, g) ^α, g ^a>, master key MK=< α ₁, α ₂, g ^α>, wherein, g ∈ G is for selecting a generator of group G, e:G * G → G _tfor bilinear map; System PKI is open, and master key retains.

E:G * G → G _tbilinear map need meet following character: group G and G that rank are prime number p _t, g is the generator of crowd G, chooses at random (1) bilinearity: right have (2) non-degeneracy: make e (g, h) ≠ 1; (3) computability: right mapping e (g, h) can effectively calculate in polynomial time.

The implementing procedure of step 2 is as follows:

Apply linear secret sharing scheme, all participants' shared share forms on a vector, M is the shared generator matrix of the capable n of l row, note function ρ (i) represents the participant of the capable institute of M i mark, i=1 wherein ..., l, access strategy is (M, ρ);

If share a secret value choose at random n-1 number form a n-dimensional vector with s vector for l the shared share of s, be i shared share, it belongs to participant ρ (i), and above-mentioned linear secret sharing scheme has linear reconstruction character: access strategy A, and participant's S set, making S ∈ A is sets of authorizations, if { λ _ithat the legal of secret s shared, there is constant make Σ _{i ∈ I}w _iλ _i=s.

The implementing procedure of step 3 is as follows:

Encipherer inputs described system PKI PK=<G, g, e, e (g, g) ^α, g ^a>, described access strategy (M, ρ) and the clear-text message that needs encryption select random number export initial ciphertext CT=<C, C, { C _i, D _i} _{i=1 ..., l}> also sends to Cloud Server, wherein c=g ^s, $\&ForAll;i=1,...,l{C}_i=g^{a{\mathrm{\&lambda;}}_i}H{\left(\mathrm{\&rho;}\left(i\right)\right)}^{r_i},D_i=g^{r_i}.$

The concrete implementation step of step 4 is as follows:

Attribute authority (aa) center input system PKI PK=<G, g, e, e (g, g) ^α, g ^a> and master key MK=< α ₁, α ₂, g ^α>, community set S corresponding to information distribution providing according to user, selects random number calculate as follows:

$K=g^{{\mathrm{\&alpha;}}_1}{g}^{\mathrm{at}},$ L＝g ^t， $\&ForAll;j\&Element;S,K_j=H{\left(j\right)}^t,D=g^{{\mathrm{\&alpha;}}_2};$

For user generates private key for user for generating, Cloud Server authorizes private key by safe lane by SK ₁and SK ₂pass to respectively user and Cloud Server.

As shown in table 1, according to user ID _icommunity set corresponding to information distribution providing user identity ID ₁there is attribute user identity ID ₂there is attribute user identity ID ₃there is attribute user identity ID ₄there is attribute

Table 1

The concrete implementing procedure of step 5 is as follows:

U is gathered by attribute user corresponding to each attribute j in attribute authority (aa) center _jsend to Cloud Server: user identity ID ₁, ID ₂, ID ₃, ID ₄have respectively attribute ${S_{\mathrm{ID}}}_1=\left\{\mathrm{1,2,3}\right\},{S_{\mathrm{ID}}}_2=\left\{\mathrm{2,3,4}\right\},{S_{\mathrm{ID}}}_3=\left\{\mathrm{1,3,4}\right\},{S_{\mathrm{ID}}}_4=\left\{\mathrm{1,2,4}\right\},$ Cloud Server obtains attribute user set for U by dependency authority center ₁={ ID ₁, ID ₃, ID ₄, U ₂={ ID ₁, ID ₂, ID ₄, U ₃={ ID ₁, ID ₂, ID ₃, U ₄={ ID ₂, ID ₃, ID ₄, specifically as shown in table 2.

Table 2

Cloud Server generation pass key binary tree, each member in attribute user set is on the leafy node of binary tree, and each member has corresponding path key.As shown in Figure 3, user identity ID _i, i=1 ..., 4 respectively corresponding each leafy node, leafy node or inner node all represent the path key of random generation, the path key that node ui has is τ _i, path key derives from leafy node to root node; For user ID ₄the path key of storing is RK ₄={ τ ₇, τ ₃, τ ₁.For each attribute user, gather U _jall there is corresponding minimum first tree (U of covering _j) can cover the corresponding leafy node of member in all properties user set, path key is included in minimum covering in unit; For example, for attribute user, gather U ₂={ ID ₁, ID ₂, ID ₄, so corresponding minimum first tree (U that covers ₂)={ τ ₂, τ ₇, because node u ₂, u ₇can cover attribute user and gather U ₂in all users: ID ₁, ID ₂, ID ₄.Any one is not at U ₂user all cannot obtain tree (U ₂)={ τ ₂, τ ₇in any one path key.

The concrete implementing procedure of step 6 is as follows:

Cloud Server is inputted initial ciphertext CT=<C, C, { C _i, D _i} _{i=1 ..., l}>, wherein ciphertext has comprised access strategy, c=g ^s, $\&ForAll;i=1,...,l{C}_i=g^{a{\mathrm{\&lambda;}}_i}H{\left(\mathrm{\&rho;}\left(i\right)\right)}^{r_i},D_i=g^{r_i}$ With mandate private key ${\mathrm{SK}}_2=\&lang;D=g^{{\mathrm{\&alpha;}}_2}\&rang;,$ The different generation of attribute revocation list RL two kinds of dissimilar heavy ciphertexts, wherein attribute revocation list RL that Cloud Server gives according to attribute authority (aa) center _jcomprised the corresponding relation between reversed user relevant to each attribute j in community set, RL is attribute revocation list RL _jset as shown in table 3, attribute 1,2,3,4 the set of cancelling is respectively

RL ₁＝{ID ₁}， RL ₃＝{ID ₁,ID ₂}，

Table 3

If attribute revocation list do not have user's attribute to be cancelled, Cloud Server is selected random number calculate as follows:

C＝g ^s，C'＝g ^s/k， $D^{\&prime;}=g^{{\mathrm{\&alpha;}}_{2}k};$

$\&ForAll;i=1,...,l,{C^{\&prime;}}_i=g^{a{\mathrm{\&lambda;}}_i}H{\left(\mathrm{\&rho;}\left(i\right)\right)}^{r_i}H,{\left(\mathrm{\&rho;}\left(i\right)\right)}^k,{D^{\&prime;}}_i=g^{r_i}{g}^k;$

Generate the heavy ciphertext of I $\mathrm{CT}=\&lang;\tilde{C},C,C^{\&prime;},D^{\&prime;}{\{{C^{\&prime;}}_i,{C^{\&prime;}}_i\}}_{i=1,...,l}\&rang;.$

If the revocation list of attribute j' be that attribute j' has reversed user.Cloud Server is all unrevoked user's generation pass key binary trees according to the attribute user set after upgrading, and Cloud Server is selected random number calculate as follows:

C＝g ^s，C'＝g ^s/k， $D^{\&prime;}=g^{{\mathrm{\&alpha;}}_{2}k};$

$\&ForAll;i=\mathrm{1,2},...,l{C^{\&prime;}}_i=g^{a{\mathrm{\&lambda;}}_i}H{\left(\mathrm{\&rho;}\left(i\right)\right)}^{r_i}H{\left(\mathrm{\&rho;}\left(i\right)\right)}^k,\mathrm{\&rho;}\left(i\right)=j^{\&prime;}:{D^{\&prime;}}_i={\left(g^{r_i}{g}^k\right)}^{1/v_{p\left(i\right)}};$

$\mathrm{\&rho;}\left(i\right)\&NotEqual;j^{\&prime;}:{D^{\&prime;}}_i=g^{r_i}{g}^k,$

for adopting symmetric encryption method to v _j'the ciphertext of encrypting, key τ is that the minimum in binary tree covers the path key in unit, generates the heavy ciphertext of II

The concrete implementing procedure of step 7 is as follows:

If be that attribute is not cancelled, deciphering person ID _iinput the heavy ciphertext of I $\mathrm{CT}=\&lang;\tilde{C},C,C^{\&prime;},D^{\&prime;},{\{{C^{\&prime;}}_i,{D^{\&prime;}}_i\}}_{i=1,...,l}\&rang;,$ With according to private key ${\mathrm{SK}}_1=\&lang;K,L,{\left\{K_j\right\}}_{\&ForAll;j\&Element;S}\&rang;,$ Calculate as follows:

$A=\frac{{\mathrm{\&Pi;}}_{i\&Element;I}e{({C^{\&prime;}}_i,L)}^{w_i}}{{\mathrm{\&Pi;}}_{i\&Element;I}e({D^{\&prime;}}_i,K_{\mathrm{\&rho;}\left(i\right)}{)}^{w_i}}=e{(g,g)}^{\mathrm{ats}};$

The clear-text message of output deciphering;

If the revocation list of attribute j' deciphering person ID _iattribute j' cancelled ID _i∈ RL _j', export ⊥.Otherwise, deciphering person ID _iattribute j' do not cancelled i.e. deciphering person ID _ithe authority still with access attribute j', deciphering person ID _iinput the heavy ciphertext of II and private key for user deciphering person ID _iattribute do not cancelled, can decipher according to path key obtain v _j', upgrade the private key of corresponding attribute j' calculate as follows:

$\mathrm{\&rho;}\left(i\right)=j^{\&prime;}:B_i=\frac{e{({C^{\&prime;}}_i,L)}^{w_i}}{e{({D^{\&prime;}}_i,{\tilde{K}}_{\mathrm{\&rho;}\left(i\right)})}^{w_i}}=e{(g,g)}^{\mathrm{at}{\mathrm{\&lambda;}}_i{w}_i};$

$\mathrm{\&rho;}\left(i\right)\&NotEqual;j^{\&prime;}:B_i=\frac{e{({C^{\&prime;}}_i,L)}^{w_i}}{e{({D^{\&prime;}}_i,K_{\mathrm{\&rho;}\left(i\right)})}^{w_i}}=e{(g,g)}^{\mathrm{at}{\mathrm{\&lambda;}}_i{w}_i};$

A＝Π _i∈IB _i＝e(g,g) ^ats；

The clear-text message of output deciphering.

For a person skilled in the art, can make various corresponding changes and distortion according to above technical scheme and design, and these all changes and distortion all should be included in the protection range of the claims in the present invention within.

Claims (8)

1. realize that timely user property cancels based on a ciphertext policy attribute encryption method, it is characterized in that, described method comprises the steps:

Step 1, system made, generation system PKI and master key;

Step 2, encipherer constructs access strategy;

Step 3, encipherer is encrypted message, generates initial ciphertext;

Step 4, attribute authority (aa) center generates private key for user and authorizes private key;

Step 5, Cloud Server structure path key binary tree;

Step 6, Cloud Server is acted on behalf of re-encryption, generates heavy ciphertext, realizes cancelling user property;

Step 7, deciphering person is decrypted, and draws expressly.

According to claim 1 a kind of realize that timely user property cancels based on ciphertext policy attribute encryption method, it is characterized in that, the idiographic flow of described step 1 is as follows:

Step 1.1, attribute authority (aa) center input security parameter 1 ^λ, and select rank be prime number p group G, described security parameter 1 ^λdetermined the size of described group G;

Step 1.2, defines hash function a: H:{0,1} ^*→ G;

Step 1.3, attribute authority (aa) center is in finite field in the random integer of selecting calculate α=(α ₁+ α ₂) modp;

Step 1.4, generation system PKI PK=<G, g, e, e (g, g) ^α, g ^a> and master key MK=< α ₁, α ₂, g ^α>, wherein e:G * G → G _tfor bilinear map, g is a generator in group G;

Step 1.5, discloses described system PKI, retains described master key.

According to claim 1 a kind of realize that timely user property cancels based on ciphertext policy attribute encryption method, it is characterized in that, the idiographic flow of described step 2 is as follows:

Apply linear secret sharing scheme, all participants' shared share forms on a vector; Note M is the shared generator matrix of the capable n of l row, represents the participant of the capable institute of M i mark with function ρ (i), i=1 wherein ..., l; Access strategy is (M, ρ); If share a secret value choose at random n-1 number form a n-dimensional vector with s vector for l the shared share of s, be i shared share, it belongs to participant ρ (i); Note access strategy A, participant's S set, making S ∈ A is sets of authorizations, if { λ _ithat the legal of secret s shared, there is constant make Σ _{i ∈ I}w _iλ _i=s.

According to claim 1 a kind of realize that timely user property cancels based on ciphertext policy attribute encryption method, it is characterized in that, the idiographic flow of described step 3 is as follows:

Step 3.1, encipherer inputs described system PKI PK=<G, g, e, e (g, g) ^α, g ^a>, described access strategy (M, ρ) and the clear-text message that needs encryption

Step 3.2, selects random number export initial ciphertext CT=<C, C, { C _i, D _i} _{i=1 ..., l}> also sends to Cloud Server, wherein c=g ^s, $\&ForAll;i=1,...,l,C_i=g^{a{\mathrm{\&lambda;}}_i}H{\left(\mathrm{\&rho;}\left(i\right)\right)}^{r_i},D_i=g^{r_i}.$

According to claim 1 a kind of realize that timely user property cancels based on ciphertext policy attribute encryption method, it is characterized in that, the idiographic flow of described step 4 is as follows:

Step 4.1, described system PKI PK=<G, g, e, e (g, g) are inputted in attribute authority (aa) center ^α, g ^a> and master key MK=< α ₁, α ₂, g ^α>;

Step 4.2, community set S corresponding to information distribution that attribute authority (aa) center provides according to user, selects random number for user generates private key for user wherein l=g ^t, $\&ForAll;j\&Element;S,K_j=H{\left(j\right)}^t;$ For generating, Cloud Server authorizes private key ${\mathrm{SK}}_2=\&lang;D=g^{{\mathrm{\&alpha;}}_2}\&rang;;$

Step 4.3, by safe lane by SK ₁and SK ₂pass to respectively user and Cloud Server.

According to claim 1 a kind of realize that timely user property cancels based on ciphertext policy attribute encryption method, it is characterized in that, the idiographic flow of described step 5 is as follows:

Step 5.1, U is gathered by each attribute user corresponding to attribute j ∈ S in attribute authority (aa) center _jsend to Cloud Server;

Step 5.2, Cloud Server generation pass key binary tree, each member in attribute user set is on the leafy node of described binary tree, and each member has corresponding path key.

According to claim 1 a kind of realize that timely user property cancels based on ciphertext policy attribute encryption method, it is characterized in that, the idiographic flow of described step 6 is as follows:

Step 6.1, the described initial ciphertext CT=<C of Cloud Server input, C, { C _i, D _i} _{i=1 ..., l}> and described authorization key ${\mathrm{SK}}_2=\&lang;D=g^{{\mathrm{\&alpha;}}_2}\&rang;;$

Step 6.2, the different attribute revocation list RL that Cloud Server gives according to attribute authority (aa) center generates two kinds of dissimilar heavy ciphertexts, and wherein RL is attribute revocation list RL _jset attribute revocation list RL _jcomprised and to each attribute j relevantly in community set cancelled the corresponding relation between user:

If attribute revocation list representing does not have user's attribute to be cancelled, and Cloud Server is selected random number generate the heavy ciphertext of I $\mathrm{CT}=\&lang;\tilde{C},C,C^{\&prime;},D^{\&prime;},{\{{C^{\&prime;}}_i,{D^{\&prime;}}_i\}}_{i=1,...,l}\&rang;,$ Wherein, c=g ^s, C'=g ^s/k, $D^{\&prime;}=g^{{\mathrm{\&alpha;}}_{2}k},\&ForAll;i=1,...,l,{C^{\&prime;}}_i=g^{a{\mathrm{\&lambda;}}_i}H{\left(\mathrm{\&rho;}\left(i\right)\right)}^{r_i}H{\left(\mathrm{\&rho;}\left(i\right)\right)}^k,{D^{\&prime;}}_i=g^{r_i}{g}^k;$

If for revocation list attribute j' have reversed user, according to Cloud Server, be now all path key binary trees that user generates of not cancelling, Cloud Server is selected random number generate the heavy ciphertext of II wherein c=g ^s, C'=g ^s/k, $D^{\&prime;}=g^{{\mathrm{\&alpha;}}_{2}k},\&ForAll;i=1,...,l,{C^{\&prime;}}_i=g^{a{\mathrm{\&lambda;}}_i}H{\left(\mathrm{\&rho;}\left(i\right)\right)}^{r_i}H{\left(\mathrm{\&rho;}\left(i\right)\right)}^k,$ $\mathrm{\&rho;}\left(i\right)=j^{\&prime;}:{D^{\&prime;}}_i={\left(g^{r_i}{g}^k\right)}^{1/v_{p\left(i\right)}},\mathrm{\&rho;}\left(i\right)\&NotEqual;j^{\&prime;}:{D^{\&prime;}}_i=g^{r_i}{g}^k,$ for adopting symmetric encryption method to v _j'the ciphertext of encrypting, tree (U _j') gather U for attribute user _j'the corresponding minimum unit that covers, τ is the described minimum path key covering in unit.

According to claim 1 a kind of realize that timely user property cancels based on ciphertext policy attribute encryption method, it is characterized in that, described step 7 is carried out in accordance with the following steps:

If do not have user's attribute to be cancelled deciphering person and input the heavy ciphertext of described I $\mathrm{CT}=\&lang;\tilde{C},C,C^{\&prime;},D^{\&prime;},{\{{C^{\&prime;}}_i,{D^{\&prime;}}_i\}}_{i=1,...,l}\&rang;$ With described private key for user ${\mathrm{SK}}_1=\&lang;K,L,{\left\{K_j\right\}}_{\&ForAll;j\&Element;S}\&rang;$ And calculate as follows:

$A=\frac{{\mathrm{\&Pi;}}_{i\&Element;I}e{({C^{\&prime;}}_i,L)}^{w_i}}{{\mathrm{\&Pi;}}_{i\&Element;I}e({D^{\&prime;}}_i,K_{\mathrm{\&rho;}\left(i\right)}{)}^{w_i}}=e{(g,g)}^{\mathrm{ats}};$

Then the result drawing according to above formula is calculated clear-text message

The clear-text message of finally output deciphering;

If the revocation list of attribute j' and deciphering person's attribute j' is cancelled, represent that deciphering person is at revocation list RL _j'in, export ⊥;

If the revocation list of attribute j' and deciphering person's attribute j' is not cancelled, represent that deciphering person is not at revocation list RL _j'in, still there is the authority of access attribute j', deciphering person inputs the heavy ciphertext of described II with described private key for user ${\mathrm{SK}}_1=\&lang;K,L,\{K_j{\}}_{\&ForAll;j\&Element;S}\&rang;,$ According to the path key deciphering of oneself obtain v _j', renewal private key is calculate as follows:

$\mathrm{\&rho;}\left(i\right)=j^{\&prime;}:B_i=\frac{e{({C^{\&prime;}}_i,L)}^{w_i}}{e{({D^{\&prime;}}_i,{\tilde{K}}_{\mathrm{\&rho;}\left(i\right)})}^{w_i}}=e{(g,g)}^{\mathrm{at}{\mathrm{\&lambda;}}_i{w}_i};$

$\mathrm{\&rho;}\left(i\right)\&NotEqual;j^{\&prime;}:B_i=\frac{e{({C^{\&prime;}}_i,L)}^{w_i}}{e{({D^{\&prime;}}_i,K_{\mathrm{\&rho;}\left(i\right)})}^{w_i}}=e{(g,g)}^{\mathrm{at}{\mathrm{\&lambda;}}_i{w}_i};$

A＝Π _i∈IB _i＝e(g,g) ^ats；

Then calculate clear-text message

The clear-text message of finally output deciphering.