CN105635135A - Encryption system based on attribute sets and relational predicates and access control method - Google Patents

Abstract

The invention discloses an encryption system based on attribute sets and relational predicates and an access control method. The method comprises the following steps of: 1) outputting a public key mpk and a master key msk of a security encryption system according to a given security parameter k; 2) for each given attribute set, generating the public key pki and a private key ski of the attribute set through msk, adding the pki into the mpk, and adding the ski into the msk, wherein attributes or identifications having the same properties are in the same data set; 3) generating a private key sk(k) for a user according to an identify attribute value list input by the user; 4) encrypting a data resource M according to the mpk and an access strategy, and obtaining a ciphertext C[phi]; and 5) judging, by the system, whether the user can access the data resource M according to the identify attribute value list input by the user, if so, encrypting the C[phi] according to the user private key. The encryption system based on attribute sets and relational predicates and the access control method can greatly improve the security and access efficiency of the access control.

Description

A kind of encryption system based on attribute collection and relation predicate and access control method

Technical field:

The present invention relates to areas of information technology, in particular to a kind of encryption system based on attribute collection and relation predicate and access control method.

Background technology:

Along with the development of network technology; more and more new network forms and system are emerged in large numbers one after another; comprise: thing networking, mobile Internet, cloud computing, service compute etc.; be characterized in data increasingly numerous and diverse huge, opening expands day by day, data mobility increase; this result also in secret protection and the sharing problem of some new network security problems, particularly user data and information. On the one hand our open network impels the exchange of information and shares more convenient, and on the other hand, uncontrolled message exchange must bring the illegal acts such as a series of data abuses, infringement with sharing.

Traditional network technology, particularly encryption and authentication techniques can not meet the needs of existing network, mainly open increase so that traditional protection border disappears; Meanwhile, the increase of data sharing scope, conventional cipher system also cannot meet the needs of information sharing on a large scale. It can thus be seen that conventional cipher technology cannot solve previous security problem. Therefore, how to realize the secret protection of data and effective information sharing simultaneously, become the key problem that internet is in the urgent need to address.

Access control is the important means realizing user data secret He carrying out secret protection. In order to solve the problem, the novel cipher access control technology that one is called as " encryption of attribute base " is suggested. So-called attribute base encryption just refers to that a kind of is a community set by the identification presentation of user, enciphered data is then associated with access control structure, user can decrypting ciphertext, depend on whether the access control structure that the community set associated by ciphertext is corresponding with user's identity mates. Specifically, the encryption of attribute base has following character:

1) one group " attribute " is adopted to conduct interviews the expression of main body;

2) flexible policy towards attribute is adopted to carry out authorizing judgement;

3) by supporting that the encryption method of property policy realizes data protection;

4) realize authorizing by distributing user attribute key;

5) judgement whether deciphered is realized by attribute key and tactful the mating of ciphertext access.

Attribute base encryption essence is a kind of access authorization and authentication service technology, ensures that unauthorized user does not have qualification to access specific data. The encryption of attribute base belongs to public-key cryptography scheme, its towards deciphering to as if a colony, instead of single user, it uses the PKI of combinations of attributes as colony of colony, and all users send data to colony and use identical PKI.

Such as, the access strategy of an attribute base encryption is (" Peking University " OR " University of Science & Technology, Beijing ") AND " 2015 " AND " the degree council " AND (NOT " biological institute " ANDNOT " chemistry institute ")

The encryption of existing attribute base is all adopt character string to generate access strategy, and all attributes are all isolated, can not define attribute relation each other, support AND, OR and simple non-logic simultaneously. It realizes being adopt strict string matching mode, and namely user only has one group of character string as attribute-bit.

By upper example it will be seen that the encryption of existing attribute base exists following problem:

1) " community set " concept that kind attributes is formed is not supported, but all attributes all adopt character string to represent;

2) " belonging to " and " not belonging to " operation not supporting to gather, only supports to equal operation.

For the problems referred to above that the encryption of current attribute base exists, the present invention proposes one and support that the community set in " community set " concept and cryptography operates. Concrete patent content brief introduction is as follows:

1) supporting the concept of attribute collection, attribute value namely of the same type forms a set;

2) scale of not limitations set, such as global all cities form " city " collection, and each city is called an attribute value, it is possible to represented by character string, numeral etc.;

3) support that between set value, " belonging to ", " not belonging to ", " equaling ", " being not equal to " etc. operate.

The present invention is a kind of vast improvement to existing attribute base encryption function. Such as, in previous example, we can set up the set of attribute value below:

Big formal name used at school :=..., " Peking University ", " University of Science & Technology, Beijing ", " Tsing-Hua University " ...,

Department :=..., " biological institute ", " chemistry institute ", " Information Institute " ...,

Time :=..., 2013,2014,2015,2016 ...,

Role :=..., " professor's meeting ", " the academic council ", " the degree council " ....

Corresponding to this, we can be for any resource (comprising file, storage space, network channel, process etc.) redefines above-mentioned security strategy

(big formal name used at school �� { " Peking University ", " University of Science & Technology, Beijing " } AND time=2015AND role=" the degree council " AND department{ " biological institute ", " chemistry institute " }).

By above-mentioned definition, assume that a user has following identity attribute: { big formal name used at school :=" University of Science & Technology, Beijing ", time :=2015, role :=" the degree council ", department :=" Information Institute " }, this represents that this user held a post in the mathematics institute of University of Science & Technology, Beijing in 2015, and is degree council committee member. Obviously, the identity of this user by the certification of above-mentioned security strategy, therefore, can be accessed being allowed to by the resource of above-mentioned strategy encryption.

Obviously, our method can produce more simple security policy expression clearly, and meanwhile, AND/OR operates number and reduces to 3 by original 5, and attribute value compares and reduced to 4 by original 6. Therefore, calculated amount also has significant reduction. In view of the safety problem in network application new in recent years and demand cause extensive concern day by day, institute's contrive equipment certainly leads to huge prograding for solution for the development of internet and the communication technology.

Summary of the invention:

For the technical problem existed in prior art, it is an object of the invention to provide a kind of encryption system based on attribute collection and relation predicate and access control method.

The technical scheme of the present invention is:

A kind of based on the encryption system access control method of attribute collection and relation predicate, the steps include:

According to given security parameter k, the PKI mpk and main key msk of output safety encryption system;

2) for each given attribute collection A_i={ v_i1,...,v_im, the PKI pk of this attribute collection is generated by main key msk_iWith private key sk_i, and by PKI pk_iJoin in PKI mpk, private key sk_iAdd in main key msk; Wherein, attribute or the mark with same nature are positioned at same data centralization, and each attribute collection has a unique name, and each attribute or mark in attribute collection are called an attribute value, v_imIt is i-th attribute collection A_iIn the m attribute value;

3) according to the identity attribute value list ��={ v of user's input_ij��A_iGenerate a private key for user sk for this user^(k);

4) for data resource M arranges an access strategy ��; According to step 2) in PKI mpk and this access strategy �� this data resource M is encrypted, obtain ciphertext C_��; Wherein, containing some subset S in access strategy ��_iWith corresponding binary relation predicateAndS_iFor A_iSubset;

5) when a user requires to access this data resource M, the identity attribute value list that secure encryption system inputs according to this user judges whether this user can access this data resource M, if can access, then according to the private key for user of this user to this ciphertext C_��It is decrypted, exports plaintext M; Otherwise export empty.

Further, generate described private key for user sk^(k)Method be: for user u_k, first generate the main private key usk of this user^(k); Then for this user at identity attribute value list ��={ v_ij��A_iIn any attribute value v_ij��A_i, generate corresponding user property value key vsk_ij, obtain this private key for userA_iFor this user u_kAttribute collection.

Further, the method judging the access strategy �� whether this user can access this data resource M is: the access strategy �� of the identity attribute value list �� this user inputted and this data resource is as the input of binary relation predicate, if binary relation predicate judge that Output rusults is as true, then judge whether this user can access this data resource M, otherwise can not access.

Further, non-for the logic in access strategy, utilize Moore's Law by non-transformed for logic be the Negative Predicate " not " in binary relation predicate, obtain the access strategy that Boolean algebra logic represents.

Further, described ciphertextIt is comprise binary relationThe sub-ciphertext generated.

It is a kind of based on the encryption system of attribute collection and relation predicate, it is characterised in that, comprise system key production module, community set key production module, user's key production module, encryption module and deciphering module; Wherein,

Described system key production module, for according to given security parameter k, the PKI mpk and main key msk of output safety encryption system;

Described community set key production module, for each given attribute collection A_i={ v_i1,...,v_im, the PKI pk of this attribute collection is generated by main key msk_iWith private key sk_i, and by PKI pk_iJoin in PKI mpk, private key sk_iAdd in main key msk; Wherein, attribute or the mark with same nature are positioned at same data centralization, and each attribute collection has a unique name, and each attribute or mark in attribute collection are called an attribute value, v_imIt is i-th attribute collection A_iIn the m attribute value;

Described user's key production module, for the identity attribute value list ��={ v inputted according to user_ij��A_iGenerate a private key for user sk for this user^(k);

Described encryption module, is encrypted this data resource M for the access strategy �� according to data resource M and PKI mpk, obtains ciphertext C_��; Wherein, containing some subset S in access strategy ��_iWith corresponding binary relation predicateAndS_iFor A_iSubset;

According to the identity attribute value list of access user's input, described deciphering module, for judging whether this user can access the data resource M to be accessed, if can access, then according to the private key for user of this user to this ciphertext C_��It is decrypted, exports plaintext M; Otherwise export empty.

The present invention relates to a kind of encryption system based on community set, encrypt system referred to as attribute collection. A feature of this system to support the concept of attribute collection, and attribute or the mark namely with same nature are integrated into a set. Each attribute collection has a unique name, is called as " attribute-name ". System can be supported the attribute collection not limitting element number. Each attribute or mark in attribute collection are called as one " attribute value ". Usually, we are with capital U={ e₁,...,e_nRepresent attribute collection, e_iRepresent attribute value.

A feature of the present invention is to provide a kind of safe member relation decision method. The method can use a kind of cryptography mode to be judged by the member relation between given S set and element e, and this kind of member relation comprises: relation belonging to, not relation belonging to. This kind of member relation adopts binary predicateRepresented, whereinAlso just represent e �� S orJudgement. Above-mentioned for employing expression is carried out method description below.

Specifically, as shown in Figure 1, the present invention coupleSafe member relation decision method comprise the steps:

1. attribute value key production module: given any community set U_i={ e₁,...,e_n, according to security parameter ��, generate PKI pk_i, private key sk_i, angle mark i represents the sequence number of set or key.

2. subset represents generation module: the random subset S={e of given set U₁,...,e_m, by PKI pk_iThe safety obtaining S set represents C_S��

3. element extraction module: given U gather in an attribute element e as input, from private key sk_iMiddle extraction element e, thus obtain W_e��

4. member relation authentication module: the expression C of given subset S_SWith the expression W of element e_e, this module will provide relation between above-mentioned inputThe judgement that true or false (represents with 1 and 0) usually.

In above process, a feature of the present invention set and element be have employed cryptography represent, such as, and W_eIt is that the cryptography of e represents, C_SIt is that the cryptography of S represents.

A feature of the present invention is for different member relationsThere is different safe member relation decision methods.

A feature of the present invention be can support to equal=and be not equal to �� predicate, these two predicates are the special cases belonging to and not belonging to predicate when gathering an only element, that is, $P_{=}(e_1,e_2)\⇔P\∈(e_1,\{e_2\left\}\right)$ With $P_{\≠}(e_1,e_2)\⇔P\∉(e_1,\{e_2\left\}\right).$

A feature of the present invention is that authentication module can ensure to verify the security of result, and this kind of security comprises integrity and the completeness of checking when opponent attempts deception in attack time.

A feature of the present invention is to ensure the integrity of checking process, if that is,So checking person can accept the proof of member relation authentication module with the probability of success 1. We useRepresent for relationThe output of member relation authentication module, so integrity means that probability equation (formula 1) is set up below:

(formula 1)

Another of the present invention is characterised in that the completeness that can ensure checking process, and completeness is divided into again weak completeness and strong completeness.

1. weak completeness: give the arbitrary element e in set U, andThe expression W of element e is extracted from private key sk_e ^*, after member relation authentication module, then checking person's probability of success is almost 0, that is, all set up by �� (formula 2) little arbitrarily.

(formula 2)

2. strong completeness: for any polynomial expression time algorithm A, it can generate(certain unknown element e that e refers to not in set U here), and the probability of success that this value is verified by member relation authentication module is almost 0, that is, to �� little arbitrarily, (formula 3) is set up.

(formula 3)

A feature of the present invention is to realize attribute collection encryption system, and by adopting, above-mentioned safe member relation decision method realizes belonging to ��, do not belong on attribute collection to this systemEqual=, be not equal to �� etc. set member's predicate.

This system can dynamically be added attribute collection, make each attribute set representations be A_i={ v_i1,...,v_im, then in system, all attribute collection form setMeanwhile, this system can support unlimited multi-user, makes user gather for U={u₁,u₂,��,u_n, each user has a list of attribute values ��={ v_ij��A_i, wherein, v_ijFirst subscript i represent affiliated attribute collection label, the 2nd subscript j is attribute value sequence number. Obviously these attribute value tables have shown the identity of user.

Given any one data resource M, it is possible to define the access strategy �� of these data according to attribute collection defined above, this access strategy can represent the form of the Boolean function for having set relation, orderAndRepresent any element and S set in attribute collection A_iThe binary predicate of relation, and the above-mentioned multiple binary predicate of available AND and OR goalkeeper represents and becomes a Boolean expression. Such as, can formulate for an enciphered data and access strategy as follows:

$\begin{array}{c}\mathrm{\Π}:=\left({\mathrm{\ρ}}_{1}OR{\mathrm{\ρ}}_2\right)AND{\mathrm{\ρ}}_3\\ =\left(P_{\∈}\right(A_1,\{v_{11},v_{12}\}\left)OR{P}_{\∉}\right(A_2,\{v_{22},v_{23}\}\left)\right)AND{P}_{=}(A_3,v_{32})\\ =(A_1\∈\{v_{11},v_{12}\}OR{A}_2\∉\{v_{22},v_{23}\left\}\right)AND{A}_3=v_{32}\end{array}.$

Wherein ��₁Corresponding P_��(A₁,{v₁₁,v₁₂), ��₂Corresponding��₃Corresponding P₌(A₃,v₃₂). If a certain user's identity can represent by with properties assignment: �� :={ v₁₂,v₂₁,v₃₂, wherein, attribute value v₁₂��A₁, v₂₁��A₂, v₃₂��A₃. We can by this group attribute assignment { v₁₂,v₂₁,v₃₂Substitute into attribute collection corresponding to access control �� above, can obtain final user

Meet the judgement authorized: $\begin{array}{c}\mathrm{\Π}=(v_{12}\∈\{v_{11},v_{12}\}OR{v}_{21}\∉\{v_{22},v_{23}\left\}\right)AND(v_{32}=v_{32})\\ =\left(TrueORTrue\right)ANDTrue\\ =True\end{array}$

As shown in Figure 2, this system is by several module compositions below:

1. system generation module: this module is used for the generation of cryptographic system, for given security intensity as input, exports PKI mpk and main key msk.

2. community set key production module: this module joins in system for the attribute collection specified, for given any attribute collection A_i={ v_i1,...,v_imAs input, generate PKI pk by main key msk_iWith private key sk_i, and it is joined in PKI mpk, private key sk_iAdd main key msk to.

3. user's key production module: this module is used for having identity attribute value list ��={ v for certain_ij��A_iUser generate private key for user sk^(k). For user u_k, first generate this with the private key usk of householder^(k); Then for any attribute value v of this user_ij��A_i, corresponding user property value key vsk can be generated_ij, when user has multiple attribute value ��={ v_ij��A_i, private key for user comprises

4. module is encrypted: this module is used for the data resource M for having access strategy �� and is encrypted. Taking PKI mpk and access strategy �� as input, wherein, containing some subset S in access strategy ��_iWith corresponding binary predicateAndThis module can export a ciphertext by encrypting plaintext data resource MWherein, S_iIt is contained in community set A_i, i.e. S_iFor A_iSubset

5. deciphering module: this module is used for certain and has identity attribute value list ��={ v_ij��A_iUser use private key to the ciphertext C with property policy ��_��Being decrypted, the prerequisite of deciphering is that list of attribute values can make property policy �� be true. With private key for user sk^(k)With ciphertext C_��For input, export plaintext M, otherwise export empty.

A feature of the present invention is that access control strategy can support various element and set relation predicate, and this kind of member relation comprises and belong to ��, do not belong toEqual=, be not equal to ��, it is true and false that predicate exports, and available cloth value of 1 and 0 represents.

A feature of the present invention is that the relation predicate cryptography adopting safe member relation decision method to realize in attribute collection encryption system judges, comprising:

1. employing attribute value key production module realizes the secret generating function that community set adds in module, generates PKI pk_iWith private key sk_i;

2. generation module realizes in encryption module containing specifying member relation predicate to adopt subset to representUnder aggregation security represent

3. adopt element extraction module to any attribute value v_ij��A_iGenerate the user property value key in attribute value key production module

4. the cryptography adopting member relation authentication module to realize member relation predicate in deciphering module judges, i.e. given attribute value v_ij��A_iExpressionRelation predicateLower subset representsRealize determining type (formula 4)

(formula 4)

A feature of the present invention is that accessing strategy supports to represent based on the Boolean function non-with logical AND, logical OR and logic, and this Boolean function supports logical AND AND and logical OR OR. Linear Secret sharing techniques is adopted to realize logical AND AND and logical OR OR, it is possible to adopt level thresholding (threshold value) technology of sharing to be realized.

A feature of the present invention is that the Boolean function accessed in strategy supports non-logic NOT, the nonessential conversion carrying out following Moore's Law of logics all in Boolean algebra, namelyWithAccording to this conversion, thus obtain the access strategy �� ' of the equivalence of the encryption system based on attribute collection. Such as, access strategyAccess strategy after conversion is ${\Π}^{\′}:=(A_1\∉\{v_{11},v_{13}\left\}\right)or(A_2=v_{22}),$ Namely utilize Moore's Law by non-transformed for logic be the Negative Predicate " not " in binary relation predicate, comprise and not belonging toBe not equal to ��.

The positively effect of the present invention

In sum, the present invention proposes one and support that the community set in " community set " concept and cryptography operates, be a kind of vast improvement to existing attribute base encryption function. The present invention relates to a kind of encryption system based on community set, encrypt system referred to as attribute collection. A feature of this system to support the concept of attribute collection, and attribute or the mark namely with same nature are integrated into a set. A feature of the present invention is for different member relationsThere is different safe member relation decision methods and set and element be have employed cryptography and represent.

A feature of the present invention be can support to equal=and be not equal to �� predicate, these two predicates are the special cases belonging to and not belonging to predicate when gathering an only element, that is, $P_{=}(e_1,e_2)\⇔P\∈(e_1,\{e_2\left\}\right)$ With $P_{\≠}(e_1,e_2)\⇔P\∉(e_1,\{e_2\left\}\right).$

A feature of the present invention is that authentication module can ensure to verify the security of result, and this kind of security comprises integrity and the completeness of checking when opponent attempts deception in attack time.

A feature of the present invention is to ensure integrity and the completeness of checking process.

A feature of the present invention is to realize attribute collection encryption system, and by adopting, above-mentioned safe member relation decision method realizes belonging to ��, do not belong on attribute collection to this systemEqual=, be not equal to �� etc. set member's predicate. A feature of the present invention is that access control strategy can support various element and set relation predicate, and this kind of member relation comprises and belong to ��, do not belong toEqual=, be not equal to ��, it is true and false that predicate exports, and available cloth value of 1 and 0 represents.

A feature of the present invention is that the relation predicate cryptography adopting safe member relation decision method to realize in attribute collection encryption system judges, a feature of the present invention is that accessing strategy supports based on logical AND, logical OR and the non-Boolean function of logic represent, this Boolean function supports logical AND AND and logical OR OR. Linear Secret sharing techniques is adopted to realize logical AND AND and logical OR OR, it is possible to adopt level thresholding (threshold value) technology of sharing to be realized. A feature of the present invention is that the Boolean function accessed in strategy supports non-logic NOT.

Accompanying drawing explanation

The structural representation that the safe member relation that Fig. 1 embodiment of the present invention provides judges.

The structural representation of the attribute collection encryption system that the safe member relation that Fig. 2 embodiment of the present invention provides judges.

Embodiment:

Bilinear map is widely used in the aggregate signature scheme proposed in recent years as an effective instrument, and usual Bilinear map is got being out of shape with Tate by the Weil in elliptic curve. Bilinear map can construct scheme and Bilinear map that much general cryptography instrument can not realize on using relatively flexibly, has good character.

If G₁, G₂The cyclic group on to be two taking p be rank, g₁It is crowd G₁Generator, g₂It is crowd G₂Generator. �� is from group G₂To group G₁Computable isomorphism function, i.e. �� (g₂)=g₁, e is the mapping e:G that can calculate₁��G₂��G_T, map e and there is following character:

1) bilinearity: for all u �� G₁v��G₂AndMeet e (u^a,v^b)=e (u, v)^ab��

2) non-degeneracy: meet e (g₁,g₂)��1��

Can extrapolate from above character:

For arbitrary u �� G₁, v₁,v₂��G₂, e (u, v₁v₂)=e (u, v₁)��e(u,v₂); For arbitrary u, v �� G₁, e (u, �� (v))=e (v, �� (u)).

For making the technical problem to be solved in the present invention, technical scheme and advantage clearly, it is described in detail below in conjunction with the accompanying drawings and the specific embodiments.

Following examples are all used zero point polymerization function and limit polymerization function, have been defined as follows:

1) zero point polymerization function

A given random subsetWith a p rank cyclic group G, p is prime number, if there is a polynomial expression time algorithm ZeroAggr, algorithm exports and isThen this algorithm is called as zero point polymerization function, and wherein, g is the generator of p rank cyclic group G, and �� is the random secret introduced, x_i=hash (e_i) for each cycling of elements in S set be the random point in cryptography space.

2) limit polymerization function

A given random subsetWith a p rank cyclic group G, p is prime number, if there is a polynomial expression time algorithm PolesAggr, algorithm exportsThen this algorithm is called as limit polymerization function, and wherein, h is the generator of p rank cyclic group G, and �� is the random secret introduced, x_i=hash (e_i) for each cycling of elements in S set be the random point in cryptography space.

Be polymerized function and limit polymerization function except zero point described above, the following is example is at bilinearity mapped system s=(p, G₁,G₂,G_T, e ()) middle realization, wherein, G₁And G₂Rank be p, generator is respectively g₁And g₂. Employ cryptographic Hash function hash:{0,1} in addition^*��Z_p ^*, by arbitrary attribute value v_iRandom element x is mapped from scale-of-two string_i, i.e. x_i=hash (v_i)��

Embodiment one

This gives for the cryptography judgement structure method that member relation belongs to, concrete comprises following four steps:

1) attribute value key production module: for given any community set U={e₁,...,e_n, choose at randomWith m �� Z⁺, generate PKIWith private key

2) subset represents generation module: the random subset S={e of given set U₁,...,e_m, we call PolesAggr function and calculate the safety that (formula 5) obtain S set and represent H_S, wherein, x_k=hash (e_k)��

(formula 5)

3) element extraction module: an attribute element e in given U set_iAs input, from private key sk, extract element e_i, thus obtain e_iCryptography represent

4) member relation authentication module: the expression H of given subset S_SWith element e_iExpressionThis module will provide relation P between above-mentioned input_��The judgement that (e, S) true or false (represents with 1 and 0) usually, that is, e_iBelong to S. First, calculate S_=S { e_iAnd (formula 6); Secondly, checking W_iWhether equal e (G_{S_},H_S), i.e. e (G_{S_},H_S)��e(W_i, H) whether=V set up. If set up, we just think e_i�� S also returns true, otherwise returns vacation.

$G_{S\_}\←ZerosAggr({\mathrm{pk}}_{\∈},S\_)=g^{f_{S\_\left(\mathrm{\γ}\right)}}=g^{\mathrm{\γ}\frac{\Πe_k\∈S(\mathrm{\γ}+x_k)}{\mathrm{\γ}+x_i}}\backslash *MERGEFORMAT$ (formula 6)

Embodiment two

This gives for the cryptography judgement structure method that member relation does not belong to, concrete, comprise following four steps:

1) attribute value key production module: for given any community set U={e₁,...,e_n, according to security parameter ��, choose at randomWith n �� Z⁺, generate PKIWith private key

2) subset represents generation module: the random subset S={e of given set U₁,...,e_m, we call ZerosAggr function and calculate the safety that (formula 7) obtain S set and represent G_S, wherein, x_k=hash (e_k)��

$G_S\←ZerosAggr{(sk,S)}^s=g^{s\·f_s\left(\mathrm{\γ}\right)}=g^{{\mathrm{\γs\Π}}_{e_k\∈s}(x+x_k)}$

$\backslash *MERGEFORMAT$ (formula 7)

3) element extraction module: an attribute element e in given U set_iAs input, from private key sk, extract element e_i, thus obtain e_iCryptography represent

4) member relation authentication module: the expression G of given subset S_SWith element e_iCryptography representThis module will provide relation between above-mentioned inputThe judgement that true or false (represents with 1 and 0) usually, that is, e_iDo not belong to S. First, calculate S₊=S �� { e_iAnd (formula 8), secondly, checking e (G_S,H_S+)��e(W_i, H) whether=V set up. If set up, we just thinkAnd return true, otherwise return vacation.

(formula 8)

Embodiment three

Each party is about Z_pSharing of upper vector. The matrix T that there is a l �� n is called shared generator matrix. ForT_iIt is i-th row vector of T. Setting function �� is defined as label �� (i) of row i. Column vector v=(s, r₂,������,r_n), wherein s �� Z_pIt is shared secret, r₂,...,r_nIt is Z_pIn randomized number. The column vector of the shared secret s of Tv to be length be l, and (Tv)_iIt it is the secret that �� (i) side holds. Setting U is the set authorized arbitrarily, I �� 1 ..., l} is defined as I={i: �� (i) �� U}. So there is fixing { w_i}_i��IIf making ��_iBeing the effectively shared of secret s arbitrarily, so secret can pass through ��_i��Iw_i��_i=s reconstructs.

For technical background, we illustrate that the attribute collection of native system is arranged, first such as definition attribute collection:

Big formal name used at school :=..., " Peking University ", " University of Science & Technology, Beijing ", " Tsing-Hua University " ...,

Department :=..., " biological institute ", " chemistry institute ", " Information Institute " ...,

Time :=..., 2013,2014,2015,2016 ...,

Role :=..., " professor's meeting ", " the academic council ", " the degree council " ....

We can define A_i:={ v_i1,...,v_im, wherein, A₁�� department, v_1k1�� " biological institute ", v_1k2�� " chemistry institute ", v_1k3�� " Information Institute "; A₂�� big formal name used at school, v_2k1�� " Peking University ", v_2k2�� " University of Science & Technology, Beijing ", v_2k3�� " Tsing-Hua University "; A₃�� the time, v_3k1�� 2013, v_3k2�� 2014, v_3k3�� 2015;

A₄�� role, v_4k1�� " professor's meeting ", v_4k2�� " the academic council ", v_4k3�� " the degree council ".

(big formal name used at school �� { " Peking University ", " University of Science & Technology, Beijing " } AND time=2015AND role=" the degree council " AND department{ " biological institute ", " chemistry institute " }).

We can definition strategy be $A_1\∉\{v_{1k_1},v_{1k_2}\}AND{A}_2\∈\{v_{2k_1},v_{2k_2}\}AND{A}_3=v_{3k_3}AND{A}_4=v_{4k_3}.$

Assume that a user has following identity attribute: { big formal name used at school :=" University of Science & Technology, Beijing ", time :=2015, role :=" the degree council ", department :=" Information Institute " }.

The core of the present invention is attribute collection encryption system, and we adopt the method in above-described embodiment one and embodiment two to give detailed attribute collection cryptographic construction scheme, specifically comprise following five modules:

1) system generation module

The corresponding bilinearity mapped system based on elliptic curve cipher is obtained for the security intensity formulatedAt G₁, G₂In random select two elementsWithChooseSetting Q=H^��, R=e (G, H)^��. Obtain PKI mpk=(S, H, Q, R), main key msk=(��, ��, ��, G, G^��). Finally export (mpk, msk).

2) community set adds module

From Z_p ^*In choose �� at random_i, namelySettingWherein j �� [1, m]. For all v_ij��A_iAnd x_ij=h (v_ij), haveBy main secret generating client public keyRespectively by pk_iAdd mpk and by sk_i=��_iIt is attached to msk.

3) attribute value key production module

For user u_k, choose an integer �� at random_l, generate this with the private key of householderFor any attribute value (A of this user_i��v_ij) �� ��, corresponding user property value key can be generatedWhen user has multiple attribute value ��={ v_ij��A_iSituation, generate private key for user

4) module is encrypted

Input plaintext M, PKI mpk and access strategy ��, export ciphertext C_��. First �� is converted to (T, ��), containing some subset S in access strategy ��_iWith corresponding predicateAndSelect stochastic variableShare secret s, then calculate ek=R^s=e (G, H)^��s, c₀=Q^S,And ��_k=v T_k, wherein T_kIt it is kth the row vector of the shared generator matrix T of l �� n. Ciphertext isWherein C₀=(c₀,c₁). ForWhether set upCalculateMeet (formula 9)

$C_{{\mathrm{\ρ}}_i}=(c_{k1},c_{k2})=\left\{\begin{array}{cc}(H^{{\mathrm{\λ}}_k},{\left(H_S\right)}^{{\mathrm{\λ}}_k})& for(A_k\∈S)\\ (H^{{\mathrm{\λ}}_k},{\left(G_S\right)}^{{\mathrm{\λ}}_k})& for(A_k\∉S)\end{array}\right.$

$\backslash *MERGEFORMAT$ (formula 9)

Wherein, H_S=PolesAggr (mpk, S), G_S=ZerosAggr (mpk, S).

5) deciphering module

User u_kInputAnd ciphertextFrom i-th sub-ciphertext (c_i1,c_i2) inner extract S, then attempt finding the appointment A that can meet above condition_i��v_ij. If success, attribute value ��={ v that namely the private key of user is corresponding_ij��A_iMeet access strategy �� in ciphertext, search sub-keyAnd calculating formula (10):

$c_i=\left\{\begin{array}{cc}e({\mathrm{vsk}}_{ij}^{\left(k\right)},c_{i1})\·e(G_{S-},c_{i2})& for(v_{ij}\∈S)\\ e({\mathrm{vsk}}_{ij}^{\left(k\right)},c_{i1})\·e(c_{i2},H_{S+})& for(v_{ij}\∉S)\end{array}\right.\backslash *MERGEFORMAT$ (formula 10)

Wherein, G_S-=ZerosAggr (mpk, S { v_ij), H_s+=PolesAggr (mpk, S �� { v_ij). As all c_iWhen being worth known, calculate the vector { w of reconstruct according to T and I={i: �� (i) �� U}_i��Z_p}_i��I, wherein U is the set of coupling arbitrarily, if { ��_iIt is the effectively shared of secret s arbitrarily, so ��_i��Iw_i��_i=s. Then calculateFinally recover session key ek=e (sk₀,c₀)/c. Calculated by the session key ek recoveredExport plaintext M. If attribute value ��={ v that the private key of user is corresponding_ij��A_iDo not meet access strategy �� in ciphertext, export empty.

The above is the preferred embodiment of the present invention; it is noted that for those skilled in the art, under the prerequisite not departing from principle of the present invention; can also making some improvements and modifications, these improvements and modifications also should be considered as protection scope of the present invention.

Claims (10)

1. one kind based on the encryption system access control method of attribute collection and relation predicate, the steps include:

1) according to given security parameter k, the PKI mpk and main key msk of output safety encryption system;

2) for each given attribute collection A_i={ v_i1,...,v_im, the PKI pk of this attribute collection is generated by main key msk_iWith private key sk_i, and by PKI pk_iJoin in PKI mpk, private key sk_iAdd in main key msk; Wherein, attribute or the mark with same nature are positioned at same data centralization, and each attribute collection has a unique name, and each attribute or mark in attribute collection are called an attribute value, v_imIt is i-th attribute collection A_iIn the m attribute value;

3) according to the identity attribute value list ��={ v of user's input_ij��A_iGenerate a private key for user sk for this user^(k);

4) for data resource M arranges an access strategy ��; According to step 2) in PKI mpk and this access strategy �� this data resource M is encrypted, obtain ciphertext C_��; Wherein, containing some subset S in access strategy ��_iWith corresponding binary relation predicateAndS_iFor A_iSubset;

5) when a user requires to access this data resource M, the identity attribute value list that secure encryption system inputs according to this user judges whether this user can access this data resource M, if can access, then according to the private key for user of this user to this ciphertext C_��It is decrypted, exports plaintext M; Otherwise export empty.

2. the method for claim 1, it is characterised in that, generate described private key for user sk^(k)Method be: for user u_k, first generate the main private key usk of this user^(k); Then for this user at identity attribute value list ��={ v_ij��A_iIn any attribute value v_ij��A_i, generate corresponding user property value key vsk_ij, obtain this private key for user ${\mathrm{sk}}^{\left(k\right)}=({\mathrm{usk}}_0^{\left(k\right)},{\left\{{\mathrm{vsk}}_{ij}^{\left(k\right)}\right\}}_{v_{ij}\∈A_i}\};$ A_iFor this user u_kAttribute collection.

3. method as claimed in claim 1 or 2, it is characterized in that, the method judging the access strategy �� whether this user can access this data resource M is: the access strategy �� of the identity attribute value list �� this user inputted and this data resource is as the input of binary relation predicate, if binary relation predicate judge that Output rusults is as true, then judge whether this user can access this data resource M, otherwise can not access.

4. method as claimed in claim 3, it is characterised in that, non-for the logic in access strategy, utilize Moore's Law by non-transformed for logic be the Negative Predicate " not " in binary relation predicate, obtain the access strategy that Boolean algebra logic represents.

5. method as claimed in claim 1 or 2, it is characterised in that, described ciphertext It is comprise binary relationThe sub-ciphertext generated.

6. one kind based on the encryption system of attribute collection and relation predicate, it is characterised in that, comprise system key production module, community set key production module, user's key production module, encryption module and deciphering module; Wherein,

Described system key production module, for according to given security parameter k, the PKI mpk and main key msk of output safety encryption system;

Described community set key production module, for each given attribute collection A_i={ v_i1,...,v_im, the PKI pk of this attribute collection is generated by main key msk_iWith private key sk_i, and by PKI pk_iJoin in PKI mpk, private key sk_iAdd in main key msk; Wherein, attribute or the mark with same nature are positioned at same data centralization, and each attribute collection has a unique name, and each attribute or mark in attribute collection are called an attribute value, v_imIt is i-th attribute collection A_iIn the m attribute value;

Described user's key production module, for the identity attribute value list ��={ v inputted according to user_ij��A_iGenerate a private key for user sk for this user^(k);

Described encryption module, is encrypted this data resource M for the access strategy �� according to data resource M and PKI mpk, obtains ciphertext C_��; Wherein, containing some subset S in access strategy ��_iWith corresponding binary relation predicateAndS_iFor A_iSubset;

According to the identity attribute value list of access user's input, described deciphering module, for judging whether this user can access the data resource M to be accessed, if can access, then according to the private key for user of this user to this ciphertext C_��It is decrypted, exports plaintext M; Otherwise export empty.

7. system as claimed in claims 6 or 7, it is characterised in that, for user u_k, first described user's key production module generates the main private key usk of this user^(k); Then for this user identity attribute value list ��={ v_ij��A_iIn any attribute value v_ij��A_i, generate corresponding user property value key vsk_ij, obtain this private key for userA_iFor this user u_kAttribute collection.

8. system as claimed in claims 6 or 7, it is characterized in that, the access strategy �� of the identity attribute value list that this user is inputted by described deciphering module and this data resource is as the input of binary relation predicate, if binary relation predicate judge that Output rusults is as true, then judge whether this user can access this data resource M, otherwise can not access.

9. system as claimed in claim 8, it is characterised in that, described deciphering module is non-for the logic in access strategy, utilize Moore's Law by non-transformed for logic be the Negative Predicate " not " in binary relation predicate, obtain the access strategy that Boolean algebra logic represents.

10. system as claimed in claims 6 or 7, it is characterised in that, described ciphertext