CN-122001641-A - SM2 proxy re-encryption dual method and device for medical cloud data security sharing

Abstract

The invention discloses an SM2 proxy re-encryption dual method and device for medical cloud data security sharing. In the method, a third-party organization initializes and publishes system parameters. The data owner generates a reusable session key from an identity identifier, a private key and a timestamp, encrypts a medical message using the session key and a message random number to form an original ciphertext, and uploads the original ciphertext to a cloud server. When sharing is authorized, the data owner generates a proxy re-encryption key that is strongly bound to a specific message and receiver, based on the message random number, the owner's own public key and the receiver's public key, and sends it to the cloud server. The cloud server combines this key with the original ciphertext and sends the result to the receiver, who decrypts it to obtain the data; the data owner can also decrypt the original ciphertext directly to view the data. Through the design of the proxy re-encryption key, the invention achieves non-transferable authorization, low resource overhead and high security, and is suitable for resource-limited medical terminals and cloud environments.

Inventors

  • ZHANG ZHIWEI
  • WANG XUAN
  • ZHU MINGXING
  • LIU WENHAO
  • LIU SHUANGGEN
  • Tang Guiyuan
  • ZHU XINGHUI

Assignees

  • Xidian University (西安电子科技大学)

Dates

Publication Date
20260508
Application Date
20260128

Claims (10)

  1. The SM2 proxy re-encryption dual method for medical cloud data security sharing is characterized by comprising the following steps of: S10, initializing and disclosing system parameters by a third party mechanism, wherein the system parameters comprise a definition based on an SM2 algorithm Cyclic group of step addition And its generation element An SM4 symmetric encryption algorithm, and a plurality of cryptographic hash functions; S20, the data owner user A generates own SM2 public-private key pair And identity mark The data receiver user B generates own SM2 public-private key pair And identity mark ; S30, the user A is identified according to the identity of the user A Private key And a current timestamp Generating a reusable session key through cryptographic hash function and elliptic curve operation ; S40, the user A generates a message random number And calculates a temporary public key component Using the session key Encrypting messages Obtaining the core ciphertext Using the message random number With its own public key Calculating an encapsulation key and encrypting the session key using the encapsulation key Obtaining And generates a binding ciphertext component, user A's public key Integrity verification tag for encrypted time stamps Finally, the original ciphertext is formed Uploading to a cloud server; S50, the user A is based on the message random number Public key of user A And user B's public key Generating proxy re-encryption keys To grant user B access to the message And re-encrypting the proxy encryption key Sending to a cloud server; S60, the cloud server verifies the integrity of the original ciphertext and re-encrypts the proxy encryption key With the original ciphertext Combining to generate re-encrypted ciphertext And transmits to user B; S70, the user B decrypts the re-encrypted ciphertext Acquiring a message ; S80, when the user A views the message When user A is on the original ciphertext Decrypting to obtain the message .
  2. The SM2 proxy re-encryption dual method for medical cloud data security sharing of claim 1, wherein the third party authority initializes and exposes system parameters comprising: S101, third party institutions input safety parameters according to the input safety parameters Selecting a large prime number Determining SM2 standard specified finite fields Generates a Cyclic group of step addition Order-making Is that Is a generator of (1); S102, defining three secure password hash functions: ; ; ; Wherein, the Representation model Is a positive integer domain of (2); S103, selecting a symmetric encryption algorithm as SM4, and setting the validity period of a session key ; S104, third party institutions disclose system parameters .
  3. The SM2 proxy re-encryption dual method for medical cloud data security sharing of claim 2, wherein the session key The generation mode of (a) is as follows: ; Wherein, the Is that Is a positive integer of (a) and (b), , Representing the current timestamp at the time of session key generation, The operation of the splice is represented by a concatenation, Representing scalar multiplication operations.
  4. The SM2 proxy re-encryption dual method for medical cloud data security sharing according to claim 3, wherein the step S40 specifically comprises: S401, generating message random number , And calculates a temporary public key component ; S402, calculating a shared secret Wherein Representing the public key of user A, using the shared secret Deriving an encapsulation key Wherein Hashing one of the plurality of cryptographic functions; S403, using the encapsulation key Encrypting the session key Obtaining ; S404, using the session key Encrypting messages Obtaining ; S405, calculating an integrity label Wherein Representing messages The corresponding encrypted time stamp is used to determine, Hashing one of the plurality of cryptographic functions; S406, forming original ciphertext And convert the original ciphertext Uploading to a cloud server.
  5. The SM2 proxy re-encryption dual method for medical cloud data security sharing of claim 4, wherein the proxy re-encryption key The generation mode of (a) is as follows: ; Wherein, the The temporary parameter is indicated as such, .
  6. The SM2 proxy re-encryption dual method for medical cloud data security sharing according to claim 5, wherein step S60 specifically comprises: S601, the cloud server generates the original ciphertext Recalculation of And will And (3) with Comparison, if The cloud server executes the subsequent re-encryption step; S602, the cloud server re-encrypts the proxy encryption key With the original ciphertext Combining to generate re-encrypted ciphertext Wherein ; S603, encrypting the encrypted ciphertext To user B.
  7. The SM2 proxy re-encryption dual method for medical cloud data security sharing of claim 6, wherein the user B decrypts the re-encrypted ciphertext Acquiring a message Comprising the following steps: S701, calculating Wherein Representing the private key of user B; S702, utilize Deriving an encapsulation key And get the recovered session key ; S703, calculating the decrypted message ; S704, the user B verifies the re-encrypted ciphertext After verification is successful, the decrypted message is obtained Obtaining the message .
  8. The SM2 proxy re-encryption dual method for medical cloud data security sharing of claim 4, wherein step S80 comprises: S801, calculation Wherein Representing the private key of user A; S802, utilization of Deriving an encapsulation key And get the recovered session key ; S803, calculate the decrypted message ; S804, the user A verifies the original ciphertext After verification is successful, the decrypted message is obtained Obtaining the message .
  9. The SM2 proxy re-encryption dual device for medical cloud data security sharing, which is characterized by being used for executing the SM2 proxy re-encryption dual method for medical cloud data security sharing according to any one of claims 1-8, and comprising: the initialization module is deployed in a third party mechanism and is used for generating and disclosing system parameters; A key generation module for generating own SM2 public-private key pair for the user A of the data owner And identity mark Generating an own SM2 public-private key pair for a data receiver user B And identity mark And generates a session key ; The data encryption module is deployed at the data owner end and is used for generating a message random number And calculates a temporary public key component Using the session key Encrypting messages Obtaining the core ciphertext Using the message random number Public key with user A Calculating an encapsulation key and encrypting the session key using the encapsulation key Obtaining And generates a binding ciphertext component, user A's public key Integrity verification tag for encrypted time stamps Finally, the original ciphertext is formed Uploading to a cloud server; the proxy re-encryption key generation module is deployed at the data owner end and is used for generating a random number based on the message Public key of user A And user B's public key Generating proxy re-encryption keys To grant user B access to the message And re-encrypting the proxy encryption key Sending to a cloud server; the re-encryption ciphertext generating module is deployed on the cloud server and is used for verifying the original ciphertext And re-encrypting the proxy encryption key With the original ciphertext Combining to generate re-encrypted ciphertext And transmits to user B; the re-encryption ciphertext decryption module is deployed at the data user end and is used for decrypting the re-encryption ciphertext Acquiring a message ; An original ciphertext decrypting module, configured at a data owner terminal, for decrypting the original ciphertext Decrypting and obtaining the message .
  10. The SM2 proxy re-encryption dual device for medical cloud data security sharing of claim 9, wherein the key generation module comprises a data owner terminal module and a data receiver terminal module, each independently operating on a data owner terminal and a data receiver terminal.
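
The data flow of steps S40 to S80 (encryption, re-encryption key generation, cloud re-encryption, decryption by owner or receiver), as an added sketch that is not the patent's construction. The claim formulas are missing from this page, so an ElGamal-style key encapsulation is assumed, with integers modulo a Mersenne prime standing in for the SM2 group, SHA-256 for the hash functions and an XOR keystream for SM4; all function names are hypothetical.

```python
import hashlib, hmac, secrets

# Assumed toy stand-ins: integers mod a Mersenne prime replace the SM2 curve
# group, SHA-256 replaces the hash functions, XOR keystreams replace SM4.
P, G = 2**127 - 1, 3

def H(label: bytes, *parts: bytes) -> bytes:
    h = hashlib.sha256(label)
    for part in parts:                      # length-prefix each field
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def kek(shared: int) -> bytes:              # encapsulation key from a shared secret
    return H(b"kek", shared.to_bytes(16, "big"))

def tag_of(c1, c2, c3, pk_a):               # publicly recomputable integrity tag
    return H(b"tag", c1.to_bytes(16, "big"), c2, c3, pk_a.to_bytes(16, "big"))

def keygen():
    d = secrets.randbelow(P - 2) + 1
    return d, pow(G, d, P)

def encrypt(pk_a, session_key, msg):        # msg up to 32 bytes in this sketch
    r = secrets.randbelow(P - 2) + 1        # per-message random number
    c1 = pow(G, r, P)                       # temporary public key component
    c2 = xor(kek(pow(pk_a, r, P)), session_key)
    c3 = xor(H(b"stream", session_key, c1.to_bytes(16, "big")), msg)
    return r, (c1, c2, c3, tag_of(c1, c2, c3, pk_a))

def rekey(r, pk_a, pk_b):                   # depends on r, so on one message only
    return xor(kek(pow(pk_a, r, P)), kek(pow(pk_b, r, P)))

def reencrypt(rk, ct, pk_a):                # cloud side: verify, then re-mask c2
    c1, c2, c3, tag = ct
    if not hmac.compare_digest(tag, tag_of(c1, c2, c3, pk_a)):
        raise ValueError("original ciphertext failed integrity check")
    c2b = xor(c2, rk)
    return (c1, c2b, c3, tag_of(c1, c2b, c3, pk_a))

def decrypt(d, ct):                         # same routine for owner and receiver
    c1, c2, c3, _ = ct
    session_key = xor(c2, kek(pow(c1, d, P)))
    return xor(H(b"stream", session_key, c1.to_bytes(16, "big")), c3)
```

Applying the re-encryption key made for one message to another ciphertext of the same owner, even one encrypted under the same reused session key, leaves the receiver with an unusable session key, which is the message binding the abstract describes.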

Description

SM2 proxy re-encryption dual method and device for medical cloud data security sharing

Technical Field

The invention belongs to the technical field of information security, and particularly relates to an SM2 proxy re-encryption dual method and device for medical cloud data security sharing.

Background

With the rapid development of internet-based medical care, cloud medical information systems have become important infrastructure for medical data storage and cross-institution collaboration. According to the 2023 Chinese medical cloud market report, the penetration rate of medical cloud services in China is 45%, and the demand for sharing and exchanging key data such as electronic medical records and imaging reports in the cloud continues to grow rapidly. Against this background, how to share medical data securely, efficiently and controllably while protecting patient privacy has become a core problem to be solved.

However, conventional technology faces three main challenges in medical data sharing.

First, there is a significant conflict between privacy protection and sharing efficiency. Conventional techniques typically employ a "download-decrypt-re-encrypt" mode that requires the data owner (the patient) to decrypt and re-encrypt all data locally, and the computational and bandwidth overhead may occupy more than 60% of the terminal's resources. This makes the mode hard to apply to resource-limited mobile terminals such as smartphones and wearable devices, hampering real-time, convenient medical data sharing.

Second, existing proxy re-encryption schemes carry a risk of permissions getting out of control. In the conventional Proxy Re-Encryption (PRE) mechanism, the re-encryption key used to convert ciphertext is generated by the patient and held by the cloud proxy. This key is generally applicable and can convert any of the patient's ciphertexts. The key may therefore be used without authorization or misused, so that access rights to the patient's data spread illegitimately, contrary to the minimum-authorization principle specified in personal information protection laws.

Third, security strength and compliance need to be improved. Most existing PRE schemes achieve only security against chosen-plaintext attacks (CPA) and cannot resist the more realistic active attacks in a cloud environment, such as chosen-ciphertext attacks (CCA); their security model is not robust enough. Meanwhile, these schemes generally adopt international general-purpose cryptographic algorithms and do not follow the standards of China's commercial cryptography management system, so they can hardly meet the mandatory requirements of key industries such as healthcare and government affairs for autonomous controllability and compliance assessment of cryptographic technology.

To address this loss of control over permissions, academia has proposed a dual form of proxy re-encryption (PRE+). Its central idea is that the authority and logic for generating the re-encryption key are transferred from the data owner to the data encryptor (namely the patient himself), and the generated key is uniquely bound to a specific message and a designated receiver, so that the possibility of the key being arbitrarily transferred is eliminated at the level of cryptographic principle; that is, the key is non-transferable.

However, existing PRE+ schemes still have limitations that restrict their practical application in medical scenarios. First, PRE+ schemes generally rely on computationally expensive bilinear pairing operations; a single pairing operation costs about 12 times as much as an SM2 elliptic curve scalar multiplication, so real-time response is hard to achieve on many medical terminals. Second, each item of medical data requires its own complete key generation and management process, which produces significant storage and management overhead when the volume of medical data is huge. Finally, such schemes do not fully take into account the high-frequency, multi-role sharing that characterizes medical data, so their system design offers insufficient protection against specific attacks.

Therefore, a new security scheme is needed that combines the permission-control advantages of PRE+ with deep optimization for medical cloud data sharing scenarios, in order to truly achieve the core goals of non-transferable fine-grained authorization, low resource overhead, high-level security and comprehensive compliance.

Disclosure of Invention

In order to solve the problems in the prior art, the invention provides an SM2 proxy re-encryption dual method and device for medical cloud data security sharing. The technical problems to be solved by the invention are addressed by the following technical scheme: in a first aspect, the invention provides an SM2 proxy re-encryption