CN-121984672-A - Quantum attack resistant attribute-based Boolean searchable encryption system and method in cloud environment

Abstract

The invention provides a quantum attack resistant attribute base Boolean searchable encryption system and a quantum attack resistant attribute base Boolean searchable encryption method in a cloud environment, and provides a lattice ABBKS which adopts a non-monotonic LSSS expression Boolean query formula to support Boolean query. Only the keyword names in the keyword index are disclosed to prevent the keyword from being revealed, and the active guessing attack of an attacker on the keyword is resisted by dividing the secret value in the keyword index. Meanwhile, a grid-based trapdoor smooth projection hash function is provided, and IKGA security resistance under a multi-user/multi-owner retrieval scene is achieved together with two non-collusion cloud servers. According to the scheme, hash processing is carried out on each keyword in the search token, and only two non-collusion clouds respectively holding a hash key and TSPHF trapdoors can finish search operation together. The cloud data searching method and the cloud data searching device realize accurate searching of the cloud data and balance of safety and practicality.

Inventors

• HUANG QINLONG
• YAN GUANYU
• JIAN RUI

Assignees

• 北京邮电大学

Dates

Publication Date

20260505

Application Date

20260202

Claims (8)

1. 1. The quantum attack resistant attribute base Boolean searchable encryption method in cloud environment is characterized by comprising the following specific steps: Step one, establishing an encryption search system based on a data owner and a user; Order the Is a global set of attributes in the system, and a user has a set of attribute sets therein Data owners define access policies using AND gates The policy may be expressed as a tandem combination of a positive attribute set, a negative attribute set, and a nonsensical attribute set; In the searching system, a trusted authority establishes a system public key and a system master key, maintains the whole system, and distributes cloud server private keys to two cloud servers through a secure channel; (1) The process of establishing a system public key and a system master key by a trusted authority and distributing cloud server private keys to two cloud servers is defined as Setup @ ) The specific process is as follows: the trusted authority obtains ABBKS.setup @ ) ( ); Further, call TSPHF.setup% ) Generating TSPHF common parameters ; Calling TSPHS. TSetup # - ) Generating trapdoor public keys Trapdoor private key ; Calling TSPHS.HashKG% ) Generating hash keys And TSPHF. ProjKG ] ) Generating a projection key ; Finally, the public key is output Preserving master keys And is of Setting server key Is that Setting up ; (2) The user private key algorithm generated by the trusted authority is defined as KeyGen # ) : Step three, data owner input Search strategy Keyword set Outputting keyword encryption index ; Step four, when a user sends a query request, a search trapdoor is generated based on a Boolean query formula, and is submitted to a cloud server A to search for encrypted documents in the search trapdoor; the algorithm for generating search trapdoors based on Boolean query formula by users is defined as TokenGen # ) : The user first obtains Subsequently, a random number is selected And noise value With witnessed marks And the words thereof Then, it generates Selecting a new hash key Projection key Trapdoor projection key Then, the user generates a hash Hash( ) And is all that A kind of electronic device Performing blinding operation generation And finally, the algorithm goes to Outputting search trapdoor of user , ; Step five, the cloud server A performs partial search operation by utilizing the search trapdoor uploaded by the user and the private key thereof to obtain a temporary search result, and sends the temporary search result to the cloud server B; ( ) After the search request is received, Selecting random And is aligned as follows And Performing a partial search operation and outputting temporary search results: first of all, Using its own private key Calculation acquisition And generate ; Next to this, the process is carried out, Will be Randomization to ; Finally, the step of obtaining the product, To the direction of Outputting temporary search results ; Step six, the cloud server B completes final searching by utilizing the private key of the cloud server B and the temporary search result sent by the cloud server A; ( ) Slave slave Received by After that, the processing unit is configured to, The whole searching process is completed by using the private key of the user according to the following steps: first of all, Through TSPHF. VerHP ] ) Algorithm checking [ ] ) Whether it is a valid projection key, and judging whether it satisfies If yes, the projection key is effective, and output Further will Is arranged as Obtaining TSPHF.THash( ) And is all that A kind of electronic device Performing blind removing operation to generate Otherwise, the projection key is invalid and output Terminating the search process and outputting ; Next to this, the process is carried out, Setting up And performs final search: If the user's attributes meet the index policy, i.e Then calculate Wherein The value rule of (1) is that if Then If not, then Then take Otherwise take And if the keyword of the encryption index meets the user searching strategy, namely The cloud server may build a collection And And can obtain coefficients So that Hold true for each Definition of And is also provided with And then, if And is also provided with The cloud server B obtains the final calculation search result as follows: Wherein, the Due to And , , And Is sampled from a truncated discrete gaussian distribution for each dimension of the component , And all of 、 Is statistically distributed as And all that Obeying truncated discrete gaussian distribution Is set according to parameters Therefore, the encryption index meets the search requirement of the user, the algorithm outputs 1 and returns corresponding search entries to the user, otherwise, outputs 0.
2. 2. The quantum attack resistant attribute-based boolean searchable encryption method in a cloud environment according to claim 1, wherein the access policy is In the forward subset Requiring users to possess these attributes to search for the corresponding searchable ciphertext, a negative subset For prohibiting users possessing these attributes from searching for searchable ciphertext, while nonsensical subsets The attribute in the system does not influence the authorization decision If and only if And is also provided with In the time-course of which the first and second contact surfaces, For a set of authorization attributes, otherwise Is an unlicensed set.
3. 3. The method for quantum attack resistant attribute-based boolean searchable encryption in a cloud environment according to claim 1, wherein the trusted authority obtains abbks setup @ ) ( ) The specific process of (2) is as follows: first based on system security parameters Generating system parameters And , Is that -Bounded error distribution, integer loop at modulo q Selecting random number And outputs global common parameters And define hash functions The following operations are performed: first, generate% ) TrapGen( ) And is a global attribute set Each attribute of (3) Selection of Wherein Indicating that the user has possession of the attribute, Indicating that the user does not possess the attribute; Then, at Is selected randomly And at Randomly selecting vectors in the n-dimensional vector space Calculation of And ; At the same time generate TrapGen And ; Finally, the master public key of LABKS is output ( ) Preserving a master private key ( ); Wherein, the All are intermediate results, and together form a main public key; are all random numbers selected randomly and form a main private key together.
4. 4. The method for quantum attack resistant attribute-based boolean searchable encryption in a cloud environment according to claim 1, wherein the trusted authority generates a user private key algorithm specifically comprising: trusted authority selection And performs the following operations: first, generate When (when) Value taking Otherwise Value taking Definition of And generate ExtendR( ); Then, generate Satisfy the following requirements Granting access rights to the user; next, a generation Satisfy the following requirements And select Calculation of , , ; Finally, the algorithm outputs the user private key 。
5. 5. The method for quantum attack resistant attribute-based boolean searchable encryption in a cloud environment according to claim 1, wherein the keyword encryption indexing algorithm is defined as IndexGen @ a ) Random selection of data owners As a secret vector for attribute authorization and keyword encryption, thereby achieving a combination of search authorization and boolean search, the data owner first generates an authorization index in the following manner: Data owner sampling noise values from gaussian distribution And uses the previously generated common base matrix Generating ; For each attribute Data owner selects noise value Generating Wherein if (a) Then Otherwise For any attribute Selecting And generate And ; Next, the data owner generates a keyword index as follows: sampling noise values from gaussian distributions And Generating And ; For each of Randomly selecting n-dimensional secret vector And generate And Wherein Is a keyword Does not contain private information; Is that Key word value, m-dimensional noise vector ; Finally, the data owner output keyword index is as follows: 。
6. 6. the quantum attack resistant attribute base boolean searchable encryption method in a cloud environment according to claim 1, characterized in that the algorithm construction details of TSPHF are as follows: TSetup ( ) The algorithm firstly generates ) TrapGen ( ) Then select to satisfy A kind of electronic device And Then generate And setting another common parameter SPHF trapdoor ; HashKG ( ) The algorithm randomly selects Setting a hash key ; ProjKG ( ) The algorithm generates and outputs a projection key ; ProjHash ( ) Given witness The algorithm generates and outputs a projected hash value ; TProjKG ( ) The algorithm generates another projection key ; Hash ( ) Given witness Corresponding word Wherein And is also provided with For noise, the algorithm generates and outputs a hash value ; THash ( ) The algorithm generates trapdoor hash values ; VerHP ( ) If (1) The algorithm outputs And otherwise output 。
7. 7. The quantum attack resistant attribute-based boolean searchable encryption method in a cloud environment according to claim 1, wherein the user obtains The specific process is as follows: the user first randomly selects Construction vector And uses the matrix corresponding to the Boolean search strategy Computing shared vectors Then for each The following operations are performed: for counting From 1 to Randomly select Setting up , And generate And Next, for each Generating Wherein Is the LSSS matrix of the first Keyword values corresponding to the rows; generating Satisfy the following requirements And Satisfy the following requirements ; And ; Finally, the data user is further randomized Wherein scalar is randomly selected And outputs a search trapdoor as follows: 。
8. 8. The attribute-based boolean searchable encryption system for resisting quantum attack in a cloud environment is characterized by comprising a trusted authority, a data owner, a data user, a cloud server A and a cloud server B, wherein the method is used for realizing any one of the claims 1-7; the trusted authority establishes a system public key and a system master key and maintains the whole system, and simultaneously, the trusted authority distributes private keys to users and distributes cloud server private keys to two cloud servers through a secure channel; the data owner stores and shares data on the server, generates a keyword index and uploads the keyword index to the cloud server A; The user generates a search token for a Boolean query formula based on the self query request, and submits the search token to the cloud server A to search the encrypted document in the cloud server A; The cloud server A is a semi-trusted third party and is responsible for storing the keyword index uploaded by the data owner, and performs partial search operation by utilizing the search trapdoor uploaded by the user and the private key thereof, and sends the temporary search result to the cloud server B; the cloud server B is a semi-trusted third party and is responsible for completing final search by utilizing the private key of the cloud server B and the temporary search result sent by the cloud server A.

Description

Quantum attack resistant attribute-based Boolean searchable encryption system and method in cloud environment Technical Field The invention belongs to the technical field of cloud computing encryption search, and particularly relates to an attribute-based Boolean searchable encryption system and method for resisting quantum attack in a cloud environment. Background With the rapid development of cloud computing, the digital transformation process is continuously accelerated, and more enterprises and individuals choose to outsource self data to cloud storage so as to fully utilize huge storage space and abundant computing resources of cloud services. In recent years, frequent cloud data leakage events knock alarms for cloud data security protection. In the field of cryptography, data security protection requirements are met, and the traditional mode is to encrypt data and upload the encrypted data to the cloud. However, with the development of quantum computing, conventional Diffie-Hellman, elliptic curve and other password support technologies cannot ensure data security. 2024, the national institute of standards for technology published 4 post-quantum cryptography algorithm standards. The lattice-based password (LBC) is widely used, and based on a nearest vector problem, a shortest vector problem, fault tolerant Learning (LWE) and the like, after construction, quantum Identity Based Encryption (IBE), attribute Based Encryption (ABE) and the like, data security under quantum threat is ensured. Although the data security can be effectively protected by the method, the data owner loses effective management and control of the cloud data, and challenges are brought to accurate, efficient and safe retrieval of the cloud data. The attribute base Boolean searchable encryption technology (ABBKS) realizes fine granularity search authorization and Boolean retrieval by means of ABE technology support, protects data security, simultaneously gives users the capability of efficiently and accurately controlling information screening, and can effectively cope with the challenges. Specifically, ABBKS allows the data owner to specify an access policy for the encrypted data, and to generate a keyword set and send the keyword set to the cloud server, the user generates a search token for its boolean search requirement by using its attribute private key, the cloud server searches the cloud keyword index by using the search token, and the user can obtain corresponding search data if and only if the attribute information of the user satisfies the access policy of the keyword index and the keyword set of the keyword index matches the boolean request. Because the keywords are extracted from the data, an attacker can initiate a selected keyword attack (CKA) to acquire keyword information in the keyword index by using an unauthorized search token, or initiate a Keyword Guess Attack (KGA) to directly guess the keyword information in the search token by using the public parameters, or generate the keyword index for the guessed keywords and acquire the keyword information in the search token in a way of matching the keyword index with the intercepted search token. Therefore, in this technology, not only should data be secured, but also keyword information in the keyword index and the search token should be privacy-protected, so that the security under CKA and KGA is ensured. The grid-based attribute-based searchable encryption (LABKS) technology can realize fine-grained authorized retrieval of cloud encrypted data under quantum threat, and related entities comprise an authorization mechanism, a cloud server, a data owner and a data user. As shown in fig. 1, the implementation process of LABKS includes the following steps: 1) And initializing a system. Authorization mechanism generation system public key System master key。 2) And (5) generating a key. User submits property sets to an authorityUsing an authorityAndGenerating a private key for the user。 3) And (5) encrypting the data. Data owners specify access policies for their dataKeywords and method for producing the sameData owner generates keyword indexAnd sending the cloud server. 4) A search token is generated. The user uses his private keySearching for keywords thereforGenerating search tokensAnd sending the search result to a cloud server for searching. 5) And (5) cloud data retrieval. Cloud server utilization search tokensKeyword index and cloudPerforming search matching operations if and only ifAnd is also provided withAnd if the search is successful, the cloud server returns a search result to the user. In a cloud computing environment, the following problems still exist in adopting LABKS technology to realize data fine-grained authorized retrieval under quantum threat: 1) The existing LABKS scheme only realizes the single keyword retrieval of fine-granularity search authorization in the cloud environment, AND cannot support the retrieval expression of the retrieval logic such