Search

CN-122020721-A - Method and system for searching encrypted data

CN122020721ACN 122020721 ACN122020721 ACN 122020721ACN-122020721-A

Abstract

The application provides an encrypted data searching method and system. The method comprises the steps that a target user side obtains document keys of a plurality of documents and identifiers of corresponding documents, the document keys of the documents are generated in advance according to preset master keys and the identifiers of the documents, the target user side generates search tokens of the documents aiming at the keywords to be searched according to the document keys of the documents, the keywords to be searched and the identifiers of the documents, the target user side sends the search tokens of the documents to a server side, the server side carries out encryption search on the documents according to the search tokens to obtain target encrypted document identifiers, and returns the target encrypted document identifiers to the target user side, and the target user side decrypts the target encrypted document identifiers according to the document keys of the documents to obtain the identifiers of the target documents with the keywords to be searched. By generating the secure search token and combining the server side encryption retrieval and the target user side decryption verification, the efficient data retrieval under the encryption state is realized.

Inventors

  • LI YANG
  • ZHOU XIAOGANG

Assignees

  • 中电信量子信息科技集团有限公司

Dates

Publication Date
20260512
Application Date
20260213

Claims (10)

  1. 1. An encrypted data search method, the method comprising: the method comprises the steps that a target user side obtains document keys of a plurality of documents and identifiers of corresponding documents, wherein the document keys of the documents are generated in advance according to a preset master key and the identifiers of the documents; The target user side generates a search token aiming at the keyword to be searched according to the document key of each document, the keyword to be searched and the identifier of each document; the target user side sends the search token to a server side; the server side performs encryption retrieval on each document according to the search token to obtain a target encrypted document identifier, and returns the target encrypted document identifier to the target user side; And the target user end decrypts the target encrypted document identifier according to the document key of each document to obtain the identifier of the target document with the keyword to be searched.
  2. 2. The method of claim 1, wherein the document key comprises an encryption key, and the target client decrypts the target encrypted document identifier according to the document key of each document to obtain the identifier of the target document with the keyword to be retrieved, comprising: and the target user end decrypts the target encrypted document identifier according to the encryption and decryption keys of the documents to obtain the identifier of the target document with the keyword to be searched.
  3. 3. The method according to claim 2, wherein the target user side obtains document keys of a plurality of documents and identifiers of corresponding documents, including: If the target user terminal corresponds to the user authorized by the data management terminal, the target user terminal receives the document keys of a plurality of documents and identifiers of the corresponding documents sent by the data management terminal; the target user side generates a search token for the keyword to be searched according to the document key of each document, the keyword to be searched and the identifier of each document, and the search token comprises: The target user side generates first user information according to the first bit key of the target user and the identification of each document; The target user side generates first document information of the target user aiming at the keywords to be searched according to the index key of each document, the second bit key of the target user, the keywords to be searched and the identifiers of each document; And the target user side generates a search token of the keyword to be searched according to the first user information and the first document information.
  4. 4. The method according to claim 2, wherein the target user side obtains document keys of a plurality of documents and identifiers of corresponding documents, including: If the target user corresponding to the target user is an upper-layer user terminal authorized user, the target user terminal receives a plurality of document keys of the documents, identifiers of the corresponding documents, user-level authorized index information and offline authorized token information of the documents sent by the upper-layer user terminal, wherein the document keys at least comprise index keys; the target user side generates a search token for the keyword to be searched according to the document key of each document, the keyword to be searched and the identifier of each document, and the search token comprises: the target user side obtains the offline authorization token information of each document according to the identifier of each document, wherein the offline authorization token information of the document comprises second user information of the upper user side corresponding to the upper user and the offline authorization information of the target user; the target user side generates second document information of the target user aiming at the keywords to be searched according to the offline authorization information of the target user, the keywords to be searched and index keys of the documents; and the target user side generates a search token of the keyword to be searched according to the second user information and the second document information.
  5. 5. The method of claim 4, wherein before the target client receives the document keys of the plurality of documents, the identifiers of the corresponding documents, the user-level authorization index information, and the offline authorization token information of each of the documents sent by the upper layer client, the method further comprises: The upper user side generates the user level authorization index information according to the first bit key of the upper user and the identification of the target user; the upper layer user side obtains document keys of a plurality of documents, identifiers of corresponding documents and offline authorization token information of each document; The upper layer user side sends document keys of a plurality of documents, identifiers of corresponding documents, the user-level authorization index information and offline authorization token information of each document to a target user side; And the upper layer user side sends the user level authorization index information to a server side, so that the server side updates a preset user level authorization set according to the user level authorization index information.
  6. 6. The method of claim 3, wherein before the target client obtains the document keys of the plurality of documents sent by the receiving data management end and the identifiers of the corresponding documents, the method further comprises: The data management end generates an index key of each document according to a first master key in a preset master key and an identifier of each document; the data management end generates a token key of each document according to a second master key in the preset master keys and identifiers of the documents; the data management end generates encryption and decryption keys of the documents according to a third master key in the preset master keys and identifiers of the documents; The data management end generates an authorization token of each document according to the token key of each document and the identifier of each document, and generates the first user information according to the first bit key of the target user and the identifier of each document; The data management end sends the index key, the encryption and decryption key and the identifier of the corresponding document of each document to the target user end; the data management end sends the authorization token of each document and the first user information to the server end, so that the server end updates a preset authorization token set according to the authorization token of each document and the first user information.
  7. 7. The method of claim 1, wherein the server performs encryption retrieval on each document according to the search token to obtain a target encrypted document identifier, including: The server side acquires user information and document information of the target user from the search token; The server retrieves a preset authorization token set according to the user information to obtain an authorization token of the target user; The server calculates retrieval information according to the authorization token of the target user and the document information; The server retrieves the retrieval information in an encryption index set of a preset keyword document pair; And if the search information is in the encryption index set, the server acquires a corresponding encryption document identifier from the encryption index set as the target encryption document identifier.
  8. 8. The method of claim 7, wherein the method further comprises: The data management end generates a first index set of the document according to the index key of the document, the identifier of the document and the identifier of each keyword in the document, wherein the first index set stores the retrieval information of each keyword; The data management end generates a second index set according to the encryption and decryption key of the document and the identifier of the document, wherein the encrypted document identifier of the document is stored in the second index set; The data management end sends the first index set and the second index set of the document to the server end, so that the server end updates the encryption index set according to the first index set and the second index set of the document.
  9. 9. The method of claim 8, wherein the data management side sends the first index set and the second index set of the document to the server side, the method further comprising: the data management end randomly sorts the first index set and the second index set of the document, and sends the first index set and the second index set after being randomly arranged to the server.
  10. 10. An encrypted data search system, comprising a target user side and a server side, wherein the target user side and the server side are respectively used for executing the steps of the encrypted data search method according to any one of claims 1-9.

Description

Method and system for searching encrypted data Technical Field The invention relates to the technical field of password application, in particular to an encrypted data searching method and system. Background The rapid development of quantum computing technology poses a serious challenge to traditional cryptography. The quantum algorithm Shor can solve the problems of large integer decomposition and discrete logarithm in polynomial time, and directly breaks the widely used public key cryptosystem. This means that once large-scale quantum computers are developed successfully, most of the current encryption systems for protecting network security are thoroughly destroyed, and an attacker can decrypt the encrypted communication data intercepted in the past, with catastrophic consequences. To address this impending threat, the international cryptology community has actively developed anti-quantum cryptography (Post-Quantum Cryptography ‌, PQC) algorithms, i.e., cryptographic algorithms that can remain secure in a quantum computing environment. In the field of encrypted database searching, quantum threats are particularly serious, because encrypted data often needs to be stored for a long period, which means that even if the current encrypted data is secure, with the development of quantum computing technology, the data may be decrypted in the future, resulting in leakage of sensitive information. Therefore, research into quantum-resistant encryption database search techniques has great urgency and importance. However, existing encryption database search schemes, including the aforementioned hierarchical authorized encryption database search schemes, are mostly built based on traditional cryptography, and cannot resist quantum computing attacks, and public key cryptography and digital signature algorithms used in these schemes cannot guarantee long-term security of data. Disclosure of Invention The invention aims to provide an encrypted data searching method and system aiming at the defects in the prior art, so that the efficient data searching under the encryption state is realized by combining the closed loop design of the server side encryption searching and the target user side decryption verification through the document key of each document, the keyword to be searched and the identifier of each document to generate a secure search token. In order to achieve the above purpose, the technical scheme adopted by the embodiment of the application is as follows: in a first aspect, an embodiment of the present application provides an encrypted data searching method, where the method includes: the method comprises the steps that a target user side obtains document keys of a plurality of documents and identifiers of corresponding documents, wherein the document keys of the documents are generated in advance according to a preset master key and the identifiers of the documents; The target user side generates a search token aiming at the keyword to be searched according to the document key of each document, the keyword to be searched and the identifier of each document; the target user side sends the search token to a server side; the server side performs encryption retrieval on each document according to the search token to obtain a target encrypted document identifier, and returns the target encrypted document identifier to the target user side; And the target user end decrypts the target encrypted document identifier according to the document key of each document to obtain the identifier of the target document with the keyword to be searched. In an optional implementation manner, the document key comprises an encryption key and a decryption key, the target user end decrypts the target encrypted document identifier according to the document key of each document to obtain the identifier of the target document with the keyword to be searched, and the method comprises the following steps: and the target user end decrypts the target encrypted document identifier according to the encryption and decryption keys of the documents to obtain the identifier of the target document with the keyword to be searched. In an alternative embodiment, the target user side obtains the document keys of the plurality of documents and the identifiers of the corresponding documents, including: If the target user terminal corresponds to the user authorized by the data management terminal, the target user terminal receives the document keys of a plurality of documents and identifiers of the corresponding documents sent by the data management terminal; the target user side generates a search token for the keyword to be searched according to the document key of each document, the keyword to be searched and the identifier of each document, and the search token comprises: The target user side generates first user information according to the first bit key of the target user and the identification of each document; The target user side generates fir