CN107154845A - A kind of BGN types ciphertext decryption outsourcing scheme based on attribute - Google Patents

Info

Publication number: CN107154845A
Authority: CN (China)
Legal status: Granted
Application number: CN201710233091.7A
Other languages: Chinese (zh)
Other versions: CN107154845B (en)
Inventors: 张薇, 李镇林, 杨晓元, 周潭平, 张帅伟, 张敏情, 韩益亮, 薛帅
Current assignee: Engineering University of Chinese People's Armed Police Force
Original assignee: Engineering University of Chinese People's Armed Police Force

Classifications

    All within H04L (Transmission of digital information, e.g. telegraphic communication):
    • H04L9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H04L9/3073 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy, involving algebraic varieties, e.g. elliptic or hyper-elliptic curves, involving pairings, e.g. identity based encryption [IBE], bilinear mappings or bilinear pairings, e.g. Weil or Tate pairing

Abstract

The present invention relates to an attribute-based outsourced decryption scheme for BGN-type ciphertexts, comprising the following steps: (1) initialize the system parameters and generate the encryption keys; (2) the sender selects an access structure, encrypts the message and generates the ciphertext; (3) the receiver inputs the master key and attributes and outputs a transformation key and a private key; (4) the sender sends the ciphertext to the cloud; (5) the receiver sends the transformation key to the cloud; (6) the cloud uses the transformation key to transform the ciphertext into a partial ciphertext and sends it to the receiver; (7) the receiver decrypts the partial ciphertext with the private key and obtains the message. Between step (4) and step (5) the scheme also includes a step in which the cloud performs homomorphic computation on the ciphertext. This outsourced decryption scheme not only improves the decryption efficiency of the system and reduces the receiver's storage overhead; the ciphertext obtained by the encryption method of this scheme also allows the server to perform multiple additive homomorphic operations and one multiplicative homomorphic operation on the ciphertext data, greatly improving the CPA security of user information without increasing the decryption difficulty.

Description

An attribute-based outsourced decryption scheme for BGN-type ciphertexts
Technical field
The invention belongs to the field of information security technology and in particular relates to an attribute-based outsourced decryption scheme for BGN-type ciphertexts.
Background technology
The emergence of the cloud computing concept has put the development of the information industry on a fast track. While cloud services provide users with massive storage and powerful computing capability and have promoted economic development, public clouds are mainly maintained and operated by untrusted third-party service providers, so the security problems associated with cloud computing are becoming increasingly prominent. Cloud security is regarded as the greatest of the many challenges facing the practical application of cloud services and as the problem most urgently in need of a solution. If a user stores sensitive data on a cloud server in plaintext, the information may be copied or even tampered with in the cloud, and the user has no way of learning of the cloud's unauthorized behaviour, which can cause incalculable losses; the cloud therefore cannot be trusted unconditionally. To prevent malicious disclosure of and unauthorized access to sensitive data, users can outsource their data in ciphertext form.
Traditional cloud encryption and decryption models cannot realize fine-grained access control over computation results. Shamir proposed identity-based encryption in 1984: the user's public key is generated from a unique identifier related to the user's identity, so the server no longer needs to look up the user's public key certificate during access. Attribute-based encryption, proposed by Sahai and Waters, can be regarded as a generalization of identity-based encryption. In this cryptosystem, keys and ciphertexts are associated with the user's attributes, and a user can legitimately decrypt only when the attributes satisfy the access control policy, thereby achieving fine-grained access control over the ciphertext.
In an attribute-based cryptosystem, a user's key and the ciphertext are associated respectively with a descriptive attribute set and an access policy. Only when the associated attributes and access policy match each other can a specific key decrypt a specific ciphertext. At present, two kinds of attribute-based encryption have been proposed: key-policy attribute-based encryption (KP-ABE) and ciphertext-policy attribute-based encryption (CP-ABE). In KP-ABE the access policy is embedded in the private key, while in CP-ABE it is embedded in the ciphertext. Attribute-based encryption (ABE) provides a secure way for data owners to share outsourced data on untrusted servers, rather than on trusted servers holding specific users. This advantage has made ABE methods popular in cloud storage, because cloud storage must provide secure access control for a large number of users belonging to different organizations.
Nevertheless, ABE has a major shortcoming in efficiency: the computational cost of the key distribution and decryption phases grows with the complexity of the access pattern. Ciphertext size and decryption time grow with the complexity of the access formula, which is undoubtedly a huge challenge for resource-constrained mobile users. To ensure that remote, resource-constrained mobile users can also decrypt safely and efficiently, the concept of outsourced ABE was proposed, which allows encryption and decryption to be outsourced to a third-party service provider. The core of outsourced ABE decryption is to modify the key generation algorithm so that it produces two keys: a short ElGamal key retained by the user, and a transformation key TK. For a ciphertext CT that satisfies the access function, the cloud can first use TK to convert CT into a simple, short ElGamal ciphertext CT'. The user then needs only a single exponentiation to decrypt. Compared with traditional attribute-based encryption, this outsourced decryption scheme improves the decryption efficiency of the system and reduces the receiver's storage overhead. However, in this scheme part of the decryption of the ciphertext is carried out by the cloud, which requires the outsourcing server to be trusted, and the ciphertext and the transformation key TK may be read illegitimately.
Therefore, designing an outsourced ciphertext decryption scheme that improves the security of data during outsourced decryption without increasing the user's decryption difficulty is of great value.
Summary of the invention
In order to improve the security of data during outsourced decryption in the CP-ABE outsourced decryption schemes of the prior art, without increasing the user's decryption difficulty, the present invention provides an attribute-based outsourced decryption scheme for BGN-type ciphertexts. In the attribute-based BGN-type ciphertext decryption outsourcing scheme provided by the present invention, the ciphertext obtained by the encryption method of this scheme allows the server to perform multiple additive homomorphic operations and one multiplicative homomorphic operation on the ciphertext data, thereby greatly improving the CPA security of user information without increasing the user's decryption difficulty.
The technical problem to be solved by the present invention is addressed through the following technical solution:
An attribute-based outsourced decryption scheme for BGN-type ciphertexts comprises the following steps:
Step (1): Initialize the system parameters and generate the encryption keys, namely the master key MSK and the public key PK;
Step (2): The sender selects an access structure, encrypts the message and outputs the ciphertext CT;
Step (3): The receiver inputs the master key MSK and the attribute set S, randomly selects parameters, and outputs the transformation key TK and the private key SK;
Step (4): The sender sends the ciphertext data CT to the cloud over a public channel;
Step (5): The receiver sends the transformation key TK to the cloud;
Step (6): The cloud uses the transformation key TK to perform the transformation computation on the ciphertext CT, obtaining the partial ciphertext CT', and sends the partial ciphertext CT' to the receiver;
Step (7): The receiver decrypts the partial ciphertext CT' with the private key SK and obtains the message;
Between step (4) and step (5) the scheme also includes a step in which the cloud performs a homomorphic computation on the ciphertext.
More specifically, in the attribute-based BGN-type ciphertext decryption outsourcing scheme of the present invention, step (1) is specifically:
Step (1-1): Initialize the system parameters; input the security parameter λ and the attribute space U, where U = {0,1}*;
Step (1-2): Run the algorithm ξ(λ) to obtain the tuple (q1, q2, G, G1, e) and the bilinear map e: G × G → G1, where q1, q2 are primes and G, G1 are both groups of order n = q1 q2;
Step (1-3): Randomly select generators k, u of the group G and define h so that h is a generator of the subgroup of G of order q1; then randomly select prime-order groups G' and G'_T of order p, let g be a generator of G', and obtain the bilinear map e': G' × G' → G'_T;
Step (1-4): Randomly select a hash function F mapping {0,1}* to G' and a hash function H mapping G'_T to (0,1); randomly select parameters α, a ∈ Zp, where Zp is the integer field modulo p. The master key of the algorithm is then MSK = (g^α, PK), and the public key is PK = (n, g, k, h, e, e'(g,g)^α, g^a, F, H, G, G1).
More specifically, in the attribute-based BGN-type ciphertext decryption outsourcing scheme of the present invention, step (2) is specifically:
Step (2-1): The sender selects an LSSS access structure (M, ρ), where M is an l × n matrix related to the attributes and ρ is a function associated with the row elements M_i of M, i = 1, 2, ..., l;
Step (2-2): Randomly select n elements (s, y2, ..., yn) ∈ Zp of Zp and form the vector v = (s, y2, ..., yn), where s is the secret-sharing parameter; compute λ_i = M_i · v, where M_i is the vector formed by the elements of the i-th row of M; then randomly select l+1 elements (R, r1, ..., rl) ∈ Zp of Zp and output the ciphertext CT, which consists of the following three parts:
More specifically, in the attribute-based BGN-type ciphertext decryption outsourcing scheme of the present invention, step (3) is specifically:
Step (3-1): The receiver inputs the master key MSK and the attribute set S, randomly selects t' ∈ Zp, and outputs
SK' = (PK, K' = g^α · g^{at'}, L' = g^{t'}, {K'_x = F(x)^{t'}}_{x∈S})
Step (3-2): Randomly select z ∈ Zp and set t = t'/z, obtaining the transformation key TK and the receiver's private key SK:
TK is:
SK is: SK = (q1, z).
More specifically, in the attribute-based BGN-type ciphertext decryption outsourcing scheme of the present invention, step (6) is specifically:
Step (6-1): The cloud uses the transformation key TK sent by the receiver to perform the transformation computation on the ciphertext CT. If the receiver's attribute set S does not satisfy the access structure (M, ρ), the cloud outputs ⊥ and the system stops;
When the receiver's attribute set S satisfies the access structure (M, ρ), define I = {i : ρ(i) ∈ S}; then there exists a set of constants {ω_i ∈ Zp}_{i∈I} such that, over all values in {λ_i}, computing Σ_{i∈I} ω_i λ_i = s recovers the secret-sharing parameter s. The transformation algorithm is then run to obtain the partial ciphertext CT',
The transformation algorithm computes:
Step (6-2): The cloud returns the partial ciphertext CT' = (c, Q) to the receiver.
More specifically, in the attribute-based BGN-type ciphertext decryption outsourcing scheme of the present invention, step (7) is specifically:
Step (7-1): The receiver inputs the private key SK = (q1, z) and the partial ciphertext CT', and uses (z, Q) to compute e'(g,g) = Q^z;
Step (7-2): The receiver then uses the private-key component q1 to compute
Step (7-3): The receiver solves the resulting discrete logarithm with Pollard's lambda algorithm and thereby obtains the plaintext message m.
More specifically, in the attribute-based BGN-type ciphertext decryption outsourcing scheme of the present invention, the homomorphic computation step consists of at least one additive homomorphic operation and at most one multiplicative homomorphic operation.
More specifically, in the attribute-based BGN-type ciphertext decryption outsourcing scheme of the present invention, step (4): after the sender sends the ciphertext data CT to the cloud over a public channel, the homomorphic computation the cloud performs on the ciphertext is at least one additive homomorphic operation:
The cloud receives ciphertexts containing c1 and c2:
From c1 and c2 it computes
The ciphertext after the additive homomorphic computation is then:
C = g^s,
Step (5): The receiver sends the transformation key TK to the cloud;
Step (6): The cloud uses the transformation key TK to perform the transformation computation on the ciphertext resulting from the additive homomorphic operation and sends the partial ciphertext to the receiver; the detailed process of step (6) is as follows:
Step (6-1): The cloud uses the transformation key TK sent by the receiver to perform the transformation computation on the ciphertext,
When the receiver's attribute set S satisfies the access structure (M, ρ), define I = {i : ρ(i) ∈ S}; then there exists a set of constants {ω_i ∈ Zp}_{i∈I}, and computing Σ_{i∈I} ω_i λ_i = s recovers the secret-sharing parameter s. The transformation algorithm is then run to obtain the partial ciphertext,
The transformation algorithm computes:
Step (6-2): The cloud returns the partial ciphertext CT' = (c, Q) to the receiver;
Step (7): The receiver decrypts the partial ciphertext CT' with the private key SK; the detailed process of step (7) is as follows:
Step (7-1): The receiver inputs the private key SK = (q1, z) and the partial ciphertext CT', performs one exponentiation using (z, Q), namely e'(g,g) = Q^z, and thus obtains e'(g,g) and the value H(e'(g,g));
Step (7-2): The receiver then uses the private-key component q1 to compute:
Step (7-3): The receiver solves the resulting discrete logarithm with Pollard's lambda algorithm and thereby obtains the plaintext message m1 + m2.
Because the component c' of the ciphertext obtained after one additive homomorphic operation again lies in G, the cloud can perform multiple additive homomorphic operations after receiving the ciphertext CT.
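The additive homomorphism on the BGN-type component and the receiver's decryption with the subgroup order q1 (steps (7-2) and (7-3)), as an added toy model that is not the patent's own code. It assumes G is the order-n subgroup of Z_P^* for a prime P with n | P-1 (which supports the additive homomorphism but not the pairing-based multiplication), takes h = u^q2 from the standard BGN construction because the page's own expression for h is not reproduced, and uses deterministic baby-step giant-step in place of Pollard's lambda; the primes, messages and the `demo` helper are constructed here.

```python
import math
import random

# Constructed toy parameters: the embodiment uses 512-bit primes q1, q2 and a
# pairing group; here G is the order-n subgroup of Z_P^* (assumption for this example).
Q1, Q2 = 10007, 10009
N = Q1 * Q2                  # n = q1 * q2, the order of G


def is_prime(x):
    """Trial division; adequate for the small toy modulus searched below."""
    if x < 2:
        return False
    if x % 2 == 0:
        return x == 2
    return all(x % d for d in range(3, math.isqrt(x) + 1, 2))


def setup():
    """Step (1) analogue: find a prime P with n | P-1, generators k and u of the
    order-n subgroup of Z_P^*, and h = u^q2 (standard BGN choice, assumed here),
    so that h generates the subgroup of order q1."""
    t = 2
    while not is_prime(t * N + 1):
        t += 2                                 # n is odd, so t must be even
    P = t * N + 1
    gens = []
    x = 2
    while len(gens) < 2:
        g = pow(x, (P - 1) // N, P)            # order of g divides n
        if pow(g, Q1, P) != 1 and pow(g, Q2, P) != 1:
            gens.append(g)                     # order is exactly n
        x += 1
    k, u = gens
    return {"P": P, "k": k, "h": pow(u, Q2, P)}


def encrypt(pk, m, rng=random):
    """BGN-type ciphertext c = k^m * h^r for a message m < q2."""
    r = rng.randrange(1, N)
    return pow(pk["k"], m, pk["P"]) * pow(pk["h"], r, pk["P"]) % pk["P"]


def add(pk, c1, c2):
    """The cloud's additive homomorphic step: c1 * c2 encrypts m1 + m2 and is
    again an element of G, so the operation can be repeated."""
    return c1 * c2 % pk["P"]


def bsgs(base, target, order, P):
    """Discrete log of target to base 'base', known to lie in [0, order).
    Deterministic baby-step giant-step stands in for Pollard's lambda here."""
    m = math.isqrt(order) + 1
    table = {}
    cur = 1
    for j in range(m):                         # baby steps: base^j
        table.setdefault(cur, j)
        cur = cur * base % P
    step = pow(base, -m, P)                    # giant step: base^(-m)
    gamma = target
    for i in range(m):
        if gamma in table:
            return i * m + table[gamma]
        gamma = gamma * step % P
    return None


def decrypt(pk, q1, c):
    """Receiver's steps (7-2)/(7-3): c^q1 = (k^q1)^m because h^q1 = 1, so the
    blinding h^r vanishes; then solve the discrete log to base k^q1 (order q2)."""
    P = pk["P"]
    return bsgs(pow(pk["k"], q1, P), pow(c, q1, P), Q2, P)


def demo(m1, m2, seed=7):
    """Encrypt m1 and m2, let the 'cloud' add the ciphertexts, and decrypt both
    a single ciphertext and the sum; returns (m1 recovered, m1+m2 recovered)."""
    rng = random.Random(seed)
    pk = setup()
    c1, c2 = encrypt(pk, m1, rng), encrypt(pk, m2, rng)
    return decrypt(pk, Q1, c1), decrypt(pk, Q1, add(pk, c1, c2))


if __name__ == "__main__":
    print(demo(1234, 4321))    # (1234, 5555)
```

Messages are recovered modulo q2, so the sum of all added messages must stay below q2 for the result to be exact.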
More specifically, in the attribute-based BGN-type ciphertext decryption outsourcing scheme of the present invention, step (4): after the sender sends the ciphertext data CT to the cloud over a public channel, the homomorphic computation the cloud performs on the ciphertext is one multiplicative homomorphic operation:
Let k1 = e(k,k) and h1 = e(k,h); then k1 has order n and h1 has order q1, and there necessarily exists β ∈ Z, where Z is a finite integer field; the cloud then computes
The ciphertext after one multiplicative homomorphic computation is then:
C = g^s,
Step (5): The receiver sends the transformation key TK to the cloud;
Step (6): The cloud uses the transformation key TK to perform the transformation computation on the ciphertext, obtains the partial ciphertext, and sends the partial ciphertext to the receiver; the detailed process of step (6) is as follows:
Step (6-1): The cloud uses the transformation key TK sent by the receiver to perform the transformation computation on the ciphertext. When the receiver's attribute set S satisfies the access structure (M, ρ), define I = {i : ρ(i) ∈ S}; then there exists a set of constants {ω_i ∈ Zp}_{i∈I}, and computing Σ_{i∈I} ω_i λ_i = s recovers the secret-sharing parameter s. The transformation algorithm is then run to obtain the partial ciphertext CT',
The transformation algorithm computes:
Step (6-2): The cloud returns the partial ciphertext CT' = (c, Q) to the receiver;
Step (7): The receiver decrypts the partial ciphertext CT' with the private key SK and obtains the message; the detailed process of step (7) is as follows:
Step (7-1): The receiver inputs the private key SK = (q1, z) and the partial ciphertext CT', performs one exponentiation using (z, Q), namely e'(g,g) = Q^z, and thus obtains e'(g,g) and the value H(e'(g,g))^2;
Step (7-2): The receiver then uses the private-key component q1 to compute:
Step (7-3): The receiver solves the resulting discrete logarithm with Pollard's lambda algorithm and thereby obtains the plaintext message m1 m2.
More specifically, in the attribute-based BGN-type ciphertext decryption outsourcing scheme of the present invention, the parameter generation algorithm referred to by "random selection" is specifically: using a pseudorandom number generator, randomly select two large primes q1, q2 of 512 bits; G, G1 are both groups of order n = q1 q2, and e: G × G → G1 is a bilinear map.
The mathematical theory applied in the present invention is explained below:
The "bilinear map" of the present invention, also called a "bilinear pairing", refers to a function mapping that maps elements of the group G into the group G_T, with the following meaning:
G and G_T are two multiplicative cyclic groups of order p, g is a generator of G, and the bilinear map e: G × G → G_T satisfies the following properties:
(1) Bilinearity: for any u, k ∈ G and a, b ∈ Zp, e(u^a, k^b) = e(u, k)^{ab};
(2) Non-degeneracy: there exist u, k ∈ G such that e(u, k) ≠ 1;
(3) Computability: there is an efficient algorithm that computes e(u, k) for any u, k ∈ G.
Here Zp is the integer field modulo p.
The "access structure" of the present invention has the following meaning:
Suppose {P1, P2, …, Pn} is the set of secret-sharing participants and define P = 2^{{P1, P2, …, Pn}} (the power set). An access structure Γ is a collection of non-empty subsets of {P1, P2, …, Pn}. The monotonicity of an access structure is defined as follows: if A ∈ Γ and A ⊆ B, then B ∈ Γ. The subsets in Γ are called authorized subsets; subsets that cannot reconstruct the shared secret are unauthorized subsets.
The "LSSS (Linear Secret Sharing Scheme) access structure" of the present invention has the following meaning:
A linear secret sharing scheme (LSSS) Π defined over the set P of secret-sharing participants means:
(1) The shares of all participants form a vector over Zp.
(2) There exists an l × n matrix M, called the share-generating matrix of Π. The i-th row of M corresponds to the entity ρ(i), where i = 1, 2, …, l and ρ is a mapping from {1, 2, …, l} to P. Randomly select a column vector v whose first component is the shared secret s; then Mv is the vector of l shares of s under Π, and the share (Mv)_i belongs to the entity ρ(i).
Linear reconstruction: Suppose Π is an LSSS for the access structure Γ. Let S ∈ Γ be an authorized set and define I = {i : ρ(i) ∈ S}. Then there must exist a set of constants {w_i ∈ Zp}_{i∈I} such that Σ_{i∈I} w_i M_i = (1, 0, …, 0), and hence Σ_{i∈I} w_i M_i v = s. For an unauthorized set, no such {w_i ∈ Zp}_{i∈I} exists.
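The LSSS share generation of step (2-2) and the cloud's linear reconstruction of step (6-1), including the ⊥ output for an attribute set that does not satisfy (M, ρ), as an added worked example that is not the patent's own code. The policy (A AND B) OR C, its share-generating matrix, the toy prime modulus and the `demo` helper are constructed for illustration; the reconstruction constants are found by Gaussian elimination modulo p.

```python
import random

P = 1_000_003                 # constructed toy prime standing in for the scheme's p

# Constructed share-generating matrix for the policy (A AND B) OR C.
# Row i is associated with the attribute RHO[i]; -1 is written as P - 1.
M = [[1, 1],
     [0, P - 1],
     [1, 0]]
RHO = ["A", "B", "C"]


def share(M, v, p=P):
    """lambda_i = M_i . v mod p, where v = (s, y2, ..., yn) and s is the secret."""
    return [sum(a * b for a, b in zip(row, v)) % p for row in M]


def reconstruction_constants(M, rows, p=P):
    """Solve sum_{i in rows} w_i * M_i = (1, 0, ..., 0) mod p by Gaussian
    elimination.  Returns {i: w_i}, or None when no solution exists (the
    unauthorized case: the selected rows do not span the target vector)."""
    n_cols, m = len(M[0]), len(rows)
    # One equation per matrix column j: sum_idx w[idx] * M[rows[idx]][j] = e_j
    A = [[M[i][j] % p for i in rows] + [1 if j == 0 else 0] for j in range(n_cols)]
    pivots, r = [], 0
    for c in range(m):
        piv = next((k for k in range(r, n_cols) if A[k][c]), None)
        if piv is None:
            continue                           # free unknown, fixed to 0 below
        A[r], A[piv] = A[piv], A[r]
        inv = pow(A[r][c], -1, p)
        A[r] = [x * inv % p for x in A[r]]
        for k in range(n_cols):
            if k != r and A[k][c]:
                f = A[k][c]
                A[k] = [(x - f * y) % p for x, y in zip(A[k], A[r])]
        pivots.append(c)
        r += 1
    if any(A[k][m] for k in range(r, n_cols)):   # 0 = nonzero: no solution
        return None
    w = [0] * m
    for k, c in enumerate(pivots):
        w[c] = A[k][m]
    return {rows[idx]: w[idx] for idx in range(m)}


def cloud_transform_check(M, rho, S, shares, p=P):
    """The cloud's part of step (6-1): I = {i : rho(i) in S}; recover
    s = sum omega_i * lambda_i if S satisfies the policy, otherwise ⊥ (None)."""
    I = [i for i in range(len(M)) if rho[i] in S]
    w = reconstruction_constants(M, I, p)
    if w is None:
        return None
    return sum(w[i] * shares[i] for i in I) % p


def demo(s, attrs, seed=1):
    """Share s under (M, RHO) with seeded random y2 and let the cloud try to
    recover it for a receiver holding the attribute set attrs."""
    rng = random.Random(seed)
    v = [s] + [rng.randrange(P) for _ in range(len(M[0]) - 1)]
    return cloud_transform_check(M, RHO, set(attrs), share(M, v))


if __name__ == "__main__":
    print(demo(4242, ["A", "B"]), demo(4242, ["C"]), demo(4242, ["A"]))
```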
Beneficial effects of the present invention:
1. In the outsourced decryption scheme of the invention, the ciphertext produced when encrypting the information consists of three parts, one of which is embedded in a BGN-type ciphertext; the server may perform multiple additive homomorphic operations and one multiplicative homomorphic operation on this part of the ciphertext, and the result equals what would be obtained by performing the same operation directly on the plaintext and then encrypting the result. Therefore, after such homomorphic operations on the ciphertext, data security is greatly improved without increasing the difficulty of the user's decryption process.
2. Homomorphic computation allows operations such as calculation, retrieval and comparison to be performed on encrypted data and to yield correct results without the data being decrypted anywhere in the processing; that is, the server can process the data without reading the user's sensitive data.
3. The outsourced decryption scheme of the invention uses bilinear pairing technology together with the domestic hash function SM3, reduces the security of the scheme to the hardness assumption of the subgroup decision problem, and achieves CPA security.
4. In access control over cloud computation results, adding attribute-based encryption achieves fine-grained, attribute-based access control over the right to decrypt homomorphic computation results; the access rules are specified by the user, and access rights can be changed at any time. That is, the share-generating matrix and the message are bound together to generate the ciphertext, the set of identity characteristics associated with the share-generating matrix can be changed at any time, and the user's private key is related only to the set of identity characteristics.
5. In terms of efficiency, in a mobile cloud storage environment, the user's attribute-controlled information is processed by hashing and embedded into the BGN-type ciphertext, which is uploaded to cloud storage; then, through the ciphertext transformation step, part of the ciphertext decryption is outsourced to the cloud. This guarantees the security of the data in the cloud and, without revealing the plaintext data, uses the powerful computing capability of the outsourced decryption agent to accelerate decryption, reduce the receiver's storage and decryption overhead, and improve the decryption efficiency of the system.
The present invention is described in further detail below with reference to the drawings and embodiments.
Brief description of the drawings
Fig. 1 is a schematic flow chart of the attribute-based BGN-type ciphertext decryption outsourcing scheme of the present invention.
Embodiments
In order to further explain the technical means and effects adopted by the present invention to achieve its intended purpose, the specific embodiments and structural features of the invention are described in detail below with reference to the accompanying drawings and embodiments.
Embodiment 1: attribute-based outsourced decryption scheme for BGN-type ciphertexts
The attribute-based BGN-type ciphertext decryption outsourcing scheme, as shown in Fig. 1, comprises the following specific steps:
Step (1): Initialize the system parameters and generate the encryption keys, namely the master key MSK and the public key PK; the detailed process of step (1) is as follows:
Step (1-1): Initialize the system parameters; input the security parameter λ and the attribute space U, where U = {0,1}*. The input security parameter λ is fairly large; in this embodiment λ is chosen as 1024 bits, which is sufficient to guarantee the security of the scheme.
Step (1-2): Run the algorithm ξ(λ) to obtain the tuple (q1, q2, G, G1, e) and the bilinear map e: G × G → G1, where q1, q2 are primes and G, G1 are both groups of order n = q1 q2; ξ(λ) is a public parameter generation algorithm, q1, q2 are large primes, and in this embodiment q1, q2 are chosen as 512-bit primes.
Step (1-3): Randomly select generators k, u of the group G and define h so that h is a generator of the subgroup of G of order q1; then randomly select prime-order groups G' and G'_T of order p, let g be a generator of G', and obtain the bilinear map e': G' × G' → G'_T.
Step (1-4): Randomly select a hash function F mapping {0,1}* to G' and a hash function H mapping G'_T to (0,1); randomly select parameters α, a ∈ Zp, i.e. α, a are chosen at random over the integer field modulo p, Zp being the integer field modulo p. The master key of the algorithm is then MSK = (g^α, PK);
The public key is PK = (n, g, k, h, e, e'(g,g)^α, g^a, F, H, G, G1).
The hash functions F and H used in step (1) are the publicly disclosed domestic hash function SM3.
Step (2): The sender selects an access structure, encrypts the message and generates the ciphertext CT; the detailed process of step (2) is as follows:
Step (2-1): The sender selects an LSSS access structure (M, ρ), where M is an l × n matrix related to the attributes and ρ is a function associated with the row elements M_i of M, representing the mapping of each row of the matrix M to a certain element of the access structure, i = 1, 2, ..., l.
Step (2-2): Randomly select n elements (s, y2, ..., yn) ∈ Zp of Zp and form the vector v = (s, y2, ..., yn), where s is the secret-sharing parameter; compute λ_i = M_i · v, where M_i is the vector formed by the elements of the i-th row of M; then randomly select l+1 elements (R, r1, ..., rl) ∈ Zp of Zp, i.e. R, r1, ..., rl are chosen at random over the integer field modulo p, and output the ciphertext CT, which consists of the following three parts:
Step (3): The receiver inputs the master key MSK and the attribute set S, selects random parameters, and outputs the transformation key TK and the private key SK; the detailed process of step (3) is as follows:
Step (3-1): The receiver inputs the master key MSK and the attribute set S, randomly selects t' ∈ Zp, and outputs:
SK' = (PK, K' = g^α · g^{at'}, L' = g^{t'}, {K'_x = F(x)^{t'}}_{x∈S}).
Step (3-2): Randomly select z ∈ Zp and set t = t'/z, obtaining the transformation key TK and the receiver's private key SK:
SK = (q1, z).
Step (4): The sender sends the ciphertext CT to the cloud over a public channel.
After receiving the ciphertext CT from the sender, the cloud may perform a homomorphic computation step on the ciphertext; this step consists of at least one additive homomorphic operation and at most one multiplicative homomorphic operation. The ciphertext CT obtained by encrypting according to this embodiment consists of three parts, the first of which, $c$, is embedded in a BGN-type ciphertext; this allows the server to perform several additive homomorphic operations and one multiplicative homomorphic operation on that part of the ciphertext.
Step (5): The recipient sends the transformation key TK to the cloud.
Step (6): The cloud transforms the ciphertext CT using the transformation key TK, obtains the partial ciphertext CT', and sends CT' to the recipient. Step (6) proceeds as follows:
Step (6-1): The cloud transforms the ciphertext CT with the transformation key TK sent by the recipient. If the recipient's attribute set S does not satisfy the access structure $(M, \rho)$, the cloud outputs $\bot$ and the system stops;
If the recipient's attribute set S satisfies $(M, \rho)$, define $I \subset \{1, \dots, l\}$ as $I = \{i : \rho(i) \in S\}$, i.e. the set of row indices $i$ of $M$ onto which the attributes $\rho(i) \in S$ are mapped by $\rho(\cdot)$. Then there exists a set of constants $\{\omega_i \in \mathbb{Z}_p\}_{i \in I}$ such that $\sum_{i \in I} \omega_i M_i = (1, 0, \dots, 0)$, and since the $\{\lambda_i\}$ are valid shares of the secret $s$, computing $\sum_{i \in I} \omega_i \lambda_i = s$ recovers the secret-sharing parameter $s$ (this reconstruction is carried out in the exponent by the pairing computation below). The cloud then runs the transformation algorithm and obtains the partial ciphertext CT'.
The transformation algorithm computes:
$$Q = \frac{e'(C', K)}{e'\bigl(\prod_{i \in I} C_i^{\omega_i},\ L\bigr)\cdot\prod_{i \in I} e'\bigl(D_i^{\omega_i},\ K_{\rho(i)}\bigr)} = \frac{e'(g,g)^{s\alpha/z}\, e'(g,g)^{s a t}}{\prod_{i \in I} e'(g,g)^{t a \lambda_i \omega_i}} = e'(g,g)^{s\alpha/z}.$$
Step (6-2): The cloud returns the partial ciphertext $CT' = (c, Q)$ to the recipient.
Step (7): The recipient decrypts the partial ciphertext CT' with the private key SK and obtains the message. Step (7) proceeds as follows:
Step (7-1): The recipient inputs the private key $SK = (q_1, z)$ and the partial ciphertext CT', and performs one exponentiation with $(z, Q)$, i.e. computes $e'(g,g)^{\alpha s} = Q^{z}$.
Step (7-2): The recipient then uses the partial private key $q_1$ to compute:
$$c^{q_1} = \bigl(k^{m H(e'(g,g)^{\alpha s})}\, h^{R}\bigr)^{q_1} = \bigl(k^{q_1 H(e'(g,g)^{\alpha s})}\bigr)^{m},$$
the factor $h^{R q_1}$ vanishing because $h$ has order $q_1$.
Step (7-3): Using Pollard's lambda algorithm, the recipient computes the discrete logarithm of $c^{q_1}$ to the base $k^{q_1 H(e'(g,g)^{\alpha s})}$ and obtains the plaintext message $m$; as in BGN, this is feasible only because $m$ lies in a small, known range.
In the ciphertext decryption outsourcing scheme of this embodiment, the entity performing step (3) is the recipient, unlike steps (2) and (4); the position of step (3) may therefore be changed: it need not lie between steps (2) and (4), as long as it comes after step (1) and before step (5). The parameter generation algorithm meant by "random selection" in this scheme specifically uses a pseudo-random generator to select two large primes $q_1, q_2$ of 512 bits; $G$ and $G_1$ are groups of order $n = q_1 q_2$ and $e: G \times G \to G_1$ is a bilinear map. The pseudo-random generator itself is not specified; any generator that yields the required uniform random choices (in practice a cryptographically secure one) can be used without affecting the security of the scheme.
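As an added worked example (not part of the patent text), the exponent arithmetic of steps (2-2) and (6-1) in Python: sharing $s$ over an LSSS matrix, computing the reconstruction constants $\{\omega_i\}$ by Gauss-Jordan elimination modulo $p$, and returning None (the cloud's $\bot$) when the attribute set does not satisfy $(M, \rho)$. The policy matrix for (A AND B) OR C, the attribute sets and the prime $p$ are constructed for the example; the pairing-based components $C_i$, $D_i$, $K_x$ and $Q$ are not reproduced, only the relation $\sum_{i \in I} \omega_i \lambda_i = s$ that the pairing computation relies on.

```python
import secrets

P_MOD = 1000000007        # constructed stand-in for the prime order p of G'

# Constructed LSSS matrix M and row labelling rho for the policy (A AND B) OR C:
# M_A + M_B = (1, 0) and M_C = (1, 0), so {A, B} and {C} are authorised sets,
# while {A} alone or {B} alone is not.
M = [[1, 1], [0, -1], [1, 0]]
RHO = ["A", "B", "C"]


def share(s, M=M, p=P_MOD):
    """Step (2-2): pick v = (s, y2, ..., yn) at random, lambda_i = <M_i, v> mod p."""
    n = len(M[0])
    v = [s % p] + [secrets.randbelow(p) for _ in range(n - 1)]
    return [sum(a * b for a, b in zip(row, v)) % p for row in M]


def reconstruction_coefficients(attrs, M=M, rho=RHO, p=P_MOD):
    """Step (6-1): I = {i : rho(i) in attrs}; solve sum_{i in I} w_i M_i = (1,0,...,0)
    mod p by Gauss-Jordan elimination on the columns M_i. Returns {i: w_i}, or
    None when attrs does not satisfy (M, rho) (the cloud then outputs ⊥)."""
    I = [i for i, a in enumerate(rho) if a in attrs]
    n = len(M[0])
    # Augmented system A | e1 with A[r][j] = M_{I[j]}[r].
    A = [[M[i][r] % p for i in I] + [1 if r == 0 else 0] for r in range(n)]
    pivots, row = [], 0
    for col in range(len(I)):
        piv = next((r for r in range(row, n) if A[r][col]), None)
        if piv is None:
            continue                         # free column: w_i = 0
        A[row], A[piv] = A[piv], A[row]
        inv = pow(A[row][col], -1, p)
        A[row] = [x * inv % p for x in A[row]]
        for r in range(n):
            if r != row and A[r][col]:
                f = A[r][col]
                A[r] = [(x - f * y) % p for x, y in zip(A[r], A[row])]
        pivots.append(col)
        row += 1
    # A zero row with non-zero right-hand side means e1 is not in the span.
    if any(not any(A[r][:-1]) and A[r][-1] for r in range(n)):
        return None
    return {I[col]: A[r][-1] for r, col in enumerate(pivots)}


def recover(shares, w, p=P_MOD):
    """sum_{i in I} w_i * lambda_i = s mod p."""
    return sum(w_i * shares[i] for i, w_i in w.items()) % p


def outsourced_check(s, attrs):
    """Mimic the cloud: recovered s, or None (⊥) for an unauthorised attribute set."""
    shares = share(s)
    w = reconstruction_coefficients(attrs)
    return None if w is None else recover(shares, w)


if __name__ == "__main__":
    for attrs in ({"A", "B"}, {"C"}, {"A"}, {"B"}, {"A", "B", "C"}):
        print(sorted(attrs), outsourced_check(123456789, attrs))
```

The elimination is run over the rows indexed by $I$ only, so a set that merely contains the right attributes in the wrong combination ({A} or {B} alone) yields an inconsistent system and the $\bot$ branch of step (6-1); any free columns (redundant authorised rows, as with {A, B, C}) receive $\omega_i = 0$.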
Embodiment 2: Attribute-based BGN-type ciphertext decryption outsourcing scheme
The concrete scheme is as follows:
Step (1): Initialize the system parameters and generate the encryption key, the master key MSK and the public key PK. Step (1) proceeds as follows:
Step (1-1): Initialize the system parameters: input the security parameter $\lambda$ and the attribute universe $U = \{0,1\}^*$. The input security parameter $\lambda$ is chosen fairly large; in this embodiment $\lambda$ is 1024 bits, which is sufficient to ensure the security of the scheme.
Step (1-2): Run the algorithm $\xi(\lambda)$ to obtain the tuple $(q_1, q_2, G, G_1, e)$ with the bilinear map $e: G \times G \to G_1$, where $q_1, q_2$ are primes and $G, G_1$ are groups of order $n = q_1 q_2$. $\xi(\lambda)$ is a public parameter generation algorithm and $q_1, q_2$ are large primes; in this embodiment $q_1, q_2$ are 512-bit primes.
Step (1-3): Randomly select generators $k, u$ of the group $G$ and set $h = u^{q_2}$, so that $h$ is a generator of the order-$q_1$ subgroup of $G$. Then randomly select prime-order groups $G'$ and $G'_T$ of order $p$, let $g$ be a generator of $G'$, and obtain the bilinear map $e': G' \times G' \to G'_T$.
Step (1-4): Randomly select a hash function $F$ mapping $\{0,1\}^*$ to $G'$ and a hash function $H$ mapping $G'_T$ to $(0,1)$, and randomly select the parameters $\alpha, a \in \mathbb{Z}_p$, i.e. $\alpha, a$ are chosen uniformly from the integers modulo $p$ ($\mathbb{Z}_p$ denotes the integers modulo $p$). The master key of the algorithm is then $MSK = (g^{\alpha}, PK)$;
The output public key is $PK = (n, g, k, h, e, e'(g,g)^{\alpha}, g^{a}, F, H, G, G_1)$.
The hash functions F and H used in step (1) are instantiated with the published Chinese national hash algorithm SM3.
Step (2): The sender selects an access structure, encrypts the message and generates the ciphertext CT. Step (2) proceeds as follows:
Step (2-1): The sender selects an LSSS access structure $(M, \rho)$, where $M$ is an $l \times n$ matrix associated with the attributes and $\rho$ is a function associated with the rows $M_i$ of $M$, $i = 1, 2, \dots, l$, that maps each row of $M$ to one attribute of the access structure.
Step (2-2): Randomly select $n$ elements $(s, y_2, \dots, y_n) \in \mathbb{Z}_p^n$ and form the vector $v = (s, y_2, \dots, y_n)$, where $s$ is the secret-sharing parameter; compute $\lambda_i = M_i \cdot v$, where $M_i$ is the vector formed by the $i$-th row of $M$. Then randomly select $l + 1$ elements $(R, r_1, \dots, r_l) \in \mathbb{Z}_p$, i.e. $R, r_1, \dots, r_l$ are chosen uniformly from the integers modulo $p$, and output the ciphertext CT, which consists of the following three parts:
$$c = k^{m H(e'(g,g)^{\alpha s})}\, h^{R},\qquad C' = g^{s},$$
$$\bigl(C_1 = g^{a\lambda_1}\cdot F(\rho(1))^{-r_1},\ D_1 = g^{r_1}\bigr),\ \dots,\ \bigl(C_l = g^{a\lambda_l}\cdot F(\rho(l))^{-r_l},\ D_l = g^{r_l}\bigr).$$
Step (3): The recipient inputs the master key MSK and the attribute set S, selects random parameters, and outputs the transformation key TK and the private key SK. Step (3) proceeds as follows:
Step (3-1): The recipient inputs the master key MSK and the attribute set S, randomly selects $t' \in \mathbb{Z}_p$, and outputs:
$$SK' = \bigl(PK,\ K' = g^{\alpha} g^{a t'},\ L' = g^{t'},\ \{K_x' = F(x)^{t'}\}_{x \in S}\bigr).$$
Step (3-2): Randomly select $z \in \mathbb{Z}_p$ and set $t = t'/z$, obtaining the transformation key TK and the recipient's private key SK:
$$TK = \bigl(PK,\ K = K'^{1/z} = g^{\alpha/z} g^{a t},\ L = L'^{1/z} = g^{t},\ \{K_x = K_x'^{1/z} = F(x)^{t}\}_{x \in S}\bigr),\qquad SK = (q_1, z).$$
Step (4): The sender sends the ciphertext CT to the cloud over a public channel.
After receiving the ciphertext CT from the sender, the cloud may perform a homomorphic computation step on the ciphertext; this step consists of at least one additive homomorphic operation and at most one multiplicative homomorphic operation. In this embodiment an additive homomorphic operation is performed:
The cloud receives ciphertexts containing $c_1$ and $c_2$ (both encrypted with the same secret-sharing parameter $s$, so that they carry the same factor $H(e'(g,g)^{\alpha s})$):
$$c_1 = k^{m_1 H(e'(g,g)^{\alpha s})}\, h^{R_1}\qquad\text{and}\qquad c_2 = k^{m_2 H(e'(g,g)^{\alpha s})}\, h^{R_2},$$
and computes
$$c' = c_1 c_2 h^{R} = \bigl(k^{m_1 H(e'(g,g)^{\alpha s})} h^{R_1}\bigr)\cdot\bigl(k^{m_2 H(e'(g,g)^{\alpha s})} h^{R_2}\bigr)\, h^{R} = k^{(m_1+m_2) H(e'(g,g)^{\alpha s})}\, h^{R_1+R_2+R} \in G.$$
The ciphertext after the additive homomorphic computation is therefore:
$$c' = k^{(m_1+m_2) H(e'(g,g)^{\alpha s})}\, h^{R_1+R_2+R} \in G,\qquad C' = g^{s},$$
$$\bigl(C_1 = g^{a\lambda_1}\cdot F(\rho(1))^{-r_1},\ D_1 = g^{r_1}\bigr),\ \dots,\ \bigl(C_l = g^{a\lambda_l}\cdot F(\rho(l))^{-r_l},\ D_l = g^{r_l}\bigr).$$
Since the ciphertext $c'$ obtained by the additive homomorphism again lies in $G$, the cloud can perform multiple additive homomorphic operations after receiving the ciphertext CT.
Step (5): The recipient sends the transformation key TK to the cloud.
Step (6): The cloud transforms the ciphertext resulting from the additive homomorphic operation using the transformation key TK, obtains the partial ciphertext CT', and sends CT' to the recipient. Step (6) proceeds as follows:
Step (6-1): The cloud transforms the ciphertext with the transformation key TK sent by the recipient. If the recipient's attribute set S does not satisfy the access structure $(M, \rho)$, the cloud outputs $\bot$ and the system stops;
If the recipient's attribute set S satisfies $(M, \rho)$, define $I \subset \{1, \dots, l\}$ as $I = \{i : \rho(i) \in S\}$. Then there exists a set of constants $\{\omega_i \in \mathbb{Z}_p\}_{i \in I}$ such that, the $\{\lambda_i\}$ being valid shares of the secret $s$, computing $\sum_{i \in I} \omega_i \lambda_i = s$ recovers the secret-sharing parameter $s$. The cloud then runs the transformation algorithm and obtains the partial ciphertext CT'.
The transformation algorithm computes:
$$Q = \frac{e'(C', K)}{e'\bigl(\prod_{i \in I} C_i^{\omega_i},\ L\bigr)\cdot\prod_{i \in I} e'\bigl(D_i^{\omega_i},\ K_{\rho(i)}\bigr)} = \frac{e'(g,g)^{s\alpha/z}\, e'(g,g)^{s a t}}{\prod_{i \in I} e'(g,g)^{t a \lambda_i \omega_i}} = e'(g,g)^{s\alpha/z}.$$
Step (6-2): The cloud returns the partial ciphertext $CT' = (c', Q)$ to the recipient.
Step (7): The recipient decrypts the partial ciphertext CT' with the private key SK and obtains the message. Step (7) proceeds as follows:
Step (7-1): The recipient inputs the private key $SK = (q_1, z)$ and the partial ciphertext CT', and performs one exponentiation with $(z, Q)$, i.e. computes $e'(g,g)^{\alpha s} = Q^{z}$, obtaining $e'(g,g)^{\alpha s}$ and hence the value $H(e'(g,g)^{\alpha s})$.
Step (7-2): The recipient then uses the partial private key $q_1$ to compute:
$$c'^{q_1} = \bigl(k^{(m_1+m_2) H(e'(g,g)^{\alpha s})}\, h^{R_1+R_2+R}\bigr)^{q_1} = \bigl(k^{q_1 H(e'(g,g)^{\alpha s})}\bigr)^{m_1+m_2},$$
the blinding factor vanishing because $h$ has order $q_1$.
Step (7-3): Using Pollard's lambda algorithm, the recipient computes the discrete logarithm of $c'^{q_1}$ to the base $k^{q_1 H(e'(g,g)^{\alpha s})}$ and obtains the plaintext message $m_1 + m_2$.
The ciphertext CT received by the cloud, obtained by encrypting according to this embodiment, consists of three parts, the first of which, $c$, is embedded in a BGN-type ciphertext. The server can perform multiple additive homomorphic operations on that part of the ciphertext, and the result is the same as performing the same operation directly on the plaintexts and then encrypting the result. Hence, after such a homomorphic operation on the ciphertext, data security is greatly enhanced while the difficulty of the user's decryption process is not increased.
In the ciphertext decryption outsourcing scheme of this embodiment, the entity performing step (3) is the recipient, unlike steps (2) and (4); the position of step (3) may therefore be changed: it need not lie between steps (2) and (4), as long as it comes after step (1) and before step (5).
The parameter generation algorithm meant by "random selection" in this scheme specifically uses a pseudo-random generator to select two large primes $q_1, q_2$ of 512 bits; $G$ and $G_1$ are groups of order $n = q_1 q_2$ and $e: G \times G \to G_1$ is a bilinear map. The pseudo-random generator itself is not specified; any generator that yields the required uniform random choices (in practice a cryptographically secure one) can be used without affecting the security of the scheme.
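As an added example (not the patent's code), the BGN-type part of steps (4) and (7) of this embodiment in Python: encryption $c = k^{mH} h^{R}$, the cloud's additive homomorphic operation $c' = c_1 c_2 h^{R}$, removal of the blinding factor by raising to $q_1$, and recovery of the bounded plaintext with Pollard's lambda (kangaroo) algorithm. Assumptions: the composite-order group $G$ is realised as the order-$n$ subgroup of $\mathbb{Z}_P^*$ for a prime $P$ with $n \mid P-1$ (there is no pairing, so the multiplicative homomorphism of embodiment 3 is not covered); $q_1, q_2$ are 30-bit primes instead of 512-bit ones; the value $H(e'(g,g)^{\alpha s})$ that the recipient would obtain from $Q^{z}$ is replaced by a constructed constant HKEY shared by encryptor and recipient; and plaintexts together with their sums are required to stay below $2^{26}$ so that the discrete logarithm is unique and cheap.

```python
import hashlib
import math

# Toy parameters (assumptions): 30-bit primes in place of the 512-bit q1, q2.
Q1, Q2 = 1000000007, 1000000009
N = Q1 * Q2                      # composite group order n = q1*q2
MSG_BOUND = 1 << 26              # plaintexts and their sums must stay below this (< q2)

# Constructed stand-in for the hash value H(e'(g,g)^{alpha s}) of the scheme.
HKEY = int.from_bytes(hashlib.sha256(b"stand-in for e'(g,g)^(alpha*s)").digest(), "big") % N


def is_probable_prime(x: int) -> bool:
    """Miller-Rabin with the first 12 prime bases (deterministic below 3.3e24)."""
    if x < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if any(x % b == 0 for b in bases):
        return x in bases
    d, r = x - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        y = pow(a, d, x)
        if y in (1, x - 1):
            continue
        for _ in range(r - 1):
            y = y * y % x
            if y == x - 1:
                break
        else:
            return False
    return True


def setup():
    """Step (1): prime P with n | P-1, generator k of the order-n subgroup, and
    h = u^q2, which generates the order-q1 subgroup (so h^(R*q1) = 1)."""
    c = 1
    while not is_probable_prime(2 * N * c + 1):
        c += 1
    P = 2 * N * c + 1
    gens, x = [], 2
    while len(gens) < 2:
        g = pow(x, (P - 1) // N, P)          # order divides n ...
        if pow(g, Q1, P) != 1 and pow(g, Q2, P) != 1:
            gens.append(g)                   # ... and is exactly n
        x += 1
    k, u = gens
    h = pow(u, Q2, P)
    return P, k, h


def encrypt(P, k, h, m, R):
    """BGN part of step (2-2): c = k^(m*H) * h^R in G."""
    return pow(k, m * HKEY % N, P) * pow(h, R, P) % P


def add_ciphertexts(P, h, c1, c2, R):
    """Cloud-side additive homomorphism of step (4): c' = c1*c2*h^R (re-randomised)."""
    return c1 * c2 % P * pow(h, R, P) % P


def pollard_lambda(P, base, target, hi, salt=0):
    """Step (7-3): find m in [0, hi] with base^m = target mod P, or None.
    The tame kangaroo starts at base^hi and sets a trap; the wild one starts at
    target. Jump sizes are powers of two with mean roughly sqrt(hi)/2; the
    salt changes the jump function so a failed run can be retried."""
    k = 1
    while (2 ** k - 1) / k < math.isqrt(hi) / 2:
        k += 1
    table = [pow(base, 1 << j, P) for j in range(k)]
    tame, dt = pow(base, hi, P), 0
    for _ in range(4 * math.isqrt(hi) + 1):
        j = (tame + salt) % k
        tame, dt = tame * table[j] % P, dt + (1 << j)
    wild, dw = target, 0
    while dw <= hi + dt:                     # hi + dt stays far below ord(base) = q2
        if wild == tame:                     # wild landed on the trap
            return hi + dt - dw
        j = (wild + salt) % k
        wild, dw = wild * table[j] % P, dw + (1 << j)
    return None


def decrypt(P, k, c, hi=MSG_BOUND):
    """Step (7): c^q1 removes h^R; solve the bounded DL to the base (k^q1)^H."""
    base = pow(k, Q1 * HKEY % N, P)
    target = pow(c, Q1, P)
    for salt in range(32):
        m = pollard_lambda(P, base, target, hi, salt)
        if m is not None:
            return m
    raise ValueError("no plaintext in [0, hi]")


def demo():
    """Encrypt two constructed plaintexts, add them in the cloud, decrypt both."""
    P, k, h = setup()
    m1, m2 = 123456, 654321
    c1 = encrypt(P, k, h, m1, R=987654321)
    c2 = encrypt(P, k, h, m2, R=192837465)
    c_sum = add_ciphertexts(P, h, c1, c2, R=555555555)   # done by the cloud
    return decrypt(P, k, c1), decrypt(P, k, c_sum)


if __name__ == "__main__":
    print(demo())
```

Raising to $q_1$ is the whole trick of step (7-2): the blinding factor $h^{R}$ lives in the order-$q_1$ subgroup and collapses to 1, while $k^{q_1 H m}$ survives in the order-$q_2$ subgroup, where only a bounded discrete logarithm remains. Whoever lacks $q_1$ (the cloud included) faces $c$ with an unknown $R$ and cannot strip the blinding; whoever lacks $H(e'(g,g)^{\alpha s})$ does not know the base of the logarithm.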
Embodiment 3: Attribute-based BGN-type ciphertext decryption outsourcing scheme
The concrete scheme is as follows:
Step (1): Initialize the system parameters and generate the encryption key, the master key MSK and the public key PK. Step (1) proceeds as follows:
Step (1-1): Initialize the system parameters: input the security parameter $\lambda$ and the attribute universe $U = \{0,1\}^*$. The input security parameter $\lambda$ is chosen fairly large; in this embodiment $\lambda$ is 1024 bits, which is sufficient to ensure the security of the scheme.
Step (1-2): Run the algorithm $\xi(\lambda)$ to obtain the tuple $(q_1, q_2, G, G_1, e)$ with the bilinear map $e: G \times G \to G_1$, where $q_1, q_2$ are primes and $G, G_1$ are groups of order $n = q_1 q_2$. $\xi(\lambda)$ is a public parameter generation algorithm and $q_1, q_2$ are large primes; in this embodiment $q_1, q_2$ are 512-bit primes.
Step (1-3): Randomly select generators $k, u$ of the group $G$ and set $h = u^{q_2}$, so that $h$ is a generator of the order-$q_1$ subgroup of $G$. Then randomly select prime-order groups $G'$ and $G'_T$ of order $p$, let $g$ be a generator of $G'$, and obtain the bilinear map $e': G' \times G' \to G'_T$.
Step (1-4): Randomly select a hash function $F$ mapping $\{0,1\}^*$ to $G'$ and a hash function $H$ mapping $G'_T$ to $(0,1)$, and randomly select the parameters $\alpha, a \in \mathbb{Z}_p$, i.e. $\alpha, a$ are chosen uniformly from the integers modulo $p$ ($\mathbb{Z}_p$ denotes the integers modulo $p$). The master key of the algorithm is then $MSK = (g^{\alpha}, PK)$;
The output public key is $PK = (n, g, k, h, e, e'(g,g)^{\alpha}, g^{a}, F, H, G, G_1)$.
The hash functions F and H used in step (1) are instantiated with the published Chinese national hash algorithm SM3.
Step (2): The sender selects an access structure, encrypts the message and generates the ciphertext CT. Step (2) proceeds as follows:
Step (2-1): The sender selects an LSSS access structure $(M, \rho)$, where $M$ is an $l \times n$ matrix associated with the attributes and $\rho$ is a function associated with the rows $M_i$ of $M$, $i = 1, 2, \dots, l$, that maps each row of $M$ to one attribute of the access structure.
Step (2-2): Randomly select $n$ elements $(s, y_2, \dots, y_n) \in \mathbb{Z}_p^n$ and form the vector $v = (s, y_2, \dots, y_n)$, where $s$ is the secret-sharing parameter; compute $\lambda_i = M_i \cdot v$, where $M_i$ is the vector formed by the $i$-th row of $M$. Then randomly select $l + 1$ elements $(R, r_1, \dots, r_l) \in \mathbb{Z}_p$, i.e. $R, r_1, \dots, r_l$ are chosen uniformly from the integers modulo $p$, and output the ciphertext CT, which consists of the following three parts:
$$c = k^{m H(e'(g,g)^{\alpha s})}\, h^{R},\qquad C' = g^{s},$$
$$\bigl(C_1 = g^{a\lambda_1}\cdot F(\rho(1))^{-r_1},\ D_1 = g^{r_1}\bigr),\ \dots,\ \bigl(C_l = g^{a\lambda_l}\cdot F(\rho(l))^{-r_l},\ D_l = g^{r_l}\bigr).$$
Step (3): The recipient inputs the master key MSK and the attribute set S, selects random parameters, and outputs the transformation key TK and the private key SK. Step (3) proceeds as follows:
Step (3-1): The recipient inputs the master key MSK and the attribute set S, randomly selects $t' \in \mathbb{Z}_p$, and outputs:
$$SK' = \bigl(PK,\ K' = g^{\alpha} g^{a t'},\ L' = g^{t'},\ \{K_x' = F(x)^{t'}\}_{x \in S}\bigr).$$
Step (3-2): Randomly select $z \in \mathbb{Z}_p$ and set $t = t'/z$, obtaining the transformation key TK and the recipient's private key SK:
$$TK = \bigl(PK,\ K = K'^{1/z} = g^{\alpha/z} g^{a t},\ L = L'^{1/z} = g^{t},\ \{K_x = K_x'^{1/z} = F(x)^{t}\}_{x \in S}\bigr),\qquad SK = (q_1, z).$$
Step (4): The sender sends the ciphertext CT to the cloud over a public channel.
After receiving the ciphertext CT from the sender, the cloud may perform a homomorphic computation step on the ciphertext; this step consists of at least one additive homomorphic operation and at most one multiplicative homomorphic operation. In this embodiment a multiplicative homomorphic operation is performed:
Let $k_1 = e(k,k)$ and $h_1 = e(k,h)$; then $k_1$ has order $n$ and $h_1$ has order $q_1$. Since $k$ generates $G$, there necessarily exists $\beta \in \mathbb{Z}$ with $u = k^{\beta}$, hence $h = u^{q_2} = k^{\beta q_2}$ and $h_1 = k_1^{\beta q_2}$. For two ciphertexts $c_1 = k^{m_1 H(e'(g,g)^{\alpha s})} h^{R_1}$ and $c_2 = k^{m_2 H(e'(g,g)^{\alpha s})} h^{R_2}$ encrypted with the same secret-sharing parameter $s$, the cloud computes (writing $H$ for $H(e'(g,g)^{\alpha s})$):
$$c' = e(c_1, c_2)\, h_1^{R} = k_1^{(m_1 H + \beta q_2 R_1)(m_2 H + \beta q_2 R_2)}\, h_1^{R} = k_1^{m_1 m_2 H^2}\; h_1^{\,m_1 H R_2 + m_2 H R_1 + \beta q_2 R_1 R_2 + R}.$$
The ciphertext after the multiplicative homomorphic computation is therefore:
$$c' = k_1^{m_1 m_2 H(e'(g,g)^{\alpha s})^2}\; h_1^{\,m_1 H R_2 + m_2 H R_1 + \beta q_2 R_1 R_2 + R} \in G_1,\qquad C' = g^{s},$$
$$\bigl(C_1 = g^{a\lambda_1}\cdot F(\rho(1))^{-r_1},\ D_1 = g^{r_1}\bigr),\ \dots,\ \bigl(C_l = g^{a\lambda_l}\cdot F(\rho(l))^{-r_l},\ D_l = g^{r_l}\bigr).$$
Since the ciphertext $c'$ obtained by the multiplicative homomorphism lies in $G_1$, and no efficient bilinear map $e: G_1 \times G_1 \to G$ is available, the scheme can perform only one multiplication.
Step (5): The recipient sends the transformation key TK to the cloud.
Step (6): The cloud transforms the ciphertext using the transformation key TK, obtains the partial ciphertext CT', and sends CT' to the recipient. Step (6) proceeds as follows:
Step (6-1): The cloud transforms the ciphertext CT with the transformation key TK sent by the recipient. If the recipient's attribute set S does not satisfy the access structure $(M, \rho)$, the cloud outputs $\bot$ and the system stops;
If the recipient's attribute set S satisfies $(M, \rho)$, define $I \subset \{1, \dots, l\}$ as $I = \{i : \rho(i) \in S\}$. Then there exists a set of constants $\{\omega_i \in \mathbb{Z}_p\}_{i \in I}$ such that, the $\{\lambda_i\}$ being valid shares of the secret $s$, computing $\sum_{i \in I} \omega_i \lambda_i = s$ recovers the secret-sharing parameter $s$. The cloud then runs the transformation algorithm and obtains the partial ciphertext CT'.
The transformation algorithm computes:
$$Q = \frac{e'(C', K)}{e'\bigl(\prod_{i \in I} C_i^{\omega_i},\ L\bigr)\cdot\prod_{i \in I} e'\bigl(D_i^{\omega_i},\ K_{\rho(i)}\bigr)} = \frac{e'(g,g)^{s\alpha/z}\, e'(g,g)^{s a t}}{\prod_{i \in I} e'(g,g)^{t a \lambda_i \omega_i}} = e'(g,g)^{s\alpha/z}.$$
Step (6-2): The cloud returns the partial ciphertext $CT' = (c', Q)$ to the recipient.
Step (7): The recipient decrypts the partial ciphertext CT' with the private key SK and obtains the message. Step (7) proceeds as follows:
Step (7-1): The recipient inputs the private key $SK = (q_1, z)$ and the partial ciphertext CT', and performs one exponentiation with $(z, Q)$, i.e. computes $e'(g,g)^{\alpha s} = Q^{z}$, obtaining $e'(g,g)^{\alpha s}$ and hence the value $H(e'(g,g)^{\alpha s})^2$.
Step (7-2): The recipient then uses the partial private key $q_1$ to compute:
$$c'^{q_1} = \bigl(k_1^{m_1 m_2 H(e'(g,g)^{\alpha s})^2}\; h_1^{\,m_1 H R_2 + m_2 H R_1 + \beta q_2 R_1 R_2 + R}\bigr)^{q_1} = \bigl(k_1^{q_1 H(e'(g,g)^{\alpha s})^2}\bigr)^{m_1 m_2},$$
the blinding factor vanishing because $h_1$ has order $q_1$.
Step (7-3): Using Pollard's lambda algorithm, the recipient computes the discrete logarithm of $c'^{q_1}$ to the base $k_1^{q_1 H(e'(g,g)^{\alpha s})^2}$ and obtains the plaintext message $m_1 m_2$.
According to embodiment 3, the ciphertext CT received by the cloud, obtained by encrypting according to this embodiment, consists of three parts, the first of which, $c$, is embedded in a BGN-type ciphertext. The server can perform one multiplicative homomorphic operation on that part of the ciphertext, and the result is the same as performing the same operation directly on the plaintexts and then encrypting the result. Hence, after such a homomorphic operation on the ciphertext, data security is greatly enhanced while the difficulty of the user's decryption process is not increased.
In a mobile cloud storage environment, the user processes the attribute-based access control through the hash function, embeds the data in a BGN-type ciphertext and uploads it to the cloud for storage; then, through the ciphertext transformation step, part of the decryption of the ciphertext is outsourced to the cloud. This ensures the security of the data in the cloud and, without revealing the plaintext data, uses the powerful computing capability of the outsourced decryption agent to speed up decryption, reduce the recipient's storage and decryption overhead, and improve the decryption efficiency of the system.
Embodiment 4: Security analysis of the attribute-based BGN-type ciphertext decryption outsourcing scheme of the invention
The security of the scheme rests on the assumption that an adversary algorithm $\mathcal{A}$ cannot break the subgroup decision problem. Suppose some algorithm $\mathcal{B}$ breaks the semantic security of the scheme with advantage $\varepsilon$; then there necessarily exists an adversary algorithm $\mathcal{A}$ that solves the subgroup decision problem with advantage $\varepsilon$. The detailed proof is as follows:
(1) The adversary algorithm $\mathcal{A}$ randomly selects $g \in G$ and sends the public key $(n, G, G_1, e, g, x)$ to algorithm $\mathcal{B}$.
(2) Algorithm $\mathcal{B}$ randomly selects two plaintext messages $m_0, m_1$ and sends them to $\mathcal{A}$; $\mathcal{A}$ returns a random challenge ciphertext $c$ encrypting $m_b$ for a random bit $b$, computed from $x$.
(3) Algorithm $\mathcal{B}$ outputs a guess $b'$ for $b$; if $b = b'$, $\mathcal{A}$ outputs "1", otherwise it outputs "0".
If the element $x$ is uniformly distributed in the group $G$, the challenge ciphertext $c$ is also uniformly distributed in $G$ and independent of the choice of $b$, so $\Pr[b = b'] = 1/2$. If $x$ lies in the order-$q_1$ subgroup of $G$, then by the assumption $\Pr[b = b'] > 1/2 + \varepsilon$, hence $\mathrm{SD\text{-}Adv}_{\mathcal{A}}(\tau) > \varepsilon$, which means that the advantage $\varepsilon$ with which $\mathcal{A}$ solves the subgroup decision problem is non-negligible, contradicting the hardness assumption.
Therefore the scheme achieves CPA security under the subgroup decision hardness assumption. It should also be noted that leakage of the decryptor's attributes does not affect the security of the ciphertext. If the attacker does not obtain the partial key $q_1$, then even knowing the encryptor's attributes and the random parameter $z$, i.e. even being able to compute the value $e'(g,g)^{\alpha s}$, he does not know $q_1$ and so cannot compute $c^{q_1}$;
consequently he still cannot obtain the correct plaintext. Conversely, even if the attacker obtains only the partial key $q_1$, his attributes do not satisfy the ciphertext's access policy, so he cannot compute the value $e'(g,g)^{\alpha s}$ and therefore cannot decrypt to the plaintext. In summary, only a legitimate decryptor whose attributes satisfy the access policy of the ciphertext can decrypt it normally.
From the above description, the decryption outsourcing scheme of the invention uses bilinear map techniques and the Chinese national hash algorithm SM3; the security of the scheme reduces to the hardness of the subgroup decision problem, achieving CPA security.
The above is a further detailed description of the invention in conjunction with specific preferred embodiments; the specific implementation of the invention is not to be considered limited to these descriptions. Those of ordinary skill in the technical field of the invention may make simple deductions or substitutions without departing from the inventive concept, and these should all be considered as falling within the scope of protection of the invention.

Claims (10)

1. An attribute-based BGN-type ciphertext decryption outsourcing scheme, comprising the following steps:
Step (1): Initialize the system parameters and generate the encryption key, the master key MSK and the public key PK;
Step (2): The sender selects an access structure, encrypts the message and outputs the ciphertext CT;
Step (3): The recipient inputs the master key MSK and the attribute set S, randomly selects parameters, and outputs the transformation key TK and the private key SK;
Step (4): The sender sends the ciphertext CT to the cloud over a public channel;
Step (5): The recipient sends the transformation key TK to the cloud;
Step (6): The cloud transforms the ciphertext CT using the transformation key TK to obtain the partial ciphertext CT', and sends the partial ciphertext CT' to the recipient;
Step (7): The recipient decrypts the partial ciphertext CT' with the private key SK and obtains the message;
characterized in that a homomorphic computation step performed by the cloud on the ciphertext is further included between step (4) and step (5).
2. The attribute-based BGN-type ciphertext decryption outsourcing scheme according to claim 1, characterized in that step (1) specifically comprises:
Step (1-1): Initialize the system parameters: input the security parameter $\lambda$ and the attribute universe $U = \{0,1\}^*$;
Step (1-2): Run the algorithm $\xi(\lambda)$ to obtain the tuple $(q_1, q_2, G, G_1, e)$ with the bilinear map $e: G \times G \to G_1$, where $q_1, q_2$ are primes and $G, G_1$ are groups of order $n = q_1 q_2$;
Step (1-3): Randomly select generators $k, u$ of the group $G$ and set $h = u^{q_2}$, so that $h$ is a generator of the order-$q_1$ subgroup of $G$; then randomly select prime-order groups $G'$ and $G'_T$ of order $p$, let $g$ be a generator of $G'$, and obtain the bilinear map $e': G' \times G' \to G'_T$;
Step (1-4): Randomly select a hash function $F$ mapping $\{0,1\}^*$ to $G'$ and a hash function $H$ mapping $G'_T$ to $(0,1)$, and randomly select the parameters $\alpha, a \in \mathbb{Z}_p$, $\mathbb{Z}_p$ being the integers modulo $p$; the master key of the algorithm is then $MSK = (g^{\alpha}, PK)$;
The public key is $PK = (n, g, k, h, e, e'(g,g)^{\alpha}, g^{a}, F, H, G, G_1)$.
3. The attribute-based BGN-type ciphertext decryption outsourcing scheme according to claim 2, characterized in that step (2) specifically comprises:
Step (2-1): The sender selects an LSSS access structure $(M, \rho)$, where $M$ is an $l \times n$ matrix associated with the attributes and $\rho$ is a function associated with the rows $M_i$ of $M$, $i = 1, 2, \dots, l$;
Step (2-2): Randomly select $n$ elements $(s, y_2, \dots, y_n) \in \mathbb{Z}_p^n$ and form the vector $v = (s, y_2, \dots, y_n)$, where $s$ is the secret-sharing parameter; compute $\lambda_i = M_i \cdot v$, where $M_i$ is the vector formed by the $i$-th row of $M$; then randomly select $l + 1$ elements $(R, r_1, \dots, r_l) \in \mathbb{Z}_p$ and output the ciphertext CT, which consists of the following three parts:
$$c = k^{m H(e'(g,g)^{\alpha s})}\, h^{R},\qquad C' = g^{s},$$
$$\bigl(C_1 = g^{a\lambda_1}\cdot F(\rho(1))^{-r_1},\ D_1 = g^{r_1}\bigr),\ \dots,\ \bigl(C_l = g^{a\lambda_l}\cdot F(\rho(l))^{-r_l},\ D_l = g^{r_l}\bigr).$$
4. The attribute-based BGN-type ciphertext decryption outsourcing scheme according to claim 1, characterized in that the homomorphic computation step consists of at least one additive homomorphic operation and at most one multiplicative homomorphic operation.
5. The attribute-based BGN-type ciphertext decryption outsourcing scheme according to claim 3, characterized in that step (3) specifically comprises:
Step (3-1): The recipient inputs the master key MSK and the attribute set S, randomly selects $t' \in \mathbb{Z}_p$, and outputs
$$SK' = \bigl(PK,\ K' = g^{\alpha} g^{a t'},\ L' = g^{t'},\ \{K_x' = F(x)^{t'}\}_{x \in S}\bigr);$$
Step (3-2): Randomly select $z \in \mathbb{Z}_p$ and set $t = t'/z$, obtaining the transformation key TK and the recipient's private key SK:
TK is:
$$TK = \bigl(PK,\ K = K'^{1/z} = g^{\alpha/z} g^{a t},\ L = L'^{1/z} = g^{t},\ \{K_x = K_x'^{1/z} = F(x)^{t}\}_{x \in S}\bigr),\qquad\text{and SK is: } SK = (q_1, z).$$
6. The attribute-based BGN-type ciphertext decryption outsourcing scheme according to claim 5, characterized in that step (6) specifically comprises:
Step (6-1): The cloud transforms the ciphertext CT with the transformation key TK sent by the recipient. If the recipient's attribute set S does not satisfy the access structure $(M, \rho)$, the cloud outputs $\bot$ and the system stops;
If the recipient's attribute set S satisfies $(M, \rho)$, define $I \subset \{1, \dots, l\}$ as $I = \{i : \rho(i) \in S\}$; then there exists a set of constants $\{\omega_i \in \mathbb{Z}_p\}_{i \in I}$ such that, for the shares $\{\lambda_i\}$, computing $\sum_{i \in I} \omega_i \lambda_i = s$ recovers the secret-sharing parameter $s$; the cloud then runs the transformation algorithm and obtains the partial ciphertext CT',
The transformation algorithm computes:
$$Q = \frac{e'(C', K)}{e'\bigl(\prod_{i \in I} C_i^{\omega_i},\ L\bigr)\cdot\prod_{i \in I} e'\bigl(D_i^{\omega_i},\ K_{\rho(i)}\bigr)} = \frac{e'(g,g)^{s\alpha/z}\, e'(g,g)^{s a t}}{\prod_{i \in I} e'(g,g)^{t a \lambda_i \omega_i}} = e'(g,g)^{s\alpha/z};$$
Step (6-2): The cloud returns the partial ciphertext $CT' = (c, Q)$ to the recipient.
7. The attribute-based BGN-type ciphertext decryption outsourcing scheme according to claim 6, characterized in that step (7) specifically comprises:
Step (7-1): The recipient inputs the private key $SK = (q_1, z)$ and the partial ciphertext CT', and uses $(z, Q)$ to compute $e'(g,g)^{\alpha s} = Q^{z}$;
Step (7-2): The recipient then uses the partial private key $q_1$ to compute
$$c^{q_1} = \b
igl(k^{m H(e'(g,g)^{\alpha s})}\, h^{R}\bigr)^{q_1} = \bigl(k^{q_1 H(e'(g,g)^{\alpha s})}\bigr)^{m};$$
Step (7-3): Using Pollard's lambda algorithm, the recipient computes the discrete logarithm of $c^{q_1}$ to the base $k^{q_1 H(e'(g,g)^{\alpha s})}$ and thereby obtains the plaintext message $m$.
8. the BGN types ciphertext decryption outsourcing scheme according to claim 5 based on attribute, it is characterised in that step (4): Sender is sent after ciphertext data CT by overt channel to high in the clouds, and it is at least one that high in the clouds calculates operating procedure to the homomorphism of ciphertext Sub-addition homomorphism is operated,
High in the clouds receives ciphertext and includes c1 and c2:
With
Calculate
<mfenced open = "" close = ""> <mtable> <mtr> <mtd> <mrow> <msup> <mi>c</mi> <mo>&amp;prime;</mo> </msup> <mo>=</mo> <msub> <mi>c</mi> <mn>1</mn> </msub> <msub> <mi>c</mi> <mn>2</mn> </msub> <msup> <mi>h</mi> <mi>R</mi> </msup> </mrow> </mtd> </mtr> <mtr> <mtd> <mrow> <mo>=</mo> <mrow> <mo>(</mo> <mrow> <msup> <mi>k</mi> <mrow> <msub> <mi>m</mi> <mn>1</mn> </msub> <mi>H</mi> <mrow> <mo>(</mo> <msup> <mi>e</mi> <mo>&amp;prime;</mo> </msup> <msup> <mrow> <mo>(</mo> <mrow> <mi>g</mi> <mo>,</mo> <mi>g</mi> </mrow> <mo>)</mo> </mrow> <mrow> <mi>&amp;alpha;</mi> <mi>s</mi> </mrow> </msup> <mo>)</mo> </mrow> </mrow> </msup> <msup> <mi>h</mi> <msub> <mi>R</mi> <mn>1</mn> </msub> </msup> </mrow> <mo>)</mo> </mrow> <mo>&amp;CenterDot;</mo> <mrow> <mo>(</mo> <mrow> <msup> <mi>k</mi> <mrow> <msub> <mi>m</mi> <mn>2</mn> </msub> <mi>H</mi> <mrow> <mo>(</mo> <msup> <mi>e</mi> <mo>&amp;prime;</mo> </msup> <msup> <mrow> <mo>(</mo> <mrow> <mi>g</mi> <mo>,</mo> <mi>g</mi> </mrow> <mo>)</mo> </mrow> <mrow> <mi>&amp;alpha;</mi> <mi>s</mi> </mrow> </msup> <mo>)</mo> </mrow> </mrow> </msup> <msup> <mi>h</mi> <msub> <mi>R</mi> <mn>2</mn> </msub> </msup> </mrow> <mo>)</mo> </mrow> <msup> <mi>h</mi> <mi>R</mi> </msup> </mrow> </mtd> </mtr> <mtr> <mtd> <mrow> <mo>=</mo> <msup> <mi>k</mi> <mrow> <mo>(</mo> <msub> <mi>m</mi> <mn>1</mn> </msub> <mo>+</mo> <msub> <mi>m</mi> <mn>2</mn> </msub> <mo>)</mo> <mi>H</mi> <mo>(</mo> <msup> <mi>e</mi> <mo>&amp;prime;</mo> </msup> <msup> <mrow> <mo>(</mo> <mrow> <mi>g</mi> <mo>,</mo> <mi>g</mi> </mrow> <mo>)</mo> </mrow> <mrow> <mi>&amp;alpha;</mi> <mi>s</mi> </mrow> </msup> <mo>)</mo> </mrow> </msup> <msup> <mi>h</mi> <mrow> <msub> <mi>R</mi> <mn>1</mn> </msub> <mo>+</mo> <msub> <mi>R</mi> <mn>2</mn> </msub> <mo>+</mo> <mi>R</mi> </mrow> </msup> <mo>&amp;Element;</mo> <mi>G</mi> </mrow> </mtd> </mtr> </mtable> </mfenced>
Then the ciphertext after additive homomorphism is calculated is:
<mrow> <msup> <mi>c</mi> <mo>&amp;prime;</mo> </msup> <mo>=</mo> <msup> <mi>k</mi> <mrow> <mo>(</mo> <msub> <mi>m</mi> <mn>1</mn> </msub> <mo>+</mo> <msub> <mi>m</mi> <mn>2</mn> </msub> <mo>)</mo> <mi>H</mi> <mo>(</mo> <msup> <mi>e</mi> <mo>&amp;prime;</mo> </msup> <msup> <mrow> <mo>(</mo> <mrow> <mi>g</mi> <mo>,</mo> <mi>g</mi> </mrow> <mo>)</mo> </mrow> <mrow> <mi>&amp;alpha;</mi> <mi>s</mi> </mrow> </msup> <mo>)</mo> </mrow> </msup> <msup> <mi>h</mi> <mrow> <msub> <mi>R</mi> <mn>1</mn> </msub> <mo>+</mo> <msub> <mi>R</mi> <mn>2</mn> </msub> <mo>+</mo> <mi>R</mi> </mrow> </msup> <mo>&amp;Element;</mo> <mi>G</mi> </mrow>
C=gs,
<mrow> <mo>(</mo> <msub> <mi>C</mi> <mn>1</mn> </msub> <mo>=</mo> <msup> <mi>g</mi> <mrow> <msub> <mi>a&amp;lambda;</mi> <mn>1</mn> </msub> </mrow> </msup> <mo>&amp;CenterDot;</mo> <mi>F</mi> <msup> <mrow> <mo>(</mo> <mrow> <mi>&amp;rho;</mi> <mrow> <mo>(</mo> <mn>1</mn> <mo>)</mo> </mrow> </mrow> <mo>)</mo> </mrow> <mrow> <mo>-</mo> <msub> <mi>r</mi> <mn>1</mn> </msub> </mrow> </msup> <mo>,</mo> <msub> <mi>D</mi> <mn>1</mn> </msub> <mo>=</mo> <msup> <mi>g</mi> <msub> <mi>r</mi> <mn>1</mn> </msub> </msup> <mo>)</mo> <mo>,</mo> <mn>......</mn> <mo>,</mo> <mo>(</mo> <msub> <mi>C</mi> <mi>l</mi> </msub> <mo>=</mo> <msup> <mi>g</mi> <mrow> <msub> <mi>a&amp;lambda;</mi> <mi>l</mi> </msub> </mrow> </msup> <mo>&amp;CenterDot;</mo> <mi>F</mi> <msup> <mrow> <mo>(</mo> <mrow> <mi>&amp;rho;</mi> <mrow> <mo>(</mo> <mi>l</mi> <mo>)</mo> </mrow> </mrow> <mo>)</mo> </mrow> <mrow> <mo>-</mo> <msub> <mi>r</mi> <mi>l</mi> </msub> </mrow> </msup> <mo>,</mo> <msub> <mi>D</mi> <mi>l</mi> </msub> <mo>=</mo> <msup> <mi>g</mi> <msub> <mi>r</mi> <mi>l</mi> </msub> </msup> <mo>)</mo> <mo>;</mo> </mrow>
Step (5): the recipient sends the transformation key TK to the cloud;
Step (6): the cloud performs the transformation computation on the additively homomorphic ciphertext using the transformation key TK and sends the partial ciphertext to the recipient; the detailed procedure of step (6) is as follows:
Step (6-1): the cloud performs the transformation computation on the ciphertext using the transformation key TK sent by the recipient.
When the recipient's attribute set $S$ satisfies the access structure $(M, \rho)$, define the index set $I$ with $I = \{i : \rho(i) \in S\}$; then there exists a set of constants $\{\omega_i \in \mathbb{Z}_p\}_{i \in I}$ such that $\sum_{i \in I} \omega_i \lambda_i = s$, so the secret-sharing parameter $s$ can be recovered, and the transformation algorithm is then evaluated to obtain the partial ciphertext.
The transformation algorithm computes:
$$
\begin{aligned}
Q &= e'(C', K)\Big/\Big(e'\Big(\prod_{i\in I} C_i^{\omega_i},\, L\Big)\cdot\prod_{i\in I} e'\big(D_i^{\omega_i},\, K_{\rho(i)}\big)\Big) \\
  &= e'(g,g)^{s\alpha/z}\, e'(g,g)^{sat}\Big/\Big(\prod_{i\in I} e'(g,g)^{t a \lambda_i \omega_i}\Big) \\
  &= e'(g,g)^{s\alpha/z};
\end{aligned}
$$
Step (6-2): the cloud returns the partial ciphertext $CT' = (c, Q)$ to the recipient;
Step (7): the recipient decrypts the partial ciphertext $CT'$ with the private key SK; the detailed procedure of step (7) is as follows:
Step (7-1): the recipient inputs the private key $SK = (q_1, z)$ and the partial ciphertext $CT'$, performs a single exponentiation with $(z, Q)$, computing $e'(g,g)^{\alpha s} = Q^{z}$, and thus obtains the value $H(e'(g,g)^{\alpha s})$;
Step (7-2): the recipient then uses the partial private key $q_1$ to compute:
$$
(c')^{q_1} = \left(k^{(m_1+m_2)\, H(e'(g,g)^{\alpha s})}\, h^{R_1+R_2+R}\right)^{q_1} = \left(k^{H(e'(g,g)^{\alpha s})\, q_1}\right)^{(m_1+m_2)}.
$$
Step (7-3): the recipient uses Pollard's lambda algorithm to compute the discrete logarithm of $(c')^{q_1}$ to the base $k^{H(e'(g,g)^{\alpha s})\, q_1}$, and thereby obtains the plaintext message $m_1 + m_2$.
9. The attribute-based BGN-type ciphertext decryption outsourcing scheme according to claim 5, characterized in that in step (4), after the sender has sent the ciphertext data CT to the cloud over a public channel, the cloud performs one multiplicative homomorphic operation on the ciphertext; the homomorphic computation procedure is:
Let $k_1 = e(k, k)$ and $h_1 = e(k, h)$; then $k_1$ has order $n$ and $h_1$ has order $q_1$, and there necessarily exists $\beta \in Z$, where $Z$ is a finite integer field; the cloud then computes
Then the ciphertext after one multiplicative homomorphic operation is:
$$
c' = k_1^{\,m_1 m_2\, H(e'(g,g)^{\alpha s})^2}\; h_1^{\,R + (R_1 m_2 + R_2 m_1)\, H(e'(g,g)^{\alpha s}) + \beta q_2 R_1 R_2} \in G_1,\qquad C' = g^{s},
$$
$$
\left(C_1 = g^{a\lambda_1}\cdot F(\rho(1))^{-r_1},\ D_1 = g^{r_1}\right),\ \ldots,\ \left(C_l = g^{a\lambda_l}\cdot F(\rho(l))^{-r_l},\ D_l = g^{r_l}\right);
$$
Step (5): the recipient sends the transformation key TK to the cloud;
Step (6): the cloud performs the transformation computation on the ciphertext using the transformation key TK, obtains the partial ciphertext, and sends the partial ciphertext to the recipient; the detailed procedure of step (6) is as follows:
Step (6-1): the cloud performs the transformation computation on the ciphertext using the transformation key TK sent by the recipient; when the recipient's attribute set $S$ satisfies the access structure $(M, \rho)$, define the index set $I$ with $I = \{i : \rho(i) \in S\}$; then there exists a set of constants $\{\omega_i \in \mathbb{Z}_p\}_{i \in I}$ such that $\sum_{i \in I} \omega_i \lambda_i = s$, so the secret-sharing parameter $s$ can be recovered, and the transformation algorithm is then evaluated to obtain the partial ciphertext $CT'$.
The transformation algorithm computes:
$$
\begin{aligned}
Q &= e'(C', K)\Big/\Big(e'\Big(\prod_{i\in I} C_i^{\omega_i},\, L\Big)\cdot\prod_{i\in I} e'\big(D_i^{\omega_i},\, K_{\rho(i)}\big)\Big) \\
  &= e'(g,g)^{s\alpha/z}\, e'(g,g)^{sat}\Big/\Big(\prod_{i\in I} e'(g,g)^{t a \lambda_i \omega_i}\Big) \\
  &= e'(g,g)^{s\alpha/z};
\end{aligned}
$$
Step (6-2): the cloud returns the partial ciphertext $CT' = (c, Q)$ to the recipient;
Step (7): the recipient decrypts the partial ciphertext $CT'$ with the private key SK and obtains the message; the detailed procedure of step (7) is as follows:
Step (7-1): the recipient inputs the private key $SK = (q_1, z)$ and the partial ciphertext $CT'$, performs a single exponentiation with $(z, Q)$, computing $e'(g,g)^{\alpha s} = Q^{z}$, and thus obtains the value $H(e'(g,g)^{\alpha s})^2$;
Step (7-2): the recipient then uses the partial private key $q_1$ to compute:
$$
\begin{aligned}
(c')^{q_1} &= \left(k_1^{\,m_1 m_2\, H(e'(g,g)^{\alpha s})^2}\; h_1^{\,R + (R_1 m_2 + R_2 m_1)\, H(e'(g,g)^{\alpha s}) + \beta q_2 R_1 R_2}\right)^{q_1} \\
&= \left(k_1^{\,H(e'(g,g)^{\alpha s})^2\, q_1}\right)^{m_1 m_2};
\end{aligned}
$$
Step (7-3): the recipient uses Pollard's lambda algorithm to compute the discrete logarithm of $(c')^{q_1}$ to the base $k_1^{H(e'(g,g)^{\alpha s})^2\, q_1}$, and thereby obtains the plaintext message $m_1 m_2$.
10. The attribute-based BGN-type ciphertext decryption outsourcing scheme according to any one of claims 1 to 9, characterized in that the parameter generation algorithm with the said random selection uses a pseudo-random number generator to randomly select two large primes $q_1$, $q_2$ of 512 bits; $G$ and $G_1$ are both groups of order $n = q_1 q_2$, and $e: G \times G \to G_1$ is a bilinear map.
CN201710233091.7A 2017-04-11 2017-04-11 BGN type ciphertext decryption outsourcing scheme based on attributes Active CN107154845B (en)

Publications (2)

Publication Number Publication Date
CN107154845A true CN107154845A (en) 2017-09-12
CN107154845B CN107154845B (en) 2020-08-11

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant