Revocable attribute encryption method based on complete binary tree

[0034] The present invention will be described in detail below with reference to specific embodiments.

[0035] The present invention is based on the revocable attribute encryption method of the complete binary tree, and is specifically implemented according to the following steps:

[0036] Step 1. System parameter initialization:

[0037] The specific steps are as follows:

[0038] Enter the security parameter λ and randomly select α∈Z p , where Z p ={0,1,...,p-1}, use the set {1,2,...,m} to represent the attribute set, where m is the maximum number of attributes in the system, and use a complete binary tree for each The leaf node represents the unique identifier of a user, and defines the set of all users in the system as U. According to the system naming rules, U is transformed into in represents the entire set of leaf nodes transformed by all users, let is the set of nodes in the binary tree determined according to the system naming rules, for each leaf node make Indicates the path from the leaf node to the root node, for the partially marked leaf node set set overlay node Cover(L) is the minimum coverage set of unmarked leaf nodes, and defines the maximum number of nodes in the covered nodes as d. What this method revokes is the unique identifier of the user, which corresponds to the revoke of the leaf nodes in the binary tree. Let R t Represents the list of revoked user identities at time t, that is, R t The elements within are the revoked leaf nodes of the binary tree at time t, where For each attribute i∈[1,m], choose s at random i ∈Z p ,definition Randomly choose d+1 values ​​h 0 ,h 1 ,...,h d ∈Z p ,definition Also define H ( x ) = Π j = 0 d ( H j ) x j , output master private key and public parameters :

[0039]

[0040] Step 2. Key generation:

[0041] Specifically, follow the steps below:

[0042] Step (2.1), convert the access policy into an access structure (M, ρ) through the linear secret sharing technique LSSS, where the matrix M is an l×k matrix, M i is the corresponding i-th row of matrix M, and the mapping ρ converts M i Mapped to the attribute ρ(i);

[0043] Step (2.2), randomly select α 1 ,α 2 make it satisfy α=α 1 +α 2 , select the vector where z 2 ,...,z k ∈Z p ,calculate and randomly selected For any node in a binary tree choose r at random x ∈Z p Correspondingly, the private key sk with the ID under (M, ρ) is output ID,(M,ρ) =(D 1 ,D 2 ,D 3 ,D 4 ):

[0044] D 1 = { D i ( 1 ) | D i ( 1 ) = g λ i T i β i , i ∈ [ 1 , l ] } ; D 2 = { D i ( 2 ) | D i ( 2 ) = g β i , i ∈ [ 1 , l ] } ; D 3 = { D x ( 3 ) | D x ( 3 ) = g α 2 H ( x ) r x , x ∈ P a t h [ I D ] } ;

[0045] D 4 = { D x ( 4 ) | D x ( 4 ) = g r x , x ∈ P a t h ( I D ) } ;

[0046] Step 3. Encryption:

[0047] Specifically, follow the steps below:

[0048] Step (3.1), randomly select s∈Z p ,calculate C (1) =g s , for the attribute set For each attribute i∈ω, compute

[0049] Step (3.2), according to the system revocation list R at time t t , the system revocation list R t Represents the set of revoked user identities at time t, looking for Cover(R t ), so that Cover(R t ) is the minimum cover of U\R, and calculate Cover(R t ) covering leaf nodes:

[0050] x ∈ C o v e r ( R t ) : C x ( t ) = H ( x ) s ,

[0051] In summary, the output ciphertext CT:

[0052] C T = ( C 0 , C ( 1 ) , { C i ( 2 ) } i ∈ ω , { C x ( t ) } x ∈ C o v e r ( R t ) ) ;

[0053] Step 4. Decryption:

[0054] Specifically, follow the steps below:

[0055] Step (4.1), when the attribute set ω satisfies the access structure (M, ρ), the user The user implements decryption and defines I={i:ρ(i)∈ω}. According to the reconstructability of LSSS, there is an array μ i Satisfy Σ I μ i M i = ( 1 , 0 , ... , 0 ) ;

[0056] Step (4.2), because Then there is x∈Path(ID)∩Cover(R t ),calculate:

[0057]

[0058]

[0059] exist combine successfully decrypted the message

[0060] The security analysis of the revocable attribute encryption method based on the complete binary tree of the present invention is carried out below:

[0061] Proof of correctness:

[0062] If all data are generated as described in the inventive method, the decryption calculation is as follows:

[0063]

[0064]

[0065] therefore,

[0066]

[0067] Summarize the present invention:

[0068] The present invention is based on the revocable attribute encryption method based on the complete binary tree, which is an important progress of the revocable attribute encryption method, specifically: 1) constructing a complete binary tree, and using each leaf node of the binary tree as the unique identifier of the user; 2) revoking During the process, once the user's identifier is revoked, the user will be revoked. At this time, regardless of whether the user's attributes satisfy the access structure constituted by the access policy, the user no longer has the ability to decrypt; 3) Input the security parameters to construct the system master secret. 4) According to the path of the binary tree where the user is located, establish the user's private key; 5) Encrypt the message through the cover set of the known revocation user list; 6) Find the user path corresponding to the revocation list The intersection of the covering set to implement the decryption operation.

[0069] The present invention is based on the revocable attribute encryption method of the complete binary tree, which can complete the revocation of the user without updating the public key of the system and the private key of any user, and realizes the purpose of revoking all the information of the user, and the cost is small. The construction of is simpler, and the security of the scheme is guaranteed on the basis of the discriminative bilinear Diffie-Hellman problem.